Acunetix introduces IAST updates improving vulnerability and misconfiguration detection as well as scan coverage

A new Acunetix Premium update has been released for Windows, Linux, and macOS: 14.7.220228146

This Acunetix release introduces multiple IAST updates that will help detect several high severity vulnerabilities, provide full coverage for the newly supported web frameworks, and improve the detection of server-side misconfigurations. It also introduces new vulnerability checks for well-known web applications, includes a number of updates to the CSRF token handling, and provides numerous improvements, updates, and product fixes.

New features

• The .NET IAST sensor (AcuSensor) can now be installed on .NET Core v3 and v5 on Windows (with the Kestrel server)
• The Acunetix scanner was updated to support routes for frameworks supported by the IAST sensors (AcuSensor)
• Added support for the Laravel framework in the PHP IAST sensor (AcuSensor)
• Added support for the CodeIgnitor framework in the PHP IAST sensor (AcuSensor)
• Added support for the Symphony framework in the PHP IAST sensor (AcuSensor)
• Added support for the ASP.NET MVC in the .NET Core IAST sensor (AcuSensor)
• Added support for Razor Pages in the .NET Core IAST sensor (AcuSensor)
• Added support for Web API in the .NET Framework and the .NET Core IAST sensors (AcuSensor)
• Added support for Spring MVC in the JAVA IAST sensor (AcuSensor)
• Added support for Spring Struts2 in the JAVA IAST sensor (AcuSensor)

New vulnerability checks

• Acunetix has been updated to detect the following vulnerabilities using IAST:
  • LDAP Injection
  • Unsafe Reflection of Untrusted Data
  • XPath Injection
  • Email Header Injection
  • Deserialization of Untrusted Data
  • MongoDB Injection
  • Server-side template injection (SSTI)
  • Server-side request forgery (SSRF)
• Acunetix IAST (AcuSensor) has been updated to detect over 30 new server-side misconfigurations across all sensors
• New check for Magento config file disclosure
• New check for BillQuick Web Suite SQL injection (CVE-2021-42258)
• New check for Apache Airflow experimental API auth bypass (CVE-2020-13927)
• New check for Apache Airflow default credentials
• New check for Apache Airflow exposed configuration
• New check for Apache Airflow unauthorized access vulnerability
• New check for GoCD information disclosure (CVE-2021-43287)
• New check for Grafana plugin directory traversal (CVE-2021-43798)
• New check for NodeBB arbitrary JSON file read (CVE-2021-43788)
• New check for ManageEngine Desktop Central deserialization RCE (CVE-2020–10189)
• New check for SolarWinds Orion API auth bypass (CVE-2020-10148)
• New check for Citrix ADC NetScaler local file inclusion (CVE-2020-8193)
• New check for VMware vCenter vcavbootstrap arbitrary file read
• New check for Pentaho API auth bypass (CVE-2021-31602)
• New check for Sonicwall SMA 100 unintended proxy (CVE-2021-20042)
• New check for VMware vCenter Log4Shell RCE
• New check for VMware Horizon Log4Shell RCE
• New check for MobileIron Log4Shell RCE
• New check for Ubiquiti Unifi Log4Shell RCE
• New check for Apache OFBiz Log4Shell RCE
• New check for Apache Struts2 Log4Shell RCE
• New check for Apache Solr Log4Shell RCE
• New check for Apache JSPWiki Log4Shell RCE
• New WordPress Core and WordPress plugins checks

Updates

• IAST sensors (AcuSensor) capabilities have been updated to improve the detection of:
  • Arbitrary file creation
  • Directory traversal
  • SQL injection
  • Remote code execution
• Acunetix will start reporting if an old version of the IAST sensor (AcuSensor) is installed on the web application
• Considerable update to the handling of CSRF tokens
• The Vulnerabilities page now includes a unique vulnerability ID
• Multiple UI updates
• Multiple DeepScan updates

Fixes

• Fixed an issue with GitLab issue types not showing in the UI
• Fixed an issue with Amazon AWS WAF export
• Fixed several scanner crashes
• Fixed an issue with .NET IAST AcuSensor not working on IIS prior to version 10
• Fixed an issue with Node.js IAST AcuSensor causing the web application to stop working
• Fixed an ordering issue in PDF comprehensive reports for multiple scans
• Fixed a timeout issue causing IAST data not to reach the Acunetix scanner

Upgrade to the latest build

If you are already using Acunetix build 14.x, you can initiate the automatic upgrade from the new build notification in the Acunetix UI > About page.

If you are using Acunetix build 13.x or earlier, you need to download Acunetix from here. Use your Acunetix license key to download and activate your product.

THE AUTHOR

Nicholas Sciberras
Principal Program Manager
LinkedIn

As the Principal Program Manager, Nicholas is passionate about IT security and technology at large. Prior to joining Acunetix in 2012, Nicholas spent 12 years at GFI Software, where he managed the email security and anti-spam product lines, led multiple customer service teams, and provided technical training.