New update introduces support for Swagger 2.0, quarterly scheduled scans, and new vulnerability checks for F5 BigIP iRule, .NET, Oracle E-Business Suite, and others

Acunetix Version 13 build 13.0.200326097 for Windows and Linux has been released.

This new build introduces support for Swagger 2.0 and quarterly scheduled scans. In addition, proof of exploit has been implemented for blind SQL Injection vulnerabilities, the scanning engine will now stop and report scans that have too many network errors, and the address of client certificates and HTTP authentication can now be configured for targets. The latest Acunetix update adds a good number of important vulnerability checks and includes various updates and fixes, which are available for all editions of Acunetix.

Here is the full set of updates:

New Features

• Introduced support for the processing of Swagger 2.0 files during scans
• Introduced support for Swagger 2.0 files as import files
• New Quarterly scheduled scan option

New Vulnerability Checks

• New check for weak key used to sign cookie in Play framework
• JavaScript library audit now supports TinyMCE
• New check for F5 BigIP iRule command injection
• New check for XSS in .NET session in URL
• New check for remote code execution (RCE) in Ruby on Rails (CVE-2019-5420)
• New Check for Oracle E-Business Suite Deserialisation RCE
• New Check for Oracle E-Business Suite SSRF (CVE-2017-10246)
• New Check for Oracle E-Business Suite SSRF (CVE-2018-3167)
• New Check for Oracle E-Business Suite SQL Injection (CVE-2017-3549)
• New checks for WordPress core and plugins, Joomla! and Drupal

Updates

• Minor UI updates
• Improved reporting for scans interrupted due to network errors
• Client certificate address can now be configured for a target
• HTTP authentication address can now be configured for a target
• Scans are now aborted after 25 network errors
• Implemented proof of exploit for blind SQL Injection vulnerabilities
• Improved display of the scan duration for long scans
• Acunetix can be installed in custom paths
• Email notifications can be configured for:
  • Product updates
  • Target notifications
  • Scan notifications
  • Report notifications
  • Monthly status updates

Fixes

• Fixed: On the Reports page, target address shows as N/A for targets that do not have a description
• Fixed issue uploading import files larger than 1 MB
• Fixed issue whereby some addresses had a missing character in the report
• Fixed false positive in possible server path disclosure
• Fixed issue causing the scanner to not follow multiple redirects
• Fixed 2 scanner crashes
• Multiple fixes in the WADL parser
• Fixed: Case sensitive paths setting was sometimes not being taken into consideration
• Fixed issue in possible sensitive directories identifying incorrect locations
• Fixed issue for users with expired passwords not given the option to change their password

Upgrade to the Latest Build

If you are already using Acunetix v13, you can initiate the automatic upgrade from the new build notification in the Acunetix UI > About page.

If you are using a previous version of Acunetix, you need to download Acunetix version 13 from here. Use your Acunetix license key to download and activate your product.

THE AUTHOR

Nicholas Sciberras
Principal Program Manager
LinkedIn

As the Principal Program Manager, Nicholas is passionate about IT security and technology at large. Prior to joining Acunetix in 2012, Nicholas spent 12 years at GFI Software, where he managed the email security and anti-spam product lines, led multiple customer service teams, and provided technical training.