Acunetix Standard & Premium

New Features

• New AcuSensor for Node.js
• New Target Knowledgebase records scan data which is used to improve future scans
• New FQDN and Target filter in Grouped Vulnerabilities page
• New FQDN column in Targets page

New Vulnerability Checks

• New test for Unrestricted access to Prometheus Interface
• New test for Unrestricted access to Prometheus Metrics
• New test for Unrestricted access to Golang expvar
• New test for Unrestricted access to Node.js status-monitor page
• New test for Unrestricted access to HAProxy stats page
• New test for Unrestricted access to Nginx stub_status page
• New test for Unrestricted access to Nginx nginx-module-vts status page
• New test for Unrestricted access to Traefik Dashboard
• New test for Unrestricted access to Kafka monitoring
• New test for Unrestricted access to Netdata Dashboard
• New test for Typo3 Admin publicly accessible
• New test for Typo3 sensitive files
• Updated WordPress Plugin checks
• Updated Drupal core checks

Updates

• Simplified User Profile page
• Improved handing of HTML comments
• Improved processing of sites using dynamic links
• Improved parsing of JavaScript for new paths
• Form input type is taken into consideration when processing forms
• Scanner now supports NTLM Authentication for proxy authentication
• multiple DeepScan updates
• Comprehensive report updated to use time zone configured for Acunetix user
• Added setting in settings.xml to choose which SSL cipher to be used by the scanner
• Integrated LSR logs are now stored for troubleshooting purposes
• Notify user when client certificate is required but not configured for Target
• Improvements in MAC installation
• PHP AcuSensor will start including Stack Trace
• Multiple LSR / BLR updates

Fixes

• Filter items sorted alphabetically
• Fixed minor UI glitch in multi-engine registration page
• Multiple fixes in SlowLoris detection
• Fixed scanner crashes
• Fixed CSV injection in Target Export
• Fixed UI issues in Target Groups page
• Fixed formatting for issues pushed to Jira
• Fixed issue when installing on Centos8

New Features

• New user role: Platform Admin, provides full access to Acunetix

Updates

• Network Settings can now be confirmed using the new Check Settings button
• Management of Targets by Tech Admin role can now be selectively turned off

Fixes

• Fixed issue causing inability to access last continuous failed scan
• Fixed UI issues causing inability to add targets to target group when target list is filtered
• Acunetix is now correctly reporting progress for Network Scans
• UI updated to hide specific options for the different Acunetix user roles

New Features

• Logon Banner can be configured for Acunetix logon page (satisfies DOD Notice and Consent Banner requirement)
• Added ability to export vulnerabilities to CSV (available as WAF Export option)
• Added ability to export scan locations to CSV (available as WAF Export option)

New Vulnerability Checks

• New check for JavaScript Source map detected
• New check for Unauthenticated Remote Code Execution via JSONWS in Liferay 6.1 (LPS-88051)
• New check for Oracle WebLogic Server unauthenticated remote code execution (CVE-2020-14882)
• Updated WordPress plugin checks

Updates

• Improved handling of Swagger
• The scanner will try to detect differences in the site using different user-agents
• Various minor UI updates
• Added Scan Profile used in Scan results
• Business Logic Recorder cannot be used on Targets which require Manual Intervention
• Updated Jira issue tracker
• Improved error shown when checking for updates fails
• Updated import file feature to support files using BOM
• Comprehensive report tags vulnerabilities detected by AcuSensor and AcuMonitor

Fixes

• Fixed issue causing multi-line session detection not to be used during scan
• Updated Jira issue tracker to use proxy server if configured
• Fixed issue causing gzip encoded body of HTTP responses to become invalidated
• Fixed: Printing the Coverage report would not print the sitemap in the report
• Fixed issue causing some login forms not to be detected during the scan
• Fixed timing issue when scheduling a scan for a future date
• Fixed scanner crashes caused by specific import files
• Fixed issue causing DeepScan not to be used on Kali Linux
• Fixed false positive in Zend Framework LFI via XXE
• Fixed issue causing some scans to fail because of the client certificate
• Fixed issue causing LSR playback to fail for some scans
• Fixed issue in New Scan dialog for Tech Admin users

New Features

• New Data Retention settings, providing the ability to:
  • Keep the last 3 scans for each target and archive previous scans
  • Delete archived scans which are older than 2 years
  • The above data retention settings are configurable
  • The above settings affect vulnerabilities detected, which are archived / deleted accordingly
• A default scan profile can be configured for each target
• Forgot Password option for Acunetix On premise, allowing users to reset their password – Email settings need to be configured
• Detect paths in JavaScript code via static method analysis
• Ability to retrieve links from several HTTP headers
• Scanner will try to auto-discover API definitions

New Vulnerability Checks

• New check for SAP NetWeaver RECON (CVE-2020-6287)
• New check for DNN (DotNetNuke) CMS Cookie Deserialization RCE (CVE-2017-9822)
• New check for Insecure Referrer Policy
• New check for Remote code execution of user-provided local names in Rails
• New check for Cisco Adaptive Security Appliance (ASA) Path Traversal (CVE-2020-3452)
• New check for Total.js Directory Traversal (CVE-2019-8903)
• New check for Envoy Metadata disclosure
• New checks for WordPress Core / Plugins / Themes, Drupal and Joomla vulnerabilities

Updates

• Vulnerabilities are now shown as grouped by Vulnerability Type and FQDNs
• Numerous improvements affecting vulnerability deduplication
• Deleted Targets will not be showing in the UI by default
• Malicious links detected will be highlighted in the vulnerability report
• Ability to scan all Targets in a Target Group
• Improved Swagger support implementation
• Updated backup files/folders and possible sensitive files checks to report alerts on parent of file detected
• Time zone can now be configured by each user account
• User accounts can now change UI to Chinese
• .NET Sensor updated to support .NET Core
• Updated Session Fixation vulnerability check to avoid possible False Positives
• Updated to Chromium v83

Fixes

• Fixed issue with offline activation
• Fixed a few crashes occurring on specific sites
• Fixed issue affecting AcuMonitor when scanning certain sites
• Various small UI fixes
• Fixed Target Deletion issue for Consult licenses
• Fixed: PDF report generation was failing in specific situations
• Fixed issue causing HTTP requests passing through a proxy to fail
• Fixed issue affecting relative HTTP redirects
• Fixed issue causing Manual Intervention not to work on Linux
• Fixed issue causing DeepScan to miss some DOMXSS vulnerabilities
• Fixed text overlapping issue in reports
• Fixed issue causing Telerik Web UI RadAsyncUpload Deserialization (CVE-2019-18935) to not always be detected
• Fixed: ‘HTTP Strict Transport Security (HSTS) not implemented’ and ‘HTTP Strict Transport Security (HSTS) Best Practices’ where using the same name
• Fixed: Sensitive files / directories checks were missing Attack details
• Fixed issue caused when sorting scans by target description
• fixed a few issues in the Login Sequence Recorder and Business Logic Recorder