Acunetix Launches Free Cross-Site-Scripting Scanner

Enterprises can protect Web sites from threat of cross-site scripting problems

Acunetix has released a free edition of its commercial Web vulnerability scanner that enables organizations to find cross-site scripting vulnerabilities at no cost.

In cross-site scripting (XSS), attackers embed malicious code (JavaScript, VBScript, ActiveX, HTML, or Flash) into a dynamic page; the code then executes in the browser of a user who views the page and gathers data. XSS can, according to Acunetix, "compromise private information, manipulate or steal cookies, create requests that can be mistaken for those of a valid user, or execute malicious code on the end-user systems."

These vulnerabilities are dangerous, and their number (typically undercounted) is growing. For example, Acunetix notes, in August 2006, "hackers stole the personal data of nearly 19,000 DSL equipment customers through a vulnerability in AT&T's online store." In June 2006, PayPal users were tricked into giving away their Social Security numbers, credit card information, and other sensitive personal information through a cross-site scripting vulnerability at PayPal's Web site.

"Companies don't realize the danger their Web sites are under and are therefore reluctant to invest in Web vulnerability scanners. Consequently, security officers don't have the tools to protect their Web sites. The free XSS scanner will give security officers access to a professional cross-site scanning tool that will allow them to assess their Web sites for the cross-site scripting danger," said Jonathan Spiteri, technical manager of Acunetix, in a company statement.

The free tool Acunetix offers scans any Web site or Web application for XSS vulnerabilities and provides the essential information about each one (for example, its location and suggested remediation techniques). The company says the scan is a "quick exercise" that depends on the site's size.

The free edition also lets users see the detection skills of Acunetix WVS by using it to scan several test sites created by Acunetix.

Acunetix's commercial product, Web Vulnerability Scanner, checks for SQL injection and cross-site scripting, examines password strength on authentication pages, and automatically audits shopping carts, forms, and dynamic content. When finished, the software creates reports that pinpoint the vulnerabilities.

The free edition of Acunetix Web Vulnerability Scanner (WVS) is available immediately.

About the Author

James E. Powell is the former editorial director of Enterprise Strategies (