Changelogs

Acunetix Standard & Premium

v13.0.200508159 - 11 May 2020

Version 13 (build 13.0.200508159 – Windows and Linux) 11th May 2020

New Features

  • Business Logic Recorder – used to record logic used in multi-step forms
  • Export to Citrix WAF
  • Support for Azure DevOps Services issue tracker
  • CVSS 3.1 score for most Acunetix vulnerabilities
  • Targets can now be exported to CSV
  • New Graph in Dashboard showing Average vulnerabilities per Target

New Vulnerability Checks

Updates

  • Manual Intervention (used for CAPTCHAs, OTP, etc.) now uses the integrated (web-based) LSR
  • As a result of the previous update, Manual Intervention is now available on Linux
  • Improved error reporting for network scans aborted due to network errors
  • Vulnerability alerts updated to show important information at the top
  • Updated Github issue tracker to support Personal Access Token (PAT) authentication
  • Improved reporting of Paused scans in the UI
  • Improved UI message shown when a user triggers a scan that is not allowed due to Manual Intervention
  • API documentation can now be downloaded from within the Acunetix UI
  • Added support for popup windows in the Login Sequence Recorder
  • Improved handling of large import files
  • Improved handling of large requests/responses generated from import files
  • Decreased false positives reported for Possible username or password disclosure
  • Truncated large vulnerability alerts when sending to Jira issue tracker

Fixes

  • Fixed incorrect "From" email address used for monthly update emails
  • Fixed AcuMonitor UI notification to link to corresponding vulnerability
  • Fixed issue causing vulnerability checks to not be able to send empty values
  • Fixed a number of crashes
  • Fixed issue causing ASP.NET sites to be processed as ASP sites
  • Fixed 2 issues caused when using Swagger import files
  • Improved handling of txt import files using incorrect import format
  • Fixed Session Fixation false positive
  • Fixed UI issue when configuring Custom Cookies
  • Fixed: Trend charts were not being updated for user accounts
  • Fixed issue in excluded hours
  • Fixed “Client Certificate Not Set” message incorrectly being reported

v13.0.200409107 - 09 Apr 2020

Version 13 (build 13.0.200409107 – Windows and Linux) 9th April 2020

New Vulnerability Checks

  • New check to warn user if server sends known password to client
  • New check for RCE in Liferay Portal (CVE-2020-7961)

Updates

  • Improved detection of SQL Injection

Fixes

  • Fixed bbcode display issue in some alerts
  • Fix in Login page password-guessing attack
  • Fixed licensing issue caused by different case in Target address

v13.0.200401171 - 02 Apr 2020

Version 13 (build 13.0.200401171 - Windows and Linux) 2nd April 2020

New Vulnerability Checks

  • New WordPress plugin checks

Updates

  • Improved XXE check
  • Improved internal IP disclosure check
  • Vulnerabilities detected with 100% Confidence get a Verified stamp

Fixes

  • Fixed issue with response highlighting for SQL Injection alerts
  • Fixed AcuMonitor alert notifications not linking to scan
  • Fixed page not found UI issue when trying to generate a report from Reports page
  • Fixed issue with scanner looping when parsing specific long JSON responses

v13.0.200326097 - 26 Mar 2020

Version 13 (build 13.0.200326097 - Windows and Linux) 26th March 2020

New Features

  • Introduced support for processing of Swagger 2.0 files during scans
  • Introduced support for Swagger 2.0 files as import files
  • New Quarterly scheduled scan option
  • Users can change their password from the Acunetix UI

New Vulnerability Checks

Updates

  • Minor UI updates
  • Better reporting of scans interrupted due to network errors
  • Client Certificate address can now be configured for a Target
  • HTTP Authentication address can now be configured for a Target
  • Abort Scan after 25 network errors
  • Implemented Proof of Exploit for Blind SQL Injection vulnerabilities
  • Improved showing Scan Duration for long scans
  • Acunetix can be installed in custom paths
  • Scan email notifications will include a PDF report if requested at start of scan
  • Email notifications can be configured for:
    • Product updates
    • Target notifications
    • Scan notifications
    • Report notifications
    • Monthly status updates

Fixes

  • Fixed: On Reports page, Target address shows as N/A for Targets that do not have a Description
  • Fixed issue uploading import files larger than 1 MB
  • Fixed issue whereby some addresses were missing a character in the report
  • Fixed false positive in Possible server path disclosure
  • Fixed issue causing the scanner not to follow multiple redirects
  • Fixed 2 scanner crashes
  • Multiple fixes in WADL parser
  • Fixed: Case Sensitive Paths setting was sometimes not being taken into consideration
  • Fixed issue in Possible Sensitive Directories identifying incorrect locations
  • Fixed issue where users with expired passwords were not given the option to change their password

v13.0.200205121 - 05 Feb 2020

Version 13 (build 13.0.200205121 - Windows and Linux) 5th February 2020

New Features

  • New Acunetix web UI
  • Improved Network Scanner integration
  • Malware Detection using Windows Defender on Windows and ClamAV on Linux
  • Smart Scan
  • New scanning algorithm prioritises scanning tasks and reduces scanning time
  • Proof of exploit is reported in the vulnerability alerts
  • Incremental Scans
  • Vulnerability Confidence Rating for web vulnerabilities
  • New GitLab Issue Tracker Integration
  • New Bugzilla Issue Tracker Integration
  • New Mantis Issue Tracker Integration
  • Ability to create Login Sequence from Selenium script
  • New WADL import file
  • New ASP.NET Webforms import file
  • New Postman import file
  • New Paros import file
  • Ability to create custom checks
  • Highlighting of vulnerability in HTTP response
  • DeepScan provides better support for Angular 2, Vue and React JavaScript Frameworks
  • Unlimited network scanning for Acunetix Premium customers
  • Account Session Timeout settings
  • Account Maximum Consecutive Login Failure settings

New Vulnerability Checks

Updates

  • Improved memory consumption for the scanner
  • PDF reports now have page numbers
  • Generic User-agent will be used for communication with issue trackers
  • All lists in Acunetix UI can be sorted
  • Easier filtering options in the Acunetix UI
  • Settings can now be accessed from the side-bar
  • Links discovered by AcuSensor are given more prominence
  • Improved processing of XML and JSON POST input schemes
  • Scanner will try to replay the LSR playback actions a number of times before failing
  • Improved Auto-Login
  • Multiple updates in the Login Sequence Recorder
  • Developer report updated to include Source file, line number and other details provided by AcuSensor
  • Acunetix now supports scanning domains with international characters
  • Increased page size limit to 20 MB in scanner and LSR
  • Improved detection of Possible Sensitive Files
  • Improved detection of email addresses
  • Improved detection of Command Injection
  • Improved detection of database backup files
  • Improved detection of XXE

Fixes

  • Fixed issue in Developer report showing incorrect parameter name for detected vulnerabilities
  • Fixed: “Tester” user role will not be able to create reports
  • Fixed: Upgrades on Linux were not removing all files from the previous installation
  • Fixed issue with Manual Intervention
  • Fixed: Session cookies were not always collected by LSR
  • Fixed: Incorrect processing of URLs with “{” character
  • Fixed a number of crashes in scanner
  • Fixed issue causing scanner proxy to unintentionally transform parts of the HTTP request
  • Fixed false positive in the detection of Apache Tomcat Remote Code Execution
  • Fixed issues causing some links not to be properly imported by the importer
  • Fixed issue with license activation when proxy and authentication is used
  • Fixed issue causing session to get lost when Deepscan is used

v12.0.191121158 - 25 Nov 2019

Version 12 (build 12.0.191121158 - Windows and Linux) 25th November 2019

New Features

  • New scanning algorithm resulting in faster scans
  • Scanner will give higher priority to locations which are dissimilar to ones that have already been scanned
  • Java AcuSensor now supports the Java Spring Framework

New Vulnerability Checks

Updates

  • Deepscan is now caching static assets. This will result in faster scans
  • Improved memory consumption by the scanner
  • Improved processing of forms and form handling
  • Improved detection of paths
  • Scanner will now process commented-out HTML
  • Updated command injection payloads

Fixes

  • Fixed scanner crash
  • Fixed WAF detection false positive
  • Fixed: Check for Sensitive files was accessing restricted links
  • Fixed issue causing scanner to multi-line session validation pattern
  • Fixed: Some locations were incorrectly detected by DeepScan
  • Fixed issue causing integrated LSR to close due to Ad blocking
  • Fixed issue with HAR import files
  • Fixed issue in the detection of Weak authentication credentials
  • Fixed issue affecting the detection of DOM XSS vulnerabilities
  • Fixed issue in the detection of possible username and password disclosure
  • Fixed issue with recording restricted links in Internet Explorer
  • Fixed: Tech Admin can now configure the engine to be used for a Target
  • Fixed issue affecting scanning of domains with international characters

v12.0.190927120 - 30 Sep 2019

Version 12 (build 12.0.190927120 - Windows and Linux) 30th September 2019

New Features

  • Introduced new Scan Type: New Web Vulnerabilities to scan for new vulnerabilities introduced in the latest Acunetix update
  • Introduced ad-blocking in the scanner, resulting in faster scans
  • Implemented support for Session HTTP headers when logging in to the site
  • Introduced custom_settings.xml to configure settings from settings.xml, which are not overwritten on upgrade

New Vulnerability Checks

Updates

  • The scan will now report when an invalid Selenium script is used as an import file
  • Improved detection of the type of Burp import file being used
  • Increased limit on Custom Headers
  • Multiple improvements in DeepScan
  • The LSR Record button is disabled during Login Action playback
  • Acunetix will start reporting login forms when no login credentials are configured
  • The tester user will not be able to create or view reports

Fixes

  • Fixed: Directory Traversal vulnerabilities were sometimes incorrectly reported as found with AcuSensor
  • Fixed: Several broken references in the vulnerability alerts
  • Fixed: HTTP Response was not shown in some vulnerability alerts
  • Fixed an issue causing DeepScan to take too long to process some locations
  • Fix in PHP Hash Collision DOS vulnerability check
  • Fixed: Integrated LSR was not working on IE11
  • Fixed: Selenium script playback fails for some scripts
  • Fixed: Session Detection fails if session pattern spans multiple lines
  • Fixed: LSR keeps showing the spinner on some pages
  • Fixed: LSR Session pattern was not always saved when detected using the navigation
  • Fixed: LSR Session pattern check might fail for in body / not in body patterns
  • Fixed: On some systems, Chromium processes cannot be terminated when generating PDF reports
  • Fixed: Passwords were recoverable from the UI
  • Better handling of HTTP timeouts by vulnerability checks

v12.0.190827161 - 28 Aug 2019

Version 12 (build 12.0.190827161 - Windows and Linux) 28th August 2019

New Features

  • Implemented support for OpenSearch
  • Acunetix will try to discover hidden parameters and test them
  • Acunetix can now check base64 encoded JSON inputs for vulnerabilities

New Vulnerability Checks

  • New test for Oracle Business Intelligence Convert XXE (CVE-2019-2767)
  • New test for Oracle Business Intelligence Adfresource Path traversal (CVE-2019-2588)
  • New test for Oracle Business Intelligence AuthBypass (CVE-2019-2768)
  • New test for Oracle Business Intelligence ReportTemplateService XXE (CVE-2019-2616)
  • New test for Jira RCE (CVE-2019-11581)
  • New test for Atlassian Crowd RCE (CVE-2019-11580)
  • New tests for Python Code Injection
  • New test for Apache Spark RCE [https://spark.apache.org/security.html] (CVE-2018-11770)
  • New test for ColdFusion Deserialization RCE (CVE-2019-7091)
  • Implemented support for OpenID Connect Discovery
  • Detect and report Apple application association files
  • Added new checks for WordPress plugins, Drupal core and Joomla core

Updates

  • Updated UI to accept IPv6 addresses
  • Multiple improvements to DeepScan
  • Improved the Directory Traversal check
  • Updated the scan limits, reducing repeated requests to larger sites
  • Acunetix will now extract and process gzipped files
  • Multiple updates to parsing and heuristic crawler features
  • Improved the vulnerability deduplication – similar vulnerabilities will be reported once
  • Improved reporting of the cause of scan failures (e.g. website is unresponsive, invalid import file etc)
  • Credentials provided to Auto-Login or LSR will not be used for vulnerability tests
  • Improved processing of Selenium scripts
  • Improved login form detection by Auto-Login feature
  • Improved WebLogic detection, and testing for default WebLogic credentials
  • Improved detection of Vulnerable JavaScript libraries check

Fixes

  • Fixed a number of issues causing the scanner to stop unexpectedly
  • Fixed issue causing AcuMonitor checks to be done when AcuMonitor is not enabled
  • Fixed issue with WSDL parsing
  • Fixed: Reflected tests (e.g. reflected XSS) were not performed on JSON inputs
  • Fixed issue causing 100% CPU usage when processing certain pages
  • Fixed hang in the Acunetix Administrative Password utility on Windows
  • Fixed: DeepScan was not processing XHTML pages
  • Fixed issue causing Chromium process to remain active after PDF report generation
  • Fixed issue caused by background requests when recording a login sequence
  • Fixed issue when recording a login sequence on a site that uses cross-domain iframes
  • Fixed issue when parsing WADL
  • Fixed issue causing Host Header Attack false negatives

v12.0.190703137 - 04 Jul 2019

Version 12 (build 12.0.190703137 - Windows and Linux) 4th July 2019

New Vulnerability Checks

  • New test for Joomla! Core CSV Injection vulnerability check (CVE-2019-12765)
  • New test for Joomla! Core XSS vulnerability check (CVE-2019-12766)
  • New test for Joomla! Core Security bypass (CVE-2019-12764)
  • New test for Oracle Weblogic XXE (CVE-2019-2647)
  • Added the detection of CDNs
  • Added the detection of reverse proxies

Updates

  • Auto-Login is now using the LSR functionality – this will improve auto-login in general
  • Improved detection of DOM XSS
  • Improved handling of invalid Selenium scripts
  • Improved handling of email addresses fields in web forms
  • Improved parsing of WSDL files
  • Implemented support for Proxy-Authenticate header
  • Improved crawling of Spring-based web applications
  • Updated LSR to automatically dismiss modal dialogs during playback
  • Reduced false positives in checks looking for sensitive and backup files
  • Reduced false positives in SSN number detection
  • Reduced false positives in XSS in URIs
  • Improved the detection of WAFs
  • LSR can now record actions within <iframe> elements
  • Jira Issue Tracker integration now supports HTTP Authentication with API key

Fixes

  • Fixed a crash when parsing SOAP messages
  • Fixed issue in interpretation of some Selenium scripts
  • Fixed a number of broken links in the Vulnerability Alerts
  • Fixed: Auto-Login was recording the password in the log file
  • Fixed crash caused when reading specific swagger files
  • Fixed crash caused when reading specific large files
  • Fixed issue causing the scanner to go into a loop
  • Fixed issue causing crawler to incorrectly interpret certain locations in JavaScript
  • Fixed issue in Manual Intervention
  • Fixed issue affecting sites using euc-kr encoding
  • Fixed Chromium issue caused when window.chrome is used by the site
  • Fixed issue causing Chromium not to load on Kali Linux
  • Fixed LSR playback issue caused when input field contained predefined text
  • Fixed: "SRI not implemented" was being reported multiple times per host