
Acunetix | Web Security Blog
-
Liferay vulnerability scanner: How to detect and remediate CVEs in Liferay Portal and DXP
Liferay environments face a growing volume of CVEs and limited patch paths for older versions. This guide explains which vulnerabilities matter, how they are exploited, and how Acunetix scans Liferay Portal and DXP to identify real risk.
The post Liferay vulnerability scanner: How to detect and remediate CVEs in Liferay Portal and DXP appeared first on Acunetix.
-
IIS security best practices: How to secure an IIS server and web applications
Learn how to secure Microsoft IIS with practical hardening best practices, attacker-focused insights, and continuous validation strategies. This guide covers common IIS misconfigurations, real-world exploitation techniques, and how to protect web applications running on IIS servers.
-
SNI proxy SSRF vulnerabilities: Misconfigurations, exploitation, and defense
SNI proxy SSRF is a lesser-known but high-impact vulnerability class where misconfigured proxies route traffic based on attacker-controlled TLS metadata. Under specific conditions, this can expose internal services and even cloud metadata endpoints in AWS and Azure. This article explains how these attacks work, when they are exploitable, and how to defend against them.
-
What is an IDOR vulnerability?
Insecure direct object references (IDOR) are a type of access control vulnerability where an application exposes internal object identifiers – such as user IDs, order numbers, or file names – without verifying whether the requesting user is authorized to access them. IDOR is no longer...
-
Your session cookies are probably misconfigured: How to fix cookie security flags
Understand how to correctly implement cookie security flags in modern web applications. Includes practical examples, browser behavior nuances, and guidance on HttpOnly, Secure, and SameSite settings.
-
REST API security testing: A complete guide
Learn how to perform REST API security testing with a practical, step-by-step approach. This guide covers the OWASP API Security Top 10, common vulnerabilities, and proven techniques to discover, test, and validate real API risks using modern automated tools.
-
Configuring your web server to not disclose its identity
If you are running a web server, it often shows the world what type of server it is, its version number, and sometimes even the operating system. This information is exposed in HTTP response headers and can be obtained with a simple request using a...
-
Acunetix Security Hardening Guide
A new document was prepared instead of this blog post. You can find it here.
-
Next.js middleware authorization bypass vulnerability: Are you vulnerable?
A critical vulnerability in the Next.js framework, officially disclosed on March 21, 2025, allows attackers to bypass middleware security controls through a simple header manipulation. This post summarizes what we know about CVE-2025-29927, how you can mitigate the vulnerability, and how Acunetix can help you detect and confirm your organization’s risk.