Rapid7 NeXpose & Acunetix

Posted on 2010-09-01
Last Modified: 2012-05-10

I have a questionnaire on my site that a college student would like to use in his project.

However the IT department of his college must first run a web application vulnerability assessment. I was told that the scan will not target operating system and/or network vulnerabilities, but rather potential vulnerabilities in the web application.

Either Rapid7 NeXpose or Acunetix will be used to perform the scan.

For Rapid7 NeXpose does anything have to be installed on my server? From what I can tell, with Acunetix nothing has to be installed on my server, the scan can be made from any computer.

Could there be a security risk for me when other people run these programs and check my site's applications, or do I only stand to gain if they inform me of possible vulnerabilities?

If these programs can be run by anybody, why do you think I was asked to give permission? Is it because I can find evidence that these programs have been run from my logs?

thanks for your help!
Question by:netplus21
LVL 11

Accepted Solution

slemmesmi earned 250 total points
ID: 33583969
Dear netplus21,

please let me try to answer your questions:

1. You do not need to install anything on your server (being the target of the penetration test/vulnerability scan) in regard to the Rapid7 NeXpose. You can see the detailed architecture of the product described on

2. Yes, there is definitely a (security) risk with a vulnerability scan/penetration test. E.g. such a test might test for the server's potential vulnerability towards DoS attacks, and ("inadvertently") cause a DoS. Also other types of tests (trying to exploit potential vulnerabilities) may negatively impact the availability of your server. You must thus be 100% certain you have the approval from the Business Process Owner (if not the Board of Directors) as well as the internal IT security officer and auditors, that they are OK with the test to come, and accept the related potential risk. Hence you must ensure you know in advance exactly what the "test" does, and agree to the timeslots (begin/end) during which the test is done (so you know during that time there is a risk, and you may see reports/alarms of some malicious behaviour). Frankly, as this is to be done by a "college student", I'd NOT let this happen towards any productive system, at the most towards a test system!

3. I believe you were asked to give permission for the reasons detailed in '2' above. Also you may have an issue with internal/external auditors in terms of justifying that the test really was a test and not a real "attack".

Hope this helps.

Kind regards,
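The question asks whether a scan would leave evidence in the server logs, and the answer above recommends agreeing on a test window so that alarms during it can be attributed to the test. The following is an added example, not code from the thread or from either product: it parses constructed combined-format access-log lines, flags clients whose burst of requests to many distinct paths with a high 4xx ratio looks like an automated scan, and reports whether the burst fell inside the agreed window. The thresholds, IP addresses, paths and timestamps are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Combined-log-format line: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_scan_candidates(lines, window, min_requests=20, min_distinct_paths=15, min_error_ratio=0.5):
    """Group requests per client and flag bursts that look like an automated scan (assumed thresholds)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    start, end = window
    findings = []
    for ip, recs in by_ip.items():
        if len(recs) < min_requests:
            continue
        distinct = len({r["path"] for r in recs})
        errors = sum(1 for r in recs if r["status"] >= 400)
        if distinct >= min_distinct_paths and errors / len(recs) >= min_error_ratio:
            first, last = min(r["ts"] for r in recs), max(r["ts"] for r in recs)
            findings.append({"ip": ip, "requests": len(recs), "distinct_paths": distinct,
                             "error_ratio": round(errors / len(recs), 2),
                             "inside_agreed_window": start <= first and last <= end})
    return findings

# Constructed sample log: one ordinary visitor plus one client probing 25 distinct paths in 25 seconds.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Sep/2010:21:55:00 +0000] "GET /survey.php HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Sep/2010:21:55:30 +0000] "POST /survey.php HTTP/1.1" 200 128',
] + [
    f'198.51.100.9 - - [01/Sep/2010:22:00:{i:02d} +0000] "GET /path{i} HTTP/1.1" {404 if i % 4 else 200} 0'
    for i in range(25)
]
# Assumed test window agreed with the college: 22:00 to 23:00 UTC on the scan day.
AGREED_WINDOW = (datetime(2010, 9, 1, 22, 0, tzinfo=timezone.utc),
                 datetime(2010, 9, 1, 23, 0, tzinfo=timezone.utc))
```

A burst flagged outside the agreed window is the case to escalate, since it cannot be attributed to the authorised test.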
LVL 63

Assisted Solution

btan earned 250 total points
ID: 33605705
Agreed with Soren, both products do not need an agent installed, but note that depending on the exploit used, an "agent" may be planted to perform leapfrog testing to other interconnected devices. Hence, my advice is to do it on a staging server with the predetermined test cases, then proceed with production at a convenient time (off-peak hours). Ideally, the production server need not be "touched" if staging can already reveal lots of flaws. The baseline has to be set.

The less intrusive approach can be via whitebox testing. See the related comments below. Have a clear objective and do not over-scope it, as there are two parts to it, the web server and the web application, that should be considered in the pentest. It is not the server solely.

Normally penetration testing can be blackbox testing (without knowing the internal architecture) or whitebox testing (with prior knowledge of the target architecture). The key is that the scope of the pentest work to be covered needs to be understood by both the "customer" and the "tester". This is to resolve unnecessary disagreements during and after the test phases. Typically there can be a neutral party to oversee that the testing is done in accordance with the agreed test specification scope. The objective for this is to establish the baseline security posture for the site and give the customer assurance of the risk being exposed. In short, a threat assessment can be done (on paper) and verified through the testing mentioned above. Note that there is no 100% secure website - it is susceptible to multiple factors, e.g. host server platform, web server, application server, web application, etc.

Proposed to include whitebox testing - review the code of the website using a static code analyser. There are some open ones in the link @

LVL 11

Expert Comment

ID: 33626197
Dear netplus21,

did you get any further with the above, or do you need more from our side?

Kind regards,
