How Acunetix 360 identifies out-of-date technologies

Using outdated technologies introduces serious risks and can allow attackers to exploit vulnerabilities to harm your system. Even if your application has no vulnerabilities, it will not be secure if it uses even a single vulnerable external library. Acunetix 360 can track and report on issues to help you secure your third-party components, such as JavaScript libraries and off-the-shelf web applications.

This document explains the vulnerability database in general and how Acunetix 360 identifies out-of-date components in your web application.

Vulnerability Database

Acunetix 360 is an advanced heuristic web application security scanner that also checks for known web application vulnerabilities. To report known vulnerabilities, the scanner rests on its vulnerability database (VDB). This database is an integration point for the Acunetix 360 security checks that serve as a data store of known technologies, their versions, and their vulnerabilities. Acunetix 360 automatically updates its vulnerability database and adds new vulnerabilities to your scan policy, so there is no need to manually update it.

How Acunetix 360 identifies out-of-date versions

There are three stages in detecting out-of-date version(s).

• First, Acunetix 360 tries to identify applications, such as JavaScript libraries and web servers in your system. It reports these issues as identified technologies.
• Then the scanner tries to identify the version of these applications. If successful, it reports this as a version disclosure issue.
• Acunetix 360 then queries its vulnerability database to check for a newer version of the technology. If there is a newer version, it reports the out-of-date version and any CVEs linked to the outdated application.

Acunetix 360 also has a couple of security checks that are integrated (or directly working with the vulnerability database) to identify out-of-date issues. To clarify the dynamics, here is more information about the vulnerability database integrated security checks:

Web App Fingerprint Check

Acunetix 360 first identifies web applications and their versions. Then it reports vulnerabilities in the web application(s) that the scanner identified.

If Acunetix 360 matches the web application with more than one version, it reports them, merges them into a list, and updates the report's confidence score regarding the matched version count.

The severity of the out-of-date vulnerabilities will be elevated to match the most severe CVE (Common Vulnerabilities and Exposures) reported for the identified version(s).

Javascript Libraries Check

Acunetix 360 extracts all of the JavaScript libraries while crawling the target. Then the scanner tries to determine their versions. To do this, Acunetix 360 searches for some predetermined signatures on the source of the JS library or calls specific functions of these JavaScript that may expose the version information of the library itself. Then, it reports vulnerabilities, if any, in these libraries.

For more information, refer to Which JavaScript Libraries Does the Acunetix 360 Scanner Detect?

Signatures Check

Acunetix 360 runs a couple of predetermined signatures against responses it received during the crawling stage. If this RegEx matches and Acunetix 360 identifies versions, this security check will communicate with the vulnerability database to report any known vulnerabilities.

If a newer version is found in the Acunetix 360 vulnerability database, it also reports an out-of-date issue. This security check mostly reports on application servers, programming languages, frameworks, etc.

VDB-Integrated Checks

In addition to the earlier security checks, proof-generating security checks also interact with the vulnerability database. For example, when SQL Injection checks extract a proof containing technology and its version, they communicate with the vulnerability database to report any known issues related to the extracted technologies.

SQL Injection Check

As a web application security scanning tool, Acunetix 360 does not have direct security check(s) to identify database servers in your system. Still, it reports these vulnerabilities in the following way:

1. SQL Injection security check identifies a vulnerability in your system
2. Proof-based scanning technology exploits this vulnerability in a read-only and safe manner.
3. Acunetix 360 extracts version information of the underlying database management system.
4. Acunetix 360 reports this information as confirmed.
5. Then Acunetix 360 queries the vulnerability database to determine other vulnerabilities related to this version.
6. Acunetix 360 also reports these related vulnerabilities if any.