Version 13 (build 13.0.200624118 – Windows and Linux) 24th June 2020
New Features
- Introduced support for GraphQL
- Introduced support for OAuth2.0
- GraphQL files can be used as Import Files
- New Comprehensive Report, which includes the HTTP Response in the HTML version of the report
- HTTP Response uses syntax highlighting for improved readability
- Scans can now be restricted to paths/locations in import files
- User can choose which columns to show in all the Acunetix lists
- UI saves columns selected for each page / user (applies to Targets, Vulnerabilities, Scans and Reports)
- UI saves number of items to show on each page / user (applies to Targets, Vulnerabilities, Scans and Reports)
- UI saves sorting order for each page / user (applies to Targets, Vulnerabilities, Scans and Reports)
New Vulnerability Checks
Updates
- Targets with Manual Intervention cannot have a Business Logic Recording
- Changed vulnerability name filter to use search as you type
- Scans will start reporting pages that require HTTP Authentication
- Acunetix UI notifications have been changed as follows:
- Moved to bottom right of Acunetix UI
- Stay longer on the page
- Can be closed by the user
- Increased name length limit of import files to 128 characters
- User can optionally specify the address to be used for Auto-login. This is useful for SSO login pages
- The scanner will try to connect to the address of the target before aborting the scan after 25 consecutive network errors
- Targets can be deleted and replaced on the license anniversary
Fixes
- Fixed: The vulnerability name filter did not always show all vulnerabilities
- Fixed incorrect error handling message when disabling the proxy settings
- Hide Business Logic Recorder for Network Only targets
- Fixed: Acunetix Online was showing an ID as the name of some network vulnerabilities
- Fixed: Acunetix Online was not always showing the HTTP Response for some vulnerabilities
- Fixed: Acunetix Online was not showing the number of licensed Targets
- Fixed issue causing paths of ignored files to be ignored too
- Fixed LSR issue on Safari browser
- Fixed issue caused when the LSR and BLR are used on certain sites
- Various minor fixes to the UI
- Fixed false positives in over 25 vulnerability checks
Version 13 (build 13.0.200519155 – Windows and Linux) 20th May 2020
Updates
- Vulnerabilities filter shows correct sorting
- User can now test notification settings
- List of Licensed Targets can now be accessed from user profile page
Fixes
- Fixed issue when using the Login Sequence Recorder remotely
- ConsultLite licenses were being shown as Standard
- Some vulnerabilities were not displayed correctly in Azure Devops Services
Version 13 (build 13.0.200508159 – Windows and Linux) 11th May 2020
New Features
- Business Logic Recorder – used to record logic used in multi-step forms
- Export to Citrix WAF
- Support for Azure DevOps Services issue tracker
- CVSS3.1 score for most Acunetix vulnerabilities
- Targets can now be exported to CSV
- New Graph in Dashboard showing Average vulnerabilities per Target
New Vulnerability Checks
Updates
- Manual Intervention (used for CAPTCHAs, OTP etc) is now using the integrated (web-based) LSR
- As a result of the previous update, Manual Intervention is now available on Linux
- Improved error reporting for network scans aborted due to network errors
- Vulnerability alerts updated to show important information at the top
- Updated Github issue tracker to support Personal Access Token (PAT) authentication
- Improved reporting of Paused scans in the UI
- Improved UI message user triggers a scan which is not allowed due to Manual Intervention
- API documentation can now be downloaded from within the Acunetix UI
- Added support for popup windows in the Login Sequence Recorder
- Improved handling of large import files
- Improved handling large requests / responses generated from import files
- Decreased false positives reported for Possible username or password disclosure
- Truncated large vulnerability alerts when sending to Jira issue tracker
Fixes
- Fixed incorrect from email address used for monthly update emails
- Fixed AcuMonitor UI notification to link to corresponding vulnerability
- Fixed issue causing vulnerability checks to not be able to send empty values
- Fixed a number of crashes
- Fixed issue causing ASP.NET sites to be processed as ASP sites
- Fixed 2 issues caused when using Swagger import files
- Improved handling of txt import files using incorrect import format
- Fixed Session Fixation false positive
- Fixed UI issue when configuring Custom Cookies
- Trend charts where not being updated for user accounts
- Fixed issue in excluded hours
- Fixed “Client Certificate Not Set” message incorrectly being reported
Version 13 (build 13.0.200409107 – Windows and Linux) 9th April 2020
New Vulnerability Checks
- New check to warn user if server sends known password to client
- New check for RCE in Liferay Portal (CVE-2020-7961)
Updates
- Improved detection of SQL Injection
Fixes
- Fixed bbcode display issue in some alerts
- Fix in Login page password-guessing attack
- Fixed licensing issue caused by different case in Target address
Version 13 (build 13.0.200401171 – Windows and Linux) 2nd April 2020
New Vulnerability Checks
- New WordPress plugin checks
Updates
- Improved XXE check
- Improved internal IP disclosure check
- Vulnerabilities detected with 100% Confidence get a Verified stamp
Fixes
- Fixed issue with response highlighting for SQL Injection alerts
- Fixed AcuMonitor alert notifications not linking to scan
- Fixed page not found UI issue when trying to generate a report from Reports page
- Fixed issue with scanner looping when parsing specific long JSON responses
Version 13 (build 13.0.200326097 – Windows and Linux) 26th March 2020
New Features
- Introduced support for processing of Swagger 2.0 files during scans
- Introduced support for Swagger 2.0 files as import files
- New Quarterly scheduled scan option
- Users can change their password from the Acunetix UI
New Vulnerability Checks
Updates
- Minor UI updates
- Better reporting of scans interrupted due to network errors
- Client Certificate address can now be configured for a Target
- HTTP Authentication address can now be configured for a Target
- Abort Scan after 25 network errors
- Implemented Proof of Exploit for Blind SQL Injection vulnerabilities
- Improved showing Scan Duration for long scans
- Acunetix can be installed in custom paths
- Scan email notifications will include a PDF report if requested at start of scan
- Email notifications can be configured for:
- Product updates
- Target notifications
- Scan notifications
- Report notifications
- Monthly status updates
Fixes
- Fixed: On Reports page, Target address shows as N/A for Targets that do not have a Description
- Fixed issue uploading import files larger than 1mb
- Fixed issue whereby some addresses had missing a character in the report
- Fixed false positive in Possible server path disclosure
- Fixed issue causing the scanner to not following multiple redirects
- Fixed 2 scanner crashes
- Multiple fixes in WADL parser
- Fixed: Case Sensitive Paths settings was sometimes not being taken into consideration
- Fixed issue in Possible Sensitive Directories identifying incorrect locations
- Fixed issue for users with expired passwords not given the option to change their password
Version 13 (build 13.0.200205121 – Windows and Linux) 5th February 2020
New Features
- New Acunetix web UI
- Improved Network Scanner integration
- Malware Detection using Windows Defender on Windows and ClamAv on Linux
- Smart Scan
- New scanning algorithm prioritises scanning tasks and reduces scanning time
- Proof of exploit is reported in the vulnerability alerts
- Incremental Scans
- Vulnerability Confidence Rating for web vulnerabilities
- New GitLab Issue Tracker Integration
- New Bugzilla Issue Tracker Integration
- New Mantis Issue Tracker Integration
- Ability to create Login Sequence from Selenium script
- New WADL import file
- New ASP.NET Webforms import file
- New Postman import file
- New Paros import file
- Ability to create custom checks
- Highlighting of vulnerability in HTTP response
- DeepScan provides better support for Angular 2, Vue and React JavaScript Frameworks
- Unlimited network scanning for Acunetix Premium customers
- Account Session Timeout settings
- Account Maximum Consecutive Login Failure settings
New Vulnerability Checks
Updates
- Improved memory consumption for the scanner
- PDF reports now have page numbers
- Generic User-agent will be used for communication with issue trackers
- All lists in Acunetix UI can be sorted
- Easier filtering options in the Acunetix UI
- Settings can now be accessed from the side-bar
- Links discovered by AcuSensor are given more prominence
- Improved processing of XML and JSON POST input schemes
- Scanner will try to replay the LSR playback actions a number of times before failing
- Improved Auto-Login
- Multiple updates in the Login Sequence Recorder
- Developer report updated to include Source file, line number and other details provided by AcuSensor
- Acunetix now supports scanning domains with international characters
- Increase page size limit to 20Mb in scanner and LSR
- Improved detection of Possible Sensitive Files
- Improved detection of email addresses
- Improved detection of Command Injection
- Improved detection of database backup files
- Improved detection of XXE
Fixes
- Fixed issue in Developer report showing incorrect parameter name for detected vulnerabilities
- Fixed: “Tester” user role will not be able to create reports
- upgrades on Linux were not removing all files from previous installation
- Fixed issue with Manual Intervention
- Fixed: Session cookies where not always collected by LSR
- Fixed: Incorrect processing of URLs with “{” character
- Fixed a number of crashes in scanner
- Fixed issue causing scanner proxy to unintentionally transform parts of the HTTP request
- Fixed false positive in the detection of Apache Tomcat Remote Code Execution
- Fixed issues causing some links not to be properly imported by the importer
- Fixed issue with license activation when proxy and authentication is used
- Fixed issue causing session to get lost when Deepscan is used