Acunetix Build History

Version 12 (build 12.0.191121158 – Windows and Linux) 25th November 2019

New Features

  • New scanning algorithm resulting in faster scans
  • Scanner will give higher priority to locations which are dissimilar to ones that have already been scanned
  • JAVA AcuSensor now supports JAVA Spring Framework

New Vulnerability Checks

Updates

  • Deepscan is now caching static assets. This will result in faster scans
  • Improved memory consumption by the scanner
  • Improved processing of forms and form handling
  • Improved detection of paths
  • Scanner will now process commented out html
  • Updated command injection payloads

Fixes

  • Fixed scanner crash
  • Fixed WAF detection false positive
  • Fixed: Check for Sensitive files was accessing restricted links
  • Fixed issue causing scanner to multi-line session validation pattern
  • Fixed: Some locations where incorrectly detected by DeepScan
  • Fixed issue causing integrated LSR to close due to Ad blocking
  • Fixed issue with HAR import files
  • Fixed issue in the detection of Weak authentication credentials
  • Fixed issue affecting the detection of DOM XSS vulnerabilities
  • Fixed issue in the detection of possible username and password disclosure
  • Fixed issue with recording restricted links in Internet Explorer
  • Fixed: Tech Admin can now configure the engine to be used for a Target
  • Fixed issue affecting scanning of domains with international characters

Version 12 (build 12.0.190927120 – Windows and Linux) 30th September 2019

New Features

  • Introduced new Scan Type: New Web Vulnerabilities to scan for new vulnerabilities introduced in the latest Acunetix update
  • Introduced ad-blocking in the scanner, resulting in faster scans
  • Implemented support for Session HTTP headers when logging in to the site
  • Introduced custom_settings.xml to configure settings from settings.xml, which are not overwritten on upgrade

New Vulnerability Checks

Updates

  • The scan will now report when an invalid Selenium script is used as an import file
  • Improved detection of the type of Burp import file being used
  • Increased limit on Custom Headers
  • Multiple improvements in DeepScan
  • The LSR Record button is disabled during Login Action playback
  • Acunetix will start reporting login forms when no login credentials are configured
  • The tester user will not be able to create or view reports

Fixes

  • Fixed: Directory Traversal vulnerabilities were sometimes incorrectly reported as found with AcuSensor
  • Fixed: Several broken references in the vulnerability alerts
  • Fixed: HTTP Response was not shown in some vulnerability alerts
  • Fixed an issue causing DeepScan to take too long to process some locations
  • Fix in PHP Hash Collision DOS vulnerability check
  • Fixed: Integrated LSR was not working on IE11
  • Fixed: Selenium script playback fails for some scripts
  • Fixed: Session Detection fails if session pattern spans multiple lines
  • Fixed: LSR keeps showing the spinner on some pages
  • Fixed: LSR Session pattern was not always saved when detected using the navigation
  • Fixed: LSR Session pattern check might fail for in body / not in body patterns
  • Fixed: On some systems, Chromium processes cannot be terminated when generating PDF reports
  • Fixed: Passwords were recoverable from the UI
  • Better handling of HTTP timeouts by vulnerability checks

Version 12 (build 12.0.190827161 – Windows and Linux) 28th August 2019

New Features

  • Implemented support for OpenSearch
  • Acunetix will try to discover hidden parameters and test them
  • Acunetix can now check base64 encoded JSON inputs for vulnerabilities

New Vulnerability Checks

  • New test for Oracle Business Intelligence Convert XXE (CVE-2019-2767)
  • New test for Oracle Business Intelligence Adfresource Path traversal (CVE-2019-2588)
  • New test for Oracle Business Intelligence AuthBypass (CVE-2019-2768)
  • New test for Oracle Business Intelligence ReportTemplateService XXE (CVE-2019-2616)
  • New test for Jira RCE (CVE-2019-11581)
  • New test for Test for Atlassian Crowd RCE (CVE-2019-11580)
  • New tests for Python Code Injection
  • New test for Apache Spark RCE [https://spark.apache.org/security.html] (CVE-2018-11770)
  • New test for ColdFusion Deserialization RCE (CVE-2019-7091)
  • Implemented support for OpenID Connect Discovery
  • Detect and report Apple application association files
  • Added new checks for WordPress plugins, Drupal core and Joomla core

Updates

  • Updated UI to accept IPv6 addresses
  • Multiple improvements to DeepScan
  • Improved the Directory Traversal check
  • Updated the scan limits, reducing repeated requests to larger sites
  • Acunetix will now extract and process gzipped files
  • Multiple updates to parsing and heuristic crawler features
  • Improved the vulnerability deduplication – similar vulnerabilities will be reported once
  • Improved reporting of the cause of scan failures (e.g. website is unresponsive, invalid import file etc)
  • Credentials provided to Auto-Login or LSR will not be used for vulnerability tests
  • Improved processing of Selenium scripts
  • Improved login form detection by Auto-Login feature
  • Improved WebLogic detection, and testing for default WebLogic credentials
  • Improved detection of Vulnerable JavaScript libraries check

Fixes

  • Fixed a number of issues causing the scanner to stop unexpectedly
  • Fixed issue causing AcuMonitor checks to be done when AcuMonitor is not enabled
  • Fixed issue with WSDL parsing
  • Fixed: Reflected tests (e.g. reflected XSS) was not done on JSON inputs
  • Fixed issue causing 100% CPU usage when processing certain pages
  • Fixed hang in the Acunetix Administrative Password utility on Windows
  • Fixed: DeepScan was not processing XHTML pages
  • Fixed issue causing Chromiumn process to remain active after PDF report generation
  • Fixed issue caused by background requests when recording a login sequence
  • Fixed issue when recording a login sequence on a site that uses cross-domain iframes
  • Fixed issue when parsing WADL
  • Fixed issue causing Host Header Attack false negatives

Version 12 (build 12.0.190703137 – Windows and Linux) 4th July 2019

New Vulnerability Checks

  • New test for Joomla! Core CSV Injection vulnerability check [CVE-2019-12765]
  • New test for Joomla! Core XSS vulnerability check (CVE-2019-12766)
  • New test for Joomla! Core Security bypass (CVE-2019-12764)
  • New test for Oracle Weblogic XXE (CVE-2019-2647)
  • Added the detection of CDNs
  • Added the detection of reverse proxies

Updates

  • Auto-Login is now using the LSR functionality – this will improve auto-login in general
  • Improved detection of DOM XSS
  • Improved handling of invalid Selenium scripts
  • Improved handling of email addresses fields in web forms
  • Improved parsing of WSDL files
  • Implemented support for Proxy-Authenticate header
  • Improved crawling of Spring-based web applications
  • Updated LSR to automatically dismiss modal dialogs during playback
  • Reduced false positives in checks looking for sensitive and backup files
  • Reduced false positives in SSN number detection
  • Reduced false positives in XSS in URIs
  • Improved the detection of WAFs
  • LSR can now record actions within <iframe> elements
  • Jira Issue Tracker integration now supports HTTP Authentication with API key

Fixes

  • Fixed a crash when parsing SOAP messages
  • Fixed issue in interpretation of some Selenium scripts
  • Fixed a number of broken links in the Vulnerability Alerts
  • Autologin was recording the password in the log file
  • Fixed crash caused when reading specific swagger files
  • Fixed crash caused when reading specific large files
  • Fixed issue causing the scanner to go into a loop
  • Fixed issue causing crawler to not interpret correctly certain locations in JavaScript
  • Fixed issue in Manual Intervention
  • Fixed issue affecting sites using euc-kr encoding
  • Fixed Chromium issue caused when window.chrome is used by the site
  • Fixed issue causing Chromium not to load on Kali Linux
  • Fixed LSR playback issue caused when input field contained predefined text
  • SRI not implemented was being reported multiple times per host

Version 12 (build 12.0.190515149 – Windows and Linux) 14th May 2019

New Features

  • Network Scanning via OpenVAS integration
  • Introduced support for IPv6 domains (IPv6 addresses not supported yet)
  • Dynamic resource allocation for when multiple scanners are started on the same machine
  • Improved resource usage for string comparison functions
  • Selenium scripts can now be used as import files

New Vulnerability Checks

Updates

  • Multiple improvements to the detection of Blind SQL Injection
  • Improved the Error Messages vulnerability check
  • Improved the Adobe Experience Manager tests
  • Improved detection of Java Deserialization and Mongo alert deduplication
  • Improved detection of Rails accept file content disclosure
  • Updated alert details for Oracle WebLogic Remote Code Execution via T3 (CVE-2018-3245)
  • Improved detection of Confluence
  • Improved PHP AcuSensor when used on nginx
  • Improved detection of PHP code injection
  • Updated Directory Traversal Check to make fewer requests
  • Multiple improvements to DeepScan and the LSR
  • Implemented support for WebSockets in LSR and Deepscan

Fixes

  • Fixed a few crashes
  • Fixed issue causing Postcrawl scripts to not be executed on folders
  • Fixed: Custom cookies could be used twice when the application sets the same cookies
  • Cookie processing now ignores leading . in domain
  • Fixed issue with LSR when used on Internet Explorer
  • Fixed issue with HTTP Authentication
  • Fixed false positive in Struts_RCE_S2-052_CVE-2017-9805
  • Fixed severity level for CSRF vulnerability check
  • Fixed False Negative in Mercurial repository found check
  • Fixed issue causing site structure not to be updated with locations identified by vulnerability scripts

Version 12 (build 12.0.190404166 – Windows and Linux) – 5th April 2019

New Vulnerability Checks

Updates

  • Minor update improving efficiency of PerFolder checks
  • LSR: Disabled spellcheck for fields loaded
  • Deepscan: Improved exclusion of clicks on logout elements
  • LSR: clicks on some SVG elements where not being recorded
  • LSR: Session Pattern Detection now uses session headers provided by webapp

Fixes

  • Fixed 2 issues causing the scanner to stop unexpectedly
  • Scan progress was not always correctly saved when scan is paused
  • Session Pattern Detection was not always using the session headers provided by the webapp

Version 12 (build 12.0.190325161 – Windows and Linux) – 26th March 2019

New Features

  • Verified vulnerabilities are now indicated by Acunetix

New Vulnerability Checks

Updates

  • Updated Directory Traversal vulnerability check
  • Improved detection of Blind SQL Injection
  • On Linux, OOM Killer will now stop less important processes
  • Improve handling of XHR requests in Deepscan
  • Multiple improvements to the LSR and Session detection
  • Scan Stats are now retained between Pause/Resume
  • Improved the detection of paths from JSON and XML
  • Improve techniques used to detect type of input in web form
  • Multiple minor UI updates

Fixes

  • Fixed multiple instances of scanner stopping unexpectedly
  • Fixed false positive reported by WordPress plugin All in One SEO Pack privielege escalation check
  • Fixed issue causing the same web application to be detected multiple times
  • Some vulnerability alerts did not show the HTTP Response
  • Fixed issue causing incorrect processing of default values in forms
  • HTTP redirects were not being detected
  • Fixed issue in File Upload XSS vulnerability check
  • Fixed issue causing PerFolder scripts not to be executed on all folders
  • Fixed issue causing HAR file importing to fail
  • Fixed issue causing LSR to fail to load Target with uppercase address
  • Fixed issue causing SharePoint Reflected Cross-Site Scripting (CVE-2017-8514) not to be reported

Version 12 (build 12.0.190227132 – Windows and Linux) – 27th February 2019

New Vulnerability Checks

Updates

  • Update Source Code Disclosure checks to prevent False Positives
  • Unused paths are filtered out from AcuSensor data

Fixes

  • Fixed false positive in Expression Language Injection vulnerability check
  • Fixed issue in LSR / Deepscan when processing scripts overriding toJSON on Object

Version 12 (build 12.0.190214162 – Windows and Linux) – 15th February 2019

Updates

  • Improved scanning of .NET web applications
  • Improved processing of CSS files
  • 40% speed improvement when parsing pages
  • Various updates to WSDL processing

Fixes

  • Some invalid URLs were being incorrectly reported as external hosts
  • Fixed issue causing communication problem between scanner and backend
  • Allowed hosts were not always being scanned
  • Integrated LSR was not always working on Internet Explorer 11
  • Fixed LSR display problem when browser window is zoomed or resized
  • Fixed issue when importing Burp State file

Version 12 (build 12.0.190206130 – Windows and Linux) – 7th February 2019

New Features

  • New Integrated Login Sequence Recorder – Login Sequences can be recorded directly from the Acunetix UI
  • Swagger (JSON and YAML) and WSDL can be used as import files

New Vulnerability checks

  • New checks for a number of WebBackdoors
  • New checks for elmah.axd information disclosure
  • New test for Stack Trace Disclosure in Django
  • New test for Stack Trace Disclosure in ASP.NET
  • New test for Stack Trace Disclosure in ColdFusion
  • New test for Stack Trace Disclosure in Python
  • New test for Stack Trace Disclosure in Ruby
  • New test for Stack Trace Disclosure in Tomcat
  • New test for Stack Trace Disclosure in Grails
  • New test for Stack Trace Disclosure in Apache MyFaces
  • New test for Stack Trace Disclosure in Java
  • New test for Stack Trace Disclosure in GWT
  • New test for Stack Trace Disclosure in Laravel
  • New test for Stack Trace Disclosure in Rails
  • New test for Stack Trace Disclosure in CakePHP
  • New test for Stack Trace Disclosure in CherryPy
  • New Directory Listing vulnerability checks
  • New Error Message vulnerability checks
  • New test for Oracle Reports RWServlet showenv
  • New test for Docker Engine API publicly accessible
  • New test for Docker Registry API publicly accessible
  • New test for Jenkins server user enumeration
  • New test for Jenkins server weak credentials
  • Added the following new tests for Adobe Experience Manager
    • Day CQ WCM Debug Filter enabled
    • LoginStatusServlet exposed (allows to bruteforce credentials)
    • Bruteforce a set of default AEM credentials if LoginStatusServlet is exposed
    • QueryBuilderFeedServlet public accessible, sensitive information might be exposed
    • Implemented tests for a bunch of SWF files that are exposed by AEM code that are vulnerable to Reflected XSS
    • Test if the AEM Groovy Console is publicly accessible. Permits RCE
    • Added a test for exposed AEM ACS Tools (a set of tools for AEM developers) – RCE is possible
    • Test if GQLServlet is publicly accessible. Sensitive information could be exposed
    • Test if Adobe Experience Manager AuditLogServlet is publicly accessible. Audit log records could be exposed
    • Test for Server Side Request Forgery (SSRF) via SalesforceSecretServlet (CVE-2018-5006)
    • Test for Server Side Request Forgery (SSRF) via ReportingServicesServlet
    • Test for Server Side Request Forgery (SSRF) via SiteCatalystServlet was detected

Updates

  • Improved the scanning of sites using SOAP
  • Improved parsing of paths
  • TXT import now takes precedence over excluded paths
  • Improved the adherence of the scan scope
  • Improved the detection of the version of WordPress plugins
  • Improved the automatic session pattern detection in the LSR
  • LocalStorage / SessionStorage is retained between LSR and Deepscan Sessions

Fixes

  • Fixed: Scan scope was not always respected
  • Technology detected during the scan was not being reported
  • Fixed several scanner unexpected termination issues
  • Fixed issue causing large PDF reports not to be generated
  • Fixed: AcuSensor file data is better filtered by scanner

Version 12 (build 12.0.190121124 – Windows and Linux) – 22nd January 2019

Updates

  • HTTP response size limit has been increased to 20Mb
  • Swagger parser now supports yml files

Fixes

  • Fixed a scanner crash
  • Fixed: Login Sequence Recorder was not using the User-Agent configured for the Target
  • Fixed issue causing false positives in ‘User controllable charset’ and ‘User controllable script source’
  • Fixed issue with BURP state file importer
  • Fixed: Users could not update an expired POC license

Version 12 (build 12.0.181218140 – Windows and Linux) – 18th December 2018

New Vulnerability checks

  • New test for Apache Solr XXE (CVE-2017-12629)
  • New test for RCE in Spring Security OAuth (CVE-2016-4977)
  • New test for Apache mod_jk access control bypass (CVE-2018-11759)
  • New test for Unauthenticated Stored XSS in WordPress Plugin WPML (CVE-2018-18069)
  • New test for ACME mini_httpd (web server) arbitrary file read (CVE-2018-18778)
  • New test for OSGi Management Console Default Credentials
  • New test for Flex BlazeDS AMF Deserialization RCE (CVE-2017-5641)
  • New test for common misconfigurations in ColdFusion
  • New test for AMF Deserialization RCE in ColdFusion (CVE-2017-3066)
  • New test for JNDI injection in ColdFusion (CVE-2018-15957)
  • New test for unauthenticated File uploading in ColdFusion (CVE-2018-15961)
  • New WordPress / WordPress plugin vulnerability checks

Updates

  • Improved the injection of payloads and other improvements in the handling of JSON data
  • Updated Chromium to fix Chromium vulnerability
  • Improved web application detection

Fixes

  • Corrected LSR launch message for Linux installations
  • Fixed Update License issue on Internet Explorer
  • Fixed several memory leaks/scanner closing unexpectedly
  • Fixed issue affecting the processing of some content types
  • Some cookies were being added multiple times during the scan
  • Some redirects were not being correctly handled
  • Some requests generated by the scanner incorrectly contained two backslashes (‘//’)
  • Fixed issue in the Backup Folders checks going out of scope
  • Several minor fixes

Version 12 (Windows build 12.0.181203110, Linux build 12.0.181204095) – 4th December 2018

New features

  • Deepscan has been updated to make use of Chromium (Windows only – already included in Linux)
  • Login Sequence Recorder has been updated to make use of Chromium (Windows only – already included in Linux)
  • Acunetix can now test APIs document using Swagger (Windows only – already included in Linux)
  • Introduced support for NTLM HTTP Authentication on Linux release (already included on Windows)
  • Introduced support for Kerberos HTTP Authentication (Windows only)

New vulnerability checks

  • A huge update increasing the detection of Stored XSS
  • New test for possible file creation using the HTTP PUT method
  • New test for Apache Tomcat Remote Code Execution Vulnerability (CVE-2017-12615)
  • New test for Ektron Content Management System (CMS) 9.20 SP2, remote re-enabling users (CVE-2018–12596)
  • New test for httpoxy vulnerability
  • New test checks if CouchDB REST API is publicly accessible
  • New test checks if CouchDB is vulnerable to Remote Privilege Escalation resulting in Remote Code Execution (CVE-2017-12635)
  • New test for Apache ActiveMQ default credentials
  • New test for Node.js Path validation vulnerability (CVE-2017-14849)
  • New test for GoAhead web server RCE via unsafe environment initialization of forked CGI scripts (CVE-2017-17562)
  • New test for publicly accessible Hadoop YARN ResourceManager WebUI
  • New test for jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability
  • New test looks for Google Firebase Databases URLs in the response and checks if the Firebase Databases are accessible without authentication
  • New test for Oracle WebLogic Remote Code Execution vulnerability via T3 (CVE-2018-3245)
  • New test for Oracle WebLogic Authentication Bypass vulnerability (CVE-2018-2894)
  • New test checks if Jupyter Notebook is publicly accessible
  • New test for Apache Log4j socket receiver deserialization vulnerability
  • New test for NGINX range filter integer overflow (CVE-2017-7529)
  • New test for Xdebug remote code execution via xdebug.remote_connect_back
  • Numerous new checks for WordPress Core, WordPress plugins, Joomla Core and Drupal Core.

Updates

  • Numerous memory management improvements
  • Multiple updates to LSR and session detection improving scanning of restricted areas
  • Improved speed of SQL Injection vulnerability checks
  • The new LSR / Deepscan will improve support of JavaScript rich sites
  • Added mock geo-location support to support scanning sites that require geo-location
  • Improved analysis of XML and JSON

Fixes

  • Fixed scanner crash when scan was resumed from paused state
  • Fixed some issues in the handling of cookies
  • Custom cookies were not always used
  • Content-Type header was not always being sent. This affected the detection of some vulnerabilities
  • Fixed a false positive in SSL weak key length vulnerability check
  • Fixed issue in the Social Security Number and Credit Card number check
  • Fixed issue with AcuSensor download on Linux release
  • Fixed issue causing scans to be aborted when server returns an invalid charset
  • Fixed a number of other issues causing the scanner to close unexpectedly
  • Sensitive and Backup files were not being checked for in the site root
  • Fixed issue with jquery version extractor
  • Fixed 2 internally reported security issues
  • Fixed issue with re-installation of Linux installations

Version 12 (Linux release build 12.0.181115088) – 15th November 2018

New Features

  • Acunetix release for Linux
  • Acunetix can now test APIs document using Swagger
  • Deepscan has been updated to make use of Chromium
  • Login Sequence Recorder has been updated to make use of Chromium

Version 12 (build 12.0.181012141) – 12th October 2018

New Vulnerability Checks

Updates

  • License keys can now be updated via the Acunetix web UI
  • Additional memory improvements
  • Improved exclusion of parameters
  • Multiple updates to existing vulnerability checks
  • Improved CORS origin validation failure checks
  • Improved Pickle Serialization check

Fixes

  • Manual Intervention was not working after a paused scan is resumed
  • Scans for some sites using Digest HTTP Authentication were stopping unexpectedly
  • Additional fixes for issues causing scans exiting unexpectedly
  • Fixed issue causing many product update requests when proxy authentication is incorrectly configured
  • Fixed: Some backup files / folders were not being identified
  • Some vulnerabilities were incorrectly reported in the site root
  • Fixed issue in similar page detection causing scans to take longer than expected
  • Fixed issue causing valid sessions not to be identified correctly during the scan

Version 12 (build 12.0.180911134) – 11th September 2018

New Vulnerability Checks

Updates

  • Multiple updates to the SSL checks
  • Various memory optimisations
  • Less requests required to verify AcuMontior checks

Fixes

  • Fixed bug in testing of cookie values
  • Fixed memory issues, causing some scans to exit unexpectedly
  • Fixed bug causing some scans to crash when paused and resumed
  • Fixed issue causing some scans to be aborted immediately because of error status on initial response
  • Fixed issue causing some locations to get omitted from site structure
  • Multiple fixes to import file feature
  • Fixed issue which caused DeepScan not to use all cookies
  • Custom headers were added twice on redirect
  • Fixed issue affecting some sites using SSO

Version 12 (build 12.0.180821106) – 22nd August 2018

New Vulnerability checks

Updates

  • Reduced the number of requests required for Web Application Detection
  • Improved the JSON and the Generic document parser
  • Improved handling of non-responsive sites

Fixes

  • Fixed a few infrequent crashes
  • Fixed Malware link checking vulnerability test
  • Fixed issue causing scan to be aborted on redirect to different FQDN for login
  • Fixed issue causing Scan Comparison reports to fail
  • Fixed issue causing the scanner not to crawl certain HTTPs sites correctly when using proxy

Version 12 (build 12.0.180801120) – 1st August 2018

Fixes

  • Fixed the detection of some DOMXSS variants
  • Fixed scanner crash

Version 12 (build 12.0.180725167) – 26th July 2018

New Features

  • HTTP response is now shown for vulnerabilities detected (only affects new scans)
  • Manual Intervention has been implemented in v12

New Vulnerability checks

  • Added detection of Java Object Deserialization vulnerabilities
  • Added detection for Cisco ASA Path Traversal (CVE-2018-0296)
  • Added tests for misconfigured nginx aliases that can lead to a path traversal
  • Added detection of Spring Security Authentication Bypass Vulnerability (CVE-2016-5007)
  • Added detection of weak/insecure permissions for Atlassian Jira REST interface
  • Added detection of Apache Tomcat Information Disclosure (CVE-2017-12616)
  • Added detection of Spring Data REST Remote Code Execution (CVE-2017-8046)
  • Added detection of Insecure Odoo Web Database Manager
  • Added detection of JBoss Remote Code Execution (CVE-2015-7501 and CVE-2017-7504)
  • Added detection of WebSphere Remote Code Execution (CVE-2015-7450)
  • Updated WordPress Plugin vulnerability detection

Updates

  • Password is no longer required when configuring client certificate for a Target
  • Additional memory optimizations
  • Scanner will now report when the LSR cannot login
  • Application Error Message vulnerability check updated to provide more details on the error
  • Reports, XML exports and WAF exports now use a more meaningful filename
  • Reports now show the status of a scan
  • Scan debug logs now include imported files
  • Increase maximum number of issues trackers that can be configured

Fixes

  • multiple crashes while scanning
  • Scanner will now re-authenticate when website invalidates authentication during scan (applies to HTTP authentication only)
  • Scanner sometimes fails to decode LSR output, leading to an unauthenticated scan
  • Fixed many issues causing vulnerabilities not to be detected or to be detected incorrectly
  • Two fixes affecting the setting of Cookies
  • Fixed issue in RSS parsing
  • Fields with certain characters in the name (such as $) were not being tested
  • Some out of scope paths were still being crawled
  • Fix in the Autologin
  • Upon upgrade, user is asked to “Logout from Other Session”
  • Target and Vulnerabilities reports were failing
  • Recurrent scans for Standard licenses were being disabled
  • some reports were generated without file extension

Version 12 (build 12.0.180709159) – 9th July 2018

New Features and Vulnerability tests

Updates

  • Scanner will automatically continue scanning when http redirects to https
  • Improvement in memory usage
  • Acunetix will now hand over DNS resolution to Proxy Server when configured
  • Improved messaging during installation

Fixes

  • Scanner crash in DeepScan
  • Scanner hang when certain LSR files are used
  • Incomplete scans in certain situations, such as when using import files

Version 12 (build 12.0.180628131) – 28th June 2018

New Features and Vulnerability tests

Fixes

  • Fixed issue with NTLM HTTP Authentication
  • Fixed issue causing some pages not to load correctly in the LSR
  • Fixed 2 false positives for “User controllable charset” and “User controllable script source”
  • Fixed issue in handling HAR import files

Version 12 (build 12.0.180619111) – 19th June 2018

New Features and Vulnerability tests

Fixes

  • Crash dump was sometimes not being created

Version 12 (build 12.0.180615105) – 15th June 2018

Updates

  • More improvements to Web Application Detection
  • Reports not show if a scan has failed

Fixes

  • Scanner was not parsing all AcuSensor data, causing some vulnerabilities not to be reported when AcuSensor is used
  • Some reqeusts to HTTPs sites were being downgraded to HTTP

Version 12 (build 12.0.180611183) – 11th June 2018

New Features and Vulnerability tests

  • Introduced system to automatically avoid testing similar pages
  • New check for Oracle Weblogic WLS-WSAT Component Deserialization RCE affecting versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0 (CVE-2017-10271)
  • New check for PHPUnit RCE affecting versions 4.8.28 and 5.x before 5.6.3 (CVE-2017-9841)
  • New check for Edge Side Include Injection vulnerabilities
  • New check for Dotenv (.env and variants) files
  • New check for Joe Text Editor DEADJOE file
  • New check for Symfony configuration file
  • New check for Laravel (PHP framework) log files
  • New check for publicly accessible backup directory in Drupal Backup Migrate

Updates

  • Updated timeout and retries for HTTP requests done by some vulnerability checks
  • Updated Web Application Detection checks to make less HTTP requests resulting in faster scans
  • Various minor updates to the UI
  • Improved parsing of robots.txt
  • Improved detection of default index files
  • Acunetix now shows the number of licensed Targets in the License section of the UI

Fixes

  • Some addresses were not parsed correctly, resulting in incorrect paths
  • Some addresses were not detected, resulting in missing paths
  • Some paths where being detected incorrectly
  • Scanner crash when allowed hosts are used
  • Scanner crash when parsing some pages
  • Scanner hang when crawling caused by DeepScan
  • No links parsed from pages without Content-Type header
  • Some vulnerability checks duplicated the query values
  • Sitemap was always being detected
  • Fixed validation issues in Security Settings > Account Lockout > Lockout timeout
  • License checks was failing for some installations

Version 12 (build 12.0.180521161) – 22nd May 2018

Updates

  • DeepScan has been updated to ignore images resulting in faster scans

Fixes

  • Excluded paths not taken into consideration
  • Parts of the scan were not using the Custom 404
  • Some paths where not identified correctly

Version 12 (build 12.0.180517125) – 17th May 2018

New Features and Vulnerability tests

Updates

  • Updated detection of Drupal installations
  • Changed to a more moderate definition of a Target for licensing purposes
  • Number of Targets and Users configured are now shown in the UI > Licensing section
  • UI now shows if the latest build is being used, and allows the user to check for updates manually

Fixes

  • Multiple updates and fixes to the HTML parser
  • Multiple updates and fixes to the Acunetix UI
  • Auto-login was making unnecessary requests
  • Some vulnerabilities were showing ‘null’ URL
  • Data from AcuSensor was not being interpreted correctly
  • Account lockout settings were not being saved
  • Fix in the scanner which was making some vulnerability checks not to work
  • Some vulnerability checks making unnecessary requests
  • Some vulnerability details where not being encoded correctly
  • Custom 404 detection was not working
  • Fix in AcuMonitor affecting some tests
  • DeepScan was not interpreting correctly paths containing a dot

Version 12 (build 12.0.180509176) – 10th May 2018

New Features

  • New faster Engine
  • Scans can now be Paused and Resumed
  • Targets can be imported from CSV
  • New JAVA AcuSensor
  • Support for latest JavaScript (ES6 and ES7) in DeepScan and Login Sequence Recorder
  • Configurable Password Policies including Password History, Auto Password Expiry and Account Lockout
  • 2 Factor Authentication in the Acunetix UI
  • Exclude what to scan directly from Crawl results or previous scans

Updates and Fixes

  • Too many to enumerate
  • Multiple updates to the vulnerability checks