Acunetix introduces support for the detection of HTTP/2 vulnerabilities and improves handling of Laravel CSRF tokens

A new Acunetix Premium update has been released for Windows, Linux, and macOS: 14.6.211207099.

This Acunetix release introduces support for the detection of HTTP/2 vulnerabilities. HTTP/2 is an upgrade to the HTTP protocol and is used more and more frequently. It does however introduce a new class of vulnerabilities, which can only be detected by a scanner that can understand HTTP/2.

The latest Acunetix update also improves handling of Laravel CSRF tokens, enables you to configure blocking of requests to ad services for each target, and includes updates to DeepScan and the PHP IAST AcuSensor. It also introduces 4 new HTTP/2 vulnerability checks, new checks for Ghost CMS, GitLab ExifTool, Jira Software, and Sitecore, as well as numerous improvements, updates, and product fixes.

New features

• The scanner supports detecting HTTP/2 vulnerabilities

New vulnerability checks

• New check for reverse proxy misrouting through HTTP/2 pseudo-headers (SSRF)
• New check for HTTP/2 pseudo-header server-side request forgery
• New check for web cache poisoning DoS through HTTP/2 headers
• New check for HTTP/2 web cache poisoning
• New check for Ghost CMS theme preview XSS (CVE-2021-29484)
• New check for GitLab ExifTool RCE (CVE-2021-22205)
• New check for limited remote file read/include in Jira software server (CVE-2021-26086)
• New check for Sitecore XP deserialization RCE (CVE-2021-42237)

Updates

• Improved handling of Laravel CSRF tokens
• Added possibility to restrict scanning a target using the main installation’s scanning engine
• Added ability to configure blocking of requests to ad services
• Multiple UI updates
• Multiple DeepScan updates
• Multiple updates to the PHP AcuSensor

Fixes

• Fixed: SQLi false negative caused when AcuSensor is installed
• Fixed: Incremental scans not starting when scheduled via Jenkins plugin
• Fixed: 2 issues in .NET sensor injector CLI
• Fixed: Node.js sensor not working on HTTPS sites
• Fixed: Not all paths are imported from specific Burp state files
• Fixed: Scanner crashes when parsing specific GraphQL and Swagger 2 files
• Fixed: Some excluded paths can cause the scanner to hang
• Fixed: Multiple scanner hangs
• Fixed: Race condition between LSR and BLR
• Fixed: Imported URLs ignored when a site redirects from HTTP to HTTPS
• Fixed: Incorrect permissions for some Acunetix files/folders on Linux/Mac

Upgrade to the latest build

If you are already using Acunetix build 14.x, you can initiate the automatic upgrade from the new build notification in the Acunetix UI > About page.

If you are using Acunetix build 13.x or earlier, you need to download Acunetix from here. Use your Acunetix license key to download and activate your product.

THE AUTHOR

Nicholas Sciberras
Principal Program Manager
LinkedIn

As the Principal Program Manager, Nicholas is passionate about IT security and technology at large. Prior to joining Acunetix in 2012, Nicholas spent 12 years at GFI Software, where he managed the email security and anti-spam product lines, led multiple customer service teams, and provided technical training.