  • Blind server-side XML/SOAP injection
  • Blind XSS (delayed XSS)
  • Host header attack
  • Out-of-band remote code execution (OOB RCE)
  • Out-of-band SQL Injection (OOB SQLi)
  • Email header injection
  • Server-side request forgery (SSRF)
  • XML External Entity injection (XXE)
  • AcuMonitor is a publicly accessible service. It listens for two kinds of connections: callbacks from the web application under test after it processes an Acunetix vulnerability payload, and polling connections from your Acunetix scanner (online or on-premises).
  • When Acunetix tests for an out-of-band vulnerability, the payload it injects is designed to make the target send a specific request to the AcuMonitor service. That request may arrive immediately or with a delay, and it may originate from a different part of the application than the one that received the payload, or even from a completely different web application (a stored payload, for instance, may only fire when a back-office application renders it later).
  • Your Acunetix scanner regularly polls AcuMonitor to check whether a payload has reached the service. If it has, the scanner retrieves the details of the callback from AcuMonitor, which confirms the out-of-band vulnerability: a connection carrying the test's unique identifier proves that the target processed the payload and contacted an external host, so the finding is direct evidence rather than an inference from the target's response.
  • AcuMonitor payloads use TLS whenever possible (some out-of-band channels, such as a bare DNS lookup, cannot be encrypted), so connections to AcuMonitor are encrypted wherever the channel allows it.
  • AcuMonitor receives and stores only what is needed to match a callback to a scan, not enough to identify the vulnerable application or the request that triggered it. The scanner never sends the original request to AcuMonitor. To tell tests apart, AcuMonitor relies on two values carried by each payload: your unique AcuMonitor ID, obtained during registration, and a random unique identifier that Acunetix generates for each test; only the scanner knows which test a given identifier belongs to.
  • Requests that reach AcuMonitor are kept for a limited time (at most 7 days) and then securely deleted, so the scanner must poll for a callback within that window.
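The whole exchange described in the bullets above, as an added example in Python that is not Acunetix's or AcuMonitor's code: an in-process listener that accepts callbacks only for hostnames of the form `<token>.<monitor-id>.<domain>` and remembers nothing but the token and a timestamp, a scanner that mints a random token per test, embeds it in SSRF, XXE and blind-XSS payloads and polls for hits, and a stand-in target that dereferences any URL it finds in its input. All names (`OOBMonitor`, `Scanner`, the `oob.example.invalid` domain, the monitor ID `a1b2c3`, the clock values) are assumptions, and nothing touches the network.

```python
import re
import secrets
from dataclasses import dataclass

RETENTION_SECONDS = 7 * 24 * 3600   # the page: callbacks are kept at most 7 days


@dataclass
class Callback:
    """What the listener records: the token it saw and when. No request body,
    no target URL, nothing that identifies the vulnerable application."""
    token: str
    received_at: float


class OOBMonitor:
    """Publicly reachable listener (hypothetical stand-in for AcuMonitor).
    A callback is accepted only if its Host is <token>.<monitor_id>.<domain>."""

    def __init__(self, monitor_id: str, domain: str = "oob.example.invalid"):
        self.suffix = f"{monitor_id}.{domain}".lower().split(".")
        self._hits: list[Callback] = []

    def receive(self, host: str, now: float) -> bool:
        """Entry point for the target's connection (the first kind on the page)."""
        labels = host.lower().split(".")
        if len(labels) != len(self.suffix) + 1 or labels[1:] != self.suffix:
            return False            # stray traffic, or another customer's monitor ID
        self._hits.append(Callback(labels[0], now))
        return True

    def poll(self, token: str, now: float) -> list[Callback]:
        """Entry point for the scanner's connection (the second kind): expire
        old hits, then return the ones matching this token."""
        self._hits = [h for h in self._hits if now - h.received_at < RETENTION_SECONDS]
        return [h for h in self._hits if h.token == token]


class Scanner:
    """Scanner side: mints a fresh random token per test, embeds it in the
    payload, and is the only party that can map a token back to a test."""

    def __init__(self, monitor: OOBMonitor):
        self.monitor = monitor
        self.pending: dict[str, str] = {}   # token -> test name, never sent to the monitor

    def callback_host(self, test: str) -> str:
        token = secrets.token_hex(8)        # 128 bits: unguessable and unique per test
        self.pending[token] = test
        return f"{token}.{'.'.join(self.monitor.suffix)}"

    def payloads(self) -> dict[str, str]:
        """One payload per test class from the list above, each with its own token."""
        ssrf_host = self.callback_host("ssrf")
        xxe_host = self.callback_host("xxe")
        bxss_host = self.callback_host("blind_xss")
        return {
            "ssrf": f"http://{ssrf_host}/",
            "xxe": ('<?xml version="1.0"?><!DOCTYPE x [<!ENTITY e SYSTEM '
                    f'"http://{xxe_host}/x">]><x>&e;</x>'),
            "blind_xss": f'<script src="https://{bxss_host}/p.js"></script>',
        }

    def confirmed(self, now: float) -> dict[str, bool]:
        """Poll once and report which pending tests have a matching callback."""
        return {test: bool(self.monitor.poll(tok, now)) for tok, test in self.pending.items()}


URL_HOST = re.compile(r"""https?://([^/"'<>\s]+)""")


def vulnerable_app_processes(monitor: OOBMonitor, payload: str, now: float) -> int:
    """Constructed stand-in for a target that dereferences every URL in the input
    it receives, which is exactly what SSRF, XXE and blind-XSS payloads rely on.
    Returns how many callbacks the monitor accepted."""
    return sum(monitor.receive(host, now) for host in URL_HOST.findall(payload))


def run_demo():
    t0 = 1_700_000_000.0                                    # constructed clock
    mon = OOBMonitor(monitor_id="a1b2c3")
    sc = Scanner(mon)
    p = sc.payloads()
    vulnerable_app_processes(mon, p["ssrf"], t0)            # fires during the scan
    vulnerable_app_processes(mon, p["xxe"], t0 + 1)
    first = sc.confirmed(t0 + 5)                            # blind XSS not rendered yet
    vulnerable_app_processes(mon, p["blind_xss"], t0 + 3600)  # someone opens the page later
    second = sc.confirmed(t0 + 3601)                        # delayed callback now visible
    third = sc.confirmed(t0 + RETENTION_SECONDS + 3601)     # all hits past retention
    return first, second, third


if __name__ == "__main__":
    print(run_demo())
```

The first poll confirms SSRF and XXE but not blind XSS; the second, an hour later, confirms all three; the third, after the retention window, finds nothing, which is the practical reason the scanner keeps polling while a scan is open rather than checking once. The monitor's `receive` drops hostnames that lack the monitor ID, so traffic meant for another customer's ID, or random probing of the listener, is never mistaken for a hit.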