Simple Vulnerability Manager integrates with industry-leading vulnerability scanners, enabling one-click scan execution and automatic report import. This guide covers configuring scanner credentials, API endpoints, and authentication.

Web Vulnerability Scanners

Acunetix

SVM supports both Acunetix 10.5 (local) and Acunetix 11/12 (Enterprise API).

Acunetix 11/12 API Configuration

1. Obtain API Credentials

Log into your Acunetix installation and generate an API key from the user profile settings.

2. Configure API Settings

In SVM, navigate to Configuration > Web Scanners > Acunetix. Enter the following details:
  • API URL: https://[your-acunetix-server]:3443
  • API Key: Your generated API key

3. Test Connection

Click Test Connection to verify SVM can communicate with your Acunetix server.

Scan Configuration Options

The Acunetix integration supports advanced scan configurations:
{
  "scan_speed": "moderate",
  "technologies": ["PHP"],
  "excluded_paths": ["manager", "phpmyadmin", "testphp"],
  "user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5)",
  "custom_headers": [
    "Accept: */*",
    "Connection: Keep-alive"
  ]
}

Built-in Scan Profiles

  • Full Scan: 11111111-1111-1111-1111-111111111111
  • High Risk Vulnerabilities: 11111111-1111-1111-1111-111111111112
  • XSS Vulnerabilities: 11111111-1111-1111-1111-111111111116
  • SQL Injection: 11111111-1111-1111-1111-111111111113
  • Weak Passwords: 11111111-1111-1111-1111-111111111115
  • Crawl Only: 11111111-1111-1111-1111-111111111117

Report Templates

Acunetix provides multiple report formats:
  • Developer: 11111111-1111-1111-1111-111111111111
  • Quick: 11111111-1111-1111-1111-111111111112
  • Executive Summary: 11111111-1111-1111-1111-111111111113
  • OWASP Top 10 2017: 11111111-1111-1111-1111-111111111125
  • PCI DSS 3.2: 11111111-1111-1111-1111-111111111120
  • Affected Items: 11111111-1111-1111-1111-111111111115 (default in SVM)

SVM automatically exports reports in both HTML and PDF formats. The scan script includes a 20-second delay multiplied by the URL number to prevent overwhelming the Acunetix server.

Support for Acunetix 10.5 Remote was removed in version 1.1.792 and replaced with Acunetix 11 API integration. Update your configuration accordingly.

Burp Suite

Configure Burp Suite Professional for web application testing:
1. Locate Burp Suite Executable

Navigate to Configuration > Web Scanners > Burp Suite

2. Select Executable

Browse and select your Burp Suite JAR or executable file. SVM supports custom executable paths (fixed in version 1.1.790).

3. Configure Java

Ensure Java Runtime Environment (JRE) is installed and accessible in your system PATH.

Netsparker

Configure Netsparker for automated web application security scanning:
1. Configure Netsparker Path

Navigate to Configuration > Web Scanners > Netsparker

2. Set Executable Location

Browse to your Netsparker installation directory and select the executable.

3. Launch Scans

Web URLs must include the protocol (http:// or https://) for proper scan execution (enforced since version 1.1.791).

Arachni

Configure Arachni Web Application Scanner for remote scanning:
1. Set Remote Server Details

Navigate to Configuration > Web Scanners > Arachni. Configure your Arachni server:
  • Server Address: IP or hostname
  • Port: Default Arachni port
  • Credentials: If authentication is enabled

2. Configure SSH Access

For remote Arachni installations, configure SSH credentials for report retrieval.

Web URLs must have the http:// or https:// protocol specified to launch Arachni scans successfully.

Service Vulnerability Scanners

Nessus

Configure Tenable Nessus for network and service vulnerability scanning.

Connection Settings

1. Configure Nessus Server

Navigate to Configuration > Service Scanners > Nessus. Enter connection details:
  • Server: Nessus server hostname or IP
  • Port: HTTPS port (default: 8834)
  • Username: Nessus user account
  • Password: Account password

2. Verify Service Status

SVM automatically detects if the Nessus service is running. If not started, you’ll receive instructions to start it via SSH.

Service Management

If the Nessus service is not running, start it manually:
# On the Nessus server
/etc/init.d/nessusd start

Policy Configuration

1. Retrieve Scan Policies

SVM automatically fetches available scan policies from your Nessus server using the API.

2. Select Policy

Choose the appropriate policy for your scan:
  • Basic Network Scan
  • Advanced Scan
  • PCI Quarterly External Scan
  • Custom policies you’ve created

Export Formats

Nessus scans are exported in multiple formats (added in version 1.1.792):
  • HTML: Human-readable report format
  • XML/Nessus: Machine-readable format for importing into SVM

The User-Agent was updated in version 1.1.794 to ensure compatibility with Nessus 7 and later versions.

OpenVAS

Configure OpenVAS (Open Vulnerability Assessment System) for comprehensive vulnerability scanning.

Connection Configuration

1. Configure OpenVAS Manager

Navigate to Configuration > Service Scanners > OpenVAS. Configure connection parameters:
  • Server: OpenVAS Manager hostname/IP
  • Port: OMP port (default: 9390)
  • Username: OpenVAS user account
  • Password: Account password

2. Test OMP Connection

SVM uses the OpenVAS Management Protocol (OMP) to communicate with the scanner.

Scan Configurations

1. Retrieve Scan Configs

SVM fetches available scan configurations using OMP commands:
<get_configs />

2. Select Configuration

Choose from available scan configurations:
  • Full and fast
  • Full and very deep
  • System Discovery
  • Custom configurations
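
What a client has to do with the reply to <get_configs />, as an added example that is not SVM's own script: check the OMP status first, then map configuration names to ids. The reply shapes, the placeholder ids and the function names are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample replies; the ids are placeholders, not real config ids.
SAMPLE_OK = """<get_configs_response status="200" status_text="OK">
  <config id="00000000-0000-0000-0000-000000000001"><name>Full and fast</name></config>
  <config id="00000000-0000-0000-0000-000000000002"><name>Full and very deep</name></config>
  <config id="00000000-0000-0000-0000-000000000003"><name>System Discovery</name></config>
</get_configs_response>"""

SAMPLE_AUTH_FAIL = (
    '<authenticate_response status="400" status_text="Authentication failed"/>'
)


class OmpError(Exception):
    """Raised when the manager's reply is not the expected success reply."""


def parse_omp_reply(xml_text, expected_root):
    """Parse a reply and surface the manager's own status text on failure."""
    root = ET.fromstring(xml_text)
    status = root.get("status", "")
    # Status is checked before the element name so that a failed login is
    # reported as such, not as an "unexpected element".
    if not status.startswith("2"):
        detail = root.get("status_text", "")
        raise OmpError(f"{root.tag}: {status} {detail}".strip())
    if root.tag != expected_root:
        raise OmpError(f"unexpected reply element <{root.tag}>")
    return root


def list_scan_configs(xml_text):
    """Return {config name: config id} from a get_configs reply."""
    root = parse_omp_reply(xml_text, "get_configs_response")
    configs = {}
    for cfg in root.findall("config"):
        name = (cfg.findtext("name") or "").strip()
        if name and cfg.get("id"):
            configs[name] = cfg.get("id")
    return configs
```
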

Report Formats

1. Get Available Report Formats

SVM retrieves available report formats from OpenVAS for export.

2. Configure Export Format

Select your preferred report format for automatic export after scan completion.

Remote OpenVAS Configuration

For remote OpenVAS installations:
1. Configure SSH Access

Set up SSH credentials for remote server access:
  • SSH Server: Remote server IP/hostname
  • SSH Username: Linux user account
  • SSH Password: Account password

2. Install Remote Tools

Navigate to Tools > Install > Remote > OpenVAS to install required components on the remote server.

3. Ubuntu for Windows 10 Support

OpenVAS remote scripts support Ubuntu for Windows 10 (WSL) as of version 1.1.792.

OpenVAS configuration retrieval displays detailed error messages when authentication fails, helping troubleshoot connection issues (improved in version 1.1.791).

Editing Scripts

1. Access Script Editor

Navigate to Tools > Edit Script > OpenVAS

2. Modify Local or Remote Scripts

Edit OpenVAS scanning scripts for both local and remote configurations (added in version 1.1.787).

Plugin Management

1. Update OpenVAS Plugins

Navigate to Tools > Update Plugins > OpenVAS

2. Synchronize Plugin Feed

SVM executes the plugin update command to ensure you have the latest vulnerability checks.

Qualys

Configure Qualys Community or Enterprise for cloud-based vulnerability scanning.

API Configuration

1. Configure Qualys Credentials

Navigate to Configuration > Service Scanners > Qualys. Enter your Qualys account details:
  • Username: Qualys account username
  • Password: Qualys account password

2. Configure Proxy (if needed)

If accessing Qualys through a proxy:
  • Use Proxy: Enable proxy usage
  • Proxy IP: Proxy server address
  • Proxy Port: Proxy port number
  • Proxy User: Proxy authentication username
  • Proxy Password: Proxy authentication password

API Endpoint

SVM connects to the Qualys API at:
https://qualysapi.qualys.com/msp/report_template_list.php

Report Templates

1. Retrieve Templates

SVM automatically fetches available report templates from Qualys using the API.

2. Select Template

Choose from available templates based on your compliance requirements:
  • Technical Report
  • Executive Report
  • PCI Compliance Report
  • Custom templates

Qualys External scanning cannot scan private IP addresses. You’ll receive an informative message if attempting to scan private IPs (added in version 1.1.788).

Configuration retrieval issues are now properly displayed with descriptive error messages (fixed in version 1.1.791).

Network Scanning Tools

Nmap

Configure Nmap for network discovery and port scanning.

Local Nmap Configuration

1. Verify Nmap Installation

Ensure Nmap is installed and accessible in your system PATH.

2. Configure Nmap Path

Navigate to Configuration > Network Tools > Nmap

3. Test Nmap

Run a test scan to verify Nmap is properly configured.

Remote Nmap Installation

1. Install Remote Nmap

Navigate to Tools > Install > Remote > Nmap (added in version 1.1.788)

2. Configure Remote Access

Set up SSH credentials for the remote server where scans will execute.

3. Edit Nmap Scripts

The local Nmap script was fixed in version 1.1.787 for improved reliability.

Scanning Web/Domains

1. Add Targets to Project

Add web URLs or domain names to your project’s target list.

2. Launch Nmap Scan

Select Tools > Nmap > Scan Web/Domains

3. Domain Support

Nmap can scan domains without IP resolution (fixed in version 1.1.792).

Version 2.0.3 added the ability to launch Nmap scans against Web/Domains directly from the project interface.

Information Gathering Tools

Recon-ng

Configure Recon-ng for reconnaissance and information gathering.

Configuration

1. Configure Recon-ng Path

Navigate to Configuration > Information Tools > Recon-ng

2. Set API Keys

Configure API keys for various reconnaissance services:
  • SHODAN API Key: For Shodan queries
  • IPInfoDB API Key: For IP geolocation
  • Other service API keys as needed

3. Configure Modules

Version 2.0.1 added support for:
  • certificate_transparency
  • google_site_web
  • hackertarget
  • threatcrowd

Domain Scanning

1. Add Domains

Domains can be added without specifying the protocol (fixed in version 2.0.3).

2. Launch Recon-ng

Execute reconnaissance modules with a single click from the project interface.

The Recon-ng executable path was updated in version 2.0.0 for better compatibility. Configuration saving was fixed in version 2.0.1.

EyeWitness

Configure EyeWitness for web application screenshot capture.

Local Configuration

1. Configure EyeWitness Path

Navigate to Configuration > Information Tools > EyeWitness

2. Set Python Environment

Ensure Python and EyeWitness dependencies are installed.

Remote Configuration

1. Install Remote EyeWitness

Navigate to Tools > Install > Remote > EyeWitness

2. Configure Remote Server

Set SSH credentials for remote execution.

3. Retrieve Reports

SVM automatically retrieves EyeWitness reports from remote servers (fixed in version 1.1.792).

EyeWitness and Java remote installation options were added to the Tools menu in version 1.1.792.

Android Security Tools

MobSF (Mobile Security Framework)

Configure MobSF for Android application security analysis.
1. Configure MobSF Server

Navigate to Configuration > Android Tools > MobSF. Enter server details:
  • Server URL: MobSF web interface URL
  • API Key: MobSF API key

2. Test Connection

Verify SVM can communicate with your MobSF instance.

APK Tools

Configure tools for APK analysis and manipulation.

Android Debug Bridge (ADB)

  • Version 1.0.39 included (updated in version 2.1.0)
  • No additional configuration required
  • Automatically detected when Android device is connected

Apktool

1. Configure Apktool

SVM includes download links for Apktool 2.4.0 (updated in version 2.1.0)

2. Local and Remote Support

Apktool can execute locally or on remote servers via SSH.

Other Android Tools

  • Enjarify: DEX to JAR conversion
  • JD-Gui: Java decompiler (version 1.5.2 link updated in 2.1.0)
  • QARK: Quick Android Review Kit (script updated in version 1.1.794)
  • AndroBugs Framework: Static analysis
  • Uber APK Signer: APK signing tool (version 1.0.0 link updated in 2.1.0)

All Android tool configurations were updated in version 2.1.0 with the latest download links and version information.

General Scanner Configuration Tips

Certificate Handling

For scanners with self-signed certificates (OpenVAS, Nessus):
  • SVM’s integrated web browser can access pages with invalid certificates (fixed in version 1.1.789)
  • No additional certificate configuration required

Script Management

1. Update All Scripts

Navigate to Tools > Update Scripts and Tools to download the latest versions of all integration scripts.

2. Edit Scripts

All .bat and .sh scripts are open source and can be edited to customize scanner behavior.

3. Review Script Documentation

Each script includes comments explaining parameters and API endpoints used.

SSH Configuration for Remote Scanners

For remote scanner execution:
1. Install PuTTY Tools

SVM uses PuTTY tools for SSH connectivity:
  • PLink: Version 0.70 (updated in version 1.1.793)
  • PSCP: Version 0.70 (updated in version 1.1.793)

2. Configure SSH Credentials

Enter SSH credentials in scanner configuration:
  • Server: Remote server hostname/IP
  • Username: SSH username
  • Password: SSH password

3. Test SSH Connection

Use the test connection feature to verify SSH access before running scans.

Remote scanner scripts were improved in version 1.1.794 to properly copy files to remote servers (OpenVAS and QARK scripts fixed).

Troubleshooting

Common Configuration Issues

Target Format Requirements: All web URLs must include the protocol (http:// or https://) when launching scanner tools. This requirement was enforced in version 1.1.791 to prevent scanning errors.
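
A pre-flight check for the two target rules this guide states (web URLs need http:// or https://, and Qualys External cannot scan private IP addresses), as an added example that is not SVM's own code. The function names, the tool-family labels and the sample targets are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample targets, as they might sit in a project's target list.
SAMPLE_TARGETS = [
    "https://example.com/app",
    "example.com",
    "http://192.168.1.10/login",
    "10.0.0.5",
]


def split_target(target):
    """Return (scheme, host) for a URL, a bare domain or a bare IP address."""
    target = target.strip()
    # Without "//" urlsplit would treat a bare "example.com" as a path.
    parts = urlsplit(target if "://" in target else "//" + target)
    return parts.scheme, parts.hostname or ""


def preflight(target):
    """Map tool family -> why it would reject the target ({} = accepted)."""
    scheme, host = split_target(target)
    if not host:
        return {"all": "no host in target"}
    rejected = {}
    if scheme not in ("http", "https"):
        rejected["web_scanners"] = "prefix the target with http:// or https://"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A hostname: it is not resolved here, so a name that points at a
        # private address is not caught by this check.
        ip = None
    if ip is not None and ip.is_private:
        rejected["qualys_external"] = "private address, not reachable externally"
    return rejected


def report(targets=SAMPLE_TARGETS):
    """Run the check over a target list and return {target: rejections}."""
    return {t: preflight(t) for t in targets}
```
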

Connection Testing

Always test scanner connections after configuration:
  1. Save your configuration
  2. Click “Test Connection”
  3. Review error messages for authentication or network issues
  4. Verify firewall rules allow outbound connections
  5. Check scanner service status on remote servers

Error Messages

SVM provides detailed error messages for configuration issues:
  • Authentication failures: Check username/password
  • Connection timeouts: Verify server address and port
  • SSL/TLS errors: Ensure proper certificate handling
  • API errors: Verify API keys and permissions

Configuration error handling was significantly improved in version 2.0.3, providing more descriptive messages for troubleshooting.