New features
- Deepscan has been updated to make use of Chromium (Windows only - already included in Linux)
- Login Sequence Recorder has been updated to make use of Chromium (Windows only - already included in Linux)
- Acunetix can now test APIs document using Swagger (Windows only - already included in Linux)
- Introduced support for NTLM HTTP Authentication on Linux release (already included on Windows)
- Introduced support for Kerberos HTTP Authentication (Windows only)
New vulnerability checks
- A huge update increasing the detection of Stored XSS
- New test for possible file creation using the HTTP PUT method
- New test for Apache Tomcat Remote Code Execution Vulnerability (CVE-2017-12615)
- New test for Ektron Content Management System (CMS) 9.20 SP2, remote re-enabling users (CVE-2018–12596)
- New test for httpoxy vulnerability
- New test checks if CouchDB REST API is publicly accessible
- New test checks if CouchDB is vulnerable to Remote Privilege Escalation resulting in Remote Code Execution (CVE-2017-12635)
- New test for Apache ActiveMQ default credentials
- New test for Node.js Path validation vulnerability (CVE-2017-14849)
- New test for GoAhead web server RCE via unsafe environment initialization of forked CGI scripts (CVE-2017-17562)
- New test for publicly accessible Hadoop YARN ResourceManager WebUI
- New test for jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability
- New test looks for Google Firebase Databases URLs in the response and checks if the Firebase Databases are accessible without authentication
- New test for Oracle WebLogic Remote Code Execution vulnerability via T3 (CVE-2018-3245)
- New test for Oracle WebLogic Authentication Bypass vulnerability (CVE-2018-2894)
- New test checks if Jupyter Notebook is publicly accessible
- New test for Apache Log4j socket receiver deserialization vulnerability
- New test for NGINX range filter integer overflow (CVE-2017-7529)
- New test for Xdebug remote code execution via xdebug.remote_connect_back
- Numerous new checks for WordPress Core, WordPress plugins, Joomla Core and Drupal Core.
Updates
- Numerous memory management improvements
- Multiple updates to LSR and session detection improving scanning of restricted areas
- Improved speed of SQL Injection vulnerability checks
- The new LSR / Deepscan will improve support of JavaScript rich sites
- Added mock geo-location support to support scanning sites that require geo-location
- Improved analysis of XML and JSON
Fixes
- Fixed scanner crash when scan was resumed from paused state
- Fixed some issues in the handling of cookies
- Custom cookies were not always used
- Content-Type header was not always being sent. This affected the detection of some vulnerabilities
- Fixed a false positive in SSL weak key length vulnerability check
- Fixed issue in the Social Security Number and Credit Card number check
- Fixed issue with AcuSensor download on Linux release
- Fixed issue causing scans to be aborted when server returns an invalid charset
- Fixed a number of other issues causing the scanner to close unexpectedly
- Sensitive and Backup files were not being checked for in the site root
- Fixed issue with jquery version extractor
- Fixed 2 internally reported security issues
- Fixed issue with re-installation of Linux installations