Acunetix 360 On-Demand

This update includes changes to Internal Agents. The internal agent’s current version is 2.0.2.127.

NEW FEATURES

• Added Node.js sensor for AcuSensor.

NEW SECURITY CHECKS

• Added signature matching to Web app fingerprint checker.
• Added patterns for Base64 encoded DOM Cross-site Scripting.
• Added phpMyAdmin Version Disclosure security check.
• Added Atlassian Confluence Version disclosure and Out-of-date security checks.
• Added exclusion feature to JavaScript Library detection.
• Added PHP Version Detection via phpinfo() call.
• Added the Shopify Identified security check.

IMPROVEMENTS

• Added the Bridge URL and Shark token support for AcuSensor.
• Added the “not contains” filter to exclude specific titles, such as Out-of-Date.
• Added the notification on the Reporting page when the time start predates the time end.
• Added setting to configure Session Cookie Names.
• Updated CWE classification category orders for Out-of-date templates.
• Improved Cross-site Scripting attack pattern.
• Added support for exploiting local storage and session storage in the DOM XSS security checks.
• Added highlighting support for custom scripts.
• Added Web Application Firewall to the site profile.
• Changed the default ignored parameter comparison to case insensitive.
• Added ‘Is Encoded’ option to OAuth2 parameters.
• Added JWT Token pre-request script template.
• Added the CSP Not Implemented that will be reported as confirmed.
• Added the Subresource integrity not implemented that will be reported as confirmed.
• Marked weak TLS ciphers.

FIXES

• Fixed the issue that Content-Type header missing was reported when there was no content in the response.
• Fixed the issue that false positive JSON Web Token (JWT) was reported in a not found response.
• Fixed the issue possible and confirmed vulnerabilities reported in the same URL.
• Fixed the issue proof that was generated even when the proof generation option was disabled in the scan policy.
• Fixed FP WAF Identified.
• Fixed the issue vulnerability count in root node is not updated when a vulnerability is removed and Blind XSS was prioritized over the Reflected Cross-site Scripting.
• Fixed the issue source code disclosure is reported in binary responses.
• Fixed the issue JWT JKU vulnerabilities are not reported in Acunetix 360 because of Null Reference Exception.
• Fixed the issue fingerprint checker crashes when an applications file could not be found.
• Fixed the issue object-src missing was reported when default-src is provided in CSP security checks.
• Fixed the issue that some cipher suites are not reported as weak.
• Fixed the issue classification links were not rendered correctly when there are multiple values.
• Fixed the issue proof prefix was added when there were no more characters to be found.

This update includes changes to Internal Agents. The internal agent’s current version is 2.0.2.125.

IMPROVEMENTS

• Added a new security check to identify version disclosure and out-of-date version for Atlassian Confluence CVE-2021-26084.

FIXES

• Fixed a bug that results in missing HTTP headers of target URL when added with imported links.
• Fixed an issue that causes proof creation for SQL injection and Cross-site Scripting even if the proof generation is disabled.
• Fixed an issue that prevents cookie’s same site attribute from being updated which causes “same-site cookie is not implemented” vulnerability to be reported.
• Fixed a JSON Web Token (JWT) validation check that causes too many invalid token errors when using Bearer Authentication Tokens in the form authentication.
• Fixed an issue where host and path parameters in Postman collection were not imported when they are string instead of an array.
• Fixed a bug that returns 401 when the scanner sends HTTP headers in lowercase.
• Fixed a bug about cookie handling in the logout detection page during the form authentication verification.
• [INTERNAL AGENTS] Fixed a bug that results in slow response time from the web application to the agent that causes inconsistent vulnerability reports in the Blind SQL Injection.

IMPROVEMENTS

• Improved the search for scan profiles on the Recent Scans page. Added the Scan Profile Default option to the column filters on the Recent Scans page to speed up the search for the default scan profiles.
• Improved the error messages and code returned from the updating issue API endpoint.
• Added unique IDs on the HTTP 500 Error page.
• Updated a Docker agent library to run more security checks.

FIXES

• Fixed a bug that prevents a website from being deleted if that website has tags.
• Fixed a bug that non-register users receive the Out-of-Date technology notification although these users have no website responsibility.
• Fixed a bug that shows a two-factor authentication page to some users with SSO login after their information is updated on the Team Member page.
• Fixed typo in the All Issues’ page filter drop-down.
• Fixed a bug returning the 500 Error when an issue is updated.
• Fixed a bug that led to duplicated records in a member’s role.
• Fixed a bug that ignored a member’s time zone setting while generating a vulnerability list in XML format.
• Fixed a bug that causes the private scan policies to appear in the Scan Policy drop-down at the New Scheduled Group Scan page.
• Fixed a bug that did not convert the remaining time for the Next Execution Time of a scheduled scan properly.

FEATURES

• Introduced the tagging feature for websites, website groups, and scans: While this feature has been available for Issues since March,  you can now add tags to scans, websites, and websites groups as well.

This update includes changes to Internal Agents.

FEATURE

• Added ServiceNow Vulnerability Response Integration.
• Added DefectDojo Integration.
• Added support for editing built-in sections of custom report policies.
• Added Pre-Request Script feature which helps to configure HMAC Authentication on the New Scan page.
• Added DITA STIG, NIST SP 800-53, and ASVS 4.0 Compliance Reports
• Added a new State filter on the Issues page.

IMPROVEMENT

• Added an option to fail Azure build for only confirmed vulnerabilities.
• Improved the statusCode and errorMessage returned from members/deleteinvitation API endpoint on cases when the invitation is missing.
• Changed roles/update API endpoint response status code from 201 to 200 to better comply with REST best practices.
• Added “Override Version Vulnerability Severities” option to Scan Policy > Attacking settings.
• Improved the error message displayed when a Website Group cannot be deleted due to it being referenced by a notification.
• Extended the range of digits that can be entered for HOTP and TOTP configuration.
• Improved global dashboard performance.
• Changed the error message for members/update API endpoint for password POST requests.
• Added a control in the UserRoleWebsiteGroupMapping API endpoint to prevent null object reference exceptions.

REMOVAL

• Removed X-Scanner request header from the default scan policies to prevent web application firewalls from blocking scans.

FIXES

• Fixed an error preventing NIST, DISA STIG, and ASVS classifications from appearing in the Issue details.
• Fixed an unhandled error that occurs while deleting scans.
• Fixed an issue where the check state is reset when the search keyword is modified on the Report Policy Editor security checklist.
• Fixed scheduled website group scans that do not use primary scan policies.
• Fixed an issue where multiple Common Weakness Enumeration values were being sent to Kenna Integration.
• Fixed the incorrect API documentation of roles/listpermissions endpoint.
• Fixed an issue where form authentication may fail because of credentials being modified when the scan profile is updated.
• Fixed missing state field on the member API endpoint.
• Fixed the 500 Internal Server Error message for a query string to a non-existent page.
• [INTERNAL AGENT] Fixed an issue where a scan policy name containing invalid filename characters was causing scans to fail.
• [INTERNAL AGENT] Fixed several scan failure issues caused by an error that occurred while trying to open the vulnerability database.
• [INTERNAL AGENT] Fixed agent attempting to use proxy even after settings are changed.
• [INTERNAL AGENT] Fixed an unhandled error thrown while archiving the scan data.
• [INTERNAL AGENT] Added NoProxy option to internal agents.