I have received an email notification about a vulnerability detected by AcuMonitor. What should I do?
Some vulnerabilities can only be detected by using an intermediary service. Acunetix uses AcuMonitor as the intermediary service, allowing the scanner to detect multiple types of out-of-band vulnerabilities such as Blind XSS, XML External Entity (XXE) and Server Side Request Forgery (SSRF).
Common in-band vulnerabilities such as SQL Injection and Cross-Site Scripting execute their embedded payloads immediately, so the scanner sees the effect in the response and gets instant feedback. Out-of-band vulnerabilities are different: the payload's effect never appears in the response, so the scanner cannot observe on its own that the payload was triggered. In addition, the payload of some of these vulnerabilities is only triggered after the scan has finished. Examples of such vulnerabilities are Blind XSS, Blind RCE and Email Header Injection.
AcuMonitor is an online service hosted by Acunetix. It is used to detect these out-of-band vulnerabilities, including the ones that are triggered after a scan has finished. During a scan, Acunetix Web Vulnerability Scanner tests for out-of-band vulnerabilities by injecting payloads into a web page or web form that contact AcuMonitor when they are executed. If a payload is executed at some point in the future, AcuMonitor sends an email to the registered email address (Configuration > Application Settings > AcuMonitor > Register) containing information about the request it received.
Below is an example of an email sent by AcuMonitor.
AcuMonitor tries to provide as much information as possible in the email, including a Request ID which you can use to retrieve the original request that the scanner sent during the scan. The original request sent by the scanner is stored on the machine running Acunetix. To get to this information, copy the Request ID (e.g. 32-81) into Acunetix > Configuration > Application Settings > Lookup Request.
Acunetix will load the request into the HTTP Sniffer, highlighting the payload. This allows you to better understand the vulnerability.
You can manually modify the request to see how the application reacts to variations of the original request, which also lets you confirm the vulnerability.
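The mechanism described above, in which the scanner stores each out-of-band test request under a Request ID and the intermediary service later reports a delayed callback carrying that ID, is modelled in the following added example. It is not Acunetix or AcuMonitor code: the callback host, the `/cb/<id>` marker format, the store API and the sample log lines are all assumptions constructed for illustration. The example shows the two halves of the workflow on this page: the monitor side parsing a received callback and extracting the Request ID, and the scanner side looking that ID up and highlighting the injected payload in the original request. It also handles the case of a callback whose ID the store does not know (a stale or unrelated hit), which a lookup should report rather than silently drop.

```python
"""Added example (not Acunetix/AcuMonitor code): correlate a delayed
out-of-band callback with the scan request that planted its marker.
Host names, the marker format and the log lines are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed marker shape embedded in test payloads; "32-81" is the sample
# Request ID quoted on the page.
REQUEST_ID_RE = re.compile(r"/cb/(?P<rid>\d+-\d+)\b")

# Combined log format, as an intermediary service might record a callback.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class StoredRequest:
    request_id: str
    raw_request: str   # the HTTP request the scanner sent during the scan
    payload: str       # the injected marker, kept so the view can highlight it


class RequestStore:
    """Scanner-side store: each out-of-band test request is kept under its Request ID."""

    def __init__(self) -> None:
        self._entries: Dict[str, StoredRequest] = {}

    def record(self, request_id: str, raw_request: str, payload: str) -> None:
        self._entries[request_id] = StoredRequest(request_id, raw_request, payload)

    def lookup(self, request_id: str) -> Optional[StoredRequest]:
        return self._entries.get(request_id)


def parse_callback(log_line: str) -> Optional[dict]:
    """Parse one callback the monitor received; None if it carries no Request ID."""
    m = LOG_RE.match(log_line)
    if not m:
        return None
    rid = REQUEST_ID_RE.search(m.group("path"))
    if not rid:
        return None
    return {
        "request_id": rid.group("rid"),
        "source": m.group("src"),
        "timestamp": m.group("ts"),
        "user_agent": m.group("ua"),
    }


def highlight_payload(entry: StoredRequest) -> str:
    """Mark the injected payload inside the original request, as a sniffer view would."""
    return entry.raw_request.replace(entry.payload, f"[[{entry.payload}]]", 1)


def correlate(store: RequestStore, log_line: str) -> Optional[dict]:
    """Join a delayed callback to the scan request that planted its marker."""
    cb = parse_callback(log_line)
    if cb is None:
        return None
    entry = store.lookup(cb["request_id"])
    if entry is None:
        # ID this scanner never issued: stale, another installation's, or noise.
        return {**cb, "original_request": None}
    return {**cb, "original_request": highlight_payload(entry)}


# Constructed sample data (placeholder hosts, not real services).
MARKER = "http://monitor.example.invalid/cb/32-81"
STORE = RequestStore()
STORE.record(
    "32-81",
    f"POST /contact HTTP/1.1\r\nHost: app.example.invalid\r\n\r\ncomment={MARKER}",
    MARKER,
)
SAMPLE_CALLBACK = (
    '198.51.100.23 - - [10/Oct/2000:13:55:36 +0000] "GET /cb/32-81 HTTP/1.1" '
    '200 0 "-" "curl/8.0"'
)
UNKNOWN_CALLBACK = (
    '198.51.100.23 - - [10/Oct/2000:13:56:00 +0000] "GET /cb/99-1 HTTP/1.1" '
    '200 0 "-" "curl/8.0"'
)

if __name__ == "__main__":
    print(correlate(STORE, SAMPLE_CALLBACK))
    print(correlate(STORE, UNKNOWN_CALLBACK))
```

The store is keyed by Request ID rather than by payload text so that a callback can be matched even when the triggering request arrives long after the scan, which is exactly why the page tells you to keep the Request ID from the email. A hit whose ID is not in the store is still returned, with `original_request` set to `None`, so that it can be reviewed rather than lost.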