Acunetix Web Vulnerability Scanner v13 was released on 5 February 2020. Its last build, 13.0.210308088, was released on 8 March 2021. It is succeeded by v14, released on 17 March 2021 (for details of v14, please refer to our dedicated separate post).
We keep a single running post for each edition rather than one post per build: the newest build is at the top and the older builds follow, so the complete v13 build history and the features added along the way are in one place for reference. The post date is updated whenever new content is added, even though the older sections were published earlier, so that the page remains current for customers and for anyone who wants all the information in one post.
Acunetix v13 Web Vulnerability Scanner (WVS) Latest Build and Release
Version 13 build 13.0.210308088 for Windows, Linux and macOS – 8th March 2021
New Vulnerability Checks
- New Test for Microsoft Exchange Server Server-Side Request Forgery (SSRF) vulnerability (CVE-2021-26855)
Version 13 build 13.0.210226118 for Windows, Linux and macOS – 26th February 2021
Fixes
- Fix Backend issue related to AcuSensor
Version 13 build 13.0.210129162 for Windows, Linux and macOS – 2nd February 2021
New Features
- New AcuSensor for Node.js
- New Target Knowledgebase records scan data which is used to improve future scans
- New FQDN and Target filter in Grouped Vulnerabilities page
- New FQDN column in Targets page
New Vulnerability Checks
- New test for Unrestricted access to Prometheus Interface
- New test for Unrestricted access to Prometheus Metrics
- New test for Unrestricted access to Golang expvar
- New test for Unrestricted access to Node.js status-monitor page
- New test for Unrestricted access to HAProxy stats page
- New test for Unrestricted access to Nginx stub_status page
- New test for Unrestricted access to Nginx nginx-module-vts status page
- New test for Unrestricted access to Traefik Dashboard
- New test for Unrestricted access to Kafka monitoring
- New test for Unrestricted access to Netdata Dashboard
- New test for Typo3 Admin publicly accessible
- New test for Typo3 sensitive files
- Updated WordPress Plugin checks
- Updated Drupal core checks
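The "unrestricted access" checks in this build all follow the same pattern: request a product's well-known status path without credentials, then confirm from the response body that the real service answered rather than a catch-all page. The following Python is an added illustration of that pattern and is not Acunetix code; the paths and body signatures are assumptions based on each product's documented defaults, the `fetch` callable is a hypothetical injection point, and the sample responses are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Well-known paths and a body signature that separates the real service
# from a soft-404 or generic 200 page. Paths are the products' documented
# defaults (an assumption; deployments frequently relocate them).
SIGNATURES = [
    ("Prometheus metrics", "/metrics", re.compile(r"^# (HELP|TYPE) \w+", re.M)),
    ("Prometheus web UI", "/graph", re.compile(r"<title>Prometheus", re.I)),
    ("Golang expvar", "/debug/vars", re.compile(r'"memstats"\s*:')),
    ("Nginx stub_status", "/nginx_status", re.compile(r"^Active connections:\s*\d+", re.M)),
    ("HAProxy stats", "/haproxy?stats", re.compile(r"Statistics Report for HAProxy", re.I)),
    ("Traefik dashboard", "/dashboard/", re.compile(r"<title>Traefik", re.I)),
    ("Netdata dashboard", "/", re.compile(r"netdata dashboard", re.I)),
]


@dataclass
class Finding:
    name: str
    path: str
    evidence: str


# fetch(path) -> (status_code, body). Injected so the check logic can be
# exercised against constructed responses with no network access.
Fetch = Callable[[str], tuple[int, str]]


def check_endpoint(name: str, path: str, sig: re.Pattern, fetch: Fetch) -> Optional[Finding]:
    """Report the endpoint only if it answers 200 AND the body carries the signature."""
    status, body = fetch(path)
    if status != 200:
        return None  # 401/403/404: access is restricted or the endpoint is absent
    match = sig.search(body)
    if not match:
        return None  # a 200 without the signature is a soft-404 or an unrelated page
    return Finding(name, path, match.group(0)[:80])


def probe(fetch: Fetch) -> list[Finding]:
    """Run every signature against the target and collect the exposed endpoints."""
    findings = []
    for name, path, sig in SIGNATURES:
        finding = check_endpoint(name, path, sig, fetch)
        if finding:
            findings.append(finding)
    return findings


# Constructed responses standing in for a target: an exposed Prometheus
# /metrics, an exposed stub_status, a catch-all 200 page at /debug/vars
# (must NOT be reported) and a password-protected HAProxy stats page.
CONSTRUCTED_RESPONSES = {
    "/metrics": (200, "# HELP go_goroutines Number of goroutines.\n# TYPE go_goroutines gauge\ngo_goroutines 42\n"),
    "/nginx_status": (200, "Active connections: 3\nserver accepts handled requests\n 10 10 25\n"),
    "/debug/vars": (200, "<html><body>Welcome to our site</body></html>"),
    "/haproxy?stats": (401, "Unauthorized"),
}


def fake_fetch(path: str) -> tuple[int, str]:
    return CONSTRUCTED_RESPONSES.get(path, (404, "Not Found"))


if __name__ == "__main__":
    for f in probe(fake_fetch):
        print(f"[{f.name}] {f.path} -> {f.evidence!r}")
```

Against a live host, `fetch` would wrap `urllib.request` or `requests` with the target's base URL; the signature step is what keeps a web server that returns 200 for every path from producing a finding per endpoint.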
Updates
- Simplified User Profile page
- Improved handling of HTML comments
- Improved processing of sites using dynamic links
- Improved parsing of JavaScript for new paths
- Form input type is taken into consideration when processing forms
- Scanner now supports NTLM Authentication for proxy authentication
- Multiple DeepScan updates
- Comprehensive report updated to use time zone configured for Acunetix user
- Added setting in settings.xml to choose which SSL cipher to be used by the scanner
- Integrated LSR logs are now stored for troubleshooting purposes
- Notify user when client certificate is required but not configured for Target
- Improvements in macOS installation
- PHP AcuSensor will start including Stack Trace
- Multiple LSR / BLR updates
Fixes
- Filter items sorted alphabetically
- Fixed minor UI glitch in multi-engine registration page
- Multiple fixes in SlowLoris detection
- Fixed scanner crashes
- Fixed CSV injection in Target Export
- Fixed UI issues in Target Groups page
- Fixed formatting for issues pushed to Jira
- Fixed issue when installing on CentOS 8
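The CSV injection fix in this build concerns exported cells that begin with a formula character: a spreadsheet that opens the export evaluates them, so an attacker who controls a target description can plant a payload that runs on the analyst's machine. The following Python is an added illustration of the defence and is not Acunetix's code; the target rows are constructed.

```python
import csv
import io

# Leading characters that make Excel, LibreOffice or Google Sheets treat a
# cell as a formula ("=", "+", "-", "@") or let a payload break out of a
# quoted field (tab, carriage return, line feed).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def neutralise_cell(value):
    """Return a cell value that a spreadsheet will interpret as text, never a formula."""
    if not isinstance(value, str):
        return value
    if value.startswith(FORMULA_TRIGGERS):
        # A leading apostrophe forces text interpretation; the CSV writer
        # additionally quotes the whole field so embedded quotes cannot
        # terminate it early.
        return "'" + value
    return value


def export_targets(rows, fieldnames):
    """Serialise target rows to CSV text with every cell neutralised."""
    buf = io.StringIO()
    writer = csv.DictWriter(
        buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n"
    )
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralise_cell(row.get(k, "")) for k in fieldnames})
    return buf.getvalue()


# Constructed target list: the second description is an attacker-controlled
# value carrying a DDE-style payload of the kind the fix neutralises.
CONSTRUCTED_TARGETS = [
    {"address": "https://example.test", "description": "Marketing site"},
    {"address": "https://app.example.test", "description": '=cmd|"/c calc"!A0'},
]

if __name__ == "__main__":
    print(export_targets(CONSTRUCTED_TARGETS, ["address", "description"]))
```

The apostrophe prefix is applied to any string starting with a trigger character, so a legitimate description such as "-1" is also prefixed; that is the accepted cost of the fix, since the consumer is a spreadsheet and the visible value is unchanged.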
Version 13 build 13.0.201217092 for Windows, Linux and macOS – 17th December 2020
New Features
- Big improvement in handling of CSRF tokens
- Added support for ShadowRoot
- Added support for macOS Big Sur
New Vulnerability Checks
- New test for Zabbix authentication bypass / guest user
- New test for Typo3 Admin publicly accessible
- New test for Typo3 debug mode enabled
- New test for Oracle WebLogic Remote Code Execution via IIOP
- New test for Web Cache Poisoning DoS
- New test for client-side prototype pollution
- Improved web cache poisoning test
- New test for SAP IGS XXE (CVE-2018-2392, CVE-2018-2393)
- New test for Odoo LFI (CVE-2019-14322)
- New test for Unrestricted access to Odoo DB manager
- New test for Apache Unomi MVEL RCE (CVE-2020-13942)
Updates
- Updated the UI for the multi-engine system
- Multiple updates to the PHP AcuSensor
- Multiple updates to the Login Sequence Recorder
- Scanning engine updated to support using proxy server with NTLM Authentication
Fixes
- Fixed issue causing the browser to fail to launch on Kali
- Fixed issue causing AcuSensor not found message to not be displayed
- Fixed false positive in Zend Framework LFI via XXE
- Fixed false positive in Directory Traversal
- Fixed false positive in Cookie(s) with missing, inconsistent, or contradictory properties
- Fixed false positive in Apache Struts2 Remote Command Execution (S2-052)
- Fixed issue in highlighting of vulnerability in response
- Fixed issue with Slow Loris
- Fixed issue in WADL importer
- Fixed crash in scanner
- Fixed minor issues in Comprehensive Report
- Fixed issue causing Acunetix to lose license information
Version 13 build 13.0.201126145 for Windows / Linux and 13.0.201126157 for macOS – 27th November 2020
New Features
- New user role: Platform Admin, provides full access to Acunetix
Updates
- Network Settings can now be confirmed using the new Check Settings button
- Management of Targets by Tech Admin role can now be selectively turned off
Fixes
- Fixed issue causing inability to access last continuous failed scan
- Fixed UI issues causing inability to add targets to target group when target list is filtered
- Acunetix is now correctly reporting progress for Network Scans
- UI updated to hide specific options for the different Acunetix user roles
Version 13 (build 13.0.201112128 for Windows / Linux / macOS) 12 November 2020
Updates
- Updated Telerik vulnerability checks
- The Tech Admin user role can now create new Targets
- Renamed acu_phpaspect.php to acusensor.php
- Updated Comprehensive report to indicate Verified vulnerabilities
- Logon Banner now supports multi-line banners
Fixes
- Fixed issue in SlowLoris vulnerability check
- Fixed issue LSR hang caused when closing the LSR immediately after opening it
- Fixed scan hanging issue
- Fixed a couple of issues in the CSV export
- Fixed issue causing incorrect threat level in Comprehensive report
- Fixed false positives in Outdated JS libraries and Insecure Referrer Policy checks
- Fixed UI issue with long target name causing buttons to be hidden
- Fixed issue causing double input schemes
- Fixed crash in scanner
- Fixed issue causing vulnerability count in Dashboard to not always be updated
Version 13 (build 13.0.201028153 for Windows / Linux and build 13.0.201028161 for macOS) 29th October 2020
New Features
- Logon Banner can be configured for Acunetix logon page (satisfies DOD Notice and Consent Banner requirement)
- Added ability to export vulnerabilities to CSV (available as WAF Export option)
- Added ability to export scan locations to CSV (available as WAF Export option)
New Vulnerability Checks
- New check for JavaScript Source map detected
- New check for Unauthenticated Remote Code Execution via JSONWS in Liferay 6.1 (LPS-88051)
- New check for Oracle WebLogic Server unauthenticated remote code execution (CVE-2020-14882)
- Updated WordPress plugin checks
Updates
- Improved handling of Swagger
- The scanner will try to detect differences in the site using different user-agents
- Various minor UI updates
- Added Scan Profile used in Scan results
- Business Logic Recorder cannot be used on Targets which require Manual Intervention
- Updated Jira issue tracker
- Improved error shown when checking for updates fails
- Updated import file feature to support files using BOM
- Comprehensive report tags vulnerabilities detected by AcuSensor and AcuMonitor
Fixes
- Fixed issue causing multi-line session detection not to be used during scan
- Updated Jira issue tracker to use proxy server if configured
- Fixed issue causing the gzip-encoded body of HTTP responses to become invalidated
- Fixed: Printing the Coverage report would not print the sitemap in the report
- Fixed issue causing some login forms not to be detected during the scan
- Fixed timing issue when scheduling a scan for a future date
- Fixed scanner crashes caused by specific import files
- Fixed issue causing DeepScan not to be used on Kali Linux
- Fixed false positive in Zend Framework LFI via XXE
- Fixed issue causing some scans to fail because of the client certificate
- Fixed issue causing LSR playback to fail for some scans
- Fixed issue in New Scan dialog for Tech Admin users
Version 13 (build 13.0.200930102 for Windows, Linux and macOS) 30th September 2020
New Features
- Export Scans to JSON (available as WAF Export option)
- Added context-sensitive help for all pages in the UI. Clicking on the ? icon will open documentation for the specific page
New Vulnerability Checks
- New test for Apache OFBiz XMLRPC Deserialization RCE (CVE-2020-9496)
- New test for No HTTP Redirection
- Numerous tests related to TLS / SSL, including:
  - Added support for 200 new cipher suites, bringing the total number of supported cipher suites to 360
  - New test for TLS/SSL Diffie-Hellman Key Reuse (prerequisite for Raccoon Attack)
  - New test for TLS/SSL LOGJAM attack (CVE-2015-4000)
  - New test for TLS/SSL Sweet32 attack (CVE-2016-2183 and CVE-2016-6329)
  - Alert if server offers cipher suites with symmetric encryption key length <128
  - Alert if server offers cipher suites using symmetric encryption algorithms RC2, DES (insecure), IDEA
  - Alert if server offers cipher suites using ANON, NULL, SHA-1 for authentication
  - Alert if server offers cipher suites using MD5 for HMAC
- New vulnerability checks for WordPress plugins and Drupal core
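The cipher-suite alerts listed for this build are policy rules applied to the suites a server is willing to negotiate. The following Python is an added example, not Acunetix code, that applies the same rules (key length below 128 bits, RC2/DES/IDEA, anonymous or NULL authentication, MD5 HMAC, plus the 64-bit block size behind Sweet32) to a list of IANA suite names. The list of offered suites is constructed here; in practice it comes from an enumeration step such as `nmap --script ssl-enum-ciphers` or one `openssl s_client -cipher` handshake per suite. Diffie-Hellman key reuse and LOGJAM-class parameters cannot be judged from names alone and need handshake inspection.

```python
# Symmetric-algorithm token from the IANA suite name -> key length in bits.
ENC_KEY_BITS = {
    "NULL": 0, "RC2_CBC_40": 40, "RC4_40": 40, "DES40_CBC": 40,
    "DES_CBC": 56, "3DES_EDE_CBC": 112, "RC4_128": 128, "IDEA_CBC": 128,
    "AES_128_CBC": 128, "AES_128_GCM": 128, "AES_128_CCM": 128,
    "AES_256_CBC": 256, "AES_256_GCM": 256, "AES_256_CCM": 256,
    "CHACHA20_POLY1305": 256,
}
MAC_TOKENS = ("MD5", "SHA", "SHA256", "SHA384")


def parse_suite(name):
    """Split an IANA suite name into (key exchange/auth, encryption, MAC) tokens."""
    kx_auth, _, enc_mac = name.removeprefix("TLS_").partition("_WITH_")
    if not enc_mac:
        return None  # TLS 1.3 names (TLS_AES_256_GCM_SHA384) carry no kx/auth part
    enc, _, mac = enc_mac.rpartition("_")
    if mac not in MAC_TOKENS:
        enc, mac = enc_mac, "AEAD"  # MAC implied by the AEAD construction
    return kx_auth, enc, mac


def classify_suite(name):
    """Apply the policy rules to one suite; return the list of alert strings."""
    parsed = parse_suite(name)
    if parsed is None:
        return []
    kx_auth, enc, mac = parsed
    alerts = []
    if "anon" in kx_auth or "NULL" in kx_auth:
        alerts.append("anonymous or NULL authentication")
    if "EXPORT" in kx_auth:
        alerts.append("export-grade key exchange (LOGJAM class)")
    if enc == "NULL":
        alerts.append("NULL encryption")
    bits = ENC_KEY_BITS.get(enc)
    if bits is None:
        alerts.append(f"unrecognised encryption algorithm {enc}")
    elif bits < 128:
        alerts.append(f"symmetric key length {bits} < 128")
    if enc.startswith(("RC2", "DES", "IDEA")):
        alerts.append(f"insecure symmetric algorithm {enc.split('_')[0]}")
    if enc.startswith("3DES"):
        alerts.append("64-bit block cipher (Sweet32)")
    if mac == "MD5":
        alerts.append("MD5 HMAC")
    return alerts


def audit(offered):
    """Map each offered suite to its alerts, omitting suites that pass the policy."""
    return {s: a for s in offered for a in [classify_suite(s)] if a}


# Constructed result of a cipher enumeration against a hypothetical host.
CONSTRUCTED_OFFERED = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    "TLS_RSA_WITH_IDEA_CBC_SHA",
]

if __name__ == "__main__":
    for suite, alerts in audit(CONSTRUCTED_OFFERED).items():
        print(suite, "->", "; ".join(alerts))
```

Parsing names instead of keeping a fixed table means a suite the scanner has never seen still gets a verdict on its key-exchange, encryption and MAC tokens, and an unknown encryption token is surfaced rather than silently passed.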
Updates
- Numerous updates to the UI
- Malware scan profile updated to check for Trojans
- Scanner updated to receive newly discovered hosts from vulnerability checks
- Updated Swagger 2 implementation to better cater for nested schemes/objects
- Updated deduplication to better cater for network scans / vulnerabilities
- Adaptive ciphersuite testing, reduces the average SSL/TLS scan duration by 90%
Fixes
- Fixed issue where no data was shown for archived scans
- Fixed some minor issues with default filters
- Fixed issue showing wrong Target count in license page
- Fixed UI issue affecting Custom Scan Profiles
- Fixed Possible Sensitive Files / Folders to use the Case Sensitive Paths setting for the Target
- Fixed issue in Reverse Proxy Detection check
Version 13 (build 13.0.200911154 for Windows and Linux and build 13.0.200911171 for macOS) 14th September 2020
New Features
- New Data Retention settings, providing the ability to:
  - Keep the last 3 scans for each target and archive previous scans
  - Delete archived scans which are older than 2 years
  - The above data retention settings are configurable
  - The above settings affect vulnerabilities detected, which are archived / deleted accordingly
- A default scan profile can be configured for each target
- Forgot Password option for Acunetix On-Premises, allowing users to reset their password (Email settings need to be configured)
- Detect paths in JavaScript code via static method analysis
- Ability to retrieve links from several HTTP headers
- Scanner will try to auto-discover API definitions
New Vulnerability Checks
- New check for SAP NetWeaver RECON (CVE-2020-6287)
- New check for DNN (DotNetNuke) CMS Cookie Deserialization RCE (CVE-2017-9822)
- New check for Insecure Referrer Policy
- New check for Remote code execution of user-provided local names in Rails
- New check for Cisco Adaptive Security Appliance (ASA) Path Traversal (CVE-2020-3452)
- New check for Total.js Directory Traversal (CVE-2019-8903)
- New check for Envoy Metadata disclosure
- New checks for WordPress Core / Plugins / Themes, Drupal and Joomla vulnerabilities
Updates
- Vulnerabilities are now shown as grouped by Vulnerability Type and FQDNs
- Numerous improvements affecting vulnerability deduplication
- Deleted Targets will not be showing in the UI by default
- Malicious links detected will be highlighted in the vulnerability report
- Ability to scan all Targets in a Target Group
- Improved Swagger support implementation
- Updated backup files/folders and possible sensitive files checks to report alerts on parent of file detected
- Time zone can now be configured by each user account
- Users can now switch the UI language to Chinese
- .NET Sensor updated to support .NET Core
- Updated Session Fixation vulnerability check to avoid possible False Positives
- Updated to Chromium v83
Fixes
- Fixed issue with offline activation
- Fixed a few crashes occurring on specific sites
- Fixed issue affecting AcuMonitor when scanning certain sites
- Various small UI fixes
- Fixed Target Deletion issue for Consult licenses
- Fixed: PDF report generation was failing in specific situations
- Fixed issue causing HTTP requests passing through a proxy to fail
- Fixed issue affecting relative HTTP redirects
- Fixed issue causing Manual Intervention not to work on Linux
- Fixed issue causing DeepScan to miss some DOMXSS vulnerabilities
- Fixed text overlapping issue in reports
- Fixed issue causing Telerik Web UI RadAsyncUpload Deserialization (CVE-2019-18935) to not always be detected
- Fixed: ‘HTTP Strict Transport Security (HSTS) not implemented’ and ‘HTTP Strict Transport Security (HSTS) Best Practices’ were using the same name
- Fixed: Sensitive files / directories checks were missing Attack details
- Fixed issue caused when sorting scans by target description
- Fixed a few issues in the Login Sequence Recorder and Business Logic Recorder
Version 13 (Windows / Linux: 13.0.200807155, macOS: 13.0.200807156) 7th August 2020
New Features
- Acunetix is now available in Simplified Chinese
- Path Fragments are now shown in the site structure
New Vulnerability Checks
- New check for Insecure Inline Frames
- New check for Remote code execution of user-provided local names in Rails
- New check for SAP NetWeaver RECON auth bypass vulnerability
- New check for H2 console publicly accessible
- New check for PHP version disclosure
- New check for Atlassian JIRA ServiceDesk misconfiguration
- New test for Jolokia XML External Entity (XXE) vulnerability
- New checks for WordPress core, WordPress themes, WordPress plugins, Joomla and Drupal
Updates
- Created and Last Updated dates are available for vulnerabilities
- Order of section in Comparison report updated to be more intuitive
- Target Address is shown in full in the UI
- /users/ endpoint is now available in the API
Fixes
- Fixed issue when exporting vulnerabilities to WAF which contained a CVSS 3.1 score
- Fixed issue causing custom user-agent to not be used in all requests during a scan
- Fixed issues causing some vulnerabilities not to be well formatted when sent to JIRA issue tracker
- Fixed issue when adding JIRA Issue Tracker in Acunetix Online
- Fixed issue caused when adding Targets to an existing Target Group
- Minor fix in Comprehensive report text
- Fixed UI issue showing blank list (Scans, Targets etc) when using the browser’s back button
- Fixed issue caused by scanning Targets with complex GraphQL schemas
14-Jul-2020
Acunetix Now Available on macOS
Imagine having the easiest-to-use security scanner on the easiest-to-use operating system – now it’s possible. Acunetix is now available on macOS.
You can harness the full power of Acunetix using your operating system of choice, be it Windows, Linux, macOS, or the cloud. You can start scanning your applications in just a few clicks but Acunetix is not only simple, it is also powerful. No other web application vulnerability scanner will let you do interactive application security testing (IAST) together with out-of-band scanning, malware scanning, and much more. No other scanner will do that as fast and as efficiently, proving many vulnerabilities by providing you with examples of data that the user should not be able to access.
Acunetix is all about continuous innovation. It pioneered dynamic application security testing (DAST), was the first business-class web application security scanner on Linux, and now it is the first Mac vulnerability scanner as well. No other scanner even comes close in the range of capabilities and efficiency coupled with outstanding accuracy and depth of scans.
25-Jun-2020
Acunetix build 13.0.200624118 for Windows and Linux has been released.
The new Acunetix build introduces support for GraphQL and OAuth 2.0, allowing Acunetix to scan web applications that make use of these web technologies. It also includes multiple UI updates, a new comprehensive and interactive report, and HTTP response highlighting for better readability. In addition, there are a good number of new vulnerability checks, numerous updates, and fixes, all of which are available for all editions of Acunetix.
New Features
- Introduced support for GraphQL
- Introduced support for OAuth 2.0
- GraphQL files can be used as import files
- New Comprehensive report, which includes the HTTP response in the HTML version of the report
- HTTP response uses syntax highlighting for improved readability
- Scans can now be restricted to paths/locations in import files
- User can choose columns to show in all the Acunetix lists
- UI saves columns selected for each page/user (applies to targets, vulnerabilities, scans, and reports)
- UI saves number of items to show for each page/user (applies to targets, vulnerabilities, scans, and reports)
- UI saves sorting order for each page/user (applies to targets, vulnerabilities, scans, and reports)
New Vulnerability Checks
- New check for vBulletin 5.6.1 (and earlier) nodeId SQL injection
- New check for Cmd hijack vulnerability
- New check for PHP opcache-gui publicly accessible
- New check for Laravel debug mode enabled
- New check for Laravel Health Monitor publicly accessible
- New check for Laravel Health Horizon publicly accessible
- New check for Laravel Health LogViewer publicly accessible
- New check for Laravel Health Telescope publicly accessible
- New check for Laravel Ignition reflected cross-site scripting
- New check for Laravel framework weak secret key
- New check for HTML attribute injection
- New check for Clockwork PHP dev tool enabled
- New check for PHP debug bar enabled
- New check for broken link hijacking
- New checks for cookie misconfigurations leading to security issues
- New vulnerabilities for WordPress Core, WordPress plugins, Joomla!, and Drupal
Updates
- Targets with manual intervention cannot have a business logic recording
- Changed vulnerability name filter to search as you type
- Scans will start reporting pages that require HTTP authentication
- Acunetix UI notifications have been changed as follows:
  - Moved to the bottom right of the Acunetix UI
  - Stay longer on the page
  - Can be closed by the user
- Increased name length limit of import files to 128 characters
- The user can optionally specify the address to be used for auto-login. This is useful for SSO login pages
- The scanner will try to connect to the address of the target before aborting the scan after 25 consecutive network errors
- Targets can be deleted and replaced on the license anniversary
Fixes
- Fixed: The vulnerability name filter did not always show all vulnerabilities
- Fixed incorrect error handling message when disabling the proxy settings
- Hide Business Logic Recorder for network-only targets
- Fixed: Acunetix Online was showing an ID as the name of some network vulnerabilities
- Fixed: Acunetix Online was not always showing the HTTP response for some vulnerabilities
- Fixed: Acunetix Online was not showing the number of licensed targets
- Fixed issue causing paths of ignored files to be ignored too
- Fixed LSR issue on Safari browser
- Fixed issue caused when the LSR and BLR are used on certain sites
- Various minor fixes to the UI
- Fixed false positives in over 25 vulnerability checks
12-May-2020
Acunetix Version 13 build 13.0.200508159 for Windows and Linux has been released.
This new build introduces the Business Logic Recorder, which allows the user to record logic implemented in multi-step web forms. The Acunetix scanner will go through the multi-step form and will be able to attack each step in the form. In addition, vulnerabilities can now be sent to Citrix WAF for virtual patching or the Azure DevOps Services issue tracker for further follow-up by the team. Most vulnerabilities have been updated to include a CVSS 3.1 score. This update adds a good number of important vulnerability checks and includes various updates and fixes, which are available for all editions of Acunetix.
Here is the full set of updates:
New Features
- Business Logic Recorder – used to record logic used in multi-step forms
- Export to Citrix WAF
- Support for the Azure DevOps Services issue tracker
- CVSS 3.1 score for most Acunetix vulnerabilities
- Targets can now be exported to CSV
- A new graph in the dashboard showing average vulnerabilities per target
New Vulnerability Checks
- New check for Server-Side Template Injection (SSTI) in ASP.NET Razor
- New check for Oracle BI AMF Deserialization RCE (CVE-2020-2950)
- New check for Possible Cross Site Scripting via jquery.htmlPrefilter() (CVE-2020-11023)
- New check for Stored XSS in WP theme Onetone (CVE-2019-17230 and CVE-2019-17231)
- Updated detection of phpinfo pages
- New checks in WordPress Core and WordPress plugins
Updates
- Manual intervention (used for CAPTCHAs, OTP, etc.) is now using the integrated (web-based) LSR
- As a result of the previous update, manual intervention is now available on Linux
- Improved error reporting for network scans aborted due to network errors
- Vulnerability alerts updated to show important information at the top
- Updated the GitHub issue tracker to support personal access token (PAT) authentication
- Improved reporting of paused scans in the UI
- Improved UI message when the user triggers a scan which is not allowed due to manual intervention
- API documentation can now be downloaded from within the Acunetix UI
- Added support for popup windows in the Login Sequence Recorder
- Improved handling of large import files
- Improved handling of large requests/responses generated from import files
- Decreased false positives reported for possible username or password disclosure
- Truncated large vulnerability alerts when sending to the Jira issue tracker
Fixes
- Fixed the incorrect email address used for monthly update emails
- Fixed an AcuMonitor UI notification to link to a corresponding vulnerability
- Fixed an issue causing vulnerability checks to not be able to send empty values
- Fixed a number of crashes
- Fixed an issue causing ASP.NET sites to be processed as ASP sites
- Fixed 2 issues when using Swagger import files
- Improved handling of txt import files that use an incorrect import format
- Fixed a session fixation false positive
- Fixed a UI issue when configuring custom cookies
- Fixed: Trend charts were not being updated for user accounts
- Fixed an issue in excluded hours
- Fixed a Client Certificate Not Set message that was incorrectly reported
9-Apr-2020
New Vulnerability Checks
- New check to warn user if server sends known password to client
- New check for RCE in Liferay Portal (CVE-2020-7961)
Updates
- Improved detection of SQL Injection
Fixes
- Fixed bbcode display issue in some alerts
- Fixed issue in the Login page password-guessing attack check
- Fixed licensing issue caused by different case in Target address
2-Apr-2020
New Vulnerability Checks
- New WordPress plugin checks
Updates
- Improved XXE check
- Improved internal IP disclosure check
- Vulnerabilities detected with 100% Confidence get a Verified stamp
Fixes
- Fixed issue with response highlighting for SQL Injection alerts
- Fixed AcuMonitor alert notifications not linking to scan
- Fixed page not found UI issue when trying to generate a report from Reports page
- Fixed issue with scanner looping when parsing specific long JSON responses
26-Mar-2020
Version 13 (build 13.0.200326097 – Windows and Linux) 26th March 2020
New Features
- Introduced support for processing of Swagger 2.0 files during scans
- Introduced support for Swagger 2.0 files as import files
- New Quarterly scheduled scan option
New Vulnerability Checks
- New check for Weak key used to sign cookie in Play framework
- JavaScript Library Audit now supports TinyMCE
- New check for BigIP iRule command injection
- New check for XSS in .NET session in URL
- New check for Remote Code Execution (RCE) in Ruby on Rails (CVE-2019-5420)
- New Check for Oracle E-Business Suite Deserialisation RCE
- New Check for Oracle E-Business Suite SSRF (CVE-2017-10246)
- New Check for Oracle E-Business Suite SSRF (CVE-2018-3167)
- New Check for Oracle E-Business Suite SQL Injection (CVE-2017-3549)
- New checks for WordPress Core and plugins, Joomla and Drupal
Updates
- Minor UI updates
- Better reporting of scans interrupted due to network errors
- Client Certificate address can now be configured for a Target
- HTTP Authentication address can now be configured for a Target
- Abort Scan after 25 network errors
- Implemented Proof of Exploit for Blind SQL Injection vulnerabilities
- Improved showing Scan Duration for long scans
Fixes
- Fixed: On Reports page, Target address shows as N/A for Targets that do not have a Description
- Fixed issue uploading import files larger than 1 MB
- Fixed issue whereby some addresses were missing a character in the report
- Fixed false positive in Possible server path disclosure
- Fixed issue causing the scanner not to follow multiple redirects
- Fixed 2 scanner crashes
- Multiple fixes in WADL parser
- Fixed: Case Sensitive Paths settings was sometimes not being taken into consideration
- Fixed issue in Possible Sensitive Directories identifying incorrect locations
- Fixed issue for users with expired passwords not given the option to change their password
5-Feb-2020
Version 13 (build 13.0.200205121 – Windows and Linux) 5th February 2020
New Features
- New Acunetix web UI
- Improved Network Scanner integration
- Malware Detection using Windows Defender on Windows and ClamAV on Linux
- Smart Scan
- New scanning algorithm prioritises scanning tasks and reduces scanning time
- Proof of exploit is reported in the vulnerability alerts
- Incremental Scans
- Vulnerability Confidence Rating for web vulnerabilities
- New GitLab Issue Tracker Integration
- New Bugzilla Issue Tracker Integration
- New Mantis Issue Tracker Integration
- Ability to create Login Sequence from Selenium script
- New WADL import file
- New ASP.NET Webforms import file
- New Postman import file
- New Paros import file
- Ability to create custom checks
- Highlighting of vulnerability in HTTP response
- DeepScan provides better support for Angular 2, Vue and React JavaScript Frameworks
- Unlimited network scanning for Acunetix Premium customers
- Account Session Timeout settings
- Account Maximum Consecutive Login Failure settings
New Vulnerability Checks
- New check for publicly accessible Bitrix server test script
- New check for publicly accessible NGINX+ dashboard
- New check for unrestricted access to NGINX+ API endpoints
- New check for outdated TLS version
- New check for Citrix NetScaler Unauthenticated Remote Code Execution (CVE-2019-19781)
- New check for Kentico CMS Deserialization RCE
- New check for Cross site scripting via Bootstrap
- New check for Django weak secret key
- New check for Oracle WebLogic T3 XXE (CVE-2019-2888)
- New check for leakage of API keys
- New check for JWT weak secret key
- New check for JWT none algorithm
- New check for publicly exposed .NET HTTP Remoting
- New check for .NET BinaryFormatter Object Deserialization vulnerabilities
- New check for Apache Solr Parameter Injection
- New check for Ruby framework weak secret key
- New check for Tornado weak secret key
- New check for BottlePy weak secret key
- New WordPress Core and plugin vulnerability checks
- New Joomla Core vulnerability checks
- New Drupal Core vulnerability checks
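Two of the checks introduced in this build, JWT weak secret key and JWT none algorithm, target the same mistake on the verifying side: trusting the token's own `alg` header, or signing HS256 tokens with a guessable secret. The following Python is an added example, not Acunetix code, showing how the unsigned `alg: none` token is built, how a verifier that pins the algorithm rejects it, and how a short wordlist recovers a weak HS256 secret from a captured token. It uses only the standard library; the token, secret and wordlist are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, secret: bytes) -> str:
    """Issue a compact HS256 JWT (the legitimate issuer's side)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def forge_none(payload: dict) -> str:
    """Build the unsigned token the 'none algorithm' check submits."""
    header = b64url_encode(b'{"alg":"none","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header}.{body}."  # empty signature segment


def verify(token: str, secret: bytes) -> dict:
    """Verify an HS256 token; raise ValueError for 'none', any other alg, or a bad MAC."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    # Decide on an allow-list, never on the token's own claim: a verifier
    # that honours alg=none accepts forge_none() output as authentic.
    if header.get("alg") != "HS256":
        raise ValueError(f"algorithm {header.get('alg')!r} not allowed")
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body_b64))


def crack_hs256(token: str, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate secret that reproduces the token's MAC (weak-secret check)."""
    header_b64, body_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{body_b64}".encode()
    target = b64url_decode(sig_b64)
    for cand in candidates:
        if hmac.compare_digest(hmac.new(cand, signing_input, hashlib.sha256).digest(), target):
            return cand
    return None


# Constructed: a token issued with a dictionary word as its secret, and a
# short wordlist standing in for a scanner's list of known weak keys.
WEAK_SECRET = b"secret"
CONSTRUCTED_WORDLIST = [b"password", b"changeme", b"secret", b"jwt_secret"]
SAMPLE_TOKEN = sign_hs256({"sub": "alice", "role": "user"}, WEAK_SECRET)

if __name__ == "__main__":
    print("cracked secret:", crack_hs256(SAMPLE_TOKEN, CONSTRUCTED_WORDLIST))
    try:
        verify(forge_none({"sub": "alice", "role": "admin"}), WEAK_SECRET)
    except ValueError as err:
        print("none-algorithm token rejected:", err)
```

The offline cracking step needs only one captured token, which is why a secret drawn from a wordlist is a finding in its own right regardless of how the verifier is written.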
Updates
- Improved memory consumption for the scanner
- PDF reports now have page numbers
- Generic User-agent will be used for communication with issue trackers
- All lists in Acunetix UI can be sorted
- Easier filtering options in the Acunetix UI
- Settings can now be accessed from the side-bar
- Links discovered by AcuSensor are given more prominence
- Improved processing of XML and JSON POST input schemes
- Scanner will try to replay the LSR playback actions a number of times before failing
- Improved Auto-Login
- Multiple updates in the Login Sequence Recorder
- Developer report updated to include Source file, line number and other details provided by AcuSensor
- Acunetix now supports scanning domains with international characters
- Increased page size limit to 20 MB in scanner and LSR
- Improved detection of Possible Sensitive Files
- Improved detection of email addresses
- Improved detection of Command Injection
- Improved detection of database backup files
- Improved detection of XXE
Fixes
- Fixed issue in Developer report showing incorrect parameter name for detected vulnerabilities
- Fixed: “Tester” user role will not be able to create reports
- Fixed: upgrades on Linux were not removing all files from the previous installation
- Fixed issue with Manual Intervention
- Fixed: Session cookies were not always collected by LSR
- Fixed: Incorrect processing of URLs with “{” character
- Fixed a number of crashes in scanner
- Fixed issue causing scanner proxy to unintentionally transform parts of the HTTP request
- Fixed false positive in the detection of Apache Tomcat Remote Code Execution
- Fixed issues causing some links not to be properly imported by the importer
- Fixed issue with license activation when proxy and authentication is used
- Fixed issue causing session to get lost when Deepscan is used