Acunetix update introduces Business Logic Recorder, CVSS 3.1 scoring, and support for Citrix WAF and the Azure DevOps Services issue tracker

Acunetix Version 13 build 13.0.200508159 for Windows and Linux has been released.

This new build introduces the Business Logic Recorder, which allows the user to record logic implemented in multi-step web forms. The Acunetix scanner will go through the multi-step form and will be able to attack each step in the form. In addition, vulnerabilities can now be sent to Citrix WAF for virtual patching or the Azure DevOps Services issue tracker for further follow-up by the team. Most vulnerabilities have been updated to include a CVSS 3.1 score. This update adds a good number of important vulnerability checks and includes various updates and fixes, which are available for all editions of Acunetix.

Here is the full set of updates:

New Features

• Business Logic Recorder – used to record logic used in multi-step forms
• Export to Citrix WAF
• Support for the Azure DevOps Services issue tracker
• CVSS3.1 score for most Acunetix vulnerabilities
• Targets can now be exported to CSV
• A new graph in the dashboard showing average vulnerabilities per target

New Vulnerability Checks

• New check for Server-Side Template Injection (SSTI) in ASP.NET Razor
• New check for Oracle BI AMF Deserialization RCE (CVE-2020-2950)
• New check for Possible Cross Site Scripting via jquery.htmlPrefilter() (CVE-2020-11023)
• New check for Stored XSS in WP theme Onetone (CVE-2019-17230 and CVE-2019-17231)
• Updated detection of phpinfo pages
• New checks in WordPress Core and WordPress plugins

Updates

• Manual intervention (used for CAPTCHAs, OTP, etc.) is now using the integrated (web-based) LSR
• As a result of the previous update, manual intervention is now available on Linux
• Improved error reporting for network scans aborted due to network errors
• Vulnerability alerts updated to show important information at the top
• Updated the Github issue tracker to support personal access token (PAT) authentication
• Improved reporting of paused scans in the UI
• Improved UI message when the user triggers a scan which is not allowed due to manual intervention
• API documentation can now be downloaded from within the Acunetix UI
• Added support for popup windows in the Login Sequence Recorder
• Improved handling of large import files
• Improved handling large requests/responses generated from import files
• Decreased false positives reported for possible username or password disclosure
• Truncated large vulnerability alerts when sending to the Jira issue tracker

Fixes

• Fixed the incorrect email address used for monthly update emails
• Fixed an AcuMonitor UI notification to link to a corresponding vulnerability
• Fixed an issue causing vulnerability checks to not be able to send empty values
• Fixed a number of crashes
• Fixed an issue causing ASP.NET sites to be processed as ASP sites
• Fixed 2 issues when using Swagger import files
• Improved handling of txt import files that use an incorrect import format
• Fixed a session fixation false positive
• Fixed a UI issue when configuring custom cookies
• Trend charts where not being updated for user accounts
• Fixed an issue in excluded hours
• Fixed a Client Certificate Not Set message that was incorrectly reported

Upgrade to the Latest Build

If you are already using Acunetix v13, you can initiate the automatic upgrade from the new build notification in the Acunetix UI > About page.

If you are using a previous version of Acunetix, you need to download Acunetix version 13 from here. Use your Acunetix license key to download and activate your product.