Acunetix 360 On-Demand

This update includes changes to Internal Agents. The internal agent’s current version is 2.0.2.129.

NEW FEATURES

• Added support for scanning GraphQL APIs.
• Added OWASP API Top Ten Report.

IMPROVEMENTS

• Improved the paragraph style of the login warning banner.
• Changed the brand name of Clubhouse to Shortcut.
• [INTERNAL AGENT] Added the error messages to the Login Simulation Pages.

FIXES

• Fixed the Jolokia version disclosure report to properly highlight the related lines.
• Fixed a bug that threw an error when users update a vulnerability’s status as False Positive on the Technical Report page.
• [INTERNAL AGENT] Fixed a bug that prevented subprocesses of agent from being shutdown during the update process.

This update includes changes to Internal Agents. The internal agent’s current version is 2.0.2.127.

NEW FEATURES

• Added Node.js sensor for AcuSensor.

NEW SECURITY CHECKS

• Added signature matching to Web app fingerprint checker.
• Added patterns for Base64 encoded DOM Cross-site Scripting.
• Added phpMyAdmin Version Disclosure security check.
• Added Atlassian Confluence Version disclosure and Out-of-date security checks.
• Added exclusion feature to JavaScript Library detection.
• Added PHP Version Detection via phpinfo() call.
• Added the Shopify Identified security check.

IMPROVEMENTS

• Added the Bridge URL and Shark token support for AcuSensor.
• Added the “not contains” filter to exclude specific titles, such as Out-of-Date.
• Added the notification on the Reporting page when the time start predates the time end.
• Added setting to configure Session Cookie Names.
• Updated CWE classification category orders for Out-of-date templates.
• Improved Cross-site Scripting attack pattern.
• Added support for exploiting local storage and session storage in the DOM XSS security checks.
• Added highlighting support for custom scripts.
• Added Web Application Firewall to the site profile.
• Changed the default ignored parameter comparison to case insensitive.
• Added ‘Is Encoded’ option to OAuth2 parameters.
• Added JWT Token pre-request script template.
• Added the CSP Not Implemented that will be reported as confirmed.
• Added the Subresource integrity not implemented that will be reported as confirmed.
• Marked weak TLS ciphers.

FIXES

• Fixed the issue that Content-Type header missing was reported when there was no content in the response.
• Fixed the issue that false positive JSON Web Token (JWT) was reported in a not found response.
• Fixed the issue possible and confirmed vulnerabilities reported in the same URL.
• Fixed the issue proof that was generated even when the proof generation option was disabled in the scan policy.
• Fixed FP WAF Identified.
• Fixed the issue vulnerability count in root node is not updated when a vulnerability is removed and Blind XSS was prioritized over the Reflected Cross-site Scripting.
• Fixed the issue source code disclosure is reported in binary responses.
• Fixed the issue JWT JKU vulnerabilities are not reported in Acunetix 360 because of Null Reference Exception.
• Fixed the issue fingerprint checker crashes when an applications file could not be found.
• Fixed the issue object-src missing was reported when default-src is provided in CSP security checks.
• Fixed the issue that some cipher suites are not reported as weak.
• Fixed the issue classification links were not rendered correctly when there are multiple values.
• Fixed the issue proof prefix was added when there were no more characters to be found.

This update includes changes to Internal Agents. The internal agent’s current version is 2.0.2.125.

IMPROVEMENTS

• Added a new security check to identify version disclosure and out-of-date version for Atlassian Confluence CVE-2021-26084.

FIXES

• Fixed a bug that results in missing HTTP headers of target URL when added with imported links.
• Fixed an issue that causes proof creation for SQL injection and Cross-site Scripting even if the proof generation is disabled.
• Fixed an issue that prevents cookie’s same site attribute from being updated which causes “same-site cookie is not implemented” vulnerability to be reported.
• Fixed a JSON Web Token (JWT) validation check that causes too many invalid token errors when using Bearer Authentication Tokens in the form authentication.
• Fixed an issue where host and path parameters in Postman collection were not imported when they are string instead of an array.
• Fixed a bug that returns 401 when the scanner sends HTTP headers in lowercase.
• Fixed a bug about cookie handling in the logout detection page during the form authentication verification.
• [INTERNAL AGENTS] Fixed a bug that results in slow response time from the web application to the agent that causes inconsistent vulnerability reports in the Blind SQL Injection.

IMPROVEMENTS

• Improved the search for scan profiles on the Recent Scans page. Added the Scan Profile Default option to the column filters on the Recent Scans page to speed up the search for the default scan profiles.
• Improved the error messages and code returned from the updating issue API endpoint.
• Added unique IDs on the HTTP 500 Error page.
• Updated a Docker agent library to run more security checks.

FIXES

• Fixed a bug that prevents a website from being deleted if that website has tags.
• Fixed a bug that non-register users receive the Out-of-Date technology notification although these users have no website responsibility.
• Fixed a bug that shows a two-factor authentication page to some users with SSO login after their information is updated on the Team Member page.
• Fixed typo in the All Issues’ page filter drop-down.
• Fixed a bug returning the 500 Error when an issue is updated.
• Fixed a bug that led to duplicated records in a member’s role.
• Fixed a bug that ignored a member’s time zone setting while generating a vulnerability list in XML format.
• Fixed a bug that causes the private scan policies to appear in the Scan Policy drop-down at the New Scheduled Group Scan page.
• Fixed a bug that did not convert the remaining time for the Next Execution Time of a scheduled scan properly.