Version 12 (build 12.0.191121158 – Windows and Linux) 25th November 2019
New Features
New scanning algorithm resulting in faster scans
Scanner will give higher priority to locations which are dissimilar to ones that have already been scanned
JAVA AcuSensor now supports JAVA Spring Framework
New Vulnerability Checks
Updates
Deepscan is now caching static assets. This will result in faster scans
Improved memory consumption by the scanner
Improved processing of forms and form handling
Improved detection of paths
Scanner will now process commented out html
Updated command injection payloads
Fixes
Fixed scanner crash
Fixed WAF detection false positive
Fixed: Check for Sensitive files was accessing restricted links
Fixed issue causing scanner to multi-line session validation pattern
Fixed: Some locations where incorrectly detected by DeepScan
Fixed issue causing integrated LSR to close due to Ad blocking
Fixed issue with HAR import files
Fixed issue in the detection of Weak authentication credentials
Fixed issue affecting the detection of DOM XSS vulnerabilities
Fixed issue in the detection of possible username and password disclosure
Fixed issue with recording restricted links in Internet Explorer
Fixed: Tech Admin can now configure the engine to be used for a Target
Fixed issue affecting scanning of domains with international characters
Version 12 (build 12.0.190927120 – Windows and Linux) 30th September 2019
New Features
Introduced new Scan Type: New Web Vulnerabilities to scan for new vulnerabilities introduced in the latest Acunetix update
Introduced ad-blocking in the scanner, resulting in faster scans
Implemented support for Session HTTP headers when logging in to the site
Introduced custom_settings.xml to configure settings from settings.xml , which are not overwritten on upgrade
New Vulnerability Checks
Updates
The scan will now report when an invalid Selenium script is used as an import file
Improved detection of the type of Burp import file being used
Increased limit on Custom Headers
Multiple improvements in DeepScan
The LSR Record button is disabled during Login Action playback
Acunetix will start reporting login forms when no login credentials are configured
The tester user will not be able to create or view reports
Fixes
Fixed: Directory Traversal vulnerabilities were sometimes incorrectly reported as found with AcuSensor
Fixed: Several broken references in the vulnerability alerts
Fixed: HTTP Response was not shown in some vulnerability alerts
Fixed an issue causing DeepScan to take too long to process some locations
Fix in PHP Hash Collision DOS vulnerability check
Fixed: Integrated LSR was not working on IE11
Fixed: Selenium script playback fails for some scripts
Fixed: Session Detection fails if session pattern spans multiple lines
Fixed: LSR keeps showing the spinner on some pages
Fixed: LSR Session pattern was not always saved when detected using the navigation
Fixed: LSR Session pattern check might fail for in body / not in body patterns
Fixed: On some systems, Chromium processes cannot be terminated when generating PDF reports
Fixed: Passwords were recoverable from the UI
Better handling of HTTP timeouts by vulnerability checks
Version 12 (build 12.0.190827161 – Windows and Linux) 28th August 2019
New Features
Implemented support for OpenSearch
Acunetix will try to discover hidden parameters and test them
Acunetix can now check base64 encoded JSON inputs for vulnerabilities
New Vulnerability Checks
New test for Oracle Business Intelligence Convert XXE (CVE-2019-2767 )
New test for Oracle Business Intelligence Adfresource Path traversal (CVE-2019-2588 )
New test for Oracle Business Intelligence AuthBypass (CVE-2019-2768 )
New test for Oracle Business Intelligence ReportTemplateService XXE (CVE-2019-2616 )
New test for Jira RCE (CVE-2019-11581 )
New test for Test for Atlassian Crowd RCE (CVE-2019-11580 )
New tests for Python Code Injection
New test for Apache Spark RCE [https://spark.apache.org/security.html] (CVE-2018-11770 )
New test for ColdFusion Deserialization RCE (CVE-2019-7091 )
Implemented support for OpenID Connect Discovery
Detect and report Apple application association files
Added new checks for WordPress plugins, Drupal core and Joomla core
Updates
Updated UI to accept IPv6 addresses
Multiple improvements to DeepScan
Improved the Directory Traversal check
Updated the scan limits, reducing repeated requests to larger sites
Acunetix will now extract and process gzipped files
Multiple updates to parsing and heuristic crawler features
Improved the vulnerability deduplication – similar vulnerabilities will be reported once
Improved reporting of the cause of scan failures (e.g. website is unresponsive, invalid import file etc)
Credentials provided to Auto-Login or LSR will not be used for vulnerability tests
Improved processing of Selenium scripts
Improved login form detection by Auto-Login feature
Improved WebLogic detection, and testing for default WebLogic credentials
Improved detection of Vulnerable JavaScript libraries check
Fixes
Fixed a number of issues causing the scanner to stop unexpectedly
Fixed issue causing AcuMonitor checks to be done when AcuMonitor is not enabled
Fixed issue with WSDL parsing
Fixed: Reflected tests (e.g. reflected XSS) was not done on JSON inputs
Fixed issue causing 100% CPU usage when processing certain pages
Fixed hang in the Acunetix Administrative Password utility on Windows
Fixed: DeepScan was not processing XHTML pages
Fixed issue causing Chromiumn process to remain active after PDF report generation
Fixed issue caused by background requests when recording a login sequence
Fixed issue when recording a login sequence on a site that uses cross-domain iframes
Fixed issue when parsing WADL
Fixed issue causing Host Header Attack false negatives
Version 12 (build 12.0.190703137 – Windows and Linux) 4th July 2019
New Vulnerability Checks
New test for Joomla! Core CSV Injection vulnerability check [CVE-2019-12765]
New test for Joomla! Core XSS vulnerability check (CVE-2019-12766 )
New test for Joomla! Core Security bypass (CVE-2019-12764 )
New test for Oracle Weblogic XXE (CVE-2019-2647 )
Added the detection of CDNs
Added the detection of reverse proxies
Updates
Auto-Login is now using the LSR functionality – this will improve auto-login in general
Improved detection of DOM XSS
Improved handling of invalid Selenium scripts
Improved handling of email addresses fields in web forms
Improved parsing of WSDL files
Implemented support for Proxy-Authenticate header
Improved crawling of Spring-based web applications
Updated LSR to automatically dismiss modal dialogs during playback
Reduced false positives in checks looking for sensitive and backup files
Reduced false positives in SSN number detection
Reduced false positives in XSS in URIs
Improved the detection of WAFs
LSR can now record actions within <iframe> elements
Jira Issue Tracker integration now supports HTTP Authentication with API key
Fixes
Fixed a crash when parsing SOAP messages
Fixed issue in interpretation of some Selenium scripts
Fixed a number of broken links in the Vulnerability Alerts
Autologin was recording the password in the log file
Fixed crash caused when reading specific swagger files
Fixed crash caused when reading specific large files
Fixed issue causing the scanner to go into a loop
Fixed issue causing crawler to not interpret correctly certain locations in JavaScript
Fixed issue in Manual Intervention
Fixed issue affecting sites using euc-kr encoding
Fixed Chromium issue caused when window.chrome is used by the site
Fixed issue causing Chromium not to load on Kali Linux
Fixed LSR playback issue caused when input field contained predefined text
SRI not implemented was being reported multiple times per host
Version 12 (build 12.0.190515149 – Windows and Linux) 14th May 2019
New Features
Network Scanning via OpenVAS integration Introduced support for IPv6 domains (IPv6 addresses not supported yet)
Dynamic resource allocation for when multiple scanners are started on the same machine
Improved resource usage for string comparison functions
Selenium scripts can now be used as import files
New Vulnerability Checks
Updates
Multiple improvements to the detection of Blind SQL Injection
Improved the Error Messages vulnerability check
Improved the Adobe Experience Manager tests
Improved detection of Java Deserialization and Mongo alert deduplication
Improved detection of Rails accept file content disclosure
Updated alert details for Oracle WebLogic Remote Code Execution via T3 (CVE-2018-3245)
Improved detection of Confluence
Improved PHP AcuSensor when used on nginx
Improved detection of PHP code injection
Updated Directory Traversal Check to make fewer requests
Multiple improvements to DeepScan and the LSR
Implemented support for WebSockets in LSR and Deepscan
Fixes
Fixed a few crashes
Fixed issue causing Postcrawl scripts to not be executed on folders
Fixed: Custom cookies could be used twice when the application sets the same cookies
Cookie processing now ignores leading . in domain
Fixed issue with LSR when used on Internet Explorer
Fixed issue with HTTP Authentication
Fixed false positive in Struts_RCE_S2-052_CVE-2017-9805
Fixed severity level for CSRF vulnerability check
Fixed False Negative in Mercurial repository found check
Fixed issue causing site structure not to be updated with locations identified by vulnerability scripts
Version 12 (build 12.0.190404166 – Windows and Linux) – 5th April 2019
New Vulnerability Checks
Updates
Minor update improving efficiency of PerFolder checks
LSR: Disabled spellcheck for fields loaded
Deepscan: Improved exclusion of clicks on logout elements
LSR: clicks on some SVG elements where not being recorded
LSR: Session Pattern Detection now uses session headers provided by webapp
Fixes
Fixed 2 issues causing the scanner to stop unexpectedly
Scan progress was not always correctly saved when scan is paused
Session Pattern Detection was not always using the session headers provided by the webapp
Version 12 (build 12.0.190325161 – Windows and Linux) – 26th March 2019
New Features
Verified vulnerabilities are now indicated by Acunetix
New Vulnerability Checks
Updates
Updated Directory Traversal vulnerability check
Improved detection of Blind SQL Injection
On Linux, OOM Killer will now stop less important processes
Improve handling of XHR requests in Deepscan
Multiple improvements to the LSR and Session detection
Scan Stats are now retained between Pause/Resume
Improved the detection of paths from JSON and XML
Improve techniques used to detect type of input in web form
Multiple minor UI updates
Fixes
Fixed multiple instances of scanner stopping unexpectedly
Fixed false positive reported by WordPress plugin All in One SEO Pack privielege escalation check
Fixed issue causing the same web application to be detected multiple times
Some vulnerability alerts did not show the HTTP Response
Fixed issue causing incorrect processing of default values in forms
HTTP redirects were not being detected
Fixed issue in File Upload XSS vulnerability check
Fixed issue causing PerFolder scripts not to be executed on all folders
Fixed issue causing HAR file importing to fail
Fixed issue causing LSR to fail to load Target with uppercase address
Fixed issue causing SharePoint Reflected Cross-Site Scripting (CVE-2017-8514) not to be reported
Version 12 (build 12.0.190227132 – Windows and Linux) – 27th February 2019
New Vulnerability Checks
Updates
Update Source Code Disclosure checks to prevent False Positives
Unused paths are filtered out from AcuSensor data
Fixes
Fixed false positive in Expression Language Injection vulnerability check
Fixed issue in LSR / Deepscan when processing scripts overriding toJSON on Object
Version 12 (build 12.0.190214162 – Windows and Linux) – 15th February 2019
Updates
Improved scanning of .NET web applications
Improved processing of CSS files
40% speed improvement when parsing pages
Various updates to WSDL processing
Fixes
Some invalid URLs were being incorrectly reported as external hosts
Fixed issue causing communication problem between scanner and backend
Allowed hosts were not always being scanned
Integrated LSR was not always working on Internet Explorer 11
Fixed LSR display problem when browser window is zoomed or resized
Fixed issue when importing Burp State file
Version 12 (build 12.0.190206130 – Windows and Linux) – 7th February 2019
New Features
New Integrated Login Sequence Recorder – Login Sequences can be recorded directly from the Acunetix UI
Swagger (JSON and YAML) and WSDL can be used as import files
New Vulnerability checks
New checks for a number of WebBackdoors
New checks for elmah.axd information disclosure
New test for Stack Trace Disclosure in Django
New test for Stack Trace Disclosure in ASP.NET
New test for Stack Trace Disclosure in ColdFusion
New test for Stack Trace Disclosure in Python
New test for Stack Trace Disclosure in Ruby
New test for Stack Trace Disclosure in Tomcat
New test for Stack Trace Disclosure in Grails
New test for Stack Trace Disclosure in Apache MyFaces
New test for Stack Trace Disclosure in Java
New test for Stack Trace Disclosure in GWT
New test for Stack Trace Disclosure in Laravel
New test for Stack Trace Disclosure in Rails
New test for Stack Trace Disclosure in CakePHP
New test for Stack Trace Disclosure in CherryPy
New Directory Listing vulnerability checks
New Error Message vulnerability checks
New test for Oracle Reports RWServlet showenv
New test for Docker Engine API publicly accessible
New test for Docker Registry API publicly accessible
New test for Jenkins server user enumeration
New test for Jenkins server weak credentials
Added the following new tests for Adobe Experience Manager
Day CQ WCM Debug Filter enabled
LoginStatusServlet exposed (allows to bruteforce credentials)
Bruteforce a set of default AEM credentials if LoginStatusServlet is exposed
QueryBuilderFeedServlet public accessible, sensitive information might be exposed
Implemented tests for a bunch of SWF files that are exposed by AEM code that are vulnerable to Reflected XSS
Test if the AEM Groovy Console is publicly accessible. Permits RCE
Added a test for exposed AEM ACS Tools (a set of tools for AEM developers) – RCE is possible
Test if GQLServlet is publicly accessible. Sensitive information could be exposed
Test if Adobe Experience Manager AuditLogServlet is publicly accessible. Audit log records could be exposed
Test for Server Side Request Forgery (SSRF) via SalesforceSecretServlet (CVE-2018-5006 )
Test for Server Side Request Forgery (SSRF) via ReportingServicesServlet
Test for Server Side Request Forgery (SSRF) via SiteCatalystServlet was detected
Updates
Improved the scanning of sites using SOAP
Improved parsing of paths
TXT import now takes precedence over excluded paths
Improved the adherence of the scan scope
Improved the detection of the version of WordPress plugins
Improved the automatic session pattern detection in the LSR
LocalStorage / SessionStorage is retained between LSR and Deepscan Sessions
Fixes
Fixed: Scan scope was not always respected
Technology detected during the scan was not being reported
Fixed several scanner unexpected termination issues
Fixed issue causing large PDF reports not to be generated
Fixed: AcuSensor file data is better filtered by scanner
Version 12 (build 12.0.190121124 – Windows and Linux) – 22nd January 2019
Updates
HTTP response size limit has been increased to 20Mb
Swagger parser now supports yml files
Fixes
Fixed a scanner crash
Fixed: Login Sequence Recorder was not using the User-Agent configured for the Target
Fixed issue causing false positives in ‘User controllable charset’ and ‘User controllable script source’
Fixed issue with BURP state file importer
Fixed: Users could not update an expired POC license
Version 12 (build 12.0.181218140 – Windows and Linux) – 18th December 2018
New Vulnerability checks
New test for Apache Solr XXE (CVE-2017-12629 )
New test for RCE in Spring Security OAuth (CVE-2016-4977 )
New test for Apache mod_jk access control bypass (CVE-2018-11759 )
New test for Unauthenticated Stored XSS in WordPress Plugin WPML (CVE-2018-18069 )
New test for ACME mini_httpd (web server) arbitrary file read (CVE-2018-18778 )
New test for OSGi Management Console Default Credentials
New test for Flex BlazeDS AMF Deserialization RCE (CVE-2017-5641 )
New test for common misconfigurations in ColdFusion
New test for AMF Deserialization RCE in ColdFusion (CVE-2017-3066 )
New test for JNDI injection in ColdFusion (CVE-2018-15957 )
New test for unauthenticated File uploading in ColdFusion (CVE-2018-15961 )
New WordPress / WordPress plugin vulnerability checks
Updates
Improved the injection of payloads and other improvements in the handling of JSON data
Updated Chromium to fix Chromium vulnerability
Improved web application detection
Fixes
Corrected LSR launch message for Linux installations
Fixed Update License issue on Internet Explorer
Fixed several memory leaks/scanner closing unexpectedly
Fixed issue affecting the processing of some content types
Some cookies were being added multiple times during the scan
Some redirects were not being correctly handled
Some requests generated by the scanner incorrectly contained two backslashes (‘//’)
Fixed issue in the Backup Folders checks going out of scope
Several minor fixes
Version 12 (Windows build 12.0.181203110, Linux build 12.0.181204095) – 4th December 2018
New features
Deepscan has been updated to make use of Chromium (Windows only – already included in Linux)
Login Sequence Recorder has been updated to make use of Chromium (Windows only – already included in Linux)
Acunetix can now test APIs document using Swagger (Windows only – already included in Linux)
Introduced support for NTLM HTTP Authentication on Linux release (already included on Windows)
Introduced support for Kerberos HTTP Authentication (Windows only)
New vulnerability checks
A huge update increasing the detection of Stored XSS
New test for possible file creation using the HTTP PUT method
New test for Apache Tomcat Remote Code Execution Vulnerability (CVE-2017-12615 )
New test for Ektron Content Management System (CMS) 9.20 SP2, remote re-enabling users (CVE-2018–12596 )
New test for httpoxy vulnerability
New test checks if CouchDB REST API is publicly accessible
New test checks if CouchDB is vulnerable to Remote Privilege Escalation resulting in Remote Code Execution (CVE-2017-12635 )
New test for Apache ActiveMQ default credentials
New test for Node.js Path validation vulnerability (CVE-2017-14849 )
New test for GoAhead web server RCE via unsafe environment initialization of forked CGI scripts (CVE-2017-17562 )
New test for publicly accessible Hadoop YARN ResourceManager WebUI
New test for jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability
New test looks for Google Firebase Databases URLs in the response and checks if the Firebase Databases are accessible without authentication
New test for Oracle WebLogic Remote Code Execution vulnerability via T3 (CVE-2018-3245 )
New test for Oracle WebLogic Authentication Bypass vulnerability (CVE-2018-2894 )
New test checks if Jupyter Notebook is publicly accessible
New test for Apache Log4j socket receiver deserialization vulnerability
New test for NGINX range filter integer overflow (CVE-2017-7529 )
New test for Xdebug remote code execution via xdebug.remote_connect_back
Numerous new checks for WordPress Core, WordPress plugins, Joomla Core and Drupal Core.
Updates
Numerous memory management improvements
Multiple updates to LSR and session detection improving scanning of restricted areas
Improved speed of SQL Injection vulnerability checks
The new LSR / Deepscan will improve support of JavaScript rich sites
Added mock geo-location support to support scanning sites that require geo-location
Improved analysis of XML and JSON
Fixes
Fixed scanner crash when scan was resumed from paused state
Fixed some issues in the handling of cookies
Custom cookies were not always used
Content-Type header was not always being sent. This affected the detection of some vulnerabilities
Fixed a false positive in SSL weak key length vulnerability check
Fixed issue in the Social Security Number and Credit Card number check
Fixed issue with AcuSensor download on Linux release
Fixed issue causing scans to be aborted when server returns an invalid charset
Fixed a number of other issues causing the scanner to close unexpectedly
Sensitive and Backup files were not being checked for in the site root
Fixed issue with jquery version extractor
Fixed 2 internally reported security issues
Fixed issue with re-installation of Linux installations
Version 12 (Linux release build 12.0.181115088) – 15th November 2018
New Features
Acunetix release for Linux Acunetix can now test APIs document using Swagger
Deepscan has been updated to make use of Chromium
Login Sequence Recorder has been updated to make use of Chromium
Version 12 (build 12.0.181012141) – 12th October 2018
New Vulnerability Checks
Updates
License keys can now be updated via the Acunetix web UI
Additional memory improvements
Improved exclusion of parameters
Multiple updates to existing vulnerability checks
Improved CORS origin validation failure checks
Improved Pickle Serialization check
Fixes
Manual Intervention was not working after a paused scan is resumed
Scans for some sites using Digest HTTP Authentication were stopping unexpectedly
Additional fixes for issues causing scans exiting unexpectedly
Fixed issue causing many product update requests when proxy authentication is incorrectly configured
Fixed: Some backup files / folders were not being identified
Some vulnerabilities were incorrectly reported in the site root
Fixed issue in similar page detection causing scans to take longer than expected
Fixed issue causing valid sessions not to be identified correctly during the scan
Version 12 (build 12.0.180911134) – 11th September 2018
New Vulnerability Checks
Updates
Multiple updates to the SSL checks
Various memory optimisations
Less requests required to verify AcuMontior checks
Fixes
Fixed bug in testing of cookie values
Fixed memory issues, causing some scans to exit unexpectedly
Fixed bug causing some scans to crash when paused and resumed
Fixed issue causing some scans to be aborted immediately because of error status on initial response
Fixed issue causing some locations to get omitted from site structure
Multiple fixes to import file feature
Fixed issue which caused DeepScan not to use all cookies
Custom headers were added twice on redirect
Fixed issue affecting some sites using SSO
Version 12 (build 12.0.180821106) – 22nd August 2018
New Vulnerability checks
Updates
Reduced the number of requests required for Web Application Detection
Improved the JSON and the Generic document parser
Improved handling of non-responsive sites
Fixes
Fixed a few infrequent crashes
Fixed Malware link checking vulnerability test
Fixed issue causing scan to be aborted on redirect to different FQDN for login
Fixed issue causing Scan Comparison reports to fail
Fixed issue causing the scanner not to crawl certain HTTPs sites correctly when using proxy
Version 12 (build 12.0.180801120) – 1st August 2018
Fixes
Fixed the detection of some DOMXSS variants
Fixed scanner crash
Version 12 (build 12.0.180725167) – 26th July 2018
New Features
HTTP response is now shown for vulnerabilities detected (only affects new scans)
Manual Intervention has been implemented in v12
New Vulnerability checks
Added detection of Java Object Deserialization vulnerabilities
Added detection for Cisco ASA Path Traversal (CVE-2018-0296 )
Added tests for misconfigured nginx aliases that can lead to a path traversal
Added detection of Spring Security Authentication Bypass Vulnerability (CVE-2016-5007 )
Added detection of weak/insecure permissions for Atlassian Jira REST interface
Added detection of Apache Tomcat Information Disclosure (CVE-2017-12616 )
Added detection of Spring Data REST Remote Code Execution (CVE-2017-8046 )
Added detection of Insecure Odoo Web Database Manager
Added detection of JBoss Remote Code Execution (CVE-2015-7501 and CVE-2017-7504 )
Added detection of WebSphere Remote Code Execution (CVE-2015-7450 )
Updated WordPress Plugin vulnerability detection
Updates
Password is no longer required when configuring client certificate for a Target
Additional memory optimizations
Scanner will now report when the LSR cannot login
Application Error Message vulnerability check updated to provide more details on the error
Reports, XML exports and WAF exports now use a more meaningful filename
Reports now show the status of a scan
Scan debug logs now include imported files
Increase maximum number of issues trackers that can be configured
Fixes
multiple crashes while scanning
Scanner will now re-authenticate when website invalidates authentication during scan (applies to HTTP authentication only)
Scanner sometimes fails to decode LSR output, leading to an unauthenticated scan
Fixed many issues causing vulnerabilities not to be detected or to be detected incorrectly
Two fixes affecting the setting of Cookies
Fixed issue in RSS parsing
Fields with certain characters in the name (such as $) were not being tested
Some out of scope paths were still being crawled
Fix in the Autologin
Upon upgrade, user is asked to “Logout from Other Session”
Target and Vulnerabilities reports were failing
Recurrent scans for Standard licenses were being disabled
some reports were generated without file extension
Version 12 (build 12.0.180709159) – 9th July 2018
New Features and Vulnerability tests
Added vulnerability checks for the following WordPress plugins
Updates
Scanner will automatically continue scanning when http redirects to https
Improvement in memory usage
Acunetix will now hand over DNS resolution to Proxy Server when configured
Improved messaging during installation
Fixes
Scanner crash in DeepScan
Scanner hang when certain LSR files are used
Incomplete scans in certain situations, such as when using import files
Version 12 (build 12.0.180628131) – 28th June 2018
New Features and Vulnerability tests
Fixes
Fixed issue with NTLM HTTP Authentication
Fixed issue causing some pages not to load correctly in the LSR
Fixed 2 false positives for “User controllable charset” and “User controllable script source”
Fixed issue in handling HAR import files
Version 12 (build 12.0.180619111) – 19th June 2018
New Features and Vulnerability tests
Fixes
Crash dump was sometimes not being created
Version 12 (build 12.0.180615105) – 15th June 2018
Updates
More improvements to Web Application Detection
Reports not show if a scan has failed
Fixes
Scanner was not parsing all AcuSensor data, causing some vulnerabilities not to be reported when AcuSensor is used
Some reqeusts to HTTPs sites were being downgraded to HTTP
Version 12 (build 12.0.180611183) – 11th June 2018
New Features and Vulnerability tests
Introduced system to automatically avoid testing similar pages
New check for Oracle Weblogic WLS-WSAT Component Deserialization RCE affecting versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0 (CVE-2017-10271 )
New check for PHPUnit RCE affecting versions 4.8.28 and 5.x before 5.6.3 (CVE-2017-9841 )
New check for Edge Side Include Injection vulnerabilities
New check for Dotenv (.env and variants) files
New check for Joe Text Editor DEADJOE file
New check for Symfony configuration file
New check for Laravel (PHP framework) log files
New check for publicly accessible backup directory in Drupal Backup Migrate
Updates
Updated timeout and retries for HTTP requests done by some vulnerability checks
Updated Web Application Detection checks to make less HTTP requests resulting in faster scans
Various minor updates to the UI
Improved parsing of robots.txt
Improved detection of default index files
Acunetix now shows the number of licensed Targets in the License section of the UI
Fixes
Some addresses were not parsed correctly, resulting in incorrect paths
Some addresses were not detected, resulting in missing paths
Some paths where being detected incorrectly
Scanner crash when allowed hosts are used
Scanner crash when parsing some pages
Scanner hang when crawling caused by DeepScan
No links parsed from pages without Content-Type header
Some vulnerability checks duplicated the query values
Sitemap was always being detected
Fixed validation issues in Security Settings > Account Lockout > Lockout timeout
License checks was failing for some installations
Version 12 (build 12.0.180521161) – 22nd May 2018
Updates
DeepScan has been updated to ignore images resulting in faster scans
Fixes
Excluded paths not taken into consideration
Parts of the scan were not using the Custom 404
Some paths where not identified correctly
Version 12 (build 12.0.180517125) – 17th May 2018
New Features and Vulnerability tests
Updates
Updated detection of Drupal installations
Changed to a more moderate definition of a Target for licensing purposes
Number of Targets and Users configured are now shown in the UI > Licensing section
UI now shows if the latest build is being used, and allows the user to check for updates manually
Fixes
Multiple updates and fixes to the HTML parser
Multiple updates and fixes to the Acunetix UI
Auto-login was making unnecessary requests
Some vulnerabilities were showing ‘null’ URL
Data from AcuSensor was not being interpreted correctly
Account lockout settings were not being saved
Fix in the scanner which was making some vulnerability checks not to work
Some vulnerability checks making unnecessary requests
Some vulnerability details where not being encoded correctly
Custom 404 detection was not working
Fix in AcuMonitor affecting some tests
DeepScan was not interpreting correctly paths containing a dot
Version 12 (build 12.0.180509176) – 10th May 2018
New Features
New faster Engine
Scans can now be Paused and Resumed
Targets can be imported from CSV
New JAVA AcuSensor
Support for latest JavaScript (ES6 and ES7) in DeepScan and Login Sequence Recorder
Configurable Password Policies including Password History, Auto Password Expiry and Account Lockout
2 Factor Authentication in the Acunetix UI
Exclude what to scan directly from Crawl results or previous scans
Updates and Fixes
Too many to enumerate
Multiple updates to the vulnerability checks
Version 11 (build 11.0.173271618) – 24th November 2017
New Features
Added new OWASP Top Ten 2017 report
Fixes
Fixed: DeepScan was processing ignored scripts
Version 11 (build 11.0.173131028) – 9th November 2017
New Features and Vulnerability Tests
Added support for Selenium scripts as Target Import files
Introduced various vulnerability checks for CMS Made Simple including:
Improvements
Various minor UI updates
Improved handling of aborted scans for Targets with Continuous scanning enabled
Increased Custom Cookie size limit from 512 bytes to 10Kb (2Kb for Acunetix Online)
Added new email templates
Email notification now indicates if a scan has failed
Multiple minor updates to the reports
Updated the Error Message script to show full JAVA error messages
Tech Admin role can now create and alter Scan types.
Fixes
Scan Comparison was incorrectly switching the order of the scans
Scan Comparison was incorrectly comparing with Allowed host
Fixed bug in the licensed user limit
Fixed bug causing scans to fail when the LSR contains Unicode characters
Multiple fixes in XML export
Multiple fixes in F5 WAF rules export
Fixed 2 minor security issues in web interface
2 fixes affecting incorrect vulnerability count in Dashboard
Fixed the retesting of vulnerabilities for Targets requiring manual intervention
Fixed the Targets page incorrectly showing that the Target is being scanned, when an ongoing scan is deleted.
Version 11 (build 11.0.172901635) – 17th October 2017
New Features and Vulnerability Tests
Improvements
Updated the Joomla and WordPress vulnerability checks
Fixes
Fixed bug causing scans to fail because of certain characters in the LSR file
Version 11 (build 11.0.172641450) – 22nd September 2017
New Features and Vulnerability Tests
Improvements
Improved the detection of Blind SQL Injection
Better support for large JavaScript files
JAVA error detection now includes the full JAVA error returned by the server
Improved the Remote File Inclusion XSS checks
Updated the Joomla and WordPress vulnerability checks
Fixes
Fixed bug causing the downloading of a Target’s LSR file to fail
Fixed bug in HTTP Digest Authentication
Version 11 (build 11.0.172371608) – 25th August 2017
Fixes
Fixed issue causing automatic updates to fail. Updates need to be downloaded manually from https://www.acunetix.com/download/fullver11/
Version 11 (build 11.0.172351036) – 23rd August 2017
New Features and Vulnerability Tests
Detection of Apache Struts 2 Showcase RCE (CVE-2017-9791 )
Check for .hgignore (Mercurial SCM configuration file)
Check for Atlassian Confluence Stored XSS (CVE-2016-6283 )
Check for private key files with names based on ScanHost, e.g. “www.example.org.key”, “example.org.key”
Check for moment.js Denial of Service (CVE-2016-4055 )
Various updates to the WordPress and Joomla checks
Introduction of Multi-Engine functionality for Enterprise customers
Improvements
Updated the Database backup file checks
Improved Jquery version fingerprinting
Updated detection of HttpOnly and Secure cookie flags
Updated default Target list sorting
Fixes
Fixed XSS detection issue
Minor fix to the allow_url_fopen enabled check
Fixed F5 BIP-AP ASM WAF XML export
Fixed issue causing Acunetix not to be able to install on Chinese OS
Version 11 (build 11.0.171721334) – 21st June 2017
New Vulnerability Tests
Improvements
Improved detection of WordPress version
Various updates to the WordPress and Joomla checks
Updated description for Broken links alert.
Fixes
Fixed issue causing a crash in the scanning engine
Fix affecting the processing of xml files, resulting in scan performance improvement
Fix in the High Risk Scan Type, resulting in scan performance improvement
Various updates and fixes in the Acunetix web UI.
Version 11 (build 11.0.171381251) – 18th May 2017
New Vulnerability Tests
Version 11 (build 11.0.171251523) – 5th May 2017
New Vulnerability Tests
Version 11 (build 11.0.171181742) – 27th April 2017
New Vulnerability Tests
Improvements
Various improvements to the WordPress checks
Bug Fixes
Fixed issue affecting checks on REST APIs
Fixed issue with Export to Imperva SecureSphere WAF
Version 11 (build 11.0.171101535) – 20th April 2017
New Vulnerability Tests
Improvements
Improved Backup file checks
Various improvements to the WordPress checks
Added support for various JavaScript libraries in the Login Sequence Recorder and DeepScan
Bug Fixes
Virtual Host Audit check was not taking into consideration the Target Port and Scheme
Fixed DeepScan issue which caused infinite loop during auto-authentication for some web applications
Fixed issue in Login Sequence Recorder causing it not to load settings from the correct location
Version 11 (build 11.0.170941159) – 4th April 2017
Improvements
The IP address or hostname of the Acunetix machine can be specified during the installation. This information is used to generate the SSL certificates used for the UI. This is required to avoid SSL errors
Update to Login Sequence Recorder and DeepScan improving compatibility with modern web applications
Target information is shown in “Scan Done” UI notifications
Various minor updates to the UI
Scan email notifications now include links to the scan results. Report email notifications include links to the report
Multiple updates to the WordPress and Joomla vulnerability checks
Bug Fixes
Fixed false positives caused by the PHP AcuSensor
Fixed 2 privilege escalation issues reported privately to Acunetix
Fixed false positive in WAF detection
Fixed UI issue caused by certain characters in the Target Description field
Version 11 (build 11.0.170751531) – 16th March 2017
Updates
Check for Remote Code Execution (RCE) vulnerability in Apache Struts 2 (CVE-2017-5638 )
Version 11 (build 11.0.170611402) – 3rd March 2017
Updates
Multiple updates to the WordPress and Joomla vulnerability checks
Fixes
Fixed issue caused by UTF-8 characters in the login sequence filename
Fixed issue with Target address validation
Version 11 (build 11.0. 170540920) – 23rd February 2017
Updates
AcuMonitor registration setting is now remembered between license activations
Various updates to the WordPress and Joomla vulnerability checks
Acunetix now accepts .der, .p12 and .pfx file extensions for client certificates
Login Sequence Recorder (LSR) now better supports sites using ES6 features
Fixes
In certain situations, the auto-login details for a Target were not correctly stored, resulting the login credentials not being used during a scan
Fixed issue with parsing of addresses
Fixed issue causing auto-updating of the product to not be done for some licenses. Affected customers will be notified by email.
Version 11 (build 11.0.170461052) – 15th February 2017
Updates
Creation of custom scanning profiles is possible from the Acunetix web UI.
Manual Intervention events can be configured as part of a Login Sequence for Captchas and two factor authentication
Retesting of vulnerabilities discovered by Acunetix
The ability to disable AcuMonitor at license activation
Comparison report for two scans of the same Target
Reports are now available in both PDF and HTML
The site structure is now shown in a hierarchical tree view
Excluded hours can be configured per Target, in which no scans will be performed by Acunetix
Added information on weak SSL key ciphers
The Acunetix license activation allows the user to opt out of AcuMonitor registration
Various updates to the WordPress and Joomla vulnerability checks
Fixes
Notifications for vulnerabilities discovered by AcuMonitor now include a link taking the user to the vulnerability identified
Various bug fixes in the UI
Changed scan status message when scanned target is not responsive
Fix in Relative Path Overwrite vulnerability check
Various updates and fixes related to AcuMonitor
Improved URL validation
Version 11 (build 11.0.170341008) – 3rd February 2017
New Vulnerability Test
Version 11 (build 11.0.163541031) – 19th December 2016
New Features
Acunetix Enterprise users can now generate their API key to be used for the Acunetix API (contact sales@acunetix.com for more information on the API)
Selenium IDE files are now supported as Import files in Acunetix v11
The Acunetix Login Sequence Recorder can now edit login sequence files.
New Vulnerability Tests
Improvements
The Acunetix UI will show a message when the license is not activated.
The Login Sequence Recorder will make use of the proxy settings configured for the Target.
Better handling of cookies.
Bug Fixes
Fixed reports generated for targets that have not been scanned
Fixed allowance of empty Import Files to be uploaded for a Target
Some information returned by AcuSensor was not reflected in the vulnerability details
Fixed false positive in the ASP.NET debug mode check
Various minor updates and fixes
Version 11 (build 11.0.163221044) – 17th November 2016
New Features
New web-based user interface
Targets are now stored in Acunetix with their individual settings, and can be easily re-scanned.
Targets can be classified by their Business Criticality
Reports are stored in the central interface
Users can choose between “Target reports”, “Scan reports” or “All vulnerabilities reports”
Role-based multi-user system, allowing users to be assigned the security scanning of specific targets.
All vulnerabilities for all the targets are now shown in one list which can be easily filtered.
Export vulnerabilities to F5 BIG-IP ASM and Fortinet FortiWeb Web Application Firewalls directly from within Acunetix
Acunetix now supports sending vulnerabilities to these Issue trackers: Github, JIRA and Microsoft Team Foundation Service (TFS)
Documentation is now inbuilt into the new interface
New Dashboard, providing an instant overview of the security status of your assets.
Improvements