Acunetix Build History

Version 11 (build 11.0.163221044) – 17th November 2016

New Features

  • New web-based user interface
  • Targets are now stored in Acunetix with their individual settings, and can be easily re-scanned.
  • Targets can be classified by their Business Criticality
  • Reports are stored in the central interface
  • Users can choose between “Target reports”, “Scan reports” or “All vulnerabilities reports”
  • Role-based multi-user system, allowing users to be assigned the security scanning of specific targets.
  • All vulnerabilities for all the targets are now shown in one list which can be easily filtered.
  • Export vulnerabilities to F5 BIG-IP ASM and Fortinet FortiWeb Web Application Firewalls directly from within Acunetix
  • Acunetix now supports sending vulnerabilities to these issue trackers: GitHub, JIRA and Microsoft Team Foundation Service (TFS)
  • Documentation is now inbuilt into the new interface
  • New Dashboard, providing an instant overview of the security status of your assets.

Improvements

  • The Acunetix tools are being released as a separate installation and can be downloaded from http://www.acunetix.com/vulnerability-scanner/manual-tools/
  • Various updates and bug fixes

Update 20160520 – 20th May 2016

Bug Fixes

  • Fixed minor bugs reported

Update 20160510 – 10th May 2016

New Features

Build v10.5.20160504 – 5th May 2016

Improvements

  • Updated the PCI DSS compliance report for PCI DSS 3.2
  • Updated the NIST Special Publication 800-53 – Recommended Security Controls for Federal Information Systems compliance report to comply with revision 4 of the publication

Bug Fixes

  • Fixed a bug that could result in remote code execution

Build v10.5.20160427 – 27th April 2016

New Features

  • New version of .NET AcuSensor (requires removal of the sensors installed in the web applications – check this blog post for more info)
  • Implemented a test looking for JSP source code disclosure via SOH (start of header)
  • Added a script for parsing specific Java error messages to improve crawling coverage and discover new content.

Improvements

  • Improved backup config files discovery
  • Request cookies will now be automatically processed from proxy log requests and used during a scan
  • The Crawler now processes untrusted URLs even if they do not belong to the host being scanned.

Bug Fixes

  • Fixed a number of false positives in the SQL injection vulnerability checks
  • Limit AST parsing to files smaller than 1Mb
  • Fixed an SQL injection vulnerability in the reporter.

Update 20160302 – 2nd March 2016

New Features

Build v10.5.20160215 – 16th February 2016

New Features

Improvements

  • Improved Blind and Error-based SQL injection tests
  • Improved XSS tests
  • Big improvements to the XXE (XML External Entity) tests
  • Improved static crawling by parsing of JavaScript event handler parameters.
  • Improved the email header injection test based on the paper at http://www.mbsd.jp/Whitepaper/smtpi.pdf


Build v10.0.20151125 – 26th November 2015

New Features

  • Added a test looking for insecure CORS configurations.
  • Added a test looking for CVE-2014-7829 – Arbitrary file existence disclosure in Action Pack.
  • Added a test looking for Rails application running in development mode.
  • Added a test looking for CVE-2015-7808 vBulletin 5 PreAuth RCE.
  • Added a test looking for Insecure DNS records
  • Added a test looking for Spring Boot Actuator
  • Added a test looking for Tornado Debug mode
  • Added a test looking for Pyramid Debug mode
  • Implemented PHP object deserialization of user-supplied data
  • Added a test looking for older versions of the ZeroClipboard SWF library that are vulnerable to a cross-site scripting vulnerability.

Improvements

  • Updated WordPress plugins and WordPress core checks.
  • Improved tests for possible sensitive directories and sensitive files.
  • Improved Apache Axis audit script.
  • Added a test for Java object deserialization of user-supplied data
  • Various improvements for XSS detection.
  • Improved the HTML structural parser and added support for Allow directives to the robots.txt parser
  • Added support for WADL files when served using content-type application/vnd.sun.wadl+xml

Bug Fixes

  • Fixed a crash caused during automatic session detection.
  • Security fix for privilege escalation reported by security researcher Daniele Linguaglossa


Build v10.0.20151028 – 28th October 2015

Improvements

  • Improved the description for all the vulnerability checks in Scanning Profiles

Build v10.0.20151026 – 26th October 2015

Bug Fixes

  • Fixed a bug limiting the number of external hosts in the knowledge base (kbase)
  • Fixed an issue which caused the scanner to crash
  • Fixed an issue where some script dependencies could prevent the scan from finishing
  • Fixed an importer crash when the user cancels the import
  • Fixed a syntax error affecting Chinese Windows
  • Fixed an issue where restrictions configured in the LSR were not taken into consideration in some POST requests

Build v10.0.20150921 – 22nd September 2015

New Features

Improvements

  • Updated database of WordPress core and plugin vulnerabilities.
  • Added more checks for vulnerable JavaScript libraries.
  • Improved WADL parsing to support more representation types.

Bug Fixes

  • Fixed some false positives in the JavaScript libraries audit.
  • Fixed a false positive in the File Inclusion script.
  • Fixed an issue causing JSON and XML inputs not to be checked for XSS.
  • Fixed an SSL audit bug triggered when the server_name extension was not sent to the server during SSL negotiation.


Build v10.0.20150820 – 20th August 2015

New Features

  • Added a test for Server-Side Template Injection vulnerability.
  • Added tests for new WordPress (core and plugins) vulnerabilities.
  • Added a test checking for Django Debug Mode

Improvements

  • Improved CRLF injection/HTTP response splitting tests
  • Improvements to the XSS testing script
  • Updated Payment Card Industry (PCI) report to PCI 3.1
  • Updated DISA Application Security and Development STIG report to V3R10
  • LSR updated to support all SSL cipher suites

Bug Fixes

  • Fixed a crash in the WSDL scanner
  • Various updates and fixes in the Login Sequence Recorder
  • Fixed DeepScan blocking on specific sites
  • Fixed a bug in the Scan wizard
  • Fixed a crash in the Scan wizard when choosing a non-existent login sequence file name
  • Fixed the crawler start URL being incorrectly set to http instead of https when importing from a proxy log


Build v10.0.20150623 – 24th June 2015 – NEW VERSION

New Features