AcuMonitor: For detecting Email Header Injection, Blind XSS and SSRF

This article explains how our new and state-of-the-art AcuMonitor service is used to detect specific types of vulnerabilities, and which web application vulnerabilities are detected. Email Header Injection will be used to illustrate how AcuMonitor is used in practice.

Traditional crawling and scanning techniques implemented by automated web vulnerability scanners on the market today are inapt at detecting vulnerabilities such as Blind XSS, Server Side Request Forgery and Email Header Injection, since these web vulnerabilities can only be detected or verified using an intermediate server.

Acunetix Web Vulnerability Scanner V9 makes the detection of these vulnerabilities possible through the new AcuMonitor service, which is made exclusively available to V9 users.

Detecting Email Header Injection Vulnerabilities

Many web applications implement a feedback submission web form. The web form accepts the user's email address, and a message. The web form creates an email, sets the FROM email address to the email address provided by the user, and the message is inserted in the email's body. The email's recipient is hard coded, so that all emails created from the web form are sent to the same email address within the organization.

Email Header Injection is a common vulnerability for these types of web forms, whereby an attacker finds a way to inject additional email headers into the email through the web form. This is most often used by spammers, who inject additional recipients into the message header, thus making use of the organisation's web form (and mail system) to send spam emails.

When Acunetix WVS v9 scans such a web form, it instructs the web application to send an email to a unique email address hosted and monitored by AcuMonitor. Each Email Header Injection request sent by Acunetix WVS during the scan is uniquely identified and stored in a database on the machine where Acunetix WVS is installed.

Web applications that are vulnerable to Email Header Injection will send an email to AcuMonitor. AcuMonitor will use the details in the message to identify the registered owner of the Acunetix WVS installation. AcuMonitor will then automatically send a notification email to the registered owner with information retrieved from the email. The email notification will include the unique ID of the request that triggered the Email Header Injection. This ID can be used to identify the vulnerable web page and web form.

It would not be possible to automatically detect an Email Header Injection vulnerability without the use of the AcuMonitor service acting as the intermediate server. The AcuMonitor service is also used to detect other types of vulnerabilities such as Server Side Request Forgery (SSRF), XML External Entity and Blind XSS.

The following diagram illustrates the steps needed to detect these types of vulnerabilities using Acunetix Web Vulnerability Scanner and the AcuMonitor service.

An illustration of how Acunetix Web Vulnerability Scanner and AcuMonitor work together to detect specific types of vulnerabilities which are otherwise not detected using an automated scanner.

Detecting Vulnerabilities using the AcuMonitor Service. (Click to enlarge)

 

  1. The user initiates a scan. The user has already registered with the AcuMonitor service from Acunetix WVS > Application Settings > Acunetix VVS.
  2. Acunetix WVS starts scanning the web application. Using various vulnerabilities, Acunetix WVS instructs the web application to make requests to the AcuMonitor Service.
  3. Each request is stored in a database on the machine running Acunetix WVS, and given a unique ID.
  4. When a vulnerable web page or web form is found, the web application will make the request to the AcuMonitor service. Depending on the vulnerability, this can occur either during the Acunetix WVS scan, or after some time.
  5. AcuMonitor will process the request, identify the Registered User for the Acunetix installation that initiated the scan, and send a notification email to the registered email address.
  6. The user will use the unique ID or the attachment in the email notification to get more information on the request that triggered the vulnerability. This will allow the user to identify the vulnerable web page / web form.

Vulnerabilities Identified with the Help Of AcuMonitor

  • Blind XSSVarious XSS script payloads are injected in the web application. The vulnerable web application will store the unsanitised script in a backend store (e.g. database or log file). When the unsanitised script is loaded, generally from a different web application, the script makes a web request to AcuMonitor, which sends a notification email to the admin. It generally takes a while for this to happen.
  • Email Header InjectionAn email is sent from the vulnerable web application to AcuMonitor.
  • Server Side Request Forgery (SSRF)A URL is injected into the web application. The vulnerable web application will make a request to this URL which is hosted at AcuMonitor. Acunetix WVS verifies with AcuMonitor if the request was made by the web application.
  • XML External EntityAn XML containing an XXE entity pointing to the AcuMonitor domain is injected into the application. The vulnerable application will make a request to AcuMonitor. Acunetix WVS verifies with AcuMonitor if such request was made by the web application.
  • Host Header Based Attacks. A malicious Host header pointing to the AcuMonitor domain is injected into the web application. If a request is later made to the AcuMonitor domain a notification email will be sent to the user.

AcuMonitor FAQs

Q. Why do I need to register to the AcuMonitor service?
A. When a vulnerability is detected by the AcuMonitor service, AcuMonitor will send a notification email to the user registered with AcuMonitor with the details of the vulnerability. Registration is required to link the scans done by an installation of Acunetix WVS to the user performing the scans.

Q. How do I register to the AcuMonitor service?
A. On first launch, Acunetix WVS v9 asks you to register to the AcuMonitor service. Alternatively you can register from Acunetix WVS > Configuration > Application Settings > AcuMonitor > Register

Q. What is the 'Saved scans folder' used for?
A. The 'Saved scans folder' is used to store the unique web requests that are made to the scanned web applications which might trigger vulnerabilities that make use of AcuMonitor. This information is used to identify the vulnerable web page / web form, and is never sent to the AcuMonitor. You can configure the location of the Saved scan folder from Acunetix WVS > Configuration > Application Settings > AcuMonitor.

Q. I have received an email notification about a vulnerability detected by AcuMonitor. What should I do?
A. The email notification sent to you by AcuMonitor contains information about the type of vulnerability that has been detected. Either download and open the Report file, or open the attachment in order to load the web request which triggered the vulnerability. Alternatively, you can copy the Request ID from the email, and lookup the web request manually from Acunetix WVS > Configuration > Application Settings > AcuMonitor > Lookup Request.

Q. Should I be concerned that information about the vulnerabilities on my website is hosted on AcuMonitor?
A. There is no need to be worried.

  • The AcuMonitor service is hosted in a very secure environment
  • The web request which was originally used to trigger the vulnerability is not stored at AcuMonitor. These are stored in the 'Saved scans folder, on the machine running Acunetix WVS.
  • Any requests performed from your web application to AcuMonitor will only be stored for a limited amount of time (maximum 7 days).