Fingerprinting Acunetix


Dear PAN Developers,

Several times now a developer on our side has reported to us from monitoring tools he manages that people have scanned our critical applications with a freely available Web Application Vulnerability scanner from Acunetix.

Our CSO contacted the CTO of Acunetix asking how we could fingerprint their scanner so as to protect our applications from it. Their CTO wrote this:

"About blocking the attack: I don't know exactly what edition was used to scan your website. Some of our editions send the following header with each request: Acunetix-Scanning-agreement:Third Party Scanning PROHIBITED. Check if you can see this header and block based on that. However, if they are using a Consultant edition, this header is not sent.


All editions are making a request to the following URL before starting the scan: http://{website}/acunetix-wvs-test-for-some-inexistent-file. So, you can also look for that."


Please let me know if, based on this information, you can create for us a method by which to fingerprint and (dynamically) filter traffic from this scanner in the future. Our current countermeasure - waking up our network engineers and having them manually add the source IP of the scanner (which varies with each attack) - is time consuming...


Thank you so much

Dovid
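As an added illustration, not part of this thread or of any PAN-OS feature, the two fingerprints the Acunetix CTO describes turned into detection logic in Python: flag the agreement header or the pre-scan probe URL, then keep dropping the same source for a window so the rest of the scan is filtered without anyone adding IPs by hand. The request records and IPs are constructed, and the one-hour block window is an assumption.

```python
# Fingerprints quoted by the Acunetix CTO in the post above.
PROBE_PATH = "/acunetix-wvs-test-for-some-inexistent-file"
AGREEMENT_HEADER = "acunetix-scanning-agreement"
AGREEMENT_VALUE = "third party scanning prohibited"


def matches_header(headers):
    """True when the request carries the agreement header some editions send."""
    lowered = {k.lower(): v.strip().lower() for k, v in headers.items()}
    return lowered.get(AGREEMENT_HEADER) == AGREEMENT_VALUE


def matches_probe(path):
    """True for the probe URL every edition requests before scanning (query ignored)."""
    return path.split("?", 1)[0].lower() == PROBE_PATH


class ScannerTracker:
    """Remembers fingerprinted sources so later, normal-looking requests are dropped too."""

    def __init__(self, block_seconds=3600):  # assumed window
        self.block_seconds = block_seconds
        self.flagged = {}  # src_ip -> expiry timestamp

    def classify(self, ts, src_ip, path, headers):
        """Return a reason string if the request should be dropped, else None."""
        expiry = self.flagged.get(src_ip)
        if expiry is not None:
            if ts < expiry:
                self.flagged[src_ip] = ts + self.block_seconds  # refresh while active
                return "blocked-source"
            del self.flagged[src_ip]  # window elapsed; start clean
        if matches_header(headers):
            reason = "agreement-header"
        elif matches_probe(path):
            reason = "probe-url"
        else:
            return None
        self.flagged[src_ip] = ts + self.block_seconds
        return reason


# Constructed sample traffic: (timestamp, src_ip, path, headers).
SAMPLE = [
    (0, "203.0.113.5", "/login", {}),
    (1, "203.0.113.5", "/acunetix-wvs-test-for-some-inexistent-file", {}),
    (2, "203.0.113.5", "/login?user=test", {}),
    (3, "198.51.100.9", "/search", {"Acunetix-Scanning-agreement": "Third Party Scanning PROHIBITED"}),
    (4, "192.0.2.77", "/", {}),
    (5000, "203.0.113.5", "/", {}),
]


def run_sample():
    tracker = ScannerTracker()
    return [tracker.classify(*req) for req in SAMPLE]
```

The last record shows the same source allowed again once its window has expired; a real scan refreshes the window with every blocked request, so it stays filtered until it stops.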


SRA, thank you for your speedy reply. As the Acunetix CTO stated, "All editions are making a request to the following URL before starting the scan: http://{website}/acunetix-wvs-test-for-some-inexistent-file"


OK, I re-ran an experiment scan after our firewall guy hit "session" in the rule: same results.


What can we do from here - any ideas?


Thanks again,

Dovid

The session vs. transaction option only matters when you have multiple conditions in the signature, and you want all of those to be within a single transaction, or they can occur across transactions in a session. Have you taken a packet capture of the session to check if the patterns are indeed exactly the same as you used in the signature?

Pardon me for the late reply, please; yes, we took a packet capture and have uploaded this capture to our ticket (ticket #: 00149001). Please let me know if this will suffice for now, or if there is anything else we can provide you with in helping us develop a filter to test against this scanner.

Thank you so much,

Dovid
