New build improves auto-login, detection of DOM XSS, WAFS, CDNs, and reverse proxies

Acunetix version 12 (build 12.0.190703137) has been released. This new build includes a number of updates including a big improvement to Auto-Login, improved detection of DOM XSS, and improved crawling of Spring-based web applications. In addition, a number of vulnerability checks have been reviewed with the aim to reduce the reporting of false positives. There are also new vulnerability checks for Joomla! Core and new or improved detection of WAFs, CDNs, and reverse proxies. The new build also includes a number and fixes, all of which are available for Acunetix on-premise for Windows and Linux and Acunetix Online.

Here is a full set of updates:

New Vulnerability Checks

  • New test for Joomla! Core CSV Injection vulnerability check (CVE-2019-12765)
  • New test for Joomla! Core XSS vulnerability check (CVE-2019-12766)
  • New test for Joomla! Core Security bypass (CVE-2019-12764)
  • New test for Oracle Weblogic XXE (CVE-2019-2647)
  • Added the detection of CDNs
  • Added the detection of reverse proxies

Updates

  • Auto-Login is now using the LSR functionality – this will improve auto-login in general
  • Improved detection of DOM XSS
  • Improved handling of invalid Selenium scripts
  • Improved handling of email address fields in web forms
  • Improved parsing of WSDL files
  • Implemented support for Proxy-Authenticate header
  • Improved crawling of Spring-based web applications
  • Updated LSR to automatically dismiss modal dialogs during playback
  • Reduced false positives in checks looking for sensitive and backup files
  • Reduced false positives in SSN number detection
  • Reduced false positives in XSS in URIs
  • Improved the detection of WAFs
  • LSR can now record actions within <iframe> elements
  • Jira Issue Tracker integration now supports HTTP Authentication with API key

Fixes

  • Fixed a crash when parsing SOAP messages
  • Fixed issue in the interpretation of some Selenium scripts
  • Fixed a number of broken links in the Vulnerability Alerts
  • Autologin was recording the password in the log file
  • Fixed crash caused when reading specific swagger files
  • Fixed crash caused when reading specific large files
  • Fixed issue causing the scanner to go into a loop
  • Fixed issue causing the crawler to not interpret correctly certain locations in JavaScript
  • Fixed issue in Manual Intervention
  • Fixed issue affecting sites using euc-kr encoding
  • Fixed Chromium issue caused when window.chrome is used by the site
  • Fixed issue causing Chromium not to load on Kali Linux
  • Fixed LSR playback issue caused when the input field contained predefined text
  • SRI not implemented was being reported multiple times per host

Upgrade to the latest build

If you are already using Acunetix v12, you can initiate the automatic upgrade from the new build notification in the Acunetix UI > Settings page.
If you are using a previous version of Acunetix, you need to download Acunetix version 12 from here. Use your Acunetix License Key to download and activate your product.

Share this post
Nicky SciberrasNicholas Sciberras Chief Technical Officer
LinkedIn: https://www.linkedin.com/in/nicholas-sciberras/

As the CTO at Acunetix, Nicholas is passionate about IT security and technology at large. Prior to joining Acunetix in 2012, Nicholas spent 12 years at GFI Software, where he managed the email security and anti-spam product lines, led multiple customer service teams and provided technical training.

Leave a Reply

Your email address will not be published.