We have used the Acunetix Web Vulnerability Scanner (free 14-day trial) to test our Spring MVC and HDIV example application, available on GitHub, with HDIV version 2.1.8 (branch: rules).
Here is the video that summarizes this process:
What is Acunetix Web Vulnerability Scanner?
According to Acunetix:
“Acunetix Web Vulnerability Scanner is an automated web application security testing tool that audits your web applications by checking for vulnerabilities like SQL Injection, Cross site scripting, and other exploitable vulnerabilities.”
Acunetix’s security levels
Acunetix categorizes the vulnerabilities it reports into four severity levels:
- High Risk Alert Level 3 – “Vulnerabilities categorized as the most dangerous, which put the scan target at maximum risk for hacking and data theft.”
- Medium Risk Alert Level 2 – “Vulnerabilities caused by server misconfiguration and site-coding flaws, which facilitate server disruption and intrusion.”
- Low Risk Alert Level 1 – “Vulnerabilities derived from lack of encryption of data traffic or directory path disclosures.”
- Informational Alert – “These are items which have been discovered during a scan and which are deemed to be of interest, e.g. the possible disclosure of an internal IP address or email address, or matching a search string found in the Google Hacking Database, or information on a service that has been discovered during the scan.”
As the video shows, HDIV covers the ‘High Risk Alert Level 3’ findings by default; the remaining risk levels are out of HDIV’s scope.
Results
As described in the video, HDIV protects against the attacks performed by Acunetix Web Vulnerability Scanner, preventing the exploitation of application-level web risks such as:
- OWASP A1 – SQL Injection
- OWASP A3 – Cross-Site Scripting (XSS)
- OWASP A8 – Cross-Site Request Forgery (CSRF)
It is important to note that Acunetix Web Vulnerability Scanner does not detect OWASP A4 – Insecure Direct Object Reference (Parameter Tampering). This is normal for vulnerability scanners in general: a black-box scanner has no way of knowing which records a given user is authorized to access, so in many cases this category of vulnerability requires human intelligence to identify.
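The following toy example, added here and not taken from the HDIV project or from Acunetix, shows why an automated scanner cannot see an Insecure Direct Object Reference while an ownership-aware check can. The application, its users and its invoice records are all constructed for the illustration; a black-box scanner only observes status codes and page bodies, and a successful response for someone else's record looks exactly like a successful response for your own. The hardened handler beside the vulnerable one shows the ownership check that closes the hole, and the probe at the end is the kind of authorization test a human has to write because it needs to know who owns what.

```python
"""Why a black-box scanner misses IDOR (OWASP A4) and what a defender checks instead.

Constructed toy data: two users, each owning one invoice. Not from the page.
"""

# Constructed sample records (hypothetical ids and owners).
INVOICES = {
    1001: {"owner": "alice", "amount": 120.0},
    1002: {"owner": "bob", "amount": 75.5},
}


def vulnerable_invoice_view(user, invoice_id):
    """Direct object reference: looks the record up by id only.

    Any authenticated user who changes the id in the URL gets the record.
    Returns (status, body) like a minimal HTTP handler would.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None:
        return 404, None
    return 200, inv


def hardened_invoice_view(user, invoice_id):
    """Same lookup with an ownership check on the server side.

    A record that exists but belongs to another user is reported exactly like
    a missing one, so the response does not confirm which ids are valid.
    """
    inv = INVOICES.get(invoice_id)
    if inv is None or inv["owner"] != user:
        return 404, None
    return 200, inv


def scanner_view(handler, user, ids):
    """What a black-box scanner observes: one status code per request.

    Against the vulnerable handler every existing id answers 200 with a normal
    page: no error string, no stack trace, nothing for a signature to match.
    The scanner cannot tell that 1002 is not alice's invoice.
    """
    return {i: handler(user, i)[0] for i in ids}


def idor_probe(handler):
    """Authorization-aware check a human (or an authenticated test suite) writes.

    Knows the ownership map, so it can assert that each user can read only the
    invoices they own. Returns the sorted list of (user, invoice_id) leaks.
    """
    leaks = []
    users = {inv["owner"] for inv in INVOICES.values()}
    for user in sorted(users):
        for inv_id, inv in INVOICES.items():
            status, _body = handler(user, inv_id)
            if status == 200 and inv["owner"] != user:
                leaks.append((user, inv_id))
    return sorted(leaks)


if __name__ == "__main__":
    print("scanner sees (vulnerable):", scanner_view(vulnerable_invoice_view, "alice", [1001, 1002, 9999]))
    print("scanner sees (hardened):  ", scanner_view(hardened_invoice_view, "alice", [1001, 1002, 9999]))
    print("ownership probe (vulnerable):", idor_probe(vulnerable_invoice_view))
    print("ownership probe (hardened):  ", idor_probe(hardened_invoice_view))
```

The design point is the difference between the two probes: `scanner_view` has no notion of ownership and therefore nothing to flag, whereas `idor_probe` is only possible because it carries the authorization model with it. That model is application-specific knowledge, which is what the text means by needing human intelligence; in a real code base it lives in the test suite or in a server-side integrity mechanism rather than in a generic scanner.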