Acunetix Standard & Premium

New Features

• New OWASP Top 10 2021 compliance report
• JAVA AcuSensor now supports JDK 11

New Vulnerability Checks

• New check for GitLab ExifTool RCE (CVE-2021-22205)
• New check for Sitecore XP Deserialization RCE (CVE-2021-42237)

Fixes

• Fixed issue causing hang in scanner
• Fixed issue causing some vulnerabilities not to be detected when AcuSensor is enabled and not installed on the web application

Updates

• Removed message to “Press any key to continue” when installing .NET AcuSensor from CLI. This was hindering the automatic installation of the .NET sensor

Fixes

• Fixed issue causing scans to fail when site redirets from http to https
• Fixed issue causing incremental scans initiated from Jenkins plugin not to start

New Features

• Added support for URL optional fields
• Added support for Brotli encoding
• JAVA AcuSensor can now be used on Tomcat 10.0.x
• Added support for Restify framework in Node.js Sensor
• Added support for LoopBack framework in Node.js Sensor
• Added support for Sequelize ORM in Node.js Sensor
• Added support for Router Package in Node.js Sensor
• Added support for Director Router in Node.js Sensor

New Vulnerability Checks

• New check for Apache HTTP Server Source Code Disclosure
• New check for ManageEngine ADSelfService Plus Authentication Bypass (CVE-2021-40539)
• New check for Oracle Business Intelligence ReportTemplateService XXE (CVE-2021-2400)
• New check for Jira Unauthorized User Enumeration (CVE-2020-14181)
• New check for Jira Unauthorized User Enumeration via UserPickerBrowser
• New check for Jira Projects accessible anonymously
• New check for Payara Micro File Read (CVE-2021-41381)

Updates

• Export to AWS WAF is now available in all pages which allow WAF Export
• Updated Pre-request scripts, making it easier to update session header value
• Updated the detection of WAFs to support new WAFs
• Increased the detection of development files
• Improved the JavaScript Library Audit checks

Fixes

• Fixed issue in Paros import
• Fixed issue in scanner causing False Negatives when processing specific pages
• Fixed issue in AWS WAF Export
• Fixed issue in PHP Sensor not being detected when used in a large site with many files
• Fixed issue causing pre-request scripts not to be loaded by scanner
• Fixed 3 issues in Postman imports
• Fixed False Negative in Django Debug Mode vulnerability check
• Fixed issue causing high response times in UI caused by large quantity of Targets configured
• Fixed false positive in “User credentials are sent in clear text” check

Fixes

• Fixed: Error when adding new Targets
• Fixed: Scanner crash when using a Postman import file

New Features

• Pre-request script support
• New Log Data Retention options

New Vulnerability Checks

• New check for Oracle E-Business Suite Information Disclosure
• New check for Alibaba Nacos Authentication Bypass (CVE-2021-29441)
• New check for Gitlab CI Lint SSRF
• New check for Gitlab open user registration
• New check for Gitlab user disclosure via graphql endpoint
• New check for Bitrix galleries_recalc.php XSS
• New check for Bitrix open redirect
• New check for Jetty ConcatServlet Information Disclosure (CVE-2021-28164)
• New check for Jenkins open user registration
• New check for Open Mikrotik stats
• New check for Open Nuster stats
• New check for RethinkDB administrative interface publicly exposed
• New check for spring-boot-actuator-logview Path Traversal
• New check for Hasura GraphQL API without authentication
• New check for ForgeRock OpenAM Deserialization RCE (CVE-2021-29156)
• New check for BuddyPress REST API Privilege Escalation
• New check for Grandnode Path Traversal (CVE-2019-12276)
• New check for SearchBlox Local File Inclusion (CVE-2020-35580)
• New check for Zimbra Collaboration Suite SSRF (CVE-2020-7796)
• New check for Ghost CMS Theme Preview XSS (CVE-2021-29484)
• New check for qdPM Information Disclosure
• New checks for vulnerabilities in WordPress Plugins

Updates

• Max items shown per page can now be configured
• Updated Deepscan to process hashes in URLs
• Updated Chromium to v92.0.4512.0
• Updated CSV export to include text only details
• JavaScript Library Audit now supports merged JavaScript files
• Added support for dev tools in standalone LSR
• Multiple UI updates
• Multiple LSR updates
• Target knowledgebase will now be reset when Target settings are changed
• Updated Selenium import to support selectFrame
• Updated OWASP Top 10 report to include CVSS score
• Updated Compliance report to include CWE
• Added option to enable debuglogs for all Targets
• Optimisations to the Java and Node.js AcuSensors
• Improved support for Hapi framework in Node.js AcuSensor
• Add support for find-my-way HTTP router in Node.js AcuSensor
• Improved ionCube Loader-wizard information disclosure check
• Improved cache poisoning DOS checks
• Improved detection of Apache Struts2 Remote Command Execution (S2-052)
• Improved detection of Directory Traversal vulnerabilities
• Added option to skip testing of login form configured for the Target
• Improved handling of Custom 404 pages

Fixes

• Fixed multiple crashes in the scanner
• Fixed issue causing some requests to be done to restricted links
• Addressed multiple Deepscan issues
• Paused scans can now be Aborted
• Fixed XPath Injection false positive
• Fixed Bitrix Open Redirect false positive
• Fixed Spring Boot Actuator false negative
• Fixed issue in .NET Sensor Manager not showing buttons on lower resolutions