Version 13 build 13.0.210308088 for Windows, Linux and macOS – 8th March 2021
New Vulnerability Checks
Version 13 build 13.0.210226118 for Windows, Linux and macOS – 26th February 2021
Fixes
- Fix Backend issue related to AcuSensor
Version 13 build 13.0.210129162 for Windows, Linux and macOS – 2nd February 2021
New Features
- New AcuSensor for Node.js
- New Target Knowledgebase records scan data which is used to improve future scans
- New FQDN and Target filter in Grouped Vulnerabilities page
- New FQDN column in Targets page
New Vulnerability Checks
Updates
- Simplified User Profile page
- Improved handling of HTML comments
- Improved processing of sites using dynamic links
- Improved parsing of JavaScript for new paths
- Form input type is taken into consideration when processing forms
- Scanner now supports NTLM Authentication for proxy authentication
- Multiple DeepScan updates
- Comprehensive report updated to use time zone configured for Acunetix user
- Added setting in settings.xml to choose which SSL cipher to be used by the scanner
- Integrated LSR logs are now stored for troubleshooting purposes
- Notify user when client certificate is required but not configured for Target
- Improvements in macOS installation
- PHP AcuSensor will start including Stack Trace
- Multiple LSR / BLR updates
Fixes
- Filter items sorted alphabetically
- Fixed minor UI glitch in multi-engine registration page
- Multiple fixes in SlowLoris detection
- Fixed scanner crashes
- Fixed CSV injection in Target Export
- Fixed UI issues in Target Groups page
- Fixed formatting for issues pushed to Jira
- Fixed issue when installing on CentOS 8
Version 13 build 13.0.201217092 for Windows, Linux and macOS – 17th December 2020
New Features
- Big improvement in handling of CSRF tokens
- Added support for ShadowRoot
- Added support for macOS Big Sur
New Vulnerability Checks
Updates
- Updated the UI for the multi-engine system
- Multiple updates to the PHP AcuSensor
- Multiple updates to the Login Sequence Recorder
- Scanning engine updated to support using proxy server with NTLM Authentication
Fixes
- Fixed issue causing the browser to fail to launch on Kali
- Fixed issue causing AcuSensor not found message to not be displayed
- Fixed false positive in Zend Framework LFI via XXE
- Fixed false positive in Directory Traversal
- Fixed false positive in Cookie(s) with missing, inconsistent, or contradictory properties
- Fixed false positive in Apache Struts2 Remote Command Execution (S2-052)
- Fixed issue in highlighting of vulnerability in response
- Fixed issue with SlowLoris
- Fixed issue in WADL importer
- Fixed crash in scanner
- Fixed minor issues in Comprehensive Report
- Fixed issue causing Acunetix to lose license information
Version 13 build 13.0.201126145 for Windows / Linux and 13.0.201126157 for macOS – 27th November 2020
New Features
- New user role: Platform Admin, provides full access to Acunetix
Updates
- Network Settings can now be confirmed using the new Check Settings button
- Management of Targets by Tech Admin role can now be selectively turned off
Fixes
- Fixed issue causing inability to access last continuous failed scan
- Fixed UI issues causing inability to add targets to target group when target list is filtered
- Acunetix is now correctly reporting progress for Network Scans
- UI updated to hide specific options for the different Acunetix user roles
Version 13 (build 13.0.201112128 for Windows / Linux / macOS) 12th November 2020
Updates
- Updated Telerik vulnerability checks
- The Tech Admin user role can now create new Targets
- Renamed acu_phpaspect.php to acusensor.php
- Updated Comprehensive report to indicate Verified vulnerabilities
- Logon Banner now supports multi-line banners
Fixes
- Fixed issue in SlowLoris vulnerability check
- Fixed LSR hang caused when closing the LSR immediately after opening it
- Fixed scan hanging issue
- Fixed a couple of issues in the CSV export
- Fixed issue causing incorrect threat level in Comprehensive report
- Fixed false positives in Outdated JS libraries and Insecure Referrer Policy checks
- Fixed UI issue with long target name causing buttons to be hidden
- Fixed issue causing double input schemes
- Fixed crash in scanner
- Fixed issue causing vulnerability count in Dashboard to not always be updated
Version 13 (build 13.0.201028153 for Windows / Linux and build 13.0.201028161 for macOS) 29th October 2020
New Features
- Logon Banner can be configured for Acunetix logon page (satisfies DOD Notice and Consent Banner requirement)
- Added ability to export vulnerabilities to CSV (available as WAF Export option)
- Added ability to export scan locations to CSV (available as WAF Export option)
New Vulnerability Checks
Updates
- Improved handling of Swagger
- The scanner will try to detect differences in the site using different user-agents
- Various minor UI updates
- Added Scan Profile used in Scan results
- Business Logic Recorder cannot be used on Targets which require Manual Intervention
- Updated Jira issue tracker
- Improved error shown when checking for updates fails
- Updated import file feature to support files using BOM
- Comprehensive report tags vulnerabilities detected by AcuSensor and AcuMonitor
Fixes
- Fixed issue causing multi-line session detection not to be used during scan
- Updated Jira issue tracker to use proxy server if configured
- Fixed issue causing gzip encoded body of HTTP responses to become invalidated
- Fixed: Printing the Coverage report would not print the sitemap in the report
- Fixed issue causing some login forms not to be detected during the scan
- Fixed timing issue when scheduling a scan for a future date
- Fixed scanner crashes caused by specific import files
- Fixed issue causing DeepScan not to be used on Kali Linux
- Fixed false positive in Zend Framework LFI via XXE
- Fixed issue causing some scans to fail because of the client certificate
- Fixed issue causing LSR playback to fail for some scans
- Fixed issue in New Scan dialog for Tech Admin users
Version 13 (build 13.0.200930102 for Windows, Linux and macOS) 30th September 2020
New Features
- Export Scans to JSON (available as WAF Export option)
- Added context-sensitive help for all pages in the UI. Clicking on the ? icon will open documentation for the specific page
New Vulnerability Checks
Updates
- Numerous updates to the UI
- Malware scan profile updated to check for Trojans
- Scanner updated to receive newly discovered hosts from vulnerability checks
- Updated Swagger 2 implementation to better cater for nested schemes/objects
- Updated deduplication to better cater for network scans / vulnerabilities
- Adaptive cipher suite testing reduces the average SSL/TLS scan duration by 90%
Fixes
- Fixed issue where no data was shown for archived scans
- Fixed some minor issues with default filters
- Fixed issue showing wrong Target count in license page
- Fixed UI issue affecting Custom Scan Profiles
- Fixed Possible Sensitive Files / Folders to use the Case Sensitive Paths setting for the Target
- Fixed issue in Reverse Proxy Detection check
Version 13 (build 13.0.200911154 for Windows and Linux and build 13.0.200911171 for macOS) 14th September 2020
New Features
- New Data Retention settings, providing the ability to:
  - Keep the last 3 scans for each target and archive previous scans
  - Delete archived scans which are older than 2 years
  - The above data retention settings are configurable
  - The above settings affect vulnerabilities detected, which are archived / deleted accordingly
- A default scan profile can be configured for each target
- Forgot Password option for Acunetix On-Premise, allowing users to reset their password – Email settings need to be configured
- Detect paths in JavaScript code via static method analysis
- Ability to retrieve links from several HTTP headers
- Scanner will try to auto-discover API definitions
New Vulnerability Checks
Updates
- Vulnerabilities are now shown as grouped by Vulnerability Type and FQDNs
- Numerous improvements affecting vulnerability deduplication
- Deleted Targets will not be shown in the UI by default
- Malicious links detected will be highlighted in the vulnerability report
- Ability to scan all Targets in a Target Group
- Improved Swagger support implementation
- Updated backup files/folders and possible sensitive files checks to report alerts on parent of file detected
- Time zone can now be configured by each user account
- User accounts can now change UI to Chinese
- .NET Sensor updated to support .NET Core
- Updated Session Fixation vulnerability check to avoid possible False Positives
- Updated to Chromium v83
Fixes
- Fixed issue with offline activation
- Fixed a few crashes occurring on specific sites
- Fixed issue affecting AcuMonitor when scanning certain sites
- Various small UI fixes
- Fixed Target Deletion issue for Consult licenses
- Fixed: PDF report generation was failing in specific situations
- Fixed issue causing HTTP requests passing through a proxy to fail
- Fixed issue affecting relative HTTP redirects
- Fixed issue causing Manual Intervention not to work on Linux
- Fixed issue causing DeepScan to miss some DOMXSS vulnerabilities
- Fixed text overlapping issue in reports
- Fixed issue causing Telerik Web UI RadAsyncUpload Deserialization (CVE-2019-18935) to not always be detected
- Fixed: ‘HTTP Strict Transport Security (HSTS) not implemented’ and ‘HTTP Strict Transport Security (HSTS) Best Practices’ were using the same name
- Fixed: Sensitive files / directories checks were missing Attack details
- Fixed issue caused when sorting scans by target description
- Fixed a few issues in the Login Sequence Recorder and Business Logic Recorder
Version 13 (Windows / Linux: 13.0.200807155, macOS: 13.0.200807156) 7th August 2020
New Features
New Vulnerability Checks
Updates
- Created and Last Updated dates are available for vulnerabilities
- Order of section in Comparison report updated to be more intuitive
- Target Address is shown in full in the UI
- /users/ endpoint is now available in the API
Fixes
- Fixed issue when exporting vulnerabilities to WAF which contained CVSS3.1
- Fixed issue causing custom user-agent to not be used in all requests during a scan
- Fixed issues causing some vulnerabilities not to be well formatted when sent to JIRA issue tracker
- Fixed issue when adding JIRA Issue Tracker in Acunetix Online
- Fixed issue caused when adding Targets to an existing Target Group
- Minor fix in Comprehensive report text
- Fixed UI issue showing blank list (Scans, Targets etc) when using the browser’s back button
- Fixed issue caused by scanning Targets with complex GraphQL schemas
Version 13 (build 13.0.200715111 for Windows, Linux and build 13.0.200715153 for macOS) 15th July 2020
New Features
- Acunetix On-Premise is now available for macOS
New Vulnerability Checks
Updates
- Improved UI messages when scans cannot start due to Manual Intervention
- Updated interpretation and generation of XML requests / responses
- New Scanning profile for High and Medium Vulnerabilities
- Target Description is now available on the Scans page
- Incremental Scans initiated by Jenkins plugin are correctly labelled as incremental
- A number of improvements in JavaScript Libraries Audit
Fixes
- Fixed issue caused when configuring Gitlab issue tracker with Impersonation Token
- Fixed issue causing filter not to be available for Standard licenses
- Fixed Malware Scan profile to include checks for malware links
- Fixed resource allocation issue, causing scans to end unexpectedly
- Comprehensive Report was incorrectly showing High Severity Threat level
- Fixed issue affecting the CVSS score calculation of some vulnerabilities
Version 13 (build 13.0.200624118 – Windows and Linux) 24th June 2020
New Features
- Introduced support for GraphQL
- Introduced support for OAuth2.0
- GraphQL files can be used as Import Files
- New Comprehensive Report, which includes the HTTP Response in the HTML version of the report
- HTTP Response uses syntax highlighting for improved readability
- Scans can now be restricted to paths/locations in import files
- User can choose which columns to show in all the Acunetix lists
- UI saves columns selected for each page / user (applies to Targets, Vulnerabilities, Scans and Reports)
- UI saves number of items to show on each page / user (applies to Targets, Vulnerabilities, Scans and Reports)
- UI saves sorting order for each page / user (applies to Targets, Vulnerabilities, Scans and Reports)
New Vulnerability Checks
Updates
- Targets with Manual Intervention cannot have a Business Logic Recording
- Changed vulnerability name filter to use search as you type
- Scans will start reporting pages that require HTTP Authentication
- Acunetix UI notifications have been changed as follows:
  - Moved to bottom right of Acunetix UI
  - Stay longer on the page
  - Can be closed by the user
- Increased name length limit of import files to 128 characters
- User can optionally specify the address to be used for Auto-login. This is useful for SSO login pages
- The scanner will try to connect to the address of the target before aborting the scan after 25 consecutive network errors
- Targets can be deleted and replaced on the license anniversary
Fixes
- Fixed: The vulnerability name filter did not always show all vulnerabilities
- Fixed incorrect error handling message when disabling the proxy settings
- Hide Business Logic Recorder for Network Only targets
- Fixed: Acunetix Online was showing an ID as the name of some network vulnerabilities
- Fixed: Acunetix Online was not always showing the HTTP Response for some vulnerabilities
- Fixed: Acunetix Online was not showing the number of licensed Targets
- Fixed issue causing paths of ignored files to be ignored too
- Fixed LSR issue on Safari browser
- Fixed issue caused when the LSR and BLR are used on certain sites
- Various minor fixes to the UI
- Fixed false positives in over 25 vulnerability checks
Version 13 (build 13.0.200519155 – Windows and Linux) 20th May 2020
Updates
- Vulnerabilities filter shows correct sorting
- User can now test notification settings
- List of Licensed Targets can now be accessed from user profile page
Fixes
- Fixed issue when using the Login Sequence Recorder remotely
- ConsultLite licenses were being shown as Standard
- Some vulnerabilities were not displayed correctly in Azure DevOps Services
Version 13 (build 13.0.200508159 – Windows and Linux) 11th May 2020
New Features
- Business Logic Recorder – used to record logic used in multi-step forms
- Export to Citrix WAF
- Support for Azure DevOps Services issue tracker
- CVSS3.1 score for most Acunetix vulnerabilities
- Targets can now be exported to CSV
- New Graph in Dashboard showing Average vulnerabilities per Target
New Vulnerability Checks
Updates
- Manual Intervention (used for CAPTCHAs, OTP etc) is now using the integrated (web-based) LSR
- As a result of the previous update, Manual Intervention is now available on Linux
- Improved error reporting for network scans aborted due to network errors
- Vulnerability alerts updated to show important information at the top
- Updated Github issue tracker to support Personal Access Token (PAT) authentication
- Improved reporting of Paused scans in the UI
- Improved UI message shown when a user triggers a scan which is not allowed due to Manual Intervention
- API documentation can now be downloaded from within the Acunetix UI
- Added support for popup windows in the Login Sequence Recorder
- Improved handling of large import files
- Improved handling of large requests / responses generated from import files
- Decreased false positives reported for Possible username or password disclosure
- Truncated large vulnerability alerts when sending to Jira issue tracker
Fixes
- Fixed incorrect from email address used for monthly update emails
- Fixed AcuMonitor UI notification to link to corresponding vulnerability
- Fixed issue causing vulnerability checks to not be able to send empty values
- Fixed a number of crashes
- Fixed issue causing ASP.NET sites to be processed as ASP sites
- Fixed 2 issues caused when using Swagger import files
- Improved handling of txt import files using incorrect import format
- Fixed Session Fixation false positive
- Fixed UI issue when configuring Custom Cookies
- Trend charts were not being updated for user accounts
- Fixed issue in excluded hours
- Fixed “Client Certificate Not Set” message incorrectly being reported
Version 13 (build 13.0.200409107 – Windows and Linux) 9th April 2020
New Vulnerability Checks
- New check to warn user if server sends known password to client
- New check for RCE in Liferay Portal (CVE-2020-7961)
Updates
- Improved detection of SQL Injection
Fixes
- Fixed bbcode display issue in some alerts
- Fix in Login page password-guessing attack
- Fixed licensing issue caused by different case in Target address
Version 13 (build 13.0.200401171 – Windows and Linux) 2nd April 2020
New Vulnerability Checks
- New WordPress plugin checks
Updates
- Improved XXE check
- Improved internal IP disclosure check
- Vulnerabilities detected with 100% Confidence get a Verified stamp
Fixes
- Fixed issue with response highlighting for SQL Injection alerts
- Fixed AcuMonitor alert notifications not linking to scan
- Fixed page not found UI issue when trying to generate a report from Reports page
- Fixed issue with scanner looping when parsing specific long JSON responses
Version 13 (build 13.0.200326097 – Windows and Linux) 26th March 2020
New Features
- Introduced support for processing of Swagger 2.0 files during scans
- Introduced support for Swagger 2.0 files as import files
- New Quarterly scheduled scan option
- Users can change their password from the Acunetix UI
New Vulnerability Checks
Updates
- Minor UI updates
- Better reporting of scans interrupted due to network errors
- Client Certificate address can now be configured for a Target
- HTTP Authentication address can now be configured for a Target
- Abort Scan after 25 network errors
- Implemented Proof of Exploit for Blind SQL Injection vulnerabilities
- Improved showing Scan Duration for long scans
- Acunetix can be installed in custom paths
- Scan email notifications will include a PDF report if requested at start of scan
- Email notifications can be configured for:
  - Product updates
  - Target notifications
  - Scan notifications
  - Report notifications
  - Monthly status updates
Fixes
- Fixed: On Reports page, Target address shows as N/A for Targets that do not have a Description
- Fixed issue uploading import files larger than 1 MB
- Fixed issue whereby some addresses were missing a character in the report
- Fixed false positive in Possible server path disclosure
- Fixed issue causing the scanner to not follow multiple redirects
- Fixed 2 scanner crashes
- Multiple fixes in WADL parser
- Fixed: Case Sensitive Paths setting was sometimes not being taken into consideration
- Fixed issue in Possible Sensitive Directories identifying incorrect locations
- Fixed issue where users with expired passwords were not given the option to change their password
Version 13 (build 13.0.200205121 – Windows and Linux) 5th February 2020
New Features
- New Acunetix web UI
- Improved Network Scanner integration
- Malware Detection using Windows Defender on Windows and ClamAV on Linux
- Smart Scan
  - New scanning algorithm prioritises scanning tasks and reduces scanning time
- Proof of exploit is reported in the vulnerability alerts
- Incremental Scans
- Vulnerability Confidence Rating for web vulnerabilities
- New GitLab Issue Tracker Integration
- New Bugzilla Issue Tracker Integration
- New Mantis Issue Tracker Integration
- Ability to create Login Sequence from Selenium script
- New WADL import file
- New ASP.NET Webforms import file
- New Postman import file
- New Paros import file
- Ability to create custom checks
- Highlighting of vulnerability in HTTP response
- DeepScan provides better support for Angular 2, Vue and React JavaScript Frameworks
- Unlimited network scanning for Acunetix Premium customers
- Account Session Timeout settings
- Account Maximum Consecutive Login Failure settings
New Vulnerability Checks
Updates
- Improved memory consumption for the scanner
- PDF reports now have page numbers
- Generic User-agent will be used for communication with issue trackers
- All lists in Acunetix UI can be sorted
- Easier filtering options in the Acunetix UI
- Settings can now be accessed from the side-bar
- Links discovered by AcuSensor are given more prominence
- Improved processing of XML and JSON POST input schemes
- Scanner will try to replay the LSR playback actions a number of times before failing
- Improved Auto-Login
- Multiple updates in the Login Sequence Recorder
- Developer report updated to include Source file, line number and other details provided by AcuSensor
- Acunetix now supports scanning domains with international characters
- Increased page size limit to 20 MB in scanner and LSR
- Improved detection of Possible Sensitive Files
- Improved detection of email addresses
- Improved detection of Command Injection
- Improved detection of database backup files
- Improved detection of XXE
Fixes
- Fixed issue in Developer report showing incorrect parameter name for detected vulnerabilities
- Fixed: “Tester” user role will not be able to create reports
- Fixed: Upgrades on Linux were not removing all files from previous installation
- Fixed issue with Manual Intervention
- Fixed: Session cookies were not always collected by LSR
- Fixed: Incorrect processing of URLs with “{” character
- Fixed a number of crashes in scanner
- Fixed issue causing scanner proxy to unintentionally transform parts of the HTTP request
- Fixed false positive in the detection of Apache Tomcat Remote Code Execution
- Fixed issues causing some links not to be properly imported by the importer
- Fixed issue with license activation when proxy and authentication is used
- Fixed issue causing session to get lost when DeepScan is used