DVWA is an intentionally vulnerable web application that you can install on your server to test vulnerability scanners or to practice penetration testing. You may want to use DVWA to test the capabilities of the Acunetix vulnerability scanner and compare it to similar tools. This…
Author Archives: Bernhard Abele
Session Token in URL Vulnerability
The HTTP protocol and web servers are stateless by nature. This means that there is no way for them to track user activity. The web server treats every request as a new one. For this reason, browsers and web servers need to use session tokens…
Authenticated Scans on Applications That Make Use of One-time Tokens or CAPTCHAs
One-Time Tokens add another layer of security, supplementing the username and password with a code that only the individual user has access to (for example by SMS or via a security key). A CAPTCHA has a different purpose, as it provides a test used to…
Scanning applications that make use of Single Sign-On (SSO)
Single Sign-On (SSO) is a service which allows users to have one set of login credentials to access multiple web applications. SSO allows a user to log in once and gain access to various applications, without the need to re-enter login credentials at each application…
Session Detection: What to do if the LSR fails to identify a session pattern
Session Detection is the final step in the configuration of the Login Sequence Recorder (LSR). A valid Session Pattern is vital for a successful scan, because it lets the scanner identify whether it is authenticated or not. During a scan, the session…