AcuMonitor Service – Out-of-Band Vulnerability Detection

AcuMonitor is a service provided by Acunetix, which allows the scanner to detect out-of-band vulnerabilities. This service is automatically used by out-of-band checks and requires no installation or configuration, only simple registration for on-premises versions.

What Are the Benefits of AcuMonitor?

AcuMonitor increases the scope of vulnerabilities that the Acunetix scanner can detect. Without AcuMonitor, out-of-band detection is not possible. Also, vulnerabilities detected with AcuMonitor are never false positives. Here are some of the vulnerabilities detected by Acunetix with AcuMonitor:

  • Blind server-side XML/SOAP injection
  • Blind XSS (delayed XSS)
  • Host header attack
  • Out-of-band remote code execution (OOB RCE)
  • Out-of-band SQL Injection (OOB SQLi)
  • Email header injection
  • Server-side request forgery (SSRF)
  • XML External Entity injection (XXE)

How Does AcuMonitor Work?

During an Acunetix scan, your Acunetix scanner sends payloads to the tested application. Here is how these payloads work with AcuMonitor:

  • AcuMonitor is a publicly accessible service. It waits for two types of connections: connections from your web application after processing an Acunetix vulnerability payload and connections from your Acunetix scanner (online or on-premise).
  • When Acunetix performs a test for an out-of-band vulnerability, the payload is designed to send a specific request to the AcuMonitor service. In the case of out-of-band vulnerabilities, this can happen either immediately or with a delay and from a different location in the application or from a completely different web application.
  • Your Acunetix scanner regularly polls AcuMonitor to check whether the payload has reached the service. If it has, it receives details from AcuMonitor, thus confirming the out-of-band vulnerability with 100% certainty.

Is AcuMonitor Secure?

AcuMonitor is absolutely secure both in terms of data transmission and data storage.

  • AcuMonitor payloads use TLS whenever possible. This ensures that connections to AcuMonitor are encrypted.
  • AcuMonitor does not receive or store enough information to identify the source of the vulnerability. The scanner does not send any information about the original request to AcuMonitor. To distinguish between tests, AcuMonitor uses your unique AcuMonitor ID acquired during registration and random unique identifiers generated by Acunetix.
  • Requests made to AcuMonitor are stored for a limited amount of time (maximum 7 days) and then securely deleted.