Changelogs

Acunetix Standard & Premium

RSS Feed

v12.0.190827161 - 28 Aug 2019

Copy Link Copy Link
Version 12 (build 12.0.190827161 - Windows and Linux) 28th August 2019

New Features

  • Implemented support for OpenSearch
  • Acunetix will try to discover hidden parameters and test them
  • Acunetix can now check base64 encoded JSON inputs for vulnerabilities

New Vulnerability Checks

  • New test for Oracle Business Intelligence Convert XXE (CVE-2019-2767)
  • New test for Oracle Business Intelligence Adfresource Path traversal (CVE-2019-2588)
  • New test for Oracle Business Intelligence AuthBypass (CVE-2019-2768)
  • New test for Oracle Business Intelligence ReportTemplateService XXE (CVE-2019-2616)
  • New test for Jira RCE (CVE-2019-11581)
  • New test for Test for Atlassian Crowd RCE (CVE-2019-11580)
  • New tests for Python Code Injection
  • New test for Apache Spark RCE [https://spark.apache.org/security.html] (CVE-2018-11770)
  • New test for ColdFusion Deserialization RCE (CVE-2019-7091)
  • Implemented support for OpenID Connect Discovery
  • Detect and report Apple application association files
  • Added new checks for WordPress plugins, Drupal core and Joomla core

Updates

  • Updated UI to accept IPv6 addresses
  • Multiple improvements to DeepScan
  • Improved the Directory Traversal check
  • Updated the scan limits, reducing repeated requests to larger sites
  • Acunetix will now extract and process gzipped files
  • Multiple updates to parsing and heuristic crawler features
  • Improved the vulnerability deduplication – similar vulnerabilities will be reported once
  • Improved reporting of the cause of scan failures (e.g. website is unresponsive, invalid import file etc)
  • Credentials provided to Auto-Login or LSR will not be used for vulnerability tests
  • Improved processing of Selenium scripts
  • Improved login form detection by Auto-Login feature
  • Improved WebLogic detection, and testing for default WebLogic credentials
  • Improved detection of Vulnerable JavaScript libraries check

Fixes

  • Fixed a number of issues causing the scanner to stop unexpectedly
  • Fixed issue causing AcuMonitor checks to be done when AcuMonitor is not enabled
  • Fixed issue with WSDL parsing
  • Fixed: Reflected tests (e.g. reflected XSS) was not done on JSON inputs
  • Fixed issue causing 100% CPU usage when processing certain pages
  • Fixed hang in the Acunetix Administrative Password utility on Windows
  • Fixed: DeepScan was not processing XHTML pages
  • Fixed issue causing Chromiumn process to remain active after PDF report generation
  • Fixed issue caused by background requests when recording a login sequence
  • Fixed issue when recording a login sequence on a site that uses cross-domain iframes
  • Fixed issue when parsing WADL
  • Fixed issue causing Host Header Attack false negatives

v12.0.190703137 - 04 Jul 2019

Copy Link Copy Link
Version 12 (build 12.0.190703137 - Windows and Linux) 4th July 2019

New Vulnerability Checks

  • New test for Joomla! Core CSV Injection vulnerability check [CVE-2019-12765]
  • New test for Joomla! Core XSS vulnerability check (CVE-2019-12766)
  • New test for Joomla! Core Security bypass (CVE-2019-12764)
  • New test for Oracle Weblogic XXE (CVE-2019-2647)
  • Added the detection of CDNs
  • Added the detection of reverse proxies

Updates

  • Auto-Login is now using the LSR functionality – this will improve auto-login in general
  • Improved detection of DOM XSS
  • Improved handling of invalid Selenium scripts
  • Improved handling of email addresses fields in web forms
  • Improved parsing of WSDL files
  • Implemented support for Proxy-Authenticate header
  • Improved crawling of Spring-based web applications
  • Updated LSR to automatically dismiss modal dialogs during playback
  • Reduced false positives in checks looking for sensitive and backup files
  • Reduced false positives in SSN number detection
  • Reduced false positives in XSS in URIs
  • Improved the detection of WAFs
  • LSR can now record actions within <iframe> elements
  • Jira Issue Tracker integration now supports HTTP Authentication with API key

Fixes

  • Fixed a crash when parsing SOAP messages
  • Fixed issue in interpretation of some Selenium scripts
  • Fixed a number of broken links in the Vulnerability Alerts
  • Autologin was recording the password in the log file
  • Fixed crash caused when reading specific swagger files
  • Fixed crash caused when reading specific large files
  • Fixed issue causing the scanner to go into a loop
  • Fixed issue causing crawler to not interpret correctly certain locations in JavaScript
  • Fixed issue in Manual Intervention
  • Fixed issue affecting sites using euc-kr encoding
  • Fixed Chromium issue caused when window.chrome is used by the site
  • Fixed issue causing Chromium not to load on Kali Linux
  • Fixed LSR playback issue caused when input field contained predefined text
  • SRI not implemented was being reported multiple times per host

v12.0.190515149 - 14 May 2019

Copy Link Copy Link
Version 12 (build 12.0.190515149 - Windows and Linux) 14th May 2019

New Features

  • Network Scanning via OpenVAS integration
  • Introduced support for IPv6 domains (IPv6 addresses not supported yet)
  • Dynamic resource allocation for when multiple scanners are started on the same machine
  • Improved resource usage for string comparison functions
  • Selenium scripts can now be used as import files

New Vulnerability Checks

Updates

  • Multiple improvements to the detection of Blind SQL Injection
  • Improved the Error Messages vulnerability check
  • Improved the Adobe Experience Manager tests
  • Improved detection of Java Deserialization and Mongo alert deduplication
  • Improved detection of Rails accept file content disclosure
  • Updated alert details for Oracle WebLogic Remote Code Execution via T3 (CVE-2018-3245)
  • Improved detection of Confluence
  • Improved PHP AcuSensor when used on nginx
  • Improved detection of PHP code injection
  • Updated Directory Traversal Check to make fewer requests
  • Multiple improvements to DeepScan and the LSR
  • Implemented support for WebSockets in LSR and Deepscan

Fixes

  • Fixed a few crashes
  • Fixed issue causing Postcrawl scripts to not be executed on folders
  • Fixed: Custom cookies could be used twice when the application sets the same cookies
  • Cookie processing now ignores leading . in domain
  • Fixed issue with LSR when used on Internet Explorer
  • Fixed issue with HTTP Authentication
  • Fixed false positive in Struts_RCE_S2-052_CVE-2017-9805
  • Fixed severity level for CSRF vulnerability check
  • Fixed False Negative in Mercurial repository found check
  • Fixed issue causing site structure not to be updated with locations identified by vulnerability scripts

v12.0.190404166 - 05 Apr 2019

Copy Link Copy Link
Version 12 (build 12.0.190404166 - Windows and Linux) – 5th April 2019

New Vulnerability Checks

Updates

  • Minor update improving efficiency of PerFolder checks
  • LSR: Disabled spellcheck for fields loaded
  • Deepscan: Improved exclusion of clicks on logout elements
  • LSR: clicks on some SVG elements where not being recorded
  • LSR: Session Pattern Detection now uses session headers provided by webapp

Fixes

  • Fixed 2 issues causing the scanner to stop unexpectedly
  • Scan progress was not always correctly saved when scan is paused
  • Session Pattern Detection was not always using the session headers provided by the webapp

v12.0.190325161 - 26 Mar 2019

Copy Link Copy Link
Version 12 (build 12.0.190325161 - Windows and Linux) – 26th March 2019

New Features

  • Verified vulnerabilities are now indicated by Acunetix

New Vulnerability Checks

Updates

  • Updated Directory Traversal vulnerability check
  • Improved detection of Blind SQL Injection
  • On Linux, OOM Killer will now stop less important processes
  • Improve handling of XHR requests in Deepscan
  • Multiple improvements to the LSR and Session detection
  • Scan Stats are now retained between Pause/Resume
  • Improved the detection of paths from JSON and XML
  • Improve techniques used to detect type of input in web form
  • Multiple minor UI updates

Fixes

  • Fixed multiple instances of scanner stopping unexpectedly
  • Fixed false positive reported by WordPress plugin All in One SEO Pack privielege escalation check
  • Fixed issue causing the same web application to be detected multiple times
  • Some vulnerability alerts did not show the HTTP Response
  • Fixed issue causing incorrect processing of default values in forms
  • HTTP redirects were not being detected
  • Fixed issue in File Upload XSS vulnerability check
  • Fixed issue causing PerFolder scripts not to be executed on all folders
  • Fixed issue causing HAR file importing to fail
  • Fixed issue causing LSR to fail to load Target with uppercase address
  • Fixed issue causing SharePoint Reflected Cross-Site Scripting (CVE-2017-8514) not to be reported

v12.0.190227132 - 27 Feb 2019

Copy Link Copy Link
Version 12 (build 12.0.190227132 - Windows and Linux) – 27th February 2019

New Vulnerability Checks

Updates

  • Update Source Code Disclosure checks to prevent False Positives
  • Unused paths are filtered out from AcuSensor data

Fixes

  • Fixed false positive in Expression Language Injection vulnerability check
  • Fixed issue in LSR / Deepscan when processing scripts overriding toJSON on Object

v12.0.190214162 - 15 Feb 2019

Copy Link Copy Link
Version 12 (build 12.0.190214162 - Windows and Linux) – 15th February 2019

Updates

  • Improved scanning of .NET web applications
  • Improved processing of CSS files
  • 40% speed improvement when parsing pages
  • Various updates to WSDL processing

Fixes

  • Some invalid URLs were being incorrectly reported as external hosts
  • Fixed issue causing communication problem between scanner and backend
  • Allowed hosts were not always being scanned
  • Integrated LSR was not always working on Internet Explorer 11
  • Fixed LSR display problem when browser window is zoomed or resized
  • Fixed issue when importing Burp State file

v12.0.190206130 - 07 Feb 2019

Copy Link Copy Link
Version 12 (build 12.0.190206130 - Windows and Linux) – 7th February 2019

New Features

  • New Integrated Login Sequence Recorder – Login Sequences can be recorded directly from the Acunetix UI
  • Swagger (JSON and YAML) and WSDL can be used as import files

New Vulnerability checks

  • New checks for a number of WebBackdoors
  • New checks for elmah.axd information disclosure
  • New test for Stack Trace Disclosure in Django
  • New test for Stack Trace Disclosure in ASP.NET
  • New test for Stack Trace Disclosure in ColdFusion
  • New test for Stack Trace Disclosure in Python
  • New test for Stack Trace Disclosure in Ruby
  • New test for Stack Trace Disclosure in Tomcat
  • New test for Stack Trace Disclosure in Grails
  • New test for Stack Trace Disclosure in Apache MyFaces
  • New test for Stack Trace Disclosure in Java
  • New test for Stack Trace Disclosure in GWT
  • New test for Stack Trace Disclosure in Laravel
  • New test for Stack Trace Disclosure in Rails
  • New test for Stack Trace Disclosure in CakePHP
  • New test for Stack Trace Disclosure in CherryPy
  • New Directory Listing vulnerability checks
  • New Error Message vulnerability checks
  • New test for Oracle Reports RWServlet showenv
  • New test for Docker Engine API publicly accessible
  • New test for Docker Registry API publicly accessible
  • New test for Jenkins server user enumeration
  • New test for Jenkins server weak credentials
  • Added the following new tests for Adobe Experience Manager
    • Day CQ WCM Debug Filter enabled
    • LoginStatusServlet exposed (allows to bruteforce credentials)
    • Bruteforce a set of default AEM credentials if LoginStatusServlet is exposed
    • QueryBuilderFeedServlet public accessible, sensitive information might be exposed
    • Implemented tests for a bunch of SWF files that are exposed by AEM code that are vulnerable to Reflected XSS
    • Test if the AEM Groovy Console is publicly accessible. Permits RCE
    • Added a test for exposed AEM ACS Tools (a set of tools for AEM developers) – RCE is possible
    • Test if GQLServlet is publicly accessible. Sensitive information could be exposed
    • Test if Adobe Experience Manager AuditLogServlet is publicly accessible. Audit log records could be exposed
    • Test for Server Side Request Forgery (SSRF) via SalesforceSecretServlet (CVE-2018-5006)
    • Test for Server Side Request Forgery (SSRF) via ReportingServicesServlet
    • Test for Server Side Request Forgery (SSRF) via SiteCatalystServlet was detected

Updates

  • Improved the scanning of sites using SOAP
  • Improved parsing of paths
  • TXT import now takes precedence over excluded paths
  • Improved the adherence of the scan scope
  • Improved the detection of the version of WordPress plugins
  • Improved the automatic session pattern detection in the LSR
  • LocalStorage / SessionStorage is retained between LSR and Deepscan Sessions

Fixes

  • Fixed: Scan scope was not always respected
  • Technology detected during the scan was not being reported
  • Fixed several scanner unexpected termination issues
  • Fixed issue causing large PDF reports not to be generated
  • Fixed: AcuSensor file data is better filtered by scanner

v12.0.190121124 - 22 Jan 2019

Copy Link Copy Link
Version 12 (build 12.0.190121124 - Windows and Linux) – 22nd January 2019

Updates

  • HTTP response size limit has been increased to 20Mb
  • Swagger parser now supports yml files

Fixes

  • Fixed a scanner crash
  • Fixed: Login Sequence Recorder was not using the User-Agent configured for the Target
  • Fixed issue causing false positives in ‘User controllable charset’ and ‘User controllable script source’
  • Fixed issue with BURP state file importer
  • Fixed: Users could not update an expired POC license
1 9 10 11 24