Acunetix version 12 (build 12.0.190827161) has been released. This new build introduces a number of updates including support for OpenSearch, support for base64 encoded JSON inputs, and discovery and testing of hidden parameters. In addition, new vulnerability checks have been developed for Oracle Business Intelligence, Atlassian Jira, Atlassian Crowd, Apache Spark, ColdFusion, and Python Code Injection. The new build also includes a number of updates and fixes, all of which are available for Acunetix on-premise for Windows and Linux and Acunetix Online.
Here is the full set of updates:
New Features
- Implemented support for OpenSearch
- Acunetix will try to discover hidden parameters and test them
- Acunetix can now check base64-encoded JSON inputs for vulnerabilities
New Vulnerability Checks
- New test for Oracle Business Intelligence Convert XXE (CVE-2019-2767)
- New test for Oracle Business Intelligence Adfresource Path traversal (CVE-2019-2588)
- New test for Oracle Business Intelligence AuthBypass (CVE-2019-2768)
- New test for Oracle Business Intelligence ReportTemplateService XXE (CVE-2019-2616)
- New test for Jira RCE (CVE-2019-11581)
- New test for Atlassian Crowd RCE (CVE-2019-11580)
- New tests for Python Code Injection
- New test for Apache Spark RCE (CVE-2018-11770)
- New test for ColdFusion Deserialization RCE (CVE-2019-7091)
- Implemented support for OpenID Connect Discovery
- Detect and report Apple application association files
- Added new checks for WordPress plugins, Drupal core, and Joomla core
Updates
- Updated UI to accept IPv6 addresses
- Multiple improvements to DeepScan
- Improved the Directory Traversal check
- Updated the scan limits, reducing repeated requests to larger sites
- Acunetix will now extract and process gzipped files
- Multiple updates to parsing and heuristic crawler features
- Improved the vulnerability deduplication – similar vulnerabilities will be reported once
- Improved reporting of the cause of scan failures (e.g. website is unresponsive, invalid import file, etc.)
- Credentials provided to Auto-Login or LSR will not be used for vulnerability tests
- Improved processing of Selenium scripts
- Improved login form detection by Auto-Login feature
- Improved WebLogic detection and testing for default WebLogic credentials
- Improved detection in the Vulnerable JavaScript Libraries check
Fixes
- Fixed a number of issues causing the scanner to stop unexpectedly
- Fixed issue causing AcuMonitor checks to be done when AcuMonitor is not enabled
- Fixed issue with WSDL parsing
- Fixed: Reflected tests (e.g. reflected XSS) were not performed on JSON inputs
- Fixed issue causing 100% CPU usage when processing certain pages
- Fixed hang in the Acunetix Administrative Password utility on Windows
- Fixed: DeepScan was not processing XHTML pages
- Fixed issue causing Chromium process to remain active after PDF report generation
- Fixed issue caused by background requests when recording a login sequence
- Fixed issue when recording a login sequence on a site that uses cross-domain iframes
- Fixed issue when parsing WADL
- Fixed issue causing Host Header Attack false negatives
Upgrade to the latest build
If you are already using Acunetix v12, you can initiate the automatic upgrade from the new build notification in the Acunetix UI > Settings page.
If you are using a previous version of Acunetix, you need to download Acunetix version 12 from here. Use your Acunetix License Key to download and activate your product.