Better scanning of Java / J2EE web applications

With the release of Acunetix WVS version 10, we’ve introduced a lot of improvements in how we test Java web applications. Java web applications are notoriously hard to scan automatically for many reasons, the most important one being session management. This type of application frequently invalidates user sessions, making crawling and scanning complicated and slow. The scanner detects that the session was invalidated and re-runs the login sequence to log in again, the application invalidates the session once more, and the cycle repeats. A scan caught in such a cycle can take a long time to complete, and various parts of the web application will not be properly audited.

In the new version we employ a number of heuristics to detect such Java web applications and crawl them more carefully, so that we avoid the request patterns that cause session invalidation. This, together with other crawler improvements, drastically improves scanning of Java web applications. Scanning time is reduced, since the scanner no longer needs to execute the login sequence multiple times, and scanning coverage increases.
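As an added illustration (not Acunetix code) of the re-login cycle described above and of the crawler-side fix of remembering which requests invalidate the session, here is a small offline model. The target app, the crawled paths and the "redirect to /login" invalidation signal are all constructed for the demo; a real scanner uses a configurable session-validity check instead.

```python
from dataclasses import dataclass, field

# Constructed demo paths: the crawler "discovers" /logout twice, as it would
# when two different pages link to it.
DEMO_PATHS = ["/home", "/account", "/logout", "/admin/users", "/logout", "/reports"]

class DemoApp:
    """Constructed target app: requesting any 'session-killing' path logs the user out."""
    def __init__(self, killer_paths):
        self.killer_paths = set(killer_paths)
        self.logged_in = False

    def login(self):
        self.logged_in = True

    def get(self, path):
        if self.logged_in and path in self.killer_paths:
            self.logged_in = False           # e.g. a logout link or a token-mismatch handler
        if not self.logged_in:
            return 302, "/login"             # bounce to the login page: our invalidation signal
        return 200, f"<html>{path}</html>"

@dataclass
class CrawlStats:
    logins: int = 0
    aborted: bool = False
    visited: list = field(default_factory=list)
    skipped: list = field(default_factory=list)
    killers: set = field(default_factory=set)

def crawl(app, paths, learn_killers=True, max_logins=10):
    """Crawl `paths` in order, re-running the login whenever the app bounces us to /login.
    learn_killers=False retries the request that caused the bounce (the re-login cycle);
    learn_killers=True records that request as a session killer and never sends it again."""
    stats = CrawlStats()
    app.login(); stats.logins += 1
    queue = list(paths)
    while queue:
        path = queue.pop(0)
        if learn_killers and path in stats.killers:
            stats.skipped.append(path)       # known session killer: do not repeat it
            continue
        status, body = app.get(path)
        if status == 302 and body == "/login":
            stats.killers.add(path)          # this request cost us the session
            if stats.logins >= max_logins:   # login budget exhausted: give up, coverage is lost
                stats.aborted = True
                break
            app.login(); stats.logins += 1
            if not learn_killers:
                queue.insert(0, path)        # naive retry: the app will log us out again
            continue
        stats.visited.append(path)
    return stats
```

Running `crawl(DemoApp(["/logout"]), DEMO_PATHS, learn_killers=False)` burns the whole login budget and never reaches `/admin/users` or `/reports`, while the learning crawler logs in only twice and visits every other page.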

In most cases Java web applications are detected automatically. However, if your web application is not detected automatically, you can manually optimize the scan for Java web applications by ticking the Java/J2EE checkbox in the “Optimize for following technologies” group in the Target section of the Scan Wizard.

Optimize scan for Java/J2EE web applications

Aside from the generic crawling improvements for Java web applications, we’ve also improved the scanning of Java applications built on the most popular Java frameworks. The new version tries to automatically detect which framework an application uses and then crawls and scans it accordingly.

We currently have support for the following Java frameworks:

  • Spring
  • Struts
  • JavaServer Faces (JSF)
  • GWT

When a particular Java framework is detected, the scanner performs a number of tests specific to that framework. The new version contains a large number of new Java-related (or framework-specific) security tests.

For example, in the case below, Acunetix WVS version 10 scanned a Spring-based web application, ran the tests specific to this Java framework and issued an alert for a “Directory traversal in Spring framework” vulnerability.

“Directory traversal in Spring framework” vulnerability