Acunetix 360 On-Demand

This update includes changes to the internal agents. The internal scan agent’s current version is 23.4.0. The internal authentication verifier agent’s current version is 23.4.0

New security checks

• Added new patterns for GrapQL attack usage.
• Added new attack pattern to CommandInjection.xml.
• Implemented Bootstrap Libraries Detection.
• Added Out-of-Date vulnerability for mod_ssl.
• Added a report template and vulnerability type for Spring Framework Identified.
• Added JavaMelody Interface Detected Signature.
• Added the support for Nested objects for GraphQL attacks.

Improvements

• Added the discovery source option to filters on the discovered websites page.
• Added the AWS badge to the Discovery Service to identify the assets identified via the AWS connection.
• Improved the Linux agents to work in the FIPS-enabled environment.
• Updated the IAST Bridge to improve the communication between the bridge and the scanner agent.
• Added a null check for HAR files imported.
• Improved the agent and web application communication to end it after three attempts if the internal agent has wrong information.
• Updated IAST NuGet PHP package.
• Updated StaticDetection.xml & StaticResourceFinder.xml.
• Changed WAF Identification Signature for F5 Big IP.
• Added external schema import to solve a WSDL file importing another WSDL file.
• Added service worker request support for authentication, login simulation, and crawling.

Fixes

• Fixed the issue with a folder name with blanks to prevent the Unquoted Service Path vulnerability.
• Fixed the AWS connection issue to let customers add internal EC2 instances.
• Fixed an issue that caused high memory usage while collecting form values.
• Fixed the issue that caused the change in the date and time format during the Postman file importing.
• Fixed the next scheduled scan execution time information on the user interface.
• Fixed the issue that displayed “vulnerability not found” on the user interface although the vulnerability is identified.
• Fixed the control issue that threw an “internal server error” when exporting a scan from Invicti Standard to the Enterprise.
• Fixed the “Catastrophic Backtracking” in Whoops Debugging detection.

This update includes changes to the internal agents. The internal scan agent’s current version is 23.3.0. The internal authentication verifier agent’s current version is 23.3.0

New security checks

• Added package.json Configuration File attack pattern.
• Added new File Upload Injection pattern.
• Added SSRF (Equinix) vulnerability.
• Added Swagger user interface Out-of-Date vulnerability.
• Added a file upload injection pattern.
• Added StackPath CDN Identified vulnerability.
• Added Insecure Usage of Version 1 GUID vulnerability.
• Added JBoss Web Console JMX Invoker check.
• Added Windows Server check.
• Added Windows CE check.
• Added Cloudflare Identified, Cloudflare Bot Management, Cloudflare Browser Insights, and cdnjs checks.
• Added Varnish Version Disclosure vulnerability check.
• Added Stack Trace Disclosure (Apache Shiro) vulnerability check.
• Added Java Servlet Ouf-of-Date vulnerability check.
• Added AEM Detected vulnerability check.
• Added CDN Detected(JsDelivr) vulnerability check.

Improvements

Improvements in scans

• Improved the bulk update of those issues with the Fixed(Can’t Retest) status.
• Added a column on the Issues page to show users whether an issue is retestable.
• Improved the scan compression algorithm to lower the size of the scan data.
• Added a tooltip to show the full scan report name when it is too long.
• Added a progress indication while exporting a PCI scan report.
• Added an option to delete the stuck agents’ commands.
• Fixed the business logic recorder issue while using the Basic, NTLM/Kerberos Configurations.

Improvements in API

• Improved the descriptions for /api/1.0/issues/report endpoint and the integration parameter on the Allissues endpoint.

Improvements in security checks

• Improved WS_FTP Log vulnerability test pattern.
• Improved X-XSS-Protection Header Issue vulnerability template.
• Improved MySQL Database Error Message attack pattern.
• Improved XML External Entity Injection vulnerability test pattern.
• Improved Forced Browsing List.
• Added CWE classification for Insecure HTTP Usage.
• Added GraphQL Attack Usage to existing test patterns by default.
• Improved the internal agents on Windows to prevent possible Unquoted Service Path issues.

Fixes

• Fixed the internal agents naming issue.
• Fixed the update issue in the Proof node in the Knowledge Base panel.
• Fixed the API token reset issue for team members.
• Fixed the API documentation’s website that failed to show descriptions.
• Fixed the business logic recorder issue where the session is dropped because of a cookie.
• Fixed the default email address that appeared on the login page during the custom script window.
• Fixed the Out-of-Memory issue caused by the Text Parser when adding any extension to the parser.
• Fixed the Client Secret in raw text appearing in the scan report for OAuth2.
• Fixed the Hawk validation issue.
• Fixed the scan flow with different logic for incremental scans that are launched via CI/CD integrations and the user interface.
• Fixed the custom vulnerability deletion problem on the custom report policy.
• Fixed the vulnerability database issue that occurred because of a URL redirect problem.
• Fixed the internal server error on the Audit logs’ list endpoint.
• Fixed the issue of email notifications when a new scan is launched.
• Fixed the typo on the OAuth2 settings page.
• Fixed the issue updating timeout issue.
• Fixed the PCI scan icon issue that disappeared during the scan.

Fixes

• Fixed the bug that threw an error when the Require SAML assertions to be encrypted checkbox is not selected on the Single Sign-on page.

Improvements

• Improved the Technologies page for detailed version information of technologies identified.
• Improved the target website deletion process to prevent any errors because of instantaneous action.
• Add a new API endpoint (api/1.0/issues/summary) for better issue reporting.
• Improved the maximum scan duration to stop only those scans with the Scanning status.
• Added default SSL Configuration to docker agents.
• Added a token matching rule when it is required to get the token from a website other than the target URL.

Fixes

• Fixed the scanner agent issue where the Linux agents failed because of TLS as a result of breaking changes in .NET 5.
• Fixed the basic authentication issue that threw an error although the credentials are correct in the scan profile.
• Fixed the business logic recorder issue that prevented the recorder to play recorded steps during a scan.
• Fixed the inconsistent number of vulnerability counts by severity information on the scan report page.
• Fixed the vulnerability serialization issue that caused the out-of-memory error.
• Fixed the scan scope issue that does not load the scan scope correctly on the first try.
• Fixed the scan profile issue that failed to register the database selected on the scan optimization page.
• Fixed the corrupted scan data ZIP file downloaded via an API endpoint.

This update includes changes to the internal agents. The internal scan agent’s current version is 2.0.2.158. The internal authentication verifier agent’s current version is 2.0.2.158.

IMPROVEMENTS

• Added auto responder for images to escape the onerror issue.

FIXES

• Fixed the agent stuck issue when the scan timeout is detected.
• Fixed an issue that overrode TLS settings available in the scan policy when the Ignore SSL Certificate Errors is set to True in the Appsetting.json file.