
Whether Acunetix can detect Null Byte Injection in PHP

Acunetix does check for this vulnerability. It is part of the Acunetix Local File Inclusion (LFI) checks, so a finding would be reported as LFI rather than as null byte injection.
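For reference, the pattern the LFI check is hunting for is shown below as an added example (this is not code from the original page and not Acunetix code): a PHP include built from user input, where a `%00` in the request truncates the path on PHP builds older than 5.3.4 so that the `.php` suffix is dropped, beside a hardened version. The `pages/` directory and the page names in the allow-list are assumed for the example.

```php
<?php
// Added example: null-byte LFI in PHP and a hardened replacement.
//
// Request: /view.php?page=../../../../etc/passwd%00
//
// Before PHP 5.3.4 the path was handed to the C library as a NUL-terminated
// string, so the ".php" suffix after the NUL was ignored and /etc/passwd was
// included. PHP 5.3.4 and later reject paths containing a NUL byte, but the
// same code still allows ../../config (any .php file on disk) to be included,
// so the fix is not just a newer PHP version.
function render_page_vulnerable(string $page): void
{
    // VULNERABLE: untrusted input concatenated straight into the include path.
    include 'pages/' . $page . '.php';
}

// Hardened: reject NUL bytes, allow-list the page names, and confirm the
// resolved path still lies inside the pages/ directory.
function render_page_hardened(string $page): void
{
    $allowed = ['home', 'about', 'contact']; // assumed page names

    // Defence in depth: a NUL byte is never legitimate in a page name.
    if (strpos($page, "\0") !== false) {
        http_response_code(400);
        return;
    }

    // Allow-list: only names we ship may be included (strict comparison).
    if (!in_array($page, $allowed, true)) {
        http_response_code(404);
        return;
    }

    // Containment check: realpath() resolves symlinks and ../ so we can verify
    // the final file is under pages/ even if the allow-list is later relaxed.
    $base = realpath(__DIR__ . '/pages');
    $path = realpath($base . '/' . $page . '.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        http_response_code(404);
        return;
    }

    include $path;
}

render_page_hardened($_GET['page'] ?? 'home');
```

A scanner exercises the vulnerable function with traversal payloads such as `../../../../etc/passwd%00` and looks for file content (for example `root:x:0:0`) in the response; that is why the finding is classified under LFI rather than as a separate null byte category.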
Is there any chance that a customer misconfigures the scan and the vulnerability is missed?
If the target is not configured correctly, Acunetix may not reach every location in the application, and a vulnerable page or parameter that the crawler never visits cannot be tested.
As best practice, implement as many of the following as possible to maximise vulnerability detection and coverage:
  • If the web application or portal requires authentication, set up the LSR (Login Sequence Recorder) properly, including the Restrictions (links the scanner must not follow, such as logout) and the session detection pattern.

  • Make sure that Acunetix has found all possible locations in the application. Crawling can be augmented by pre-seeding the scan with an import file that contains all the locations in the application.
  • E-SPIN in particular recommends that every customer of any automated web scanner also buys at least one Burp Suite Pro licence, so that the manual, advanced and complex testing that web application penetration testing projects require can be performed. The investment cost is small, and for an expert user it serves as a Swiss army knife covering a wide range of web application security testing projects and operational requirements.

  • If the application is written in PHP, .NET or Java, install AcuSensor (grey box testing) to further increase coverage. Special remark: the respective platform agent must be installed on the target web server; simply turning AcuSensor on in the console will not work without it.

Another area in which E-SPIN always advises customers is to equip users with adequate working knowledge of both web application security testing skills and the testing tool's features, workflow and process, so that the investment is maximised. Depending on the actual use case and how serious it is, E-SPIN delivers a customised training and knowledge transfer session of up to 10 days to help enterprise clients with an extensive investment in threat and vulnerability management (TVM), covering various point-solution products working as an integrated end-to-end solution from vulnerability assessment to penetration testing (VAPT). Feel free to contact E-SPIN for any kind of project requirement.