What is a Host Header Attack?

It is common practice for the same web server to host several websites or web applications on the same IP address. This why the host header exists. The host header specifies which website or web application should process an incoming HTTP request. The web server uses the value of this header to dispatch the request […]

Read More →

New Joomla! SQL Injection vulnerability gives attackers full control of your website

A high-severity SQL injection vulnerability has been identified in versions 3.2 through to 3.4.4 of Joomla!. The popular Content Management System (CMS), second only to WordPress with a staggering 6.6% CMS marketshare (as of October 23, 2015, based on a W3Techs’ trend reports runs on an estimated 2.8 million sites (according to a survey carried out by […]

Read More →

Blind Out-of-band Remote Code Execution vulnerability testing added to AcuMonitor

Similar to Blind Out-of-band SQL Injection vulnerabilities, AcuMonitor can now detect Blind Out-of-band Remote Code Execution vulnerabilities. Let’s consider a vulnerable PHP application that contains the following code $cmd = isset($_GET[‘1’]) ? $_GET[‘1’] : ”; if ($cmd) { exec(‘ping -c 1 ‘ . $cmd); } This application executes a shell command that is composed from […]

Read More →

Blind Out-of-band SQL Injection vulnerability testing added to AcuMonitor

Acunetix AcuMonitor is a free intermediary service that helps detect second-order vulnerabilities (i.e. vulnerabilities that do not provide a response to a scanner during testing) during a scan. AcuMonitor made its debut with Acunetix WVS version 9. Since then, we’ve continuously improved the service and the number of vulnerabilities it can detect. With the latest […]

Read More →

XML external entity injection via REST APIs

The new version of Acunetix Web Vulnerability scanner comes with improved support for scanning REST APIs. When Acunetix WVS finds an REST API definition (via a WADL file or from Acunetix DeepScan) it also scans this API resource for XML external entity injection vulnerabilities. If it receives a REST API resource from Acunetix DeepScan and […]

Read More →

Improved support for Ruby on Rails web applications

Aside from better scanning of Java/J2EE web applications, Acunetix WVS version 10 comes with improved support for web applications built using the popular framework Ruby on Rails. A lot of new Rails specific tests were added in the new version. For example, many Rails developers use Rails scaffolding. Rails scaffolding is a quick way to […]

Read More →

Better scanning of Java / J2EE web applications

With the release of Acunetix WVS version 10, we’ve introduced a lot of improvements on how we test Java web applications. Java web applications are notoriously hard to scan automatically for many reasons, the most important one being session management. This type of application will frequently invalidate user sessions, making the process of crawling and […]

Read More →

BASH Vulnerability leaves IT Experts Shell Shocked!

Yesterday, a critical vulnerability was reported in GNU Bash.  Bash is the Bourne Again Shell that is installed on all Linux distributions.   The vulnerability is related to the way environment variables are parsed before running the BASH shell. It is possible to create environment variables that include function definitions. BASH processes the trailing strings after these function […]

Read More →