What is the proof of exploit in the Acunetix vulnerability alert?

Acunetix uses various techniques to detect vulnerabilities in a web application while minimizing false positives. There are situations where the existence of vulnerability needs to be supported with additional evidence. This is a common request from developers when a vulnerability is reported and they need to prioritize the work required to fix the vulnerability.

Acunetix can automatically exploit the detected vulnerability and retrieve information that proves its existence. The proof of exploit indicates that Acunetix is 100% confident that the vulnerability exists. The proof of exploit confirms the severity of the vulnerability by providing information that is considered confidential and should not be accessible.

Acunetix can generate proof of exploit for the following vulnerabilities:

  • XML External Entity (XXE)
  • Directory traversal
  • File inclusion
  • Command injection
  • Blind command injection
  • Remote code evaluation – this includes:
    • PHP code injection
    • Perl code injection
    • Python code injection
    • Ruby on Rails code injection
  • Server-side template injection

In the following example, Acunetix used a directory traversal vulnerability to retrieve the content of a system file.

Acunetix v13 proof of exploit