Acunetix Build History

Version 12 (build 12.0.190927120 – Windows and Linux) 30th September 2019

New Features

  • Introduced a new Scan Type, New Web Vulnerabilities, which runs only the vulnerability checks added in the latest Acunetix update
  • Introduced ad-blocking in the scanner, resulting in faster scans
  • Implemented support for Session HTTP headers when logging in to the site
  • Introduced custom_settings.xml for overriding values from settings.xml; unlike settings.xml, it is not overwritten on upgrade

New Vulnerability Checks

Updates

  • The scan will now report when an invalid Selenium script is used as an import file
  • Improved detection of the type of Burp import file being used
  • Increased limit on Custom Headers
  • Multiple improvements in DeepScan
  • The LSR Record button is disabled during Login Action playback
  • Acunetix now reports login forms found during the scan when no login credentials are configured for the Target
  • The tester user will not be able to create or view reports

Fixes

  • Fixed: Directory Traversal vulnerabilities were sometimes incorrectly reported as found with AcuSensor
  • Fixed: Several broken references in the vulnerability alerts
  • Fixed: HTTP Response was not shown in some vulnerability alerts
  • Fixed an issue causing DeepScan to take too long to process some locations
  • Fixed: PHP Hash Collision DoS vulnerability check
  • Fixed: Integrated LSR was not working on IE11
  • Fixed: Selenium script playback fails for some scripts
  • Fixed: Session Detection fails if session pattern spans multiple lines
  • Fixed: LSR keeps showing the spinner on some pages
  • Fixed: LSR Session pattern was not always saved when detected using the navigation
  • Fixed: LSR Session pattern check might fail for in body / not in body patterns
  • Fixed: On some systems, Chromium processes cannot be terminated when generating PDF reports
  • Fixed: Passwords were recoverable from the UI
  • Better handling of HTTP timeouts by vulnerability checks

Version 12 (build 12.0.190827161 – Windows and Linux) 28th August 2019

New Features

  • Implemented support for OpenSearch
  • Acunetix now tries to discover hidden parameters and tests them
  • Acunetix can now check base64 encoded JSON inputs for vulnerabilities
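The last item above describes testing inputs that arrive as base64-encoded JSON. The following is an added example, not Acunetix code, of how such inputs can be found and fuzzed: each query parameter is tested for being base64 (standard or URL-safe alphabet) of a JSON object or array, every string leaf inside gets the payload injected one at a time, and the parameter is re-encoded so the application still decodes it. The function names and the sample query string are constructed for illustration.

```python
# Added example (not Acunetix code): fuzzing base64-encoded JSON request inputs.
# Every name and the sample query string below are constructed for illustration.
import base64
import binascii
import copy
import json
from urllib.parse import parse_qsl, urlencode


def decode_b64_json(value):
    """Return the parsed object if value is base64 (standard or URL-safe
    alphabet) of a JSON object/array, otherwise None."""
    raw = value.strip()
    if len(raw) < 4:
        return None
    padded = raw + "=" * (-len(raw) % 4)
    for altchars in (None, b"-_"):
        try:
            data = base64.b64decode(padded, altchars=altchars, validate=True)
            obj = json.loads(data.decode("utf-8"))
        except (binascii.Error, ValueError):
            continue
        if isinstance(obj, (dict, list)):
            return obj
    return None


def encode_b64_json(obj, urlsafe=False):
    """Re-encode the (mutated) object exactly as the application expects it."""
    data = json.dumps(obj, separators=(",", ":")).encode("utf-8")
    enc = base64.urlsafe_b64encode(data) if urlsafe else base64.b64encode(data)
    return enc.decode("ascii")


def string_leaf_paths(obj, prefix=()):
    """Yield the path (tuple of keys/indices) of every string leaf in obj."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            yield from string_leaf_paths(val, prefix + (key,))
    elif isinstance(obj, list):
        for idx, val in enumerate(obj):
            yield from string_leaf_paths(val, prefix + (idx,))
    elif isinstance(obj, str):
        yield prefix


def with_leaf_replaced(obj, path, payload):
    """Deep copy obj and replace the single leaf at path with payload."""
    clone = copy.deepcopy(obj)
    node = clone
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = payload
    return clone


def fuzz_query(query, payload):
    """For each query parameter holding base64-encoded JSON, produce one mutated
    query string per string leaf, with the payload injected into that leaf only.
    Returns a list of (parameter name, leaf path, mutated query string)."""
    params = parse_qsl(query, keep_blank_values=True)
    mutations = []
    for idx, (name, value) in enumerate(params):
        obj = decode_b64_json(value)
        if obj is None:
            continue  # plain parameter: left to the ordinary input tests
        urlsafe = "-" in value or "_" in value
        for path in string_leaf_paths(obj):
            mutated = list(params)
            mutated[idx] = (name, encode_b64_json(with_leaf_replaced(obj, path, payload), urlsafe))
            mutations.append((name, path, urlencode(mutated)))
    return mutations


def query_param(query, name):
    """Return the decoded value of the first parameter called name."""
    return dict(parse_qsl(query, keep_blank_values=True)).get(name)


# Constructed sample request: a "state" parameter carrying base64(JSON).
SAMPLE_STATE = {"user": "alice", "prefs": {"theme": "dark", "tags": ["a", "b"]}, "id": 7}
SAMPLE_QUERY = urlencode([("page", "1"), ("state", encode_b64_json(SAMPLE_STATE))])

if __name__ == "__main__":
    for name, path, mutated_query in fuzz_query(SAMPLE_QUERY, "<svg/onload=alert(1)>"):
        print(name, "/".join(map(str, path)), mutated_query)
```

Only one leaf is mutated per request so that a reflection or error can be attributed to a specific field; the non-string leaf (`"id": 7`) is skipped because a payload there would break the application's type check before any sink is reached.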

New Vulnerability Checks

  • New test for Oracle Business Intelligence Convert XXE (CVE-2019-2767)
  • New test for Oracle Business Intelligence Adfresource Path traversal (CVE-2019-2588)
  • New test for Oracle Business Intelligence AuthBypass (CVE-2019-2768)
  • New test for Oracle Business Intelligence ReportTemplateService XXE (CVE-2019-2616)
  • New test for Jira RCE (CVE-2019-11581)
  • New test for Atlassian Crowd RCE (CVE-2019-11580)
  • New tests for Python Code Injection
  • New test for Apache Spark RCE [https://spark.apache.org/security.html] (CVE-2018-11770)
  • New test for ColdFusion Deserialization RCE (CVE-2019-7091)
  • Implemented support for OpenID Connect Discovery
  • Detect and report Apple application association files
  • Added new checks for WordPress plugins, Drupal core and Joomla core

Updates

  • Updated UI to accept IPv6 addresses
  • Multiple improvements to DeepScan
  • Improved the Directory Traversal check
  • Updated the scan limits, reducing repeated requests to larger sites
  • Acunetix will now extract and process gzipped files
  • Multiple updates to parsing and heuristic crawler features
  • Improved the vulnerability deduplication – similar vulnerabilities will be reported once
  • Improved reporting of the cause of scan failures (e.g. unresponsive website, invalid import file)
  • Credentials provided to Auto-Login or LSR will not be used for vulnerability tests
  • Improved processing of Selenium scripts
  • Improved login form detection by Auto-Login feature
  • Improved WebLogic detection, and testing for default WebLogic credentials
  • Improved the Vulnerable JavaScript Libraries check

Fixes

  • Fixed a number of issues causing the scanner to stop unexpectedly
  • Fixed issue causing AcuMonitor checks to be done when AcuMonitor is not enabled
  • Fixed issue with WSDL parsing
  • Fixed: reflected tests (e.g. reflected XSS) were not run on JSON inputs
  • Fixed issue causing 100% CPU usage when processing certain pages
  • Fixed hang in the Acunetix Administrative Password utility on Windows
  • Fixed: DeepScan was not processing XHTML pages
  • Fixed issue causing the Chromium process to remain active after PDF report generation
  • Fixed issue caused by background requests when recording a login sequence
  • Fixed issue when recording a login sequence on a site that uses cross-domain iframes
  • Fixed issue when parsing WADL
  • Fixed issue causing Host Header Attack false negatives

Version 12 (build 12.0.190703137 – Windows and Linux) 4th July 2019

New Vulnerability Checks

  • New test for Joomla! Core CSV Injection (CVE-2019-12765)
  • New test for Joomla! Core XSS (CVE-2019-12766)
  • New test for Joomla! Core Security Bypass (CVE-2019-12764)
  • New test for Oracle Weblogic XXE (CVE-2019-2647)
  • Added the detection of CDNs
  • Added the detection of reverse proxies

Updates

  • Auto-Login is now using the LSR functionality – this will improve auto-login in general
  • Improved detection of DOM XSS
  • Improved handling of invalid Selenium scripts
  • Improved handling of email address fields in web forms
  • Improved parsing of WSDL files
  • Implemented support for the Proxy-Authenticate header
  • Improved crawling of Spring-based web applications
  • Updated LSR to automatically dismiss modal dialogs during playback
  • Reduced false positives in checks looking for sensitive and backup files
  • Reduced false positives in Social Security Number (SSN) detection
  • Reduced false positives in XSS in URIs
  • Improved the detection of WAFs
  • LSR can now record actions within <iframe> elements
  • Jira Issue Tracker integration now supports HTTP Authentication with API key

Fixes

  • Fixed a crash when parsing SOAP messages
  • Fixed issue in interpretation of some Selenium scripts
  • Fixed a number of broken links in the Vulnerability Alerts
  • Fixed: Auto-Login was writing the password to the log file
  • Fixed crash caused when reading specific swagger files
  • Fixed crash caused when reading specific large files
  • Fixed issue causing the scanner to go into a loop
  • Fixed issue causing crawler to not interpret correctly certain locations in JavaScript
  • Fixed issue in Manual Intervention
  • Fixed issue affecting sites using euc-kr encoding
  • Fixed Chromium issue caused when window.chrome is used by the site
  • Fixed issue causing Chromium not to load on Kali Linux
  • Fixed LSR playback issue caused when input field contained predefined text
  • Fixed: 'SRI not implemented' was being reported multiple times per host

Version 12 (build 12.0.190515149 – Windows and Linux) 14th May 2019

New Features

  • Network Scanning via OpenVAS integration
  • Introduced support for IPv6 domains (IPv6 addresses not supported yet)
  • Dynamic resource allocation for when multiple scanners are started on the same machine
  • Improved resource usage for string comparison functions
  • Selenium scripts can now be used as import files

New Vulnerability Checks

Updates

  • Multiple improvements to the detection of Blind SQL Injection
  • Improved the Error Messages vulnerability check
  • Improved the Adobe Experience Manager tests
  • Improved detection of Java Deserialization and deduplication of MongoDB alerts
  • Improved detection of the Rails file content disclosure via the Accept header
  • Updated alert details for Oracle WebLogic Remote Code Execution via T3 (CVE-2018-3245)
  • Improved detection of Confluence
  • Improved PHP AcuSensor when used on nginx
  • Improved detection of PHP code injection
  • Updated Directory Traversal Check to make fewer requests
  • Multiple improvements to DeepScan and the LSR
  • Implemented support for WebSockets in LSR and DeepScan

Fixes

  • Fixed a few crashes
  • Fixed issue causing Postcrawl scripts to not be executed on folders
  • Fixed: custom cookies could be sent twice when the application sets a cookie with the same name
  • Cookie processing now ignores a leading '.' in the cookie Domain attribute
  • Fixed issue with LSR when used on Internet Explorer
  • Fixed issue with HTTP Authentication
  • Fixed false positive in the Apache Struts S2-052 RCE (CVE-2017-9805) check
  • Fixed severity level for CSRF vulnerability check
  • Fixed false negative in the Mercurial repository found check
  • Fixed issue causing site structure not to be updated with locations identified by vulnerability scripts
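Two of the fixes above concern cookie handling: a custom cookie being sent twice once the application sets a cookie of the same name, and a leading '.' in the Domain attribute. The following is an added example, not Acunetix code, of a minimal cookie jar that gets both right: cookies are keyed by (name, domain, path) so a later Set-Cookie replaces rather than duplicates, and domain matching follows RFC 6265 (section 5.2.3 ignores the leading dot; section 5.1.3 is the domain-match rule). All hostnames, cookie names and values are constructed.

```python
# Added example (not Acunetix code): a minimal cookie jar showing the two
# cookie fixes listed above. All hostnames and cookie values are constructed.
import ipaddress
from http.cookies import SimpleCookie


def normalize_domain(domain):
    """RFC 6265 s5.2.3: a leading '.' in the Domain attribute is ignored;
    matching is case-insensitive and a trailing dot is dropped."""
    dom = domain.strip().lower().rstrip(".")
    return dom[1:] if dom.startswith(".") else dom


def is_ip_address(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(request_host, cookie_domain):
    """RFC 6265 s5.1.3 domain-match: equal, or host ends with '.' + domain and
    the host is not an IP address (so 10.0.0.1 never matches Domain=0.0.1)."""
    host = request_host.strip().lower().rstrip(".")
    dom = normalize_domain(cookie_domain)
    if not dom:
        return False
    if host == dom:
        return True
    return not is_ip_address(host) and host.endswith("." + dom)


def path_matches(request_path, cookie_path):
    """RFC 6265 s5.1.4 path-match ('/admin' matches '/admin/users', not '/administrator')."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


class CookieJar:
    """Keyed by (name, domain, path): a later Set-Cookie for the same key
    replaces the stored value, so a cookie is never sent twice."""

    def __init__(self):
        self._store = {}  # (name, domain, path) -> (value, host_only)

    def set_custom(self, name, value, domain, path="/"):
        """Scanner-configured custom cookie, valid for the domain and its subdomains."""
        self._store[(name, normalize_domain(domain), path)] = (value, False)

    def apply_set_cookie(self, header_value, request_host):
        """Process a Set-Cookie header received in a response from request_host."""
        parsed = SimpleCookie()
        parsed.load(header_value)
        for name, morsel in parsed.items():
            host_only = not morsel["domain"]          # no Domain attribute: host-only cookie
            domain = request_host if host_only else morsel["domain"]
            path = morsel["path"] or "/"
            self._store[(name, normalize_domain(domain), path)] = (morsel.value, host_only)

    def cookies_for(self, request_host, request_path="/"):
        """Return [(name, value)] to send with a request, in insertion order."""
        host = request_host.strip().lower().rstrip(".")
        sent = []
        for (name, domain, path), (value, host_only) in self._store.items():
            in_domain = host == domain if host_only else domain_matches(host, domain)
            if in_domain and path_matches(request_path, path):
                sent.append((name, value))
        return sent


def build_sample_jar():
    """Constructed scenario: a custom cookie is configured for example.org, then the
    application sets the same cookie (with a leading-dot Domain) and a host-only one."""
    jar = CookieJar()
    jar.set_custom("custom", "preset-1", "example.org")
    jar.apply_set_cookie("custom=from-app; Domain=.example.org; Path=/", "app.example.org")
    jar.apply_set_cookie("sid=abc123; Path=/", "app.example.org")
    return jar


if __name__ == "__main__":
    jar = build_sample_jar()
    print(jar.cookies_for("www.example.org", "/admin"))  # custom sent once, with the app's value
    print(jar.cookies_for("app.example.org", "/"))       # custom plus the host-only sid
```

The IP-address guard and the `"." + dom` suffix check matter for a scanner as much as for a browser: without them a cookie with Domain=example.org would be sent to www.example.org.evil.com, leaking the session the LSR established.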

Version 12 (build 12.0.190404166 – Windows and Linux) – 5th April 2019

New Vulnerability Checks

Updates

  • Minor update improving efficiency of PerFolder checks
  • LSR: Disabled spellcheck for fields loaded
  • Deepscan: Improved exclusion of clicks on logout elements
  • LSR: clicks on some SVG elements were not being recorded
  • LSR: Session Pattern Detection now uses session headers provided by webapp

Fixes

  • Fixed 2 issues causing the scanner to stop unexpectedly
  • Scan progress was not always correctly saved when scan is paused
  • Session Pattern Detection was not always using the session headers provided by the webapp

Version 12 (build 12.0.190325161 – Windows and Linux) – 26th March 2019

New Features

  • Verified vulnerabilities are now indicated by Acunetix

New Vulnerability Checks

Updates

  • Updated Directory Traversal vulnerability check
  • Improved detection of Blind SQL Injection
  • On Linux, the OOM killer now stops less important Acunetix processes first
  • Improved handling of XHR requests in DeepScan
  • Multiple improvements to the LSR and Session detection
  • Scan Stats are now retained between Pause/Resume
  • Improved the detection of paths from JSON and XML
  • Improved the techniques used to detect the type of input in web forms
  • Multiple minor UI updates

Fixes

  • Fixed multiple instances of scanner stopping unexpectedly
  • Fixed false positive reported by the WordPress plugin All in One SEO Pack privilege escalation check
  • Fixed issue causing the same web application to be detected multiple times
  • Some vulnerability alerts did not show the HTTP Response
  • Fixed issue causing incorrect processing of default values in forms
  • Fixed: HTTP redirects were not being detected
  • Fixed issue in File Upload XSS vulnerability check
  • Fixed issue causing PerFolder scripts not to be executed on all folders
  • Fixed issue causing HAR file importing to fail
  • Fixed issue causing LSR to fail to load Target with uppercase address
  • Fixed issue causing SharePoint Reflected Cross-Site Scripting (CVE-2017-8514) not to be reported

Version 12 (build 12.0.190227132 – Windows and Linux) – 27th February 2019

New Vulnerability Checks

Updates

  • Updated Source Code Disclosure checks to prevent false positives
  • Unused paths are filtered out from AcuSensor data

Fixes

  • Fixed false positive in Expression Language Injection vulnerability check
  • Fixed issue in LSR / DeepScan when processing scripts that override toJSON on Object

Version 12 (build 12.0.190214162 – Windows and Linux) – 15th February 2019

Updates

  • Improved scanning of .NET web applications
  • Improved processing of CSS files
  • 40% speed improvement when parsing pages
  • Various updates to WSDL processing

Fixes

  • Some invalid URLs were being incorrectly reported as external hosts
  • Fixed issue causing communication problem between scanner and backend
  • Allowed hosts were not always being scanned
  • Integrated LSR was not always working on Internet Explorer 11
  • Fixed LSR display problem when browser window is zoomed or resized
  • Fixed issue when importing Burp State file

Version 12 (build 12.0.190206130 – Windows and Linux) – 7th February 2019

New Features

  • New Integrated Login Sequence Recorder – Login Sequences can be recorded directly from the Acunetix UI
  • Swagger (JSON and YAML) and WSDL can be used as import files

New Vulnerability checks

  • New checks for a number of web backdoors (web shells)
  • New checks for elmah.axd information disclosure
  • New test for Stack Trace Disclosure in Django
  • New test for Stack Trace Disclosure in ASP.NET
  • New test for Stack Trace Disclosure in ColdFusion
  • New test for Stack Trace Disclosure in Python
  • New test for Stack Trace Disclosure in Ruby
  • New test for Stack Trace Disclosure in Tomcat
  • New test for Stack Trace Disclosure in Grails
  • New test for Stack Trace Disclosure in Apache MyFaces
  • New test for Stack Trace Disclosure in Java
  • New test for Stack Trace Disclosure in GWT
  • New test for Stack Trace Disclosure in Laravel
  • New test for Stack Trace Disclosure in Rails
  • New test for Stack Trace Disclosure in CakePHP
  • New test for Stack Trace Disclosure in CherryPy
  • New Directory Listing vulnerability checks
  • New Error Message vulnerability checks
  • New test for Oracle Reports RWServlet showenv
  • New test for Docker Engine API publicly accessible
  • New test for Docker Registry API publicly accessible
  • New test for Jenkins server user enumeration
  • New test for Jenkins server weak credentials
  • Added the following new tests for Adobe Experience Manager
    • Day CQ WCM Debug Filter enabled
    • LoginStatusServlet exposed (allows credentials to be brute-forced)
    • Brute-force a set of default AEM credentials if LoginStatusServlet is exposed
    • QueryBuilderFeedServlet publicly accessible; sensitive information might be exposed
    • Tests for several SWF files shipped with AEM that are vulnerable to Reflected XSS
    • Test if the AEM Groovy Console is publicly accessible (permits RCE)
    • Test for exposed AEM ACS Tools (a set of tools for AEM developers); RCE is possible
    • Test if GQLServlet is publicly accessible; sensitive information could be exposed
    • Test if the Adobe Experience Manager AuditLogServlet is publicly accessible; audit log records could be exposed
    • Test for Server Side Request Forgery (SSRF) via SalesforceSecretServlet (CVE-2018-5006)
    • Test for Server Side Request Forgery (SSRF) via ReportingServicesServlet
    • Test for Server Side Request Forgery (SSRF) via SiteCatalystServlet

Updates

  • Improved the scanning of sites using SOAP
  • Improved parsing of paths
  • TXT import now takes precedence over excluded paths
  • Improved the adherence of the scan scope
  • Improved the detection of the version of WordPress plugins
  • Improved the automatic session pattern detection in the LSR
  • LocalStorage / SessionStorage is retained between LSR and Deepscan Sessions

Fixes

  • Fixed: Scan scope was not always respected
  • Technology detected during the scan was not being reported
  • Fixed several scanner unexpected termination issues
  • Fixed issue causing large PDF reports not to be generated
  • AcuSensor file data is now better filtered by the scanner

Version 12 (build 12.0.190121124 – Windows and Linux) – 22nd January 2019

Updates

  • HTTP response size limit has been increased to 20 MB
  • Swagger parser now supports yml files

Fixes

  • Fixed a scanner crash
  • Fixed: Login Sequence Recorder was not using the User-Agent configured for the Target
  • Fixed issue causing false positives in ‘User controllable charset’ and ‘User controllable script source’
  • Fixed issue with the Burp State file importer
  • Fixed: Users could not update an expired POC license

Version 12 (build 12.0.181218140 – Windows and Linux) – 18th December 2018

New Vulnerability checks

  • New test for Apache Solr XXE (CVE-2017-12629)
  • New test for RCE in Spring Security OAuth (CVE-2016-4977)
  • New test for Apache mod_jk access control bypass (CVE-2018-11759)
  • New test for Unauthenticated Stored XSS in WordPress Plugin WPML (CVE-2018-18069)
  • New test for ACME mini_httpd (web server) arbitrary file read (CVE-2018-18778)
  • New test for OSGi Management Console Default Credentials
  • New test for Flex BlazeDS AMF Deserialization RCE (CVE-2017-5641)
  • New test for common misconfigurations in ColdFusion
  • New test for AMF Deserialization RCE in ColdFusion (CVE-2017-3066)
  • New test for JNDI injection in ColdFusion (CVE-2018-15957)
  • New test for unauthenticated File uploading in ColdFusion (CVE-2018-15961)
  • New WordPress / WordPress plugin vulnerability checks

Updates

  • Improved the injection of payloads and other improvements in the handling of JSON data
  • Updated Chromium to fix Chromium vulnerability
  • Improved web application detection

Fixes

  • Corrected LSR launch message for Linux installations
  • Fixed Update License issue on Internet Explorer
  • Fixed several memory leaks/scanner closing unexpectedly
  • Fixed issue affecting the processing of some content types
  • Some cookies were being added multiple times during the scan
  • Some redirects were not being correctly handled
  • Some requests generated by the scanner incorrectly contained two consecutive slashes ('//')
  • Fixed: Backup Folders checks were going out of scope
  • Several minor fixes

Version 12 (Windows build 12.0.181203110, Linux build 12.0.181204095) – 4th December 2018

New features

  • Deepscan has been updated to make use of Chromium (Windows only – already included in Linux)
  • Login Sequence Recorder has been updated to make use of Chromium (Windows only – already included in Linux)
  • Acunetix can now test APIs documented using Swagger (Windows only – already included in Linux)
  • Introduced support for NTLM HTTP Authentication on Linux release (already included on Windows)
  • Introduced support for Kerberos HTTP Authentication (Windows only)

New vulnerability checks

  • Major update increasing the detection of Stored XSS
  • New test for possible file creation using the HTTP PUT method
  • New test for Apache Tomcat Remote Code Execution Vulnerability (CVE-2017-12615)
  • New test for Ektron Content Management System (CMS) 9.20 SP2, remote re-enabling of users (CVE-2018-12596)
  • New test for httpoxy vulnerability
  • New test checks if CouchDB REST API is publicly accessible
  • New test checks if CouchDB is vulnerable to Remote Privilege Escalation resulting in Remote Code Execution (CVE-2017-12635)
  • New test for Apache ActiveMQ default credentials
  • New test for Node.js Path validation vulnerability (CVE-2017-14849)
  • New test for GoAhead web server RCE via unsafe environment initialization of forked CGI scripts (CVE-2017-17562)
  • New test for publicly accessible Hadoop YARN ResourceManager WebUI
  • New test for jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability
  • New test looks for Google Firebase Databases URLs in the response and checks if the Firebase Databases are accessible without authentication
  • New test for Oracle WebLogic Remote Code Execution vulnerability via T3 (CVE-2018-3245)
  • New test for Oracle WebLogic Authentication Bypass vulnerability (CVE-2018-2894)
  • New test checks if Jupyter Notebook is publicly accessible
  • New test for Apache Log4j socket receiver deserialization vulnerability
  • New test for NGINX range filter integer overflow (CVE-2017-7529)
  • New test for Xdebug remote code execution via xdebug.remote_connect_back
  • Numerous new checks for WordPress Core, WordPress plugins, Joomla Core and Drupal Core.
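The "file creation using the HTTP PUT method" test above is a good example of an active check that must prove its finding rather than trust a status code. The following is an added example, not Acunetix code, of such a check: it PUTs a uniquely named file holding a random marker, fetches the same URL to confirm the file was created and is served back, and then attempts a DELETE to clean up. The in-memory servers are constructed stand-ins for a writable (misconfigured) and a read-only (hardened) target so the check runs offline; all function and class names are assumptions of this example.

```python
# Added example (not Acunetix code): active check for file creation via HTTP PUT,
# together with a constructed in-memory server standing in for a misconfigured
# (writable) and a hardened (read-only) target so the check can run offline.
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit


def _request(base_url, method, path, body=None):
    """One request on a fresh connection; returns (status, body bytes)."""
    parts = urlsplit(base_url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=10)
    try:
        headers = {"Content-Type": "text/plain"} if body is not None else {}
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def check_put_upload(base_url, directory="/"):
    """PUT a uniquely named file holding a random marker, GET it back to prove it
    was created and is served, then DELETE it (best-effort clean-up).
    'served_back' is the finding; 'put_accepted' alone is only a hint."""
    marker = secrets.token_hex(16).encode("ascii")
    path = directory.rstrip("/") + "/put-check-" + secrets.token_hex(4) + ".txt"
    result = {"path": path, "put_status": None, "put_accepted": False,
              "served_back": False, "deleted": False}
    status, _ = _request(base_url, "PUT", path, body=marker)
    result["put_status"] = status
    result["put_accepted"] = status in (200, 201, 204)
    if not result["put_accepted"]:
        return result
    status, body = _request(base_url, "GET", path)
    result["served_back"] = status == 200 and marker in body
    status, _ = _request(base_url, "DELETE", path)
    result["deleted"] = status in (200, 202, 204)
    return result


class WritableHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server that lets anyone create files via PUT."""
    files = {}  # path -> stored body (shared, in memory)

    def log_message(self, *args):
        pass  # keep the demo quiet

    def _reply(self, status, body=b""):
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", "0"))
        self.files[self.path] = self.rfile.read(length)
        self._reply(201)

    def do_GET(self):
        body = self.files.get(self.path)
        if body is None:
            self._reply(404)
        else:
            self._reply(200, body)

    def do_DELETE(self):
        self._reply(204 if self.files.pop(self.path, None) is not None else 404)


class ReadOnlyHandler(WritableHandler):
    """Hardened stand-in: PUT and DELETE are refused with 405."""

    def do_PUT(self):
        self._reply(405)

    do_DELETE = do_PUT


def run_check_against(handler_cls, directory="/uploads"):
    """Start a local server on an ephemeral port, run the check, shut down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return check_put_upload(f"http://127.0.0.1:{server.server_address[1]}", directory)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("writable :", run_check_against(WritableHandler))
    print("read-only:", run_check_against(ReadOnlyHandler))
```

The random filename and marker keep the check from colliding with real content or with a previous run, and the follow-up GET is what separates a server that silently accepts PUT (some proxies return 200 for anything) from one that actually writes the file to its document root.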

Updates

  • Numerous memory management improvements
  • Multiple updates to LSR and session detection improving scanning of restricted areas
  • Improved speed of SQL Injection vulnerability checks
  • The new LSR / Deepscan will improve support of JavaScript rich sites
  • Added mock geo-location support to support scanning sites that require geo-location
  • Improved analysis of XML and JSON

Fixes

  • Fixed scanner crash when scan was resumed from paused state
  • Fixed some issues in the handling of cookies
  • Custom cookies were not always used
  • Content-Type header was not always being sent. This affected the detection of some vulnerabilities
  • Fixed a false positive in SSL weak key length vulnerability check
  • Fixed issue in the Social Security Number and Credit Card number check
  • Fixed issue with AcuSensor download on Linux release
  • Fixed issue causing scans to be aborted when server returns an invalid charset
  • Fixed a number of other issues causing the scanner to close unexpectedly
  • Sensitive and Backup files were not being checked for in the site root
  • Fixed issue with the jQuery version extractor
  • Fixed 2 internally reported security issues
  • Fixed issue with re-installation of Linux installations

Version 12 (Linux release build 12.0.181115088) – 15th November 2018

New Features

  • Acunetix release for Linux
  • Acunetix can now test APIs documented using Swagger
  • Deepscan has been updated to make use of Chromium
  • Login Sequence Recorder has been updated to make use of Chromium

Version 12 (build 12.0.181012141) – 12th October 2018

New Vulnerability Checks

Updates

  • License keys can now be updated via the Acunetix web UI
  • Additional memory improvements
  • Improved exclusion of parameters
  • Multiple updates to existing vulnerability checks
  • Improved CORS origin validation failure checks
  • Improved Pickle Serialization check

Fixes

  • Manual Intervention was not working after a paused scan is resumed
  • Scans for some sites using Digest HTTP Authentication were stopping unexpectedly
  • Additional fixes for issues causing scans exiting unexpectedly
  • Fixed issue causing many product update requests when proxy authentication is incorrectly configured
  • Fixed: Some backup files / folders were not being identified
  • Some vulnerabilities were incorrectly reported in the site root
  • Fixed issue in similar page detection causing scans to take longer than expected
  • Fixed issue causing valid sessions not to be identified correctly during the scan

Version 12 (build 12.0.180911134) – 11th September 2018

New Vulnerability Checks

Updates

  • Multiple updates to the SSL checks
  • Various memory optimisations
  • Fewer requests required to verify AcuMonitor checks

Fixes

  • Fixed bug in testing of cookie values
  • Fixed memory issues, causing some scans to exit unexpectedly
  • Fixed bug causing some scans to crash when paused and resumed
  • Fixed issue causing some scans to be aborted immediately because of error status on initial response
  • Fixed issue causing some locations to get omitted from site structure
  • Multiple fixes to import file feature
  • Fixed issue which caused DeepScan not to use all cookies
  • Custom headers were added twice on redirect
  • Fixed issue affecting some sites using SSO

Version 12 (build 12.0.180821106) – 22nd August 2018

New Vulnerability checks

Updates

  • Reduced the number of requests required for Web Application Detection
  • Improved the JSON and the Generic document parser
  • Improved handling of non-responsive sites

Fixes

  • Fixed a few infrequent crashes
  • Fixed Malware link checking vulnerability test
  • Fixed issue causing scan to be aborted on redirect to different FQDN for login
  • Fixed issue causing Scan Comparison reports to fail
  • Fixed issue causing the scanner not to crawl certain HTTPS sites correctly when using a proxy

Version 12 (build 12.0.180801120) – 1st August 2018

Fixes

  • Fixed the detection of some DOM XSS variants
  • Fixed scanner crash

Version 12 (build 12.0.180725167) – 26th July 2018

New Features

  • HTTP response is now shown for vulnerabilities detected (only affects new scans)
  • Manual Intervention has been implemented in v12

New Vulnerability checks

  • Added detection of Java Object Deserialization vulnerabilities
  • Added detection for Cisco ASA Path Traversal (CVE-2018-0296)
  • Added tests for misconfigured nginx aliases that can lead to a path traversal
  • Added detection of Spring Security Authentication Bypass Vulnerability (CVE-2016-5007)
  • Added detection of weak/insecure permissions for Atlassian Jira REST interface
  • Added detection of Apache Tomcat Information Disclosure (CVE-2017-12616)
  • Added detection of Spring Data REST Remote Code Execution (CVE-2017-8046)
  • Added detection of Insecure Odoo Web Database Manager
  • Added detection of JBoss Remote Code Execution (CVE-2015-7501 and CVE-2017-7504)
  • Added detection of WebSphere Remote Code Execution (CVE-2015-7450)
  • Updated WordPress Plugin vulnerability detection

Updates

  • Password is no longer required when configuring client certificate for a Target
  • Additional memory optimizations
  • Scanner will now report when the LSR cannot login
  • Application Error Message vulnerability check updated to provide more details on the error
  • Reports, XML exports and WAF exports now use a more meaningful filename
  • Reports now show the status of a scan
  • Scan debug logs now include imported files
  • Increased the maximum number of issue trackers that can be configured

Fixes

  • Fixed multiple crashes while scanning
  • Scanner will now re-authenticate when the website invalidates authentication during a scan (applies to HTTP authentication only)
  • Fixed: scanner sometimes failed to decode LSR output, leading to an unauthenticated scan
  • Fixed many issues causing vulnerabilities not to be detected or to be detected incorrectly
  • Two fixes affecting the setting of Cookies
  • Fixed issue in RSS parsing
  • Fields with certain characters in the name (such as $) were not being tested
  • Some out of scope paths were still being crawled
  • Fixed an issue in Auto-Login
  • Fixed: upon upgrade, the user was asked to “Logout from Other Session”
  • Fixed: Target and Vulnerabilities reports were failing
  • Fixed: Recurrent scans for Standard licenses were being disabled
  • Fixed: some reports were generated without a file extension

Version 12 (build 12.0.180709159) – 9th July 2018

New Features and Vulnerability tests

Updates

  • Scanner will automatically continue scanning when http redirects to https
  • Improvement in memory usage
  • Acunetix will now hand over DNS resolution to Proxy Server when configured
  • Improved messaging during installation

Fixes

  • Fixed scanner crash in DeepScan
  • Fixed scanner hang when certain LSR files are used
  • Fixed incomplete scans in certain situations, such as when using import files

Version 12 (build 12.0.180628131) – 28th June 2018

New Features and Vulnerability tests

Fixes

  • Fixed issue with NTLM HTTP Authentication
  • Fixed issue causing some pages not to load correctly in the LSR
  • Fixed 2 false positives for “User controllable charset” and “User controllable script source”
  • Fixed issue in handling HAR import files

Version 12 (build 12.0.180619111) – 19th June 2018

New Features and Vulnerability tests

Fixes

  • Crash dump was sometimes not being created

Version 12 (build 12.0.180615105) – 15th June 2018

Updates

  • More improvements to Web Application Detection
  • Reports now show if a scan has failed

Fixes

  • Scanner was not parsing all AcuSensor data, causing some vulnerabilities not to be reported when AcuSensor is used
  • Some requests to HTTPS sites were being downgraded to HTTP

Version 12 (build 12.0.180611183) – 11th June 2018

New Features and Vulnerability tests

  • Introduced system to automatically avoid testing similar pages
  • New check for Oracle Weblogic WLS-WSAT Component Deserialization RCE affecting versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0 and 12.2.1.2.0 (CVE-2017-10271)
  • New check for PHPUnit RCE affecting versions 4.8.28 and 5.x before 5.6.3 (CVE-2017-9841)
  • New check for Edge Side Include Injection vulnerabilities
  • New check for Dotenv (.env and variants) files
  • New check for Joe Text Editor DEADJOE file
  • New check for Symfony configuration file
  • New check for Laravel (PHP framework) log files
  • New check for publicly accessible backup directory in Drupal Backup Migrate

Updates

  • Updated timeout and retries for HTTP requests done by some vulnerability checks
  • Updated Web Application Detection checks to make fewer HTTP requests, resulting in faster scans
  • Various minor updates to the UI
  • Improved parsing of robots.txt
  • Improved detection of default index files
  • Acunetix now shows the number of licensed Targets in the License section of the UI

Fixes

  • Some addresses were not parsed correctly, resulting in incorrect paths
  • Some addresses were not detected, resulting in missing paths
  • Some paths were being detected incorrectly
  • Scanner crash when allowed hosts are used
  • Scanner crash when parsing some pages
  • Scanner hang when crawling caused by DeepScan
  • No links parsed from pages without Content-Type header
  • Some vulnerability checks duplicated the query values
  • Fixed: a sitemap was always being reported as detected
  • Fixed validation issues in Security Settings > Account Lockout > Lockout timeout
  • License checks were failing for some installations

Version 12 (build 12.0.180521161) – 22nd May 2018

Updates

  • DeepScan has been updated to ignore images resulting in faster scans

Fixes

  • Excluded paths not taken into consideration
  • Parts of the scan were not using the Custom 404
  • Some paths were not identified correctly

Version 12 (build 12.0.180517125) – 17th May 2018

New Features and Vulnerability tests

Updates

  • Updated detection of Drupal installations
  • Changed to a more moderate definition of a Target for licensing purposes
  • Number of Targets and Users configured are now shown in the UI > Licensing section
  • UI now shows if the latest build is being used, and allows the user to check for updates manually

Fixes

  • Multiple updates and fixes to the HTML parser
  • Multiple updates and fixes to the Acunetix UI
  • Auto-login was making unnecessary requests
  • Some vulnerabilities were showing ‘null’ URL
  • Data from AcuSensor was not being interpreted correctly
  • Account lockout settings were not being saved
  • Fix in the scanner which was making some vulnerability checks not to work
  • Some vulnerability checks making unnecessary requests
  • Some vulnerability details were not being encoded correctly
  • Custom 404 detection was not working
  • Fix in AcuMonitor affecting some tests
  • DeepScan was not interpreting correctly paths containing a dot

Version 12 (build 12.0.180509176) – 10th May 2018

New Features

  • New faster Engine
  • Scans can now be Paused and Resumed
  • Targets can be imported from CSV
  • New Java AcuSensor
  • Support for latest JavaScript (ES6 and ES7) in DeepScan and Login Sequence Recorder
  • Configurable Password Policies including Password History, Auto Password Expiry and Account Lockout
  • Two-Factor Authentication in the Acunetix UI
  • Exclude what to scan directly from Crawl results or previous scans

Updates and Fixes

  • Too many to enumerate
  • Multiple updates to the vulnerability checks

Version 11 (build 11.0.173271618) – 24th November 2017

New Features

  • Added new OWASP Top Ten 2017 report

Fixes

  • Fixed: DeepScan was processing ignored scripts

Version 11 (build 11.0.173131028) – 9th November 2017

New Features and Vulnerability Tests

  • Added support for Selenium scripts as Target Import files
  • Introduced various vulnerability checks for CMS Made Simple including:

Improvements

  • Various minor UI updates
  • Improved handling of aborted scans for Targets with Continuous scanning enabled
  • Increased Custom Cookie size limit from 512 bytes to 10 KB (2 KB for Acunetix Online)
  • Added new email templates
  • Email notification now indicates if a scan has failed
  • Multiple minor updates to the reports
  • Updated the Error Message script to show full Java error messages
  • Tech Admin role can now create and alter Scan types.

Fixes

  • Scan Comparison was incorrectly switching the order of the scans
  • Scan Comparison was incorrectly comparing with Allowed host
  • Fixed bug in the licensed user limit
  • Fixed bug causing scans to fail when the LSR contains Unicode characters
  • Multiple fixes in XML export
  • Multiple fixes in F5 WAF rules export
  • Fixed 2 minor security issues in the web interface
  • 2 fixes for incorrect vulnerability counts in the Dashboard
  • Fixed the retesting of vulnerabilities for Targets requiring manual intervention
  • Fixed the Targets page incorrectly showing a Target as being scanned after the ongoing scan was deleted

Version 11 (build 11.0.172901635) – 17th October 2017

New Features and Vulnerability Tests

Improvements

  • Updated the Joomla and WordPress vulnerability checks

Fixes

  • Fixed a bug causing scans to fail because of certain characters in the LSR file

Version 11 (build 11.0.172641450) – 22nd September 2017

New Features and Vulnerability Tests

Improvements

  • Improved the detection of Blind SQL Injection
  • Better support for large JavaScript files
  • Java error detection now includes the full Java error returned by the server
  • Improved the Remote File Inclusion XSS checks
  • Updated the Joomla and WordPress vulnerability checks

Fixes

  • Fixed a bug causing the download of a Target’s LSR file to fail
  • Fixed a bug in HTTP Digest Authentication

Version 11 (build 11.0.172371608) – 25th August 2017

Fixes

  • Fixed issue causing automatic updates to fail. Updates need to be downloaded manually from https://www.acunetix.com/download/fullver11/

Version 11 (build 11.0.172351036) – 23rd August 2017

New Features and Vulnerability Tests

  • Detection of Apache Struts 2 Showcase RCE (CVE-2017-9791)
  • Check for .hgignore (Mercurial SCM configuration file)
  • Check for Atlassian Confluence Stored XSS (CVE-2016-6283)
  • Check for private key files with names based on ScanHost, e.g. “www.example.org.key”, “example.org.key”
  • Check for moment.js Denial of Service (CVE-2016-4055)
  • Various updates to the WordPress and Joomla checks
  • Introduction of Multi-Engine functionality for Enterprise customers
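The private key file check above derives file names from the scanned host and probes for them. As an added example of how such a check works (illustration only, not Acunetix's implementation; the fetch callback, the fake responses and the function names are constructed for this page), the following builds the candidate names, walks up the host name without ever probing the bare TLD, and only reports a hit when the body carries a PEM private key marker, so a custom 404 page answering 200 is not a false positive:

```python
import re
from typing import Callable, List, Tuple

Fetch = Callable[[str], Tuple[int, str]]  # path -> (status, body)

# PEM headers of unencrypted and encrypted private keys (PKCS#1, PKCS#8, EC, DSA).
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")


def candidate_key_names(host: str) -> List[str]:
    """www.example.org yields www.example.org.key and example.org.key.
    A single-label host (e.g. an internal name) yields no candidates."""
    labels = host.strip().lower().rstrip(".").split(".")
    return [".".join(labels[i:]) + ".key" for i in range(len(labels) - 1)]


def looks_like_private_key(status: int, body: str) -> bool:
    # An HTTP 200 alone is not evidence: a custom 404 page also answers 200.
    return status == 200 and PEM_PRIVATE_KEY.search(body) is not None


def find_exposed_keys(host: str, fetch: Fetch) -> List[str]:
    """Return the candidate file names that the server actually serves as keys."""
    return [name for name in candidate_key_names(host)
            if looks_like_private_key(*fetch("/" + name))]


# Constructed responses for the example (not a real server): the site leaks
# example.org.key, while www.example.org.key is a soft 404 served with HTTP 200.
def fake_fetch(path: str) -> Tuple[int, str]:
    responses = {
        "/example.org.key": (
            200,
            "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----\n",
        ),
        "/www.example.org.key": (
            200,
            "<html><body>Sorry, that page was not found.</body></html>",
        ),
    }
    return responses.get(path, (404, "Not Found"))
```

On a real target the same candidates should also be tried with other common extensions (.pem, .pfx) and under the document root of each virtual host, but the content check, not the status code, is what makes the finding reliable.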

Improvements

  • Updated the Database backup file checks
  • Improved jQuery version fingerprinting
  • Updated detection of HttpOnly and Secure cookie flags
  • Updated default Target list sorting
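The HttpOnly and Secure cookie flag check parses each Set-Cookie header and reports the flags that are absent. As an added example of that parsing (not Acunetix code; the sample headers and function names are constructed for this page), the following handles the details that trip up naive checks: attribute names are case-insensitive, HttpOnly and Secure carry no value, a cookie value may itself contain "=", and a missing Secure flag is only meaningful on an HTTPS target:

```python
from typing import Dict, List, Tuple, Union

Attrs = Dict[str, Union[str, bool]]


def parse_set_cookie(header: str) -> Tuple[str, str, Attrs]:
    """Split a Set-Cookie header value into (name, value, attributes).
    Attribute names are compared case-insensitively (RFC 6265); flag
    attributes such as HttpOnly and Secure have no value and are stored as True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")  # value may contain '=' itself
    attrs: Attrs = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing ';'
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def cookie_flag_findings(set_cookie_headers: List[str], scheme: str = "https") -> List[Tuple[str, str]]:
    """Return (cookie name, issue) pairs. A missing Secure flag is only reported
    for HTTPS targets, where the flag actually changes browser behaviour."""
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly flag"))
        if scheme == "https" and "secure" not in attrs:
            findings.append((name, "missing Secure flag"))
    return findings


# Constructed Set-Cookie headers for the example (not captured from a real site).
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly",
    "tracking=1; Expires=Wed, 21 Oct 2026 07:28:00 GMT; Path=/",
    "csrftoken=xyz; Secure; SameSite=Lax;",
    "session=k=v==; Path=/; HTTPONLY; secure",
]
```

Splitting on ";" rather than "," is deliberate: the Expires attribute contains a comma, so a cookie-aware splitter must never treat commas as separators.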

Fixes

  • Fixed XSS detection issue
  • Minor fix to the allow_url_fopen enabled check
  • Fixed the F5 BIG-IP ASM WAF XML export
  • Fixed an issue that prevented Acunetix from installing on Chinese-language operating systems

Version 11 (build 11.0.171721334) – 21st June 2017

New Vulnerability Tests

Improvements

  • Improved detection of WordPress version
  • Various updates to the WordPress and Joomla checks
  • Updated description for Broken links alert.

Fixes

  • Fixed an issue causing a crash in the scanning engine
  • Fix affecting the processing of XML files, improving scan performance
  • Fix in the High Risk Scan Type, improving scan performance
  • Various updates and fixes in the Acunetix web UI

Version 11 (build 11.0.171381251) – 18th May 2017

New Vulnerability Tests

Version 11 (build 11.0.171251523) – 5th May 2017

New Vulnerability Tests

Version 11 (build 11.0.171181742) – 27th April 2017

New Vulnerability Tests

Improvements

  • Various improvements to the WordPress checks

Bug Fixes

  • Fixed an issue affecting checks on REST APIs
  • Fixed an issue with the export to Imperva SecureSphere WAF

Version 11 (build 11.0.171101535) – 20th April 2017

New Vulnerability Tests

Improvements

  • Improved Backup file checks
  • Various improvements to the WordPress checks
  • Added support for various JavaScript libraries in the Login Sequence Recorder and DeepScan

Bug Fixes

  • The Virtual Host Audit check was not taking the Target port and scheme into consideration
  • Fixed a DeepScan issue which caused an infinite loop during auto-authentication for some web applications
  • Fixed an issue in the Login Sequence Recorder causing it not to load settings from the correct location

Version 11 (build 11.0.170941159) – 4th April 2017

Improvements

  • The IP address or hostname of the Acunetix machine can be specified during installation. It is used to generate the SSL certificate for the web UI, so that the certificate matches the address used to reach the UI and browsers do not raise SSL errors
  • Update to Login Sequence Recorder and DeepScan improving compatibility with modern web applications
  • Target information is shown in “Scan Done” UI notifications
  • Various minor updates to the UI
  • Scan email notifications now include links to the scan results. Report email notifications include links to the report
  • Multiple updates to the WordPress and Joomla vulnerability checks

Bug Fixes

  • Fixed false positives caused by the PHP AcuSensor
  • Fixed 2 privilege escalation issues reported privately to Acunetix
  • Fixed false positive in WAF detection
  • Fixed UI issue caused by certain characters in the Target Description field

Version 11 (build 11.0.170751531) – 16th March 2017

Updates

  • Check for Remote Code Execution (RCE) vulnerability in Apache Struts 2 (CVE-2017-5638)

Version 11 (build 11.0.170611402) – 3rd March 2017

Updates

  • Multiple updates to the WordPress and Joomla vulnerability checks

Fixes

  • Fixed an issue caused by UTF-8 characters in the login sequence filename
  • Fixed an issue with Target address validation

Version 11 (build 11.0.170540920) – 23rd February 2017

Updates

  • AcuMonitor registration setting is now remembered between license activations
  • Various updates to the WordPress and Joomla vulnerability checks
  • Acunetix now accepts .der, .p12 and .pfx file extensions for client certificates
  • Login Sequence Recorder (LSR) now better supports sites using ES6 features

Fixes

  • In certain situations, the auto-login details for a Target were not stored correctly, resulting in the login credentials not being used during a scan
  • Fixed an issue with the parsing of addresses
  • Fixed an issue causing automatic product updates not to be applied for some licenses. Affected customers will be notified by email.

Version 11 (build 11.0.170461052) – 15th February 2017

Updates

  • Creation of custom scanning profiles is possible from the Acunetix web UI.
  • Manual Intervention events can be configured as part of a Login Sequence for Captchas and two factor authentication
  • Retesting of vulnerabilities discovered by Acunetix
  • The ability to disable AcuMonitor at license activation
  • Comparison report for two scans of the same Target
  • Reports are now available in both PDF and HTML
  • The site structure is now shown in a hierarchical tree view
  • Excluded hours, during which Acunetix will not run scans, can be configured per Target
  • Added information on weak SSL cipher suites
  • The Acunetix license activation allows the user to opt out of AcuMonitor registration
  • Various updates to the WordPress and Joomla vulnerability checks

Fixes

  • Notifications for vulnerabilities discovered by AcuMonitor now include a link taking the user to the vulnerability identified
  • Various bug fixes in the UI
  • Changed the scan status message shown when the scanned Target is not responding
  • Fix in Relative Path Overwrite vulnerability check
  • Various updates and fixes related to AcuMonitor
  • Improved URL validation

Version 11 (build 11.0.170341008) – 3rd February 2017

New Vulnerability Test

Version 11 (build 11.0.163541031) – 19th December 2016

New Features

  • Acunetix Enterprise users can now generate their API key to be used for the Acunetix API (contact sales@acunetix.com for more information on the API)
  • Selenium IDE files are now supported as Import files in Acunetix v11
  • The Acunetix Login Sequence Recorder can now edit login sequence files.

New Vulnerability Tests

Improvements

  • The Acunetix UI will show a message when the license is not activated.
  • The Login Sequence Recorder will make use of the proxy settings configured for the Target.
  • Better handling of cookies.

Bug Fixes

  • Fixed reports generated for Targets that have not been scanned
  • Empty Import Files can no longer be uploaded for a Target
  • Some information returned by AcuSensor was not reflected in the vulnerability details
  • Fixed false positive in the ASP.NET debug mode check
  • Various minor updates and fixes

Version 11 (build 11.0.163221044) – 17th November 2016

New Features

  • New web-based user interface
  • Targets are now stored in Acunetix with their individual settings, and can be easily re-scanned.
  • Targets can be classified by their Business Criticality
  • Reports are stored in the central interface
  • Users can choose between “Target reports”, “Scan reports” or “All vulnerabilities reports”
  • Role-based multi-user system, allowing users to be assigned the security scanning of specific targets.
  • All vulnerabilities for all the targets are now shown in one list which can be easily filtered.
  • Export vulnerabilities to F5 BIG-IP ASM and Fortinet FortiWeb Web Application Firewalls directly from within Acunetix
  • Acunetix now supports sending vulnerabilities to these issue trackers: GitHub, JIRA and Microsoft Team Foundation Server (TFS)
  • Documentation is now inbuilt into the new interface
  • New Dashboard, providing an instant overview of the security status of your assets.

Improvements