Acunetix AcuSensor

Category: IAST
License: Commercial

Acunetix AcuSensor is an IAST (Interactive Application Security Testing) agent that works alongside the Acunetix DAST scanner to provide deeper vulnerability analysis and precise source code location information.

What is Acunetix AcuSensor?

AcuSensor is a lightweight agent deployed within your application runtime that collaborates with the Acunetix DAST scanner during security assessments.

While the DAST scanner sends requests from outside the application, AcuSensor observes how those requests are processed internally, providing visibility into the application’s behavior at the code level.

Combining the two views reduces the black-box limitations of traditional DAST scanning: the scanner still attacks from the outside, but the sensor reports what each attack actually did inside the application.

AcuSensor can identify the exact source file and line number where vulnerabilities exist, trace SQL queries back to their origin, and detect issues that would be invisible to external scanners alone.

Sensors are available for PHP, Java, .NET (ASP.NET) and Node.js applications, which covers most common web application stacks; anything else is scanned by DAST alone.

Key Features

Line-of-Code Vulnerability Mapping

AcuSensor’s most distinctive capability is pinpointing vulnerabilities to their exact location in source code.

When a SQL injection or cross-site scripting vulnerability is detected, the report includes the specific file name and line number where the vulnerable code resides.

This eliminates guesswork during remediation and reduces the time developers spend tracking down issues.

SQL Injection Trace Analysis

For SQL injection vulnerabilities, AcuSensor provides complete query traces showing how user input flows from the HTTP request through the application logic to the database query.

The trace includes the call stack that led to the query call and the final SQL statement that was actually executed, so developers can see exactly where the injected input lands in the query.

False Positive Reduction

By observing the application internally, AcuSensor can confirm whether a potential vulnerability identified by the DAST scanner is genuine.

If the scanner suspects a SQL injection but AcuSensor sees that the input is properly sanitized before reaching the database, it can eliminate the false positive.

This verification improves scan accuracy and reduces noise in security reports; findings that the sensor confirmed from inside the application are reported as verified, while unconfirmed DAST suspicions stay visible but are easy to distinguish.
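The three sections above describe what a sensor observes at the query sink; the following is an added example of the same mechanics in plain Node.js, written for this page and not AcuSensor's code. It wraps a (fake) database driver so that every query is recorded together with the source file and line that issued it (read from the call stack), the final SQL text, and a verdict on whether a request parameter was concatenated into that SQL text or only passed as a bound parameter. The names `instrumentDriver`, `sensedQuery`, the `request.params` shape and the probe value are this example's own assumptions.

```javascript
'use strict';
// Added example, not AcuSensor's code: a toy query-level sensor showing the
// mechanics described above. (1) The source file and line are taken from the
// call stack at the moment a query is issued. (2) The final SQL text that
// reaches the driver is recorded. (3) A request parameter that appears verbatim
// inside that SQL text was concatenated into the query (a confirmed injection
// sink); one that only appears in the bound parameter list never touched the
// SQL, so the DAST suspicion is a false positive.

// Walk the stack and return the first frame that does not belong to the sensor.
function locateCaller() {
  const frames = (new Error().stack || '').split('\n').slice(1);
  for (const frame of frames) {
    // V8 frames look like "at fn (/path/file.js:12:5)" or "at /path/file.js:12:5".
    const m = frame.match(/^\s*at (?:(.+?) )?\(?([^()\s]+):(\d+):(\d+)\)?$/);
    if (!m) continue;
    const fn = m[1] || '';
    if (fn.includes('locateCaller') || fn.includes('sensedQuery')) continue;
    return { file: m[2], line: Number(m[3]), column: Number(m[4]) };
  }
  return { file: 'unknown', line: 0, column: 0 };
}

// Report which request parameter, if any, landed inside the SQL text unchanged.
// Very short values (e.g. "1") would match by accident, hence the length floor.
function findTaint(request, sql) {
  for (const [name, value] of Object.entries(request.params || {})) {
    if (typeof value === 'string' && value.length >= 3 && sql.includes(value)) {
      return { param: name, value };
    }
  }
  return null;
}

// Wrap a driver's query function so every call is recorded with its origin.
function instrumentDriver(driver) {
  const findings = [];
  function sensedQuery(request, sql, params = []) {
    const taint = findTaint(request, sql);
    findings.push({ ...locateCaller(), sql, params, taint, verified: taint !== null });
    return driver(sql, params);
  }
  return { query: sensedQuery, findings };
}

function formatFinding(f) {
  const verdict = f.verified
    ? `SQL injection confirmed via parameter "${f.taint.param}"`
    : 'input bound as parameter, DAST suspicion not confirmed';
  return `${f.file}:${f.line}  ${verdict}\n    SQL: ${f.sql}\n    params: ${JSON.stringify(f.params)}`;
}

// Constructed request, as a DAST scanner would send it: a classic SQLi probe.
const probe = { path: '/user', params: { id: "1' OR '1'='1" } };

// Fake driver that only records what reaches the "database".
const executed = [];
const db = instrumentDriver((sql, params) => { executed.push({ sql, params }); return []; });

// Vulnerable handler: string concatenation puts the probe into the SQL text.
function lookupUserVulnerable(req) {
  return db.query(req, "SELECT * FROM users WHERE id = '" + req.params.id + "'");
}

// Fixed handler: a bound parameter keeps the SQL text constant.
function lookupUserSafe(req) {
  return db.query(req, 'SELECT * FROM users WHERE id = ?', [req.params.id]);
}

// Run both handlers against the same probe and return what the sensor recorded.
function runDemo() {
  db.findings.length = 0;
  lookupUserVulnerable(probe);
  lookupUserSafe(probe);
  return db.findings;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of runDemo()) console.log(formatFinding(f));
}
```

Running it prints two findings at different line numbers: the concatenated query is reported as a confirmed injection with the probe visible in the SQL, while the parameterized query carries the same probe only in its parameter list and is not confirmed. A real sensor hooks the driver at load time instead of being called explicitly, which is why agents must be loaded before the rest of the application.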

Hidden Input and Parameter Discovery

AcuSensor detects hidden form fields, undocumented parameters, and internal endpoints that the DAST crawler cannot discover through external analysis.

This expanded attack surface coverage helps identify vulnerabilities in areas that traditional scanners miss entirely.

Installation

PHP Installation

Download the AcuSensor agent for the target from your Acunetix installation and deploy it to your PHP application. The agent file is generated for a specific target and carries that target's sensor password, so treat it like a credential: do not commit it to the repository or bake it into a production image.

# Copy the AcuSensor PHP file to your web root
cp acu_phpaspect.php /var/www/html/

Then point PHP at it in php.ini (or in the pool configuration when using PHP-FPM), so it is loaded before every script:

auto_prepend_file = /var/www/html/acu_phpaspect.php

Restart your web server after configuration:

sudo systemctl restart apache2
# or, for nginx with PHP-FPM (on Debian/Ubuntu the unit name carries the PHP version, e.g. php8.2-fpm)
sudo systemctl restart php-fpm

Java Installation

For Java applications, add the AcuSensor agent as a JVM argument:

java -javaagent:/path/to/acusensor.jar -jar your-application.jar

For Tomcat, add it to CATALINA_OPTS in $CATALINA_BASE/bin/setenv.sh (create the file if it does not exist) and make sure the jar is readable by the user Tomcat runs as:

export CATALINA_OPTS="$CATALINA_OPTS -javaagent:/opt/acusensor/acusensor.jar"

.NET Installation

For ASP.NET applications, deploy the AcuSensor module into the application:

# Copy AcuSensor DLL to your application's bin directory
Copy-Item AcuSensor.dll -Destination "C:\inetpub\wwwroot\YourApp\bin\"

Then register the sensor's HTTP module in the application's web.config following the Acunetix documentation for your version; the exact module entry depends on the sensor release, so copy it from the documentation rather than from memory.

Node.js Installation

Install the AcuSensor npm package and require it at application startup:

npm install @acunetix/acusensor

Add to your application entry point:

// Load the sensor first, before express or any database driver, so it can hook them as they load
require('@acunetix/acusensor');

// Your existing application code
const express = require('express');
const app = express();
// ...

Integration

Configuring Acunetix for AcuSensor Scans

Once the agent is deployed, configure your Acunetix scan target to use AcuSensor:

  1. In Acunetix, navigate to Targets and select your application
  2. Go to Site Configuration > AcuSensor
  3. Enter the AcuSensor URL (typically your application URL with /acu_phpaspect.php for PHP)
  4. Test the connection to verify AcuSensor is responding
  5. Run your scan with AcuSensor enabled

CI/CD Pipeline Integration

For automated testing in CI/CD pipelines, deploy AcuSensor to a staging environment that the Acunetix engine can reach over the network, then trigger the scan through the Acunetix REST API. The scanner runs on your Acunetix host, not on the CI runner, so an application started only on an ephemeral GitHub-hosted runner is not reachable by it; deploy to a staging host the scanner can see, or use a self-hosted runner on that network.

Two details of the API matter in the jobs below. The profile_id is the UUID of a scan profile (the built-in Full Scan profile is 11111111-1111-1111-1111-111111111111), and the request carries a schedule object; with disable set to false and no start_date the scan starts immediately. The ID of the new scan is returned in the Location header of the 201 Created response, not in the response body, so the jobs read the header. Credentials come from CI secrets and are passed through environment variables rather than interpolated into the script.

GitHub Actions example:

name: Security Scan with AcuSensor

on:
  push:
    branches: [main, develop]

jobs:
  security-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Deploy application with AcuSensor
        run: |
          docker-compose -f docker-compose.staging.yml up -d
          # AcuSensor should be pre-configured in your staging image

      - name: Run Acunetix scan via API
        env:
          ACUNETIX_API_KEY: ${{ secrets.ACUNETIX_API_KEY }}
          ACUNETIX_URL: ${{ secrets.ACUNETIX_URL }}
          TARGET_ID: ${{ vars.TARGET_ID }}
          PROFILE_ID: 11111111-1111-1111-1111-111111111111
        run: |
          SCAN_ID=$(curl -sS -i -X POST "$ACUNETIX_URL/api/v1/scans" \
            -H "X-Auth: $ACUNETIX_API_KEY" \
            -H "Content-Type: application/json" \
            -d "{\"target_id\": \"$TARGET_ID\", \"profile_id\": \"$PROFILE_ID\", \"schedule\": {\"disable\": false, \"start_date\": null, \"time_sensitive\": false}}" \
            | tr -d '\r' | awk 'tolower($1) == "location:" {n = split($2, p, "/"); print p[n]}')
          test -n "$SCAN_ID" || { echo "scan was not created"; exit 1; }
          echo "Scan started: $SCAN_ID"

GitLab CI example (ACUNETIX_URL, ACUNETIX_API_KEY and TARGET_ID are masked CI/CD variables):

stages:
  - deploy
  - security

deploy-staging:
  stage: deploy
  script:
    - docker-compose -f docker-compose.staging.yml up -d
  environment: staging

acunetix-scan:
  stage: security
  needs: [deploy-staging]
  script:
    - |
      SCAN_ID=$(curl -sS -i -X POST "$ACUNETIX_URL/api/v1/scans" \
        -H "X-Auth: $ACUNETIX_API_KEY" \
        -H "Content-Type: application/json" \
        -d "{\"target_id\": \"$TARGET_ID\", \"profile_id\": \"11111111-1111-1111-1111-111111111111\", \"schedule\": {\"disable\": false, \"start_date\": null, \"time_sensitive\": false}}" \
        | tr -d '\r' | awk 'tolower($1) == "location:" {n = split($2, p, "/"); print p[n]}')
      test -n "$SCAN_ID" || { echo "scan was not created"; exit 1; }
      echo "Scan started: $SCAN_ID"

Both jobs only start the scan. To gate a pipeline on the outcome, poll GET /api/v1/scans/{scan_id} until the session reaches a final state and inspect its severity counts. If your Acunetix instance still uses its default self-signed certificate, add that certificate to the runner's trust store rather than disabling verification with curl -k.
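The pipeline jobs above stop at "scan started"; an added example of the polling step that turns the scan into a build gate follows. It is written for this page and is not Acunetix's own tooling. The request and response shapes it relies on (the X-Auth header, POST /api/v1/scans with target_id, profile_id and schedule, the scan ID in the Location header of the 201 response, and GET /api/v1/scans/{scan_id} exposing current_session.status and current_session.severity_counts) follow the Acunetix API documentation as this example's author recalls it; check them against the API reference of your version. The names runScan, evaluateSession, scanIdFromLocation and the fetchImpl/sleepMs injection points are this example's own.

```javascript
'use strict';
// Added example, not Acunetix's own code: a CI gate that starts a scan through
// the Acunetix REST API, polls until the session ends and fails the job when
// the run reports blocking findings. API field names are taken from the
// Acunetix API documentation as recalled by the example's author; verify them
// against your version. Runs on Node.js 18+ (global fetch), no dependencies.

// Built-in "Full Scan" profile id; custom profiles have their own UUIDs.
const FULL_SCAN_PROFILE = '11111111-1111-1111-1111-111111111111';
const FINAL_STATES = new Set(['completed', 'aborted', 'failed']);

// Body of POST /api/v1/scans: a schedule with disable=false and no start_date
// means "start now".
function buildScanRequest(targetId, profileId = FULL_SCAN_PROFILE) {
  return {
    target_id: targetId,
    profile_id: profileId,
    schedule: { disable: false, start_date: null, time_sensitive: false },
  };
}

// The created scan is identified only by the Location header of the 201 reply.
function scanIdFromLocation(location) {
  const m = /\/scans\/([^/?#]+)/.exec(location || '');
  if (!m) throw new Error(`no scan id in Location header: ${location}`);
  return m[1];
}

// Decide whether the session has ended and how many findings block the build.
// failOn lists the severity_counts keys that fail the pipeline.
function evaluateSession(scan, failOn = ['critical', 'high']) {
  const session = scan.current_session || {};
  const counts = session.severity_counts || {};
  const blocking = failOn.reduce((n, sev) => n + (counts[sev] || 0), 0);
  const status = session.status || 'unknown';
  return {
    status,
    done: FINAL_STATES.has(status),
    counts,
    blocking,
    passed: status === 'completed' && blocking === 0,
  };
}

// Start the scan, poll it to completion and return the verdict. fetchImpl and
// sleepMs are injectable so the flow can be exercised without a live engine.
async function runScan({ baseUrl, apiKey, targetId, profileId, failOn,
                         fetchImpl = globalThis.fetch, sleepMs = 30000 }) {
  const headers = { 'X-Auth': apiKey, 'Content-Type': 'application/json' };
  const started = await fetchImpl(`${baseUrl}/api/v1/scans`, {
    method: 'POST', headers, body: JSON.stringify(buildScanRequest(targetId, profileId)),
  });
  if (started.status !== 201) throw new Error(`scan start failed: HTTP ${started.status}`);
  const scanId = scanIdFromLocation(started.headers.get('location'));

  for (;;) {
    const poll = await fetchImpl(`${baseUrl}/api/v1/scans/${scanId}`, { headers });
    if (!poll.ok) throw new Error(`poll failed: HTTP ${poll.status}`);
    const verdict = evaluateSession(await poll.json(), failOn);
    if (verdict.done) return { scanId, ...verdict };
    await new Promise((resolve) => setTimeout(resolve, sleepMs));
  }
}

// CI entry point: runs only when the pipeline provides the connection details,
// and maps the verdict to the exit code the pipeline reacts to.
const env = process.env;
if (env.ACUNETIX_URL && env.ACUNETIX_API_KEY && env.TARGET_ID) {
  runScan({ baseUrl: env.ACUNETIX_URL, apiKey: env.ACUNETIX_API_KEY,
            targetId: env.TARGET_ID, profileId: env.PROFILE_ID }).then(
    (result) => { console.log(JSON.stringify(result)); process.exitCode = result.passed ? 0 : 1; },
    (err) => { console.error(err.message); process.exitCode = 2; },
  );
}
```

In a pipeline this replaces the curl step: set ACUNETIX_URL, ACUNETIX_API_KEY and TARGET_ID from CI secrets and run `node scan-gate.js`; exit code 1 means the scan completed with blocking findings (or was aborted), exit code 2 means the API call itself failed. An aborted or failed session counts as not passed on purpose, so a scanner outage cannot silently turn into a green build. If the Acunetix host presents its default self-signed certificate, point NODE_EXTRA_CA_CERTS at that certificate instead of disabling TLS verification.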

When to Use Acunetix AcuSensor

Use AcuSensor when:

  • You need precise source code locations for vulnerabilities rather than generic descriptions
  • False positives from DAST scans are consuming developer time
  • Your application has complex authentication or multi-step workflows that benefit from internal observation
  • You want to trace SQL injection vulnerabilities through your entire data flow
  • Your staging environment mirrors production and can accommodate agent deployment

Consider alternatives when:

  • You cannot deploy agents to your test environment due to policy restrictions
  • You need to test production systems (AcuSensor should only be deployed in non-production environments)
  • Your application uses a language not supported by AcuSensor (only PHP, Java, .NET, and Node.js are supported)

AcuSensor transforms Acunetix from a standard DAST tool into a hybrid DAST/IAST solution, providing the external attack perspective of dynamic testing combined with the code-level precision of instrumentation-based analysis.