Java-related web application security vulnerabilities such as Cross-site Scripting (XSS), SQL injection and other common security issues are found in many open source and custom-built Java web applications. However, Java web applications built on frameworks such as Spring, Struts, JavaServer Faces (JSF) and Google Web Toolkit (GWT) are notoriously hard for automated web application security scanners to scan.
Usually, this is because many web scanners have a hard time dealing with the session management used by many Java web applications. The scanner repeatedly invalidates its own session and is therefore repeatedly logged out while trying to scan even a moderately complex Java application.
Unlike many other web application scanners, Acunetix’s Java vulnerability scanner employs a number of heuristics to detect Java web applications. As a result, it can optimize the scan on the fly for Java applications’ session management. This results in a faster scan time as well as better coverage.
Runtime source code analysis
In addition to being a fully automated black box (no knowledge of backend code) web application vulnerability scanner, Acunetix also provides AcuSensor as part of its standard offering. AcuSensor is an optional sensor for Java (also available for ASP.NET and PHP) applications that can easily be deployed on the application's backend to analyze the source code while the scanner is exercising it.
This type of testing is known as gray box testing, since it combines the best of both black box testing and white box testing. When testing for Java web application vulnerabilities, Acunetix AcuSensor reduces false positives even further and increases coverage thanks to AcuSensor's backend crawl technology.
When scanning large applications for Java-related vulnerabilities, it may be desirable to divide the scanning of the application up into smaller segments, or scopes. A typical example of this would be when different development teams would be working on different parts of a large web application with different release cycles, and therefore, different scanning schedule requirements.
Acunetix makes customizing the scope of a Java web application vulnerability scan painless. There are several ways to restrict the scope of a scan: you may manually exclude pages you don't want to scan, or, for more advanced users, Acunetix also supports excluding pages based on regular expressions.
Beyond the vulnerability scanning
Another area where Acunetix goes beyond many other vulnerability scanners is reporting. Acunetix can instantly generate a wide variety of technical, regulatory and compliance reports such as OWASP Top 10, PCI DSS, HIPAA and many others. Additionally, Acunetix allows users to export discovered vulnerabilities to issue trackers such as Atlassian JIRA, GitHub and Microsoft Team Foundation Server (TFS).
With built-in Jenkins integration, Acunetix can also easily integrate into existing code security and SDLC workflows such as CI/CD pipelines.
We use Acunetix as part of our Security in the SDLC and to test code in DEV and SIT before being promoted to Production.