Acunetix Standard & Premium

Updates

• Updated Telerik vulnerability checks
• The Tech Admin user role can now create new Targets
• Renamed acu_phpaspect.php to acusensor.php
• Updated Comprehensive report to indicate Verified vulnerabilities
• Logon Banner now supports multi-line banners

Fixes

• Fixed issue in SlowLoris vulnerability check
• Fixed issue LSR hang caused when closing the LSR immediately after opening it
• Fixed scan hanging issue
• Fixed a couple of issues in the CSV export
• Fixed issue causing incorrect threat level in Comprehensive report
• Fixed false positives in Outdated JS libraries and Insecure Referrer Policy checks
• Fixed UI issue with long target name causing buttons to be hidden
• Fixed issue causing double input schemes
• Fixed crash in scanner
• Fixed issue causing vulnerability count in Dashboard to not always be updated

New Features

• Export Scans to JSON (available as WAF Export option)
• Added context-sensitive help for all pages in the UI. Clicking on the ? icon will open documentation for the specific page

New Vulnerability Checks

• New test for Apache OFBiz XMLRPC Deserialization RCE (CVE-2020-9496)
• New test for No HTTP Redirection
• Numerous tests related to TLS / SSL, including:
  • Added support for 200 new cipher suites, bringing the total number of supported cipher suites to 360
  • New test for TLS/SSL Diffie-Hellman Key Reuse (prerequisite for Raccoon Attack)
  • New test for TLS/SSL LOGJAM attack (CVE-2015-4000)
  • New test for TLS/SSL Sweet32 attack (CVE-2016-2183 and CVE-2016-6329
  • Alert if server offers cipher suites with symmetric encryption key length <128
  • Alert if server offers cipher suites using symmetric encryption algorithms RC2, DES (insecure), IDEA
  • Alert if server offers cipher suites using ANON, NULL, SHA-1 for authentication
  • Alert if server offers cipher suites using MD5 for HMAC
• New vulnerability checks for WordPress plugins and Drupal core

Updates

• Numerous updates to the UI
• Malware scan profile updated to check for Trojans
• Scanner updated to receive newly discovered hosts from vulnerability checks
• Updated Swagger 2 implementation to better cater for nested schemes/objects
• Updated deduplication to better cater for network scans / vulnerabilities
• Adaptive ciphersuite testing, reduces the average SSL/TLS scan duration by 90%

Fixes

• Fixed issue where no data was shown for archived scans
• Fixed some minor issues with default filters
• Fixed issue showing wrong Target count in license page
• Fixed UI issue affecting Custom Scan Profiles
• Fixed Possible Sensitive Files / Folders to use the Case Sensitive Paths setting for the Target
• Fixed issue in Reverse Proxy Detection check

New Features

• Acunetix is now available in Simplified Chinese
• Path Fragments are now shown in the site structure

New Vulnerability Checks

• New check for Insecure Inline Frames
• New check for Remote code execution of user-provided local names in Rails
• New check for SAP NetWeaver RECON auth bypass vulnerability
• New check for H2 console publicly accessible
• New check for PHP version disclosure
• New check for Atlassian JIRA ServiceDesk misconfiguration
• New test for Jolokia XML External Entity (XXE) vulnerability
• New checks for WordPress core, WordPress themes, WordPress plugins, Joomla and Drupal

Updates

• Created and Last Updated dates are available for vulnerabilities
• Order of section in Comparison report updated to be more intuitive
• Target Address is shown in full in the UI
• /users/ endpoint is now available in the API

Fixes

• Fixed issue when exporting vulnerabilities to WAF which contained CVSS3.1
• Fixed issue causing custom user-agent to not be used in all requests during a scan
• Fixed issues causing some vulnerabilities not to be well formatted when sent to JIRA issue tracker
• Fixed issue when adding JIRA Issue Tracker in Acunetix Online
• Fixed issue caused when adding Targets to an existing Target Group
• Minor fix in Comprehensive report text
• Fixed UI issue showing blank list (Scans, Targets etc) when using the browser’s back button
• Fixed issue caused by scanning Targets with complex GraphQL schemas

New Features

• Introduced support for GraphQL
• Introduced support for OAuth2.0
• GraphQL files can be used as Import Files
• New Comprehensive Report, which includes the HTTP Response in the HTML version of the report
• HTTP Response uses syntax highlighting for improved readability
• Scans can now be restricted to paths/locations in import files
• User can choose which columns to show in all the Acunetix lists
• UI saves columns selected for each page / user (applies to Targets, Vulnerabilities, Scans and Reports)
• UI saves number of items to show on each page / user (applies to Targets, Vulnerabilities, Scans and Reports)
• UI saves sorting order for each page / user (applies to Targets, Vulnerabilities, Scans and Reports)

New Vulnerability Checks

• New check for vBulletin 5.6.1 (and earlier) nodeId SQL injection
• New check for Cmd hijack vulnerability
• New check for PHP opcache-gui publicly accessible
• New check for Laravel debug mode enabled
• New check for Laravel Health Monitor publicly accessible
• New check for Laravel Health Horizon publicly accessible
• New check for Laravel Health LogViewer publicly accessible
• New check for Laravel Health Telescope publicly accessible
• New check for Laravel Ignition Reflected Cross-Site Scripting
• New check for Laravel framework weak secret key
• New check for HTML Attribute Injection
• New check for Clockwork PHP dev tool enabled
• New check for PHP Debug Bar enabled
• New check for Broken Link Hijacking
• New checks for Cookie misconfigurations leading to security issues
• New vulnerabilities for WordPress Core, WordPress plugins, Joomla and Drupal

Updates

• Targets with Manual Intervention cannot have a Business Logic Recording
• Changed vulnerability name filter to use search as you type
• Scans will start reporting pages that require HTTP Authentication
• Acunetix UI notifications have been changed as follows:
  • Moved to bottom right of Acunetix UI
  • Stay longer on the page
  • Can be closed by the user
• Increased name length limit of import files to 128 characters
• User can optionally specify the address to be used for Auto-login. This is useful for SSO login pages
• The scanner will try to connect to the address of the target before aborting the scan after 25 consecutive network errors
• Targets can be deleted and replaced on the license anniversary

Fixes

• Fixed: The vulnerability name filter did not always show all vulnerabilities
• Fixed incorrect error handling message when disabling the proxy settings
• Hide Business Logic Recorder for Network Only targets
• Fixed: Acunetix Online was showing an ID as the name of some network vulnerabilities
• Fixed: Acunetix Online was not always showing the HTTP Response for some vulnerabilities
• Fixed: Acunetix Online was not showing the number of licensed Targets
• Fixed issue causing paths of ignored files to be ignored too
• Fixed LSR issue on Safari browser
• Fixed issue caused when the LSR and BLR are used on certain sites
• Various minor fixes to the UI
• Fixed false positives in over 25 vulnerability checks

New Features

• Business Logic Recorder – used to record logic used in multi-step forms
• Export to Citrix WAF
• Support for Azure DevOps Services issue tracker
• CVSS3.1 score for most Acunetix vulnerabilities
• Targets can now be exported to CSV
• New Graph in Dashboard showing Average vulnerabilities per Target

New Vulnerability Checks

• New check for Server-Side Template Injection (SSTI) in ASP.NET Razor
• New check for Oracle BI AMF Deserialization RCE (CVE-2020-2950)
• New check for Possible Cross Site Scripting via jquery.htmlPrefilter() (CVE-2020-11023)
• New check for Stored XSS in WP theme Onetone (CVE-2019-17230 and CVE-2019-17231)
• Updated detection of phpinfo pages
• New checks in WordPress Core and WordPress plugins
• New checks for default credentials in over 65 web applications

Updates

• Manual Intervention (used for CAPTCHAs, OTP etc) is now using the integrated (web-based) LSR
• As a result of the previous update, Manual Intervention is now available on Linux
• Improved error reporting for network scans aborted due to network errors
• Vulnerability alerts updated to show important information at the top
• Updated Github issue tracker to support Personal Access Token (PAT) authentication
• Improved reporting of Paused scans in the UI
• Improved UI message user triggers a scan which is not allowed due to Manual Intervention
• API documentation can now be downloaded from within the Acunetix UI
• Added support for popup windows in the Login Sequence Recorder
• Improved handling of large import files
• Improved handling large requests / responses generated from import files
• Decreased false positives reported for Possible username or password disclosure
• Truncated large vulnerability alerts when sending to Jira issue tracker

Fixes

• Fixed incorrect from email address used for monthly update emails
• Fixed AcuMonitor UI notification to link to corresponding vulnerability
• Fixed issue causing vulnerability checks to not be able to send empty values
• Fixed a number of crashes
• Fixed issue causing ASP.NET sites to be processed as ASP sites
• Fixed 2 issues caused when using Swagger import files
• Improved handling of txt import files using incorrect import format
• Fixed Session Fixation false positive
• Fixed UI issue when configuring Custom Cookies
• Trend charts where not being updated for user accounts
• Fixed issue in excluded hours
• Fixed “Client Certificate Not Set” message incorrectly being reported