File inclusion vulnerabilities are a major cause for concern in web applications because successful exploitation may lead to Remote Code Execution (RCE). Once an attacker can execute arbitrary code on an application, it is much easier to escalate the attack and do more damage, for example by "pivoting" to other hosts on the internal network to steal sensitive data.
File inclusion vulnerabilities are usually not difficult to fix, but finding them in large codebases can be challenging without the right tools. Acunetix is a web application vulnerability scanner, and file inclusion is one of the many vulnerability classes it tests for.
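As an added illustration (not code from the original page or from Acunetix), the PHP snippet below shows the classic local file inclusion pattern next to a hardened version that only includes templates from a fixed allowlist inside a known directory; the directory and page names are hypothetical.

```php
<?php
// Added example, not Acunetix code. Directory and page names are hypothetical.

// VULNERABLE: the include path is built straight from request input, so any
// file the web server process can read (or, with allow_url_include enabled,
// a remote resource) may end up being included and executed.
function render_page_unsafe(string $page): void
{
    include 'pages/' . $page . '.php';
}

// HARDENED: request input is only ever used as a key into a fixed allowlist,
// and the resolved path is verified to stay inside the templates directory.
const PAGE_TEMPLATES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_template(string $page, string $baseDir): ?string
{
    if (!array_key_exists($page, PAGE_TEMPLATES)) {
        return null;                              // unknown page name: refuse
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . PAGE_TEMPLATES[$page]);
    if ($base === false || $path === false) {
        return null;                              // directory or template missing
    }
    // Defence in depth: even a mistaken allowlist entry cannot escape $baseDir.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

function render_page(string $page, string $baseDir = __DIR__ . '/pages'): void
{
    $template = resolve_template($page, $baseDir);
    if ($template === null) {
        http_response_code(404);
        echo 'Page not found';
        return;
    }
    include $template;
}

// Request input never reaches include() directly.
render_page($_GET['page'] ?? 'home');
```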
Beyond low hanging fruit
Runtime source code analysis
In addition to being a fully automated black box (no knowledge of backend code) file inclusion vulnerability scanner, Acunetix also provides AcuSensor as part of its standard offering. AcuSensor is an optional sensor for Java, ASP.NET and PHP applications that can easily be deployed on the application's backend to analyze source code while the scanner is exercising it.
This type of testing is known as gray box testing, since it combines the strengths of black box and white box testing. When testing for file inclusion vulnerabilities, Acunetix AcuSensor increases the accuracy of a scan because it has access to the code on the backend. With AcuSensor, Acunetix's file inclusion vulnerability scanner can also test pages that would not otherwise be discovered via crawling, thanks to AcuSensor's backend crawl technology.
When scanning large applications for file inclusion vulnerabilities, it may be desirable to divide the scan into smaller segments, or scopes. A typical example is when different development teams work on different parts of a large web application with different release cycles, and therefore different scanning schedule requirements.
Acunetix makes customizing the scope of a file inclusion vulnerability scan easy and painless. There are several ways to restrict the scope of a scan: you may manually exclude pages you don't want to scan, or, for more advanced users, Acunetix also supports excluding pages based on regular expressions. So don't sit idle on file inclusion vulnerabilities. Get the most out of your web security efforts with Acunetix.
We use Acunetix as part of our Security in the SDLC and to test code in DEV and SIT before being promoted to Production.