New Features
- New Integrated Login Sequence Recorder - Login Sequences can be recorded directly from the Acunetix UI
- Swagger (JSON and YAML) and WSDL can be used as import files
New Vulnerability Checks
- New checks for a number of web backdoors
- New checks for elmah.axd information disclosure
- New test for Stack Trace Disclosure in Django
- New test for Stack Trace Disclosure in ASP.NET
- New test for Stack Trace Disclosure in ColdFusion
- New test for Stack Trace Disclosure in Python
- New test for Stack Trace Disclosure in Ruby
- New test for Stack Trace Disclosure in Tomcat
- New test for Stack Trace Disclosure in Grails
- New test for Stack Trace Disclosure in Apache MyFaces
- New test for Stack Trace Disclosure in Java
- New test for Stack Trace Disclosure in GWT
- New test for Stack Trace Disclosure in Laravel
- New test for Stack Trace Disclosure in Rails
- New test for Stack Trace Disclosure in CakePHP
- New test for Stack Trace Disclosure in CherryPy
- New Directory Listing vulnerability checks
- New Error Message vulnerability checks
- New test for Oracle Reports RWServlet showenv
- New test for Docker Engine API publicly accessible
- New test for Docker Registry API publicly accessible
- New test for Jenkins server user enumeration
- New test for Jenkins server weak credentials
- Added the following new tests for Adobe Experience Manager (AEM):
  - Day CQ WCM Debug Filter enabled
  - LoginStatusServlet exposed (allows credentials to be brute-forced)
  - Brute-force of a set of default AEM credentials when the LoginStatusServlet is exposed
  - QueryBuilderFeedServlet publicly accessible; sensitive information might be exposed
  - Tests for a number of SWF files shipped with AEM that are vulnerable to Reflected XSS
  - AEM Groovy Console publicly accessible; permits remote code execution (RCE)
  - AEM ACS Tools (a set of tools for AEM developers) exposed; RCE is possible
  - GQLServlet publicly accessible; sensitive information could be exposed
  - AuditLogServlet publicly accessible; audit log records could be exposed
  - Server Side Request Forgery (SSRF) via SalesforceSecretServlet (CVE-2018-5006)
  - Server Side Request Forgery (SSRF) via ReportingServicesServlet
  - Server Side Request Forgery (SSRF) via SiteCatalystServlet
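As an added example (not Acunetix code), this is the kind of body-signature matching that sits behind the Stack Trace Disclosure checks listed above, run over constructed sample responses. The signature list and the sample pages are assumptions drawn from each framework's default error page, not the scanner's own rules; the ordering matters because a Django debug page also contains a plain Python traceback and a Grails or GWT trace is also a Java trace.

```python
import re

# Building blocks shared by several signatures.
PY_TRACEBACK = r"Traceback \(most recent call last\):"
PY_FRAME = r'File "[^"]+", line \d+, in '
JAVA_FRAME = r"^\s*at [\w$.]+\([\w$]+\.java:\d+\)"
RUBY_FRAME = r"\.rb:\d+:in [`']"
PHP_FRAME = r"\.php(?::| on line )\d+"

# Most specific first; every pattern in a group must match for a hit.
# (Assumed signatures, based on each framework's default error output.)
SIGNATURES = [
    ("Django", [r"Django Version:", r"Exception Type:"]),
    ("CherryPy", [r"cherrypy[/\\]_cp\w+\.py", PY_TRACEBACK]),
    ("Rails", [r"Application Trace", r"Framework Trace", RUBY_FRAME]),
    ("Laravel", [r"Illuminate\\", PHP_FRAME]),
    ("CakePHP", [r"Cake\\", PHP_FRAME]),
    ("Tomcat", [r"org\.apache\.catalina\.", r"Apache Tomcat/"]),
    ("Grails", [r"org\.grails\.", JAVA_FRAME]),
    ("Apache MyFaces", [r"org\.apache\.myfaces\.", JAVA_FRAME]),
    ("GWT", [r"com\.google\.gwt\.", JAVA_FRAME]),
    ("ColdFusion", [r"coldfusion\.runtime\."]),
    ("ASP.NET", [r"Server Error in '[^']*' Application", r"Stack Trace:",
                 r"Microsoft \.NET Framework Version:"]),
    # Generic fallbacks once no framework-specific group matched.
    ("Python", [PY_TRACEBACK, PY_FRAME]),
    ("Ruby", [RUBY_FRAME]),
    ("Java", [JAVA_FRAME, r"(Exception|Error)\b"]),
]
_COMPILED = [(n, [re.compile(p, re.MULTILINE) for p in pats]) for n, pats in SIGNATURES]


def detect_stack_trace(body: str):
    """Return the name of the framework whose stack-trace signature matches, or None."""
    for name, pats in _COMPILED:
        if all(p.search(body) for p in pats):
            return name
    return None


# Constructed sample responses (not captured from real systems).
SAMPLES = {
    "django": """<html><head><title>ZeroDivisionError at /api/</title></head><body>
<h1>ZeroDivisionError at /api/</h1>
<table class="meta"><tr><th>Django Version:</th><td>3.2.5</td></tr>
<tr><th>Exception Type:</th><td>ZeroDivisionError</td></tr>
<tr><th>Exception Value:</th><td>division by zero</td></tr></table>
<div id="traceback"><pre>Traceback (most recent call last):
  File "/app/views.py", line 12, in index
    return 1 / 0
</pre></div></body></html>""",
    "aspnet": r"""<html><head><title>Runtime Error</title></head><body>
<h1>Server Error in '/' Application.</h1>
<h2><i>Object reference not set to an instance of an object.</i></h2>
<b>Stack Trace:</b><br><pre>
[NullReferenceException: Object reference not set to an instance of an object.]
   WebApp.Default.Page_Load(Object sender, EventArgs e) in C:\inetpub\WebApp\Default.aspx.cs:21
</pre>
<b>Version Information:</b>&nbsp;Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.8.4261.0
</body></html>""",
    "tomcat": """<html><head><title>HTTP Status 500 - Internal Server Error</title></head><body>
<h1>HTTP Status 500 - Internal Server Error</h1><hr/>
<p><b>Type</b> Exception Report</p>
<p><b>Exception</b></p><pre>java.lang.NullPointerException
    com.example.shop.CartServlet.doGet(CartServlet.java:42)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
    org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:227)
</pre><hr/><h3>Apache Tomcat/9.0.46</h3></body></html>""",
    "python": """Traceback (most recent call last):
  File "/srv/app/server.py", line 44, in handle
    data = json.loads(body)
  File "/usr/lib/python3.9/json/__init__.py", line 346, in loads
    return _default_decoder.decode(s)
json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)""",
    "benign": "<html><body><h1>Welcome</h1><p>Nothing to see here.</p></body></html>",
}


def classify_samples():
    """Run the detector over every sample; returns {sample name: framework or None}."""
    return {name: detect_stack_trace(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print("%-7s -> %s" % (name, result or "no stack trace"))
```

The Tomcat sample is worth noting: Tomcat's exception report does not prefix frames with `at `, so the generic Java signature would miss it, which is why the Tomcat group keys on the `org.apache.catalina.` package and the `Apache Tomcat/` footer instead.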
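As a second added example (again not Acunetix code), the logic behind the "Docker Engine API publicly accessible" and "Docker Registry API publicly accessible" checks above, evaluated here over constructed responses. The response shapes are those the Docker daemon (`GET /version`, usually on tcp/2375) and a distribution registry (`GET /v2/`, usually on tcp/5000) send by default; the `probe()` helper is an assumed wiring for a live target and is not called offline.

```python
import json
import urllib.error
import urllib.request

# Keys the Docker daemon always returns from GET /version.
ENGINE_VERSION_KEYS = {"Version", "ApiVersion", "GoVersion", "Os", "Arch"}


def check_docker_engine(status, headers, body):
    """Classify a GET /version response. Returns a finding dict or None."""
    if status != 200:
        return None
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict) or not ENGINE_VERSION_KEYS.issubset(data):
        return None
    h = {k.lower(): v for k, v in headers.items()}
    # The daemon also sends Api-Version and Server: Docker/<ver>; the JSON
    # shape alone is already distinctive, the headers only raise confidence.
    docker_headers = "api-version" in h or h.get("server", "").startswith("Docker/")
    return {
        "exposed": True,  # an unauthenticated /version answer means the whole API is open
        "api_version": data["ApiVersion"],
        "engine": "%s (%s/%s)" % (data["Version"], data["Os"], data["Arch"]),
        "confidence": "high" if docker_headers else "medium",
    }


def check_docker_registry(status, headers, body):
    """Classify a GET /v2/ response. Registries always send
    Docker-Distribution-Api-Version: registry/2.0; 200 means anonymous access,
    401 means the registry exists but demands a token for this endpoint."""
    h = {k.lower(): v for k, v in headers.items()}
    if not h.get("docker-distribution-api-version", "").startswith("registry/2"):
        return None
    if status == 200:
        return {"registry": True, "anonymous_access": True, "next_step": "GET /v2/_catalog"}
    if status == 401:
        return {"registry": True, "anonymous_access": False, "auth": h.get("www-authenticate", "")}
    return {"registry": True, "anonymous_access": False, "status": status}


def probe(base_url, path, timeout=5):
    """Assumed helper: fetch one endpoint and return (status, headers, body)."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "docker-api-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return r.getcode(), dict(r.headers), r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode("utf-8", "replace")


# Constructed responses (not captured from real hosts).
ENGINE_OK = (200,
             {"Api-Version": "1.41", "Content-Type": "application/json",
              "Server": "Docker/20.10.7 (linux)"},
             json.dumps({"Version": "20.10.7", "ApiVersion": "1.41", "MinAPIVersion": "1.12",
                         "GoVersion": "go1.13.15", "Os": "linux", "Arch": "amd64",
                         "KernelVersion": "5.4.0-74-generic"}))
REGISTRY_OPEN = (200,
                 {"Content-Type": "application/json; charset=utf-8",
                  "Docker-Distribution-Api-Version": "registry/2.0"},
                 "{}")
REGISTRY_AUTH = (401,
                 {"Docker-Distribution-Api-Version": "registry/2.0",
                  "Www-Authenticate": 'Bearer realm="https://auth.registry.example/token",service="registry.example"'},
                 '{"errors":[{"code":"UNAUTHORIZED","message":"authentication required"}]}')
NOT_DOCKER = (200, {"Content-Type": "application/json"}, '{"Version": "1.0", "Status": "ok"}')


if __name__ == "__main__":
    print("engine   :", check_docker_engine(*ENGINE_OK))
    print("engine   :", check_docker_engine(*NOT_DOCKER))
    print("registry :", check_docker_registry(*REGISTRY_OPEN))
    print("registry :", check_docker_registry(*REGISTRY_AUTH))
    # Live use (assumed): check_docker_engine(*probe("http://host:2375", "/version"))
```

A plain JSON document that happens to carry a `Version` key (the `NOT_DOCKER` sample) must not trigger the engine check, which is why the classifier requires the full key set rather than a single field.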
Updates
- Improved the scanning of sites using SOAP
- Improved parsing of paths
- TXT import now takes precedence over excluded paths
- Improved the adherence of the scan scope
- Improved the detection of the version of WordPress plugins
- Improved the automatic session pattern detection in the LSR
- LocalStorage / SessionStorage is retained between LSR and Deepscan Sessions
Fixes
- Fixed: Scan scope was not always respected
- Fixed: Technology detected during the scan was not being reported
- Fixed several scanner unexpected termination issues
- Fixed issue causing large PDF reports not to be generated
- Fixed: AcuSensor file data is now filtered more strictly by the scanner