Acunetix Standard & Premium

New features

• Improved the default roles.

New security checks

• Updated the WordPress plugin vulnerabilities.
• Updated the software composition analysis database.
• New security check for detection of ASP.NET core in the development mode.
• Added various checks for Content Security Policy misconfiguration.
• New security check for Oracle Web Applications Desktop Integrator unauthenticated takeover. (CVE-2022-21587)
• New security check for Deserialization RCE vulnerability in Oracle Access Manager OpenSSO Agent. (CVE-2021-35587)
• Updated the file extensions and parameter exclusions.
• New security check for F5 BIG-IP Cookie Remote Information Disclosure.
• New security check detecting retired hash functions usage in SAML.
• Improved the SQL injection check to identify whether the database user has admin privileges.

Improvements

• Added the Heuristic server-side routing detection to optimize attacks.
• Updated the embedded Chromium browser to v109.0.5414.119.
• Added the company name field to the registration process to Acunetix.
• Updated the issue tracker integrations to show the link to the relevant ticket created in those issue trackers.
• Updated the DISA STIG report to version 5.2.
• Improved the CSV importing link to limit the target limit to 500.
• Improved the scanner engine to reduce the memory footprint.
• Improved the .NET IAST sensor to mask any password.

Fixes

• Fixed the pagination bug on the Targets page.
• Fixed the crawler issue that the page becomes unresponsive when it contains many elements.
• Fixed the single-page application crawler to be consistent in the form submission.
• Fixed a notification bug that does not redirect users to the correct URL for the finished scan.
• Fixed the bug that does not refresh the user interface after the update.

New security checks

• Added SAML anonymous assertion consumer service audit for XML external entity injection, XSLT, Server-side request forgery, and Cross-site scripting.
• Added a SAML signature audit to test attacks on signature verification.
• Added various checks for Content Security Policy misconfiguration.
• New security check for ASP.NET core development mode.
• Updated the WordPress core vulnerabilities.
• Updated the WordPress plugin vulnerabilities.

Improvements

• Updated .NET IAST Sensor to detect a number of server-side configuration problems which may result in a security vulnerability.
• Improved the JSON payload tests.
• Updated JWT secrets dictionary.

Fixes

• Fixed a bug in the PHP IAST sensor when reporting arrays to the scanner.
• Fixed the scan summary page that failed to show some of the results.
• Fixed issues in the UI Notifications causing them to be unactionable.
• Fixed a problem that caused the LSR to show the mobile version for some sites incorrectly.
• Fixed .NET sensor issue that returns the root applications (website’s root) files although the sensor is enabled for sub-application.
• Fixed the version information shown on the user interface after the update.
• Fixed the routing issue for .NET Framework ASP.NET Web API because of compatibility issues.
• Improved the login sequence recorder notification that informs users when the response max size limit is exceeded.
• Fixed issue with pagination on the vulnerabilities page.
• Fixed the crawler issue that the page becomes unresponsive when it contains many elements.

New features

• New navigation menu for a better user experience.
• Notification updates are shown for the last 30 days

New vulnerability checks

• New check for Swagger UI DOM XSS vulnerability.
• New test for Fortinet Authentication bypass on the administrative interface (CVE-2022-40684).
• New test for Insecure usage of Version 1 UUID/GUID.
• New test for Text4shell: Apache Commons Text RCE via insecure interpolation (CVE-2022-42889).
• New test for OpenSSL X.509 Email Address Buffer Overflows (CVE-2022-3786).
• Updated test for Open Monitoring Interfaces.
• Updated the software composition analysis database.
• Updated the WordPress plugin vulnerabilities.

Updates

• Updated the embedded Chromium browser to v107.0.5304.87/88.
• Updated how scans reaching max scan time are displayed in UI.
• Updated Issue Tracker UI to accept internal URLs.
• Improved Log4J checks to reduce false positives.

Fixes

• Fixed the issue causing the IAST bridge to fail to send responses to the sensor when large packets are received from the sensor.
• Added loopback routes that returned ‘undefined’ as an HTTP method.
• Added the keep connection alive message between AcuSensor and the web application scanner to keep the connection alive.

Updates

• Updated to Chromium 105.0.5195.102

Fixes

• Fixed DeepScan issue

New features

• JAVA IAST AcuSensor can now be used on WebSphere
• HTTP requests can be copied as Curl command from the vulnerability data

New vulnerability checks

• New check for DotCMS unrestricted file upload (CVE-2022-26352)
• New check for .NET JSON.NET Deserialization RCE
• New check for Unauthenticated RCE in Confluence Server and Data Center (CVE-2022-26134)
• New check for Authentication bypass via MongoDB operator injection
• New check for MongoDB $where operator JavaScript injection

Updates

• Multiple DeepScan updates improving crawling of Single Page Applications (SPAs)
• Upgraded Chromium to v103.0.5060.114
• Improved handling of installed.json by PHP IAST AcuSensor
• SCA, AcuMonitor (OOB vulnerability checks) and URL malware checks now require the “Acunetix Online Services” to be enabled in the user profile
• Updated the MongoDB Injection checks
• Various UI updates and fixes

Fixes

• Multiple fixes in the JAVA and .NET IAST AcuSensors
• Fixed false negative in “Possible virtual host found”
• Fixed bug causing CSRF tokens to be retrieved using HTTP
• Fixed false positive in “Apache HTTP Server Source Code Disclosure”