Acunetix version 12 (Windows build 12.0.181203110, Linux build 12.0.181204095) has been released. This new build includes updates to DeepScan and Login Sequence Recorder (LSR). It also introduces support for Swagger and Kerberos HTTP Authentication in the Windows version and introduces support for NTLM HTTP Authentication in the Linux version. Also added a good number of new vulnerability checks, including a huge update increasing the detection of stored XSS, and vulnerability checks in major products such as Apache Tomcat, CouchDB, Apach ActiveMQ, Node.js, Oracle WebLogic, nginx, and others. The new build also includes a good number of updates and fixes.

Unless otherwise stated, the new features / checks, updates and fixes are available for both Windows and Linux.

New features

  • Deepscan has been updated to make use of Chromium (Windows only – already included in Linux)
  • Login Sequence Recorder has been updated to make use of Chromium (Windows only – already included in Linux)
  • Acunetix can now test APIs document using Swagger (Windows only – already included in Linux)
  • Introduced support for NTLM HTTP Authentication on Linux release (already included on Windows)
  • Introduced support for Kerberos HTTP Authentication (Windows only)

New vulnerability checks

  • A huge update increasing the detection of Stored XSS
  • New test for possible file creation using the HTTP PUT method
  • New test for Apache Tomcat Remote Code Execution Vulnerability (CVE-2017-12615)
  • New test for Ektron Content Management System (CMS) 9.20 SP2, remote re-enabling users (CVE-2018–12596)
  • New test for httpoxy vulnerability
  • New test checks if CouchDB REST API is publicly accessible
  • New test checks if CouchDB is vulnerable to Remote Privilege Escalation resulting in Remote Code Execution (CVE-2017-12635)
  • New test for Apache ActiveMQ default credentials
  • New test for Node.js Path validation vulnerability (CVE-2017-14849)
  • New test for GoAhead web server RCE via unsafe environment initialization of forked CGI scripts (CVE-2017-17562)
  • New test for publicly accessible Hadoop YARN ResourceManager WebUI
  • New test for jQuery-File-Upload <= v9.22.0 unauthenticated arbitrary file upload vulnerability
  • New test looks for Google Firebase Databases URLs in the response and checks if the Firebase Databases are accessible without authentication
  • New test for Oracle WebLogic Remote Code Execution vulnerability via T3 (CVE-2018-3245)
  • New test for Oracle WebLogic Authentication Bypass vulnerability (CVE-2018-2894)
  • New test checks if Jupyter Notebook is publicly accessible
  • New test for Apache Log4j socket receiver deserialization vulnerability
  • New test for NGINX range filter integer overflow (CVE-2017-7529)
  • New test for Xdebug remote code execution via xdebug.remote_connect_back
  • Numerous new checks for WordPress Core, WordPress plugins, Joomla Core and Drupal Core.

Updates

  • Numerous memory management improvements
  • Multiple updates to LSR and session detection improving scanning of restricted areas
  • Improved speed of SQL Injection vulnerability checks
  • The new LSR / Deepscan will improve support of JavaScript rich sites
  • Added mock geo-location support to support scanning sites that require geo-location
  • Improved analysis of XML and JSON

Fixes

  • Fixed scanner crash when scan was resumed from paused state
  • Fixed some issues in the handling of cookies
  • Custom cookies were not always used
  • Content-Type header was not always being sent. This affected the detection of some vulnerabilities
  • Fixed a false positive in SSL weak key length vulnerability check
  • Fixed issue in the Social Security Number and Credit Card number check
  • Fixed issue with AcuSensor download on Linux release
  • Fixed issue causing scans to be aborted when server returns an invalid charset
  • Fixed a number of other issues causing the scanner to close unexpectedly
  • Sensitive and Backup files were not being checked for in the site root
  • Fixed issue with jquery version extractor
  • Fixed 2 internally reported security issues
  • Fixed issue with re-installation of Linux installations

Upgrade to the latest build

If you are already using Acunetix v12, you can initiate the automatic upgrade from the new build notification in the Acunetix UI > Settings page.
If you are using a previous version of Acunetix, you need to download Acunetix version 12 from here. Use your current Acunetix License Key to download and activate your product.

SHARE THIS POST
THE AUTHOR
Nicholas Sciberras
Principal Program Manager
As the Principal Program Manager, Nicholas is passionate about IT security and technology at large. Prior to joining Acunetix in 2012, Nicholas spent 12 years at GFI Software, where he managed the email security and anti-spam product lines, led multiple customer service teams, and provided technical training.