Acunetix 360 On-Premises - v2.4
NEW FEATURES
- Added the Business Logic Recorder feature in Acunetix 360, so you can scan web applications without extensive manual work or additional non-automated tools.
- Added support for Azure Key Vault.
- Added GraphQL Libraries detection support.
- Added built-in DVWA policies to scan policies.
- Added the feature to tag discovered websites.
- Added AcuSensor (IAST and SCA) node to the Knowledge Base.
IMPROVEMENTS
- Improved the Authentication Verifier to work with .NET 6.0.
- [Breaking Change] Added support for on-premises versions of CyberArk, HashiCorp Vault, and Azure Key Vault. This requires an authentication verifier agent.
- Improved the Late-Confirmation Storage Mechanism to lower disc usage.
- Improved the rate limit for the All Issues API endpoint.
- Improved the Cloud Provider setting to enable the Linux ID Image.
- Added an API endpoint to better understand how many websites each user scanned.
- Added raw scan file expired status to the Scan Failure Reasons.
- Added the IsEnabled API endpoint for the OAuth2 setting.
- Updated the icons on the Trend Matrix page.
- Added logs to scheduled scans to identify the license issue when the scan couldn’t be launched.
- Improved the internal agent to check whether OAuth2 is enabled or not.
- Improved the agent’s language setting to prevent non-English texts from appearing on the scan results.
- Improved the Activity Log to include information on vulnerability profile changes.
- Improved the Scan Profiles API endpoint to include information on the imported URLs.
- Added integration failed status for the Secrets and Encryption Management services.
- Updated the scan agent update workflow. When there is a new update and users have more than one scan agent, the new version will be downloaded only once. Other scan agents will rely on this new package to update themselves.
- Added a drop-down to determine how many results to be displayed on a page.
- Added a new explanation for the api/1.0/scans/unschedule endpoint to clear any ambiguity
- Added a filter that checks the number of issues being displayed on the global dashboard.
- Improved the IP filtering on the discovered websites’ page.
- Updated the Splunk plug-in to prevent exporting unnecessary HTML information to the Splunk ticket.
- Added ‘Is Encoded’ option to OAuth2 parameters.
- Adding the Connection Timeout option to the scan policy.
- Improved the Knowledge Base tab in the technical report section for accessibility.
- Added the Browser Settings to scan policy.
- Added report policy migration process while relaunching scan session to prevent launch scan issue.
- Added a discovered date column for websites detected by the Discovery Service.
- Updated the AcuMonitor’s redirection while validating the certificate.
- Added a timeout for website import. The default value for timeout is 400 ms.
- Improved the tooltip for security checks on the scan policy page to properly reflect the security policy selections.
- Updated the SCIM integration for provisioning on Azure Active Directory’s marketplace.
- Added the ability to bulk edit issues.
- Added the scan policy header to the OAuth2 requests.
- Improved JWT confirmation to avoid false positives.
- Added a new IAST vulnerability: Overly Long Session Timeout.
- Added new config vulnerabilities for the IAST Node.js sensor.
- Added new config vulnerabilities for the IAST Java sensor.
- Added support for detecting SQL Injections on HSQLDB.
- Added support for detecting XSS through file upload.
- Updated DISA STIG Classifications.
- Updated Java and Node.js IAST sensors.
- Improved the Content Security Policy Engine.
- Updated XSS via File Upload vulnerability template.
- Added Extract Resource default property to DOM simulation.
- Added an option to discard certificate validation errors on the Enterprise Integration window during SSL/TLS connections.
- Added the agent mode to the authentication request.
- Added a default behavior to scan the login page.
- Added a default behavior to disable TLS1.3.
FIXES
- Fixed a bug with displaying cookie names in the scan policy.
- Fixed a Globally Unique Identifier bug that assigned zero to a custom vulnerability when identified.
- Fixed a bug that prevents editing an internal website.
- Fixed a bug that caused a broken website-scan relationship as a result of an inconsistent update.
- Fixed the inconsistent vulnerabilities listed in XML and CVS reports.
- Fixed the bug that caused the issues’ status to stay the same in the case of bulk editing.
- Fixed a bug on the user interface that showed incorrect scan status.
- Fixed an issue with global servers in imported Swagger files.
- Fixed a bug that adds duplicated users to a team when added using SCIM.
- Fixed the Azure board integration webhook issue caused by the status codes.
- Fixed a bug that prevents members with user-defined roles from being deleted.
- Fixed a bug that prevents the information displayed when users select Jira on the user mapping.
- Fixed a bug that prevents a notification from being sent to users when users filter the state.
- Fixed a bug that does not request to verify website ownership when the website’s agent mode is changed from internal to Cloud.
- Fixed a bug that causes showing an outdated vulnerability database version of an agent on the user interface.
- Fixed a bug that does not show the website thumbnail when the scan is completed.
- Fixed an issue that causes custom vulnerabilities not to be added to the Vulnerability Lookup table.
- Changed filter for Groupable Custom vulnerabilities when creating vulnerability model.
- Fixed a bug that prevents a scan profile from being updated when users add a client certificate.
- Fixed a bug that threw an error when users tried to delete a scan policy.
- Fix a bug that prevents exporting a vulnerability list report in CSV or XML when AcuSensor (IAST) is enabled.
- Fixed a bug while excluding cookies during the scan.
- Fixed a bug that prevents websites from being deleted.
- Fixed the Jazz Team Server multiple category issue.
- Fixed a bug that occurs when a detailed scan report does not report the CVSS scores for custom vulnerabilities.
- Fixed a bug that prevents editing the FreshService integration.
- Fixed the link that throws an error on the SCIM API documentation page.
- Fixed a bug that throws an exception when the agent is started in debug mode on IDE.
- Removed the space on CVSS Scores that caused incorrect values to show up.
- Fixed the parsing problem encountered when Burp and Postman files are imported via the Links/API Definition page.
- Fixed imported links DLL mismatch problem for GraphQL.
- Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3.
- Fixed a bug that causes scan failures if the scan profile name includes the “/” character.
- Fixed a bug that was caused by special characters that affected the Out of Scope node.
- Fixed a bug that caused the OAuth2 settings to disappear after being saved in a scan profile following enabling and disabling operations.
- Fixed a bug that throws errors on the summary page for technologies links.
- Fixed the issue that IP Address Restriction is not working on API access.
- Fixed an issue that shows the same vulnerabilities more than once in the scan summary reports.
- Fixed a bug that shows the soft-deleted scan policies when their URL is entered.
- Fixed a bug while excluding cookies during the scan.
- Fixed a bug that prevents notifications from appearing on the user interface when data size is exceeded.
- Fixed imported links DLL mismatch problem for Postman and GraphQL.
- Fixed a bug that shows the empty list of possible GraphQL endpoints in the Security Checks list.
- Fixed a bug that throws 500 Internal Server Error returns upon “GET issues/addressedissues” API call.
- Fixed a bug that throws 500 Internal Server Error returns upon “GET /issues/todo” API call.
- Fixed an issue that passive vulnerabilities were reported at out-of-scope links.
- Fixed an issue that imports global servers at Swagger files.
- Fixed an issue where the OK button disappears during interactive login.
- Fixed an issue that adds interactive login buttons to iframes.
- Fixed a null reference exception at the LFI exploit panel.
- Fixed basic authorization over HTTP bug.
- Fixed SQL Injection Vulnerability Family Reporting Bug.
- Fixed a bug in that the custom script throws a null reference exception when a script is added to the paused scan.
- Fixed a bug that deletes an authentication password when a new scan is started with a copied profile.
- Fixed a bug that causes the Sitemap to disappear during scanning with IAST.
- Fixed a bug that caused missing tables and values when a report policy is exported as an SQL file.
- Fixed an issue that causes the attack process not to be completed for a security check when there is an error occurred while attacking a parameter with an attack pattern.
- Fixed the LFI Exploiter null reference.
- Fixed a bug that occurs when a detailed scan report does not report the CVSS scores for custom vulnerabilities.
- Fixed a bug when the Log4J vulnerability profile is not migrated with the report policy migration.
- Fixed a bug that prevents the WSDL files from being imported.
- Fixed reporting “SSL/TLS not implemented” when scanning only TLS 1.3 supported site.
- Fixed a bug that throws an error for NTML authentication when the custom username and password credentials are provided when the system proxy is entered into the appsetting.json
- Fixed the bug that the passive vulnerabilities were reported from out-of-scope links.
- Fixed the issue that does not terminate the Chromium instances although the max scan duration is exceeded.
- Fixed the issue that automatically enables “Exclude Authentication Pages” after enabling form authentication.
- Fixed the bug that throws a null reference exception at the link pool.
- Fixed the bug that resulted in running many Chromium instances when a new scan is started.
REMOVED
- Removed the agent platform selection option for the internal agents from the user interface.
- Removed the Ignore these extensions field from the scan policies page.