How AcuSensor enriches vulnerability reports in Acunetix 360

Acunetix 360 helps to streamline remediation efforts by providing detailed information about issues even down the line of code and instructions on how to fix each issue.

Acunetix 360 is a dynamic application security testing tool (DAST). It probes the entire running application, so it can test the entire attack surface and find all the vulnerabilities that an attacker could. Even so, it still has no access to the source code, so it cannot truly pinpoint identified weaknesses.

When you install and use the AcuSensor, Acunetix 360 becomes an IAST solution (grey-box scanner) in addition to being a DAST scanner (black-box scanner).
The AcuSensor works together with the main vulnerability scanning engine to extend the DAST capabilities of the Acunetix 360 vulnerability scanning engine.
AcuSensor continuously provides additional information about vulnerabilities and the environment itself.

With AcuSensor, Acunetix 360 can pinpoint many vulnerabilities right down to the line number and provides additional details for security teams.

The following table shows how the combination (DAST+IAST) enriches the issue result:

Name	Severity	Extra Information
SQL Injection	Critical	Source file Line number The function that has been called with the payload Payload
Boolean Based SQL Injection	Critical	Source file Line number The function that has been called with the payload Payload
Blind SQL Injection	Critical	Source file Line number The function that has been called with the payload Payload
Command Injection	Critical	Source file Line number The function that has been called with the payload Payload
Blind Command Injection	Critical	Source file Line number The function that has been called with the payload Payload
Code Evaluation (PHP)	Critical	Source file Line number The function that has been called with the payload Payload
Code Evaluation (ASP)	Critical	Source file Line number The function that has been called with the payload Payload
Local File Inclusion	High	Source file Line number The function that has been called with the payload Payload
HTTP Header Injection	Medium	Source file Line number The function that has been called with the payload Payload

While AcuSensor extends the capabilities of the main vulnerability engine, it also runs its own attacks to identify other vulnerabilities.

Information

IAST attacks in Acunetix 360 are enabled by default. If you want to scan your application with a customized scan policy, make sure you included IAST attacks into the custom scan policy. So, AcuSensor can run its own attacks as well. If not included, AcuSensor falls back to enriching existing engines.

The following list shows the vulnerabilities AcuSensor can identify:

Name	Severity	Extra Information
SQL Injection (IAST)	Critical	New Vulnerability Template Source file Line number The function that has been called with the payload Payload
Command Injection (IAST)	Critical	New Vulnerability Template Source file Line number The function that has been called with the payload Payload
Code Evaluation PHP (IAST)	Critical	New Vulnerability Template Source file Line number The function that has been called with the payload Payload
Local File Inclusion (IAST)	High	New Vulnerability Template Source file Line number The function that has been called with the payload Payload
Arbitrary File Creation Detected	High	New Vulnerability Template Source file Line number The function that has been called with the payload Payload
Arbitrary File Deletion Detected	High	New Vulnerability Template Source file Line number The function that has been called with the payload Payload
HTTP Header Injection (IAST)	Medium	New Vulnerability Template Source file Line number The function that has been called with the payload Payload
PHP enable_dl Is Enabled	Medium	Acunetix 360 provides a brand new template specific for this vulnerability
PHP register_globals Is Enabled	Medium	Acunetix 360 provides a brand new template specific for this vulnerability
PHP session.use_trans_sid Is Enabled	Medium	Acunetix 360 provides a brand new template specific for this vulnerability
PHP allow_url_fopen Is Enabled	Low	Acunetix 360 provides a brand new template specific for this vulnerability
PHP allow_url_include Is Enabled	Low	Acunetix 360 provides a brand new template specific for this vulnerability
PHP display_errors Is Enabled	Low	Acunetix 360 provides a brand new template specific for this vulnerability
PHP open_basedir Is Not Configured	Low	Acunetix 360 provides a brand new template specific for this vulnerability
ASP.NET Tracing Is Enabled	High	Acunetix 360 provides a brand new template specific for this vulnerability
ASP.NET Cookieless Authentication Is Enabled	Medium	Acunetix 360 provides a brand new template specific for this vulnerability
ASP.NET Cookieless Session State Is Enabled	Medium	Acunetix 360 provides a brand new template specific for this vulnerability
ASP.NET Custom Errors Is Disabled	Medium	Acunetix 360 provides a brand new template specific for this vulnerability
ASP.NET Login Credentials Stored In Plain Text	Medium	Acunetix 360 provides a brand new template specific for this vulnerability
ASP.NET ValidateRequest Is Globally Disabled	Medium	Acunetix 360 provides a brand new template specific for this vulnerability
ASP.NET: Failure To Require SSL For Authentication Cookies	Medium	Acunetix 360 provides a brand new template specific for this vulnerability
ASP.NET ViewStateUserKey Is Not Set	Low	Acunetix 360 provides a brand new template specific for this vulnerability
ASP.NET Debugging Enabled	Information	Acunetix 360 provides a brand new template specific for this vulnerability
Hidden Files (IAST)		Acunetix 360 gets all hidden files within the application. From there, Acunetix 360 adds these files to the link pool so that Acunetix 360 can crawl and attack them.

« Back to the Acunetix Support Page