Acunetix 360 On-Demand

FIXES

• Fixed the parsing problem encountered when Burp and Postman files are imported via the Links/API Definition page.
• Fixed imported links DLL mismatch problem for GraphQL.

This update includes changes to the internal scan agent. The internal scan agent’s current version is 2.0.2.143.

NEW FEATURES

• Added GraphQL Libraries detection support.
• Added built-in DVWA policies to scan policies.

IMPROVEMENTS

• Updated embedded Chromium browser.
• Added a discovered date column for websites detected by the Discovery Service.
• Updated out-of-date Lodash library.
• Added a timeout for website import. The default value for timeout is 400 ms.
• Improved the tooltip for security checks on the scan policy page to properly reflect the security policy selections.
• Updated the SCIM integration for provisioning on Azure Active Directory’s marketplace.
• Added the ability to bulk edit issues.

FIXES

• Fixed a bug that prevents members with user-defined roles from being deleted.
• Fixed a bug that prevents the information displayed when users select Jira on the user mapping.
• Fixed a bug that does not request to verify website ownership when the website’s agent mode is changed from internal to Cloud.
• [Internal agent] Fixed a bug that causes showing an outdated vulnerability database version of an agent on the user interface.
• Fixed a bug that shows different information between Invicti Standard and Acunetix 360 on the Known Issues of the Out-of-Date Node when the software composition analysis is run.
• Fixed a null reference type issue while creating JsonSerialized Kafka issues.
• [Internal agent] Fixed a bug that does not show the website thumbnail when the scan is completed.
• Fixed an issue that causes custom vulnerabilities not to be added to the Vulnerability Lookup table.
• Changed filter for Groupable Custom vulnerabilities when creating vulnerability model.
• Fixed a bug that prevents a scan profile from being updated when users add a client certificate.
• Fixed a bug that threw an error when users tried to delete a scan policy.
• Fix a bug that prevents exporting a vulnerability list report in CSV or XML when Netsparker Shark (IAST) is enabled.
• Fixed a bug that prevents the loading of form authentication pages when OTP is selected.
• Fixed a bug while excluding cookies during the scan.
• Fixed a bug that prevents websites from being deleted.
• Fixed the Jazz Team Server multiple category issue.
• Fixed a bug that occurs when a detailed scan report does not report the CVSS scores for custom vulnerabilities.
• Fixed a bug that prevents editing the FreshService integration.
• Fixed the link that throws an error on the SCIM API documentation page.
• [Internal agent] Fixed a bug that throws an exception when the agent is started in debug mode on IDE.
• Fixed a bug that prevents a notification from being sent to users when users filter the state.
• Removed the space at the CVSS Scores that caused incorrect values to show up.

This update includes changes to internal scan agent. The internal scan agent’s current version is 2.0.2.140.

NEW SECURITY CHECKS

• Added Remote Code Execution (CVE-2022-22965) a.k.a. Spring4Shell detection support.

This update includes changes to internal scan and authentication verifier agents. The internal scan agent’s current version is 2.0.2.138. The internal authentication verifier agent’s current version is 2.0.2.138.

IMPROVEMENT

• Added the OWASP API Top Ten 2019 scan policy.
• Added a check to prevent from entering special characters to the optimized scan policy.
• Added the DeleteById field when a website is deleted.
• Added validation of the URLs entered by a user in the ImportedLink section while saving the database.
• Improved the SCIM error message when a user filters users/groups with mistaken syntax.
• Added context sensitive help on the Agent page.

FIXES

• Fixed null exception error while mapping imported links in API.
• Fixed a bug that causes the Issues page to be crashed when the state filter is selected.
• Fixed a bug in which the new scan page is stuck although a new scan has been launched.
• Fixed a bug that causes an error when you want to delete a scheduled scan that has a website with tags which were included into a scan profile.
• Fixed a bug that generates a blank scan report when a vulnerability has a null name value.
• Fix a bug that does not show imported links in scheduled scans.
• [Internal Authentication Verifier Agent] Fixed OAuth2 verification that fails due to the OTP settings model being null.
• [Internal Scan Agent ] Fixed a bug that prevents the WSDL files from being imported.

This update includes changes to internal scan agents. The internal scan agent’s current version is 2.0.2.135.

IMPROVEMENTS

• Added a condition for team members when sending an email notification.
• Added a condition when sending an email notification for Out-of-Date Technologies to customers.
• Improved the importing of RAML files includes other files.
• Updated the Freshservice integration not to send a user agent header.
• Improved the API responses by adding model mapping for AuthenticationProfileOption and AuthenticationProfileId.
• Added a message to the Jira integration to show that the integration is created successfully.
• Added an error message for invalid component value of newly created Jira integration.
• Improved the pop-up message that warns users that they share the report with a person from the outside of the organization.
• Updated an explanation on strong password recommendations on the Change Password page.

FIXES

• Fixed an issue that prevented keywords from being refreshed when the login required URL is changed on the Login Verification window.
• Fixed a misspelled word on the GraphQL Introspection window.
• Fixed a bug that prevented each website using its own default scan policy when a scheduled group scan is launched.
• Fixed the issue where the client-side cookies were not excluded correctly.
• Fixed an issue with latestVulnerabilityStatePointId values that return errors on the Issues/To Do and Issues/All issues.
• Fixed an issue that shows a two-factor authentication warning message for provisioned team members with Okta.
• Fixed an information message that uses the word “notification” although the message is about the integration.
• Fixed an issue in DefectDojo, YouTrack, and TFS integration that refreshes the New Integration page when a custom field is added and the user selects the Create Sample Issue button.
• Fixed an issue that shows extra leading white space in the console of the Website page.
• Fixed the issue with the Missing XSS protection Header in the Out-of-Scope link.
• Fixed the more information link that does not open the correct page for the Custom URL Rewrite.
• Fixed the more information link that does not have a related link on the Scan Scope tab of New Scan Screen.
• Fixed the more information link that does not open any page.
• Fixed an explanation appearing on the AcuSensor page.
• Fixed a weak password error message thrown by Acunetix 360 when a user is synchronized using Okta.
• Fix the issue that prevents the built-in scan policies from being updated when there is a new update for the On-Demand version.
• [INTERNAL AGENTS] Fixed a request payload when the Agent sends big scan data.
• [INTERNAL AGENTS] Fixed OAuth2 verification that fails due to the OTP settings model being null.
• [INTERNAL AGENTS] Fixed the scan error on completion issue because of crossthread error by moving to ConcurrentDictionary.