Version 14 build 14.8.220519149 for Windows, Linux and macOS – 23rd May 2022
New Features
JAVA IAST sensor now supports Jetty and WildFly JAVA Servers
Improved support for Servlet3 and Jersey JAVA Frameworks
New Vulnerability Checks
Updates
Various UI improvements
Improved detection of Directory Traversal vulnerabilities
Improved detection of Directory Listing vulnerabilities
Improved detection of development files
Several improvements to LSR / DeepScan
Fixes
Fixed issue causing some vulnerabilities detected by AcuSensor not to show as AcuSensor verified
Fixed issue causing routes to not be listed by JAVA IAST sensor
Fixed 2 issues in Target CSV import
Fixed issue causing SCA not to be done on JAVA Spring boot web applications
Fixed issue causing some checks not to be executed on cookies with Secure flag
Version 14 build 14.7.220425114 for Windows, Linux and macOS – 26th April 2022
Updates
Upgraded Chromium to v100.0.4896.127
Version 14 build 14.7.220401065 for Windows, Linux and macOS – 1st April 2022
New Vulnerability Checks
Version 14 build 14.7.220329162 for Windows, Linux and macOS – 30th March 2022
Updates
Upgraded Chromium to v99.0.4844.84
Version 14 build 14.7.220322147 for Windows, Linux and macOS – 28th March 2022
New Vulnerability Checks
Updates
Engines page in UI now shows the number of Targets bound to a scanning engine
Vulnerabilities page in UI shows the Target Tracker Issue Id when the vulnerability is sent to an Issue Tracker
Upgraded Chromium to v99.0.4844.0
JWT audit checks are now done on GET / POST parameters
Fixes
Fixed several Scanner crashes
Numerous UI updates / fixes
Fixed error when configuring GitHub Issue Trackers
Numerous fixes related to CSRF token management
Better handling of imported URLs that are excluded in LSR
Fixed issue causing pre-request scripts to be renamed, which caused imported scripts to fail to load
Version 14 build 14.7.220228146 for Windows, Linux and macOS – 1st March 2022
New Features
.NET IAST Sensor (AcuSensor) can now be installed on .NET Core v3 and v5 on Windows (with Kestrel server)
Acunetix Scanner updated to support Routes for frameworks supported by the IAST sensors (AcuSensor)
Added support for Laravel framework in PHP IAST Sensor (AcuSensor)
Added support for CodeIgniter framework in PHP IAST Sensor (AcuSensor)
Added support for Symfony framework in PHP IAST Sensor (AcuSensor)
Added support for ASP.NET MVC in .NET Core IAST Sensor (AcuSensor)
Added support for Razor Pages in .NET Core in .NET IAST Sensor (AcuSensor)
Added support for Web API in .NET Framework and .NET Core IAST Sensors (AcuSensor)
Added support for Spring MVC in JAVA IAST Sensor (AcuSensor)
Added support for Spring Struts2 in JAVA IAST Sensor (AcuSensor)
New Vulnerability Checks
Updates
IAST Sensors (AcuSensor) capabilities have been updated to improve the detection of:
Arbitrary File Creation
Directory Traversal
SQL Injection
Remote Code Execution
Acunetix will start reporting when an old version of the IAST Sensor (AcuSensor) is installed on the web application
Considerable update to the handling of CSRF tokens
The Vulnerabilities page now includes a unique Vulnerability ID
Multiple UI updates
Multiple DeepScan updates
Fixes
Fixed issue with GitLab issue types not showing in UI
Fixed issue with Amazon AWS WAF export
Fixed several scanner crashes
Fixed issue with .NET IAST AcuSensor not working on IIS prior to version 10
Fixed issue with Node.js IAST AcuSensor causing web application to stop working
Fixed ordering issue caused in PDF Comprehensive reports for multiple scans
Fixed timeout issue causing IAST data not to reach the Acunetix scanner
Version 14 build 14.6.220117111 for Windows, Linux and macOS – 18th January 2022
Updates
Updated Python binaries to v3.8.10
Updated WordPress plugin and WordPress core vulnerability checks
Version 14 build 14.6.211220100 for Windows, Linux and macOS – 20th December 2021
New Vulnerability Checks
Apache Log4j RCE vulnerability check updated to detect blind (delayed) instances of the vulnerability
Version 14 build 14.6.211215172 for Windows, Linux and macOS – 16th December 2021
New Vulnerability Checks
Apache Log4j RCE vulnerability check updated to detect the vulnerability in web server exceptions
Apache Log4j RCE vulnerability check updated to execute on various HTTP Headers
Updates
Updated the scanner to test custom headers used by the web application
Version 14 build 14.6.211213163 for Windows, Linux and macOS – 13th December 2021
New Vulnerability Checks
Version 14 build 14.6.211207099 for Windows, Linux and macOS – 7th December 2021
New Features
Scanner supports detecting HTTP/2 vulnerabilities
New Vulnerability Checks
Updates
Improved handling of Laravel CSRF tokens
Added possibility to restrict scanning a Target using the Main Installation’s scanning engine
Added ability to configure blocking of requests to Ad services
Multiple UI updates
Multiple DeepScan updates
Multiple updates to the PHP AcuSensor
Fixes
Fixed: SQLi false negative caused when AcuSensor is installed
Fixed: Incremental scans not starting when scheduled via Jenkins plugin
Fixed: 2 issues in .NET sensor injector CLI
Fixed: Node.js sensor not working on https sites
Fixed: Not all paths are importing from specific Burp state file
Fixed: Scanner crashes when parsing specific GraphQL and Swagger 2 files
Fixed: Specific excluded paths can cause the scanner to hang
Fixed: multiple scanner hangs
Fixed: Race condition between LSR and BLR
Fixed: Imported URLs ignored when site redirects from http to https
Fixed: Incorrect permissions for some Acunetix files / folders on Linux / Mac
Version 14 build 14.5.211115146 for Windows, Linux and macOS – 16th November 2021
New Features
New OWASP Top 10 2021 compliance report
JAVA AcuSensor now supports JDK 11
New Vulnerability Checks
Fixes
Fixed issue causing hang in scanner
Fixed issue causing some vulnerabilities not to be detected when AcuSensor is enabled and not installed on the web application
Version 14 build 14.5.211109105 for Windows, Linux and macOS – 9th November 2021
New Vulnerability Checks
Fixes
Fixed issue in .NET AcuSensor CLI parameter used to list the web sites in IIS
Fixed issue in Clickjacking: CSP frame-ancestors missing vulnerability check
Fixed false positive in Cockpit CMS reset password NoSQLi
Version 14 build 14.5.211026108 for Windows, Linux and macOS – 26th October 2021
Updates
Removed message to “Press any key to continue” when installing .NET AcuSensor from CLI. This was hindering the automatic installation of the .NET sensor
Fixes
Fixed issue causing scans to fail when site redirects from http to https
Fixed issue causing incremental scans initiated from Jenkins plugin not to start
Version 14 build 14.5.211021117 for Windows, Linux and macOS – 21st October 2021
Fixes
Fixed crash when processing Swagger 2 file with non-existent references
Version 14 build 14.5.211008143 for Windows, Linux and macOS – 11th October 2021
New Features
New Vulnerability Checks
Updates
Export to AWS WAF is now available in all pages which allow WAF Export
Updated Pre-request scripts, making it easier to update session header value
Updated the detection of WAFs to support new WAFs
Increased the detection of development files
Improved the JavaScript Library Audit checks
Fixes
Fixed issue in Paros import
Fixed issue in scanner causing False Negatives when processing specific pages
Fixed issue in AWS WAF Export
Fixed issue in PHP Sensor not being detected when used in a large site with many files
Fixed issue causing pre-request scripts not to be loaded by scanner
Fixed 3 issues in Postman imports
Fixed False Negative in Django Debug Mode vulnerability check
Fixed issue causing high response times in UI caused by large quantity of Targets configured
Fixed false positive in “User credentials are sent in clear text” check
Version 14 build 14.4.210913167 for Windows, Linux and macOS – 14th September 2021
New Vulnerability Checks
Updates
Updated CORS Origin Validation check
Version 14 build 14.4.210831180 for Windows, Linux and macOS – 1st September 2021
Fixes
Fixed: Error when adding new Targets
Fixed: Scanner crash when using a Postman import file
Version 14 build 14.4.210826124 for Windows, Linux and macOS – 26th August 2021
New Vulnerability Checks
Updates
“AllOf” tag is now handled for Swagger2 schemas
Improved handling of import files for sub-domains and allowed hosts
Fixes
Fixed: Non-existent paths identified by WordPress checks
Fixed: Scanner crashing on specific content
Version 14 build 14.4.210816098 for Windows, Linux and macOS – 16th August 2021
New Features
Pre-request script support
New Log Data Retention options
New Vulnerability Checks
Updates
Max items shown per page can now be configured
Updated Deepscan to process hashes in URLs
Updated Chromium to v92.0.4512.0
Updated CSV export to include text only details
JavaScript Library Audit now supports merged JavaScript files
Added support for dev tools in standalone LSR
Multiple UI updates
Multiple LSR updates
Target knowledgebase will now be reset when Target settings are changed
Updated Selenium import to support selectFrame
Updated OWASP Top 10 report to include CVSS score
Updated Compliance report to include CWE
Added option to enable debuglogs for all Targets
Optimisations to the Java and Node.js AcuSensors
Improved support for Hapi framework in Node.js AcuSensor
Added support for find-my-way HTTP router in Node.js AcuSensor
Improved ionCube Loader-wizard information disclosure check
Improved cache poisoning DOS checks
Improved detection of Apache Struts2 Remote Command Execution (S2-052)
Improved detection of Directory Traversal vulnerabilities
Added option to skip testing of login form configured for the Target
Improved handling of Custom 404 pages
Fixes
Fixed multiple crashes in the scanner
Fixed issue causing some requests to be done to restricted links
Addressed multiple Deepscan issues
Paused scans can now be Aborted
Fixed XPath Injection false positive
Fixed Bitrix Open Redirect false positive
Fixed Spring Boot Actuator false negative
Fixed issue in .NET Sensor Manager not showing buttons on lower resolutions
Version 14 build 14.3.210628104 for Windows, Linux and macOS – 28th June 2021
Updates
Target Knowledgebase will be reset when Target Settings are changed
Updated SSL/TLS Certificate expiry threshold notification from 30 days to 60 days
Fixes
Fixed: OWASP compliance report template was not available in some Editions
Fixed: Some scripts were not observing Excluded paths configured in Target settings
Version 14 build 14.3.210615184 for Windows, Linux and macOS – 17th June 2021
New Features
New SCA (Software Composition Analysis) for PHP, JAVA, Node.js and .NET web applications. Acunetix will report vulnerable libraries used by the web application when AcuSensor is used
New Vulnerability Checks
Updates
Updated .NET AcuSensor
.NET AcuSensor can now be deployed from CLI
User is notified when imported URLs are out of scope
Scan events are no longer shown in JSON
New column for Continuous Scanning in the Targets page
New filter in Targets page to easily identify Targets with debug enabled
Vulnerabilities page shows if the vulnerability was detected by a web or network scan
Merged Add Target and Add Targets options in UI
Custom Field, labels and tags can be configured for Issue Trackers
Platform Admin can now unlock locked accounts
New column in CSV export showing details in text only
Updated the way that AcuSensor token can be updated in the Target Settings
PCI DSS compliance report updated to PCI DSS 3.2.1
Compliance Reports updated to make use of the Comprehensive report template
Browser Dev tools can be used when LSR is started from CLI
Updated XFO check
Multiple UI updates
Improved false positive detection of out of band RCE and argument injection vulnerabilities
Multiple updates to the Postman import implementation
Updated JavaScript Library Audit to support merged JavaScript files
Fixes
HSTS has been enabled for the AcuSensor bridge
Fixed: Latest Alerts section of Scan results was not updated with AcuMonitor (OOB) vulnerabilities
Fixed: Fragments were not clickable in the site structure
Fixed: HSTS Best Practices alert was sometimes reported multiple times
Fixed HSTS false negative
Fixed issue in the detection of Django 3 weak secret
Fixed issue causing GitHub labels not to be updated when changing Github issue Tracker Project
Fixed encoding issue in Node.js AcuSensor
Fixed issue causing corruption of Target knowledgebase
Fixed DeepScan timeout when processing Prototype JavaScript library
Fixed issue causing outdated JavaScript libraries check not to report external libraries
Fixed issue in OAuth password credentials grant
Version 14 build 14.2.210505179 for Windows, Linux and macOS – 6th May 2021
Fixes
Fixed validation errors when sorting vulnerabilities by Issue ID
Fixed issue causing Node.js sensor to fail to start on Node v6
Fixed issue causing some operations to be listed multiple times in Scan Statistics
Version 14 build 14.2.210503151 for Windows, Linux and macOS – 4th May 2021
New Features
Acunetix is now available on Docker
New Scan Statistics page for each Scan
Vulnerability information can now be sent to AWS WAF
New Vulnerability Checks
Updates
Full row and column selection is now possible in the Excluded Hours page
Updated UI with new Acunetix branding
Issue Tracker ID will be shown for vulnerabilities sent to any Issue Tracker
Issue Trackers can now be restricted to a specific Target Group
Target Description will be sent to the Issue Trackers
Updated Jira integration to support Jira version 9
Multiple updates to the JAVA AcuSensor
Scanning engine will now test cookies on pages which do not have any inputs
The scanner will stop testing cookies which have been found to be vulnerable
Where possible, DOM XSS vulnerabilities will show the code snippet of the vulnerable JavaScript call
CSV Export will now show the Target Address
Maximum size for a custom cookie configured in a Target increased to 4096 characters
New date filter in the Vulnerabilities page
Vulnerability severity now shows text in addition to color coded icon
Multiple updates to the LSR
Added support for BaseUrl / Global Variables in Postman import files
Fixes
Fixed extra CR in Target CSV export
Fixed DeepScan crash
Fixed: Discovery options are only shown to users with “Access All Targets” permission
Fixed: Existing user’s details shown when adding a new user
Fixed a scanner crash
Fixed: Blind XSS check is now part of the XSS scanning profile
Fixed: AcuMonitor checks were not done when scan was run by an engine-only installation
Fixed issue causing AcuMonitor not to be registered when using authenticated proxy
Fixed issue when loading vulnerabilities for a Target Group
Fixed issue with Postman importer
Fixed sporadic issue when checking for new Acunetix updates on Mac
Fixed issue in WP XMLRPC pingback check
Version 14 build 14.1.210329187 for Windows, Linux and macOS – 30th March 2021
Fixes
Fixed issue causing proxy authentication failures
Fixed scanner crash
Fixed indentation in Comprehensive report
Version 14 build 14.1.210324124 for Windows, Linux and macOS – 25th March 2021
Updates
Updated scanner so that “Restrict scans to import files” is taken into consideration for paths coming from Target knowledgebase
Fixes
Fixed a scanner crash
Fixed issue in Swagger 3 import feature
Version 14 build 14.1.210316110 for Windows, Linux and macOS – 17th March 2021
New Features
Web Asset Discovery, allowing users to discover domains related to their organisation or web assets already configured in Acunetix
New page showing all the Target FQDNs consuming a target license
New Vulnerability Checks
Updates
Acunetix updated to fully support NTLM Authentication for proxy authentication
Multiple LSR/BLR and DeepScan updates and fixes
Updated Chromium to v88.0.4298.0
Updated Postgres database to v13.2
Engines page has been updated to show the following:
Status (online or otherwise) for each Engine
The build number for each Engine
Any license issues are reported as part of the status for each Engine
Multi-Engine setups will now automatically update the Engine-only installations when the Main installation is updated
The UI will reload after Acunetix is upgraded
‘WAF Export’ button renamed to ‘Export to’, and feature added to the Scans Page
Multiple updates to the Comprehensive report
Proxy Settings can now be specified for each Issue Tracker
Updated JavaScript Library Audit check to cover libraries not hosted on the scanned target
Users can now be created from the API
Updated CORS check
Fixes
Fixed bug in “Vulnerabilities in SharePoint could allow elevation of privilege” check
Fixed issue causing check for updates to occasionally fail on macOS
Fixed issue causing DOM XSS sink not to always be shown in the code extract displayed in the alert
Fixed issue caused when a custom collection is used in a TFS issue tracker configuration
Fixed issue in WordPress XML-RPC pingback abuse check
Fixed Deepscan crash
Fixed False Positive in Broken Link Hijacking check
Vulnerability CSV export now includes URL where vulnerability was detected