Interactive Application Security Testing (IAST) with AcuSensor

Interactive Application Security Testing (IAST), also referred to as gray-box testing, is a testing methodology that combines techniques from black-box security testing and white-box security testing.

The combination of dynamic and static vulnerability assessment techniques brings improved coverage and quality to vulnerability test results. IAST typically works by embedding instrumentation code within a running application, which allows a dynamic scanner to inspect the application whilst it is being scanned.

The Interactive Application Security Testing (IAST) scan complements a regular dynamic (DAST) scan with additional tests, coverage and context based on how the application reacts during a scan. This information is made available to the scanner by an agent that is installed and enabled on the server side while a scan is in progress.

Acunetix AcuSensor™ is an IAST offering by Acunetix for PHP, ASP.NET and Java web applications. AcuSensor™ is included by default with Acunetix and works by installing a lightweight sensor on the server where the application is running.

The following are a number of key benefits to using AcuSensor™ within automated security scans.

False positive reduction and verification

Since AcuSensor™ has back-end application visibility whilst a scan is running, it provides Acunetix with additional information and context throughout the scan. This makes an AcuSensor™ scan even more accurate, and further reduces an already low false positive and false negative rate.

Aside from being able to detect a wider range of SQL injection vulnerabilities (including in SQL INSERT statements), AcuSensor™ can verify the existence of the following high-severity vulnerabilities with 100% accuracy by running additional tests and observing the application’s behaviour on the back-end.

Line-of-code visibility

AcuSensor™ can identify vulnerabilities down to specific lines of code (for PHP applications), or provide detailed stack traces (for ASP.NET and Java applications). Furthermore, AcuSensor™ also provides a preview of SQL queries as they would have been run by the database for SQL injection vulnerabilities it discovers.

This means that identified vulnerabilities are much faster to remediate, since security and development teams are pointed to the source of the problem immediately instead of wasting time tracking down a vulnerability source.
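
The following Python sketch is an added illustration, not Acunetix code and not a description of how AcuSensor™ is implemented. It shows the general IAST idea behind the points above: a server-side hook sees a scanner marker land inside the text of an INSERT statement and reports the query preview and the calling function, even though the HTTP response is identical in both cases. The `Sensor` class, the marker value and the `save_comment_*` functions are hypothetical names.

```python
import sqlite3
import traceback

MARKER = "IAST_PROBE_7f3a"  # constructed value the scanner sends as input


class Sensor:
    """Hypothetical back-end sensor wrapping the database execute() call."""

    def __init__(self, conn):
        self.conn = conn
        self.findings = []

    def execute(self, sql, params=()):
        # A marker inside the SQL text (not in the bound parameters) means
        # user input was concatenated into the statement.
        if MARKER in sql:
            caller = traceback.extract_stack(limit=2)[0]  # frame that called us
            self.findings.append(
                {"query": sql, "function": caller.name, "line": caller.lineno}
            )
        return self.conn.execute(sql, params)


def save_comment_vulnerable(db, text):
    # Input is concatenated into the INSERT; nothing is reflected to the client.
    db.execute("INSERT INTO comments(body) VALUES ('" + text + "')")
    return "Thanks!"


def save_comment_safe(db, text):
    # Input travels as a bound parameter and never becomes SQL text.
    db.execute("INSERT INTO comments(body) VALUES (?)", (text,))
    return "Thanks!"


def scan():
    """Send the marker to both handlers; return HTTP-visible and sensor views."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments(body TEXT)")
    sensor = Sensor(conn)
    responses = [save_comment_vulnerable(sensor, MARKER),
                 save_comment_safe(sensor, MARKER)]
    return responses, sensor.findings


if __name__ == "__main__":
    responses, findings = scan()
    print(responses)   # what a black-box scanner can observe
    print(findings)    # what the back-end sensor adds
```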

Backend crawling

Crawling is one of the most essential phases in any dynamic scan, since it is the process by which a scanner discovers what it should test. While the Acunetix DeepScan crawler already does a lot to discover hard-to-find pages heuristically, there could still be a chance that some complexly-named files and directories are not picked up.

Since AcuSensor™ has access to the back-end of the application, it can request a directory listing and supply it back to the scanner for further analysis. AcuSensor™ goes even further by discovering hidden GET and POST inputs and presenting them to Acunetix for testing, making crawling much more thorough and ensuring full coverage.

No modification to existing applications

Since AcuSensor™ is designed to work on running applications, it does not need to be compiled in, and can even work with signed code (signed JAR files in Java, and strong-named assemblies in ASP.NET applications). This is a major advantage over IAST offerings that require you to compile sensors within your code, often requiring you to change your build process or add additional software dependencies to your project.


Interactive Application Security Testing (IAST) brings the advantages of both black-box and white-box security testing together to deliver the best each testing methodology has to offer. With AcuSensor™ being built in to Acunetix and supporting PHP, ASP.NET and Java, it’s easier than ever to take your automated application security programme to the next level and get started with IAST.