Holistic and accurate vulnerability detection lies in the ability to detect anything from the most obvious to the most obscure SQL Injection, XSS and over 500 other types of web application vulnerabilities. Acunetix is the industry leader in detecting the largest variety of SQL Injection and XSS vulnerabilities, including Out-of-band SQL Injection and DOM-based XSS.
Acunetix achieves top scores in SQLi, XSS and hidden file detection benchmarks.
Source – SecTools Addict Benchmark
In-depth SQL Injection and Cross-site Scripting (XSS) Vulnerability Testing
Acunetix rigorously tests for hundreds of web application vulnerabilities, including SQL Injection and Cross-site Scripting. SQL Injection is one of the oldest and most prevalent software bugs; it allows attackers to modify SQL queries in order to gain access to data in the database. Cross-site Scripting attacks allow attackers to execute malicious scripts inside your visitors’ browsers, possibly leading to impersonation of those users.
When it comes to Dynamic Application Security Testing (DAST), the number of tests a scanner can run is important, but it is secondary to how well the scanner can crawl an application: if you can’t crawl it, you can’t scan it! Acunetix DeepScan Technology has the ability to crawl complex client-side Single Page Applications (SPAs), guaranteeing the highest vulnerability detection rate even for client-side vulnerabilities such as DOM-based XSS.
Advanced Automated DOM-based XSS Vulnerability Testing
DOM-based XSS is an advanced type of XSS attack that becomes possible when the web application’s client-side scripts write user-provided data to the Document Object Model (DOM). The data is subsequently read from the DOM by the web application and written to the page. If the data is incorrectly handled, an attacker can inject a payload that is stored as part of the DOM and executed when the data is read back from the DOM.
DOM-based XSS is often a purely client-side attack, and the attacker’s payload is never sent to the server. This makes it even more difficult to detect. Acunetix can scan for a wide range of advanced DOM-based XSS vulnerabilities and also provides a stack trace of the injected payload as it moves through the browser’s DOM.
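The source-to-sink flow described above, as an added example that is not Acunetix code: a URL fragment (the source, never sent to the server) is written to an HTML sink, first through the vulnerable innerHTML path and then through the hardened textContent path. A minimal stand-in element is assumed so the example runs in Node.js without a browser; it models how a browser serialises text nodes with HTML entities.

```javascript
// Escape the characters a browser escapes when serialising a text node.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Stand-in for a DOM element (assumption: real code uses document.getElementById).
// innerHTML stores markup as-is; textContent stores text, so reading the
// markup back yields escaped entities, as in a real browser.
class FakeElement {
  constructor() { this.html = ""; }
  set innerHTML(v) { this.html = String(v); }
  get innerHTML() { return this.html; }
  set textContent(v) { this.html = escapeHtml(String(v)); }
}

// Source: parse "name" out of a fragment such as "#name=alice".
function nameFromFragment(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ""));
  return params.get("name") || "";
}

// Vulnerable sink: user-controlled text is parsed as markup.
function renderGreetingUnsafe(el, hash) {
  el.innerHTML = "Hello, " + nameFromFragment(hash);
  return el.innerHTML;
}

// Hardened sink: the same text is inserted as text, never parsed as markup.
function renderGreetingSafe(el, hash) {
  el.textContent = "Hello, " + nameFromFragment(hash);
  return el.innerHTML;
}

// Does the serialised page still contain an element tag from the input?
function containsTag(html, tagName) {
  return new RegExp("<" + tagName + "\\b", "i").test(html);
}

// Constructed sample input: a fragment carrying markup instead of a name.
const SAMPLE_FRAGMENT = "#name=<img src=x onerror=alert(1)>";

function demo() {
  const unsafe = renderGreetingUnsafe(new FakeElement(), SAMPLE_FRAGMENT);
  const safe = renderGreetingSafe(new FakeElement(), SAMPLE_FRAGMENT);
  return { unsafe, safe, unsafeHasImg: containsTag(unsafe, "img"), safeHasImg: containsTag(safe, "img") };
}
```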
Detection of Blind XSS, XXE, SSRF, Host Header Attacks and Email Header Injection
Traditional methods of detecting vulnerabilities fall short when attempting to detect second-order vulnerabilities, i.e. vulnerabilities that do not produce a response observable by the scanner during testing. Detection of second-order vulnerabilities requires an intermediary service; Acunetix, combined with its built-in AcuMonitor Technology, makes automatic detection of such vulnerabilities possible and transparent to the user running the scan.
AcuMonitor allows the detection of vulnerabilities such as Blind XSS, XML External Entity Injection (XXE), Server Side Request Forgery (SSRF), Host Header Attacks, Email Header Injection and Password Reset Poisoning.