Acunetix Standard & Premium

New Features

• New Acunetix web UI
• Improved Network Scanner integration
• Malware Detection using Windows Defender on Windows and ClamAv on Linux
• Smart Scan
• New scanning algorithm prioritises scanning tasks and reduces scanning time
• Proof of exploit is reported in the vulnerability alerts
• Incremental Scans
• Vulnerability Confidence Rating for web vulnerabilities
• New GitLab Issue Tracker Integration
• New Bugzilla Issue Tracker Integration
• New Mantis Issue Tracker Integration
• Ability to create Login Sequence from Selenium script
• New WADL import file
• New ASP.NET Webforms import file
• New Postman import file
• New Paros import file
• Ability to create custom checks
• Highlighting of vulnerability in HTTP response
• DeepScan provides better support for Angular 2, Vue and React JavaScript Frameworks
• Unlimited network scanning for Acunetix Premium customers
• Account Session Timeout settings
• Account Maximum Consecutive Login Failure settings

New Vulnerability Checks

• New check for publicly accessible Bitrix server test script
• New check for publicly accessible NGINX+ dashboard
• New check for unrestricted access to NGINX+ API endpoints
• New check for outdated TLS version
• New check for Citrix Netscaler Unauthenticated Remote Code Execution (CVE-2019-19781)
• New check for Kentico CMS Deserialization RCE
• New check for Cross site scripting via Bootstrap
• New check for Django weak secret key
• New check for Oracle Weblogic T3 XXE (CVE-2019-2888)
• New check for leakage of API keys
• New check for JWT weak secret key
• New check for JWT none algorithm
• New check for publicly exposed .NET HTTP Remoting
• New check for .NET BinaryFormatter Object Deseralization vulnerabilities
• New check for Apache Solr Parameter Injection
• New check for Ruby framework weak secret key
• New check for Tornado weak secret key
• New check for BottlePy weak secret key
• New WordPress Core and plugin vulnerability checks
• New Joomla Core vulnerability checks
• New Drupal Core vulnerability checks

Updates

• Improved memory consumption for the scanner
• PDF reports now have page numbers
• Generic User-agent will be used for communication with issue trackers
• All lists in Acunetix UI can be sorted
• Easier filtering options in the Acunetix UI
• Settings can now be accessed from the side-bar
• Links discovered by AcuSensor are given more prominence
• Improved processing of XML and JSON POST input schemes
• Scanner will try to replay the LSR playback actions a number of times before failing
• Improved Auto-Login
• Multiple updates in the Login Sequence Recorder
• Developer report updated to include Source file, line number and other details provided by AcuSensor
• Acunetix now supports scanning domains with international characters
• Increase page size limit to 20Mb in scanner and LSR
• Improved detection of Possible Sensitive Files
• Improved detection of email addresses
• Improved detection of Command Injection
• Improved detection of database backup files
• Improved detection of XXE

Fixes

• Fixed issue in Developer report showing incorrect parameter name for detected vulnerabilities
• Fixed: “Tester” user role will not be able to create reports
• upgrades on Linux were not removing all files from previous installation
• Fixed issue with Manual Intervention
• Fixed: Session cookies where not always collected by LSR
• Fixed: Incorrect processing of URLs with “{” character
• Fixed a number of crashes in scanner
• Fixed issue causing scanner proxy to unintentionally transform parts of the HTTP request
• Fixed false positive in the detection of Apache Tomcat Remote Code Execution
• Fixed issues causing some links not to be properly imported by the importer
• Fixed issue with license activation when proxy and authentication is used
• Fixed issue causing session to get lost when Deepscan is used

New Features

• Introduced new Scan Type: New Web Vulnerabilities to scan for new vulnerabilities introduced in the latest Acunetix update
• Introduced ad-blocking in the scanner, resulting in faster scans
• Implemented support for Session HTTP headers when logging in to the site
• Introduced custom_settings.xml to configure settings from settings.xml, which are not overwritten on upgrade

New Vulnerability Checks

• New test for insecure Java de-serialization causing RCE in SAP Commerce Cloud (CVE-2019-0344)
• New test for a weak key used to sign a cookie in Yii2
• New test for a weak key used to sign a cookie in Mojolicious
• New test for Webmin 0day remote code execution (CVE-2019-15107)
• Updated WordPress Core and WordPress Plugin vulnerability checks

Updates

• The scan will now report when an invalid Selenium script is used as an import file
• Improved detection of the type of Burp import file being used
• Increased limit on Custom Headers
• Multiple improvements in DeepScan
• The LSR Record button is disabled during Login Action playback
• Acunetix will start reporting login forms when no login credentials are configured
• The tester user will not be able to create or view reports

Fixes

• Fixed: Directory Traversal vulnerabilities were sometimes incorrectly reported as found with AcuSensor
• Fixed: Several broken references in the vulnerability alerts
• Fixed: HTTP Response was not shown in some vulnerability alerts
• Fixed an issue causing DeepScan to take too long to process some locations
• Fix in PHP Hash Collision DOS vulnerability check
• Fixed: Integrated LSR was not working on IE11
• Fixed: Selenium script playback fails for some scripts
• Fixed: Session Detection fails if session pattern spans multiple lines
• Fixed: LSR keeps showing the spinner on some pages
• Fixed: LSR Session pattern was not always saved when detected using the navigation
• Fixed: LSR Session pattern check might fail for in body / not in body patterns
• Fixed: On some systems, Chromium processes cannot be terminated when generating PDF reports
• Fixed: Passwords were recoverable from the UI
• Better handling of HTTP timeouts by vulnerability checks

New Vulnerability Checks

• New test for Joomla! Core CSV Injection vulnerability check [CVE-2019-12765]
• New test for Joomla! Core XSS vulnerability check (CVE-2019-12766)
• New test for Joomla! Core Security bypass (CVE-2019-12764)
• New test for Oracle Weblogic XXE (CVE-2019-2647)
• Added the detection of CDNs
• Added the detection of reverse proxies

Updates

• Auto-Login is now using the LSR functionality – this will improve auto-login in general
• Improved detection of DOM XSS
• Improved handling of invalid Selenium scripts
• Improved handling of email addresses fields in web forms
• Improved parsing of WSDL files
• Implemented support for Proxy-Authenticate header
• Improved crawling of Spring-based web applications
• Updated LSR to automatically dismiss modal dialogs during playback
• Reduced false positives in checks looking for sensitive and backup files
• Reduced false positives in SSN number detection
• Reduced false positives in XSS in URIs
• Improved the detection of WAFs
• LSR can now record actions within <iframe> elements
• Jira Issue Tracker integration now supports HTTP Authentication with API key

Fixes

• Fixed a crash when parsing SOAP messages
• Fixed issue in interpretation of some Selenium scripts
• Fixed a number of broken links in the Vulnerability Alerts
• Autologin was recording the password in the log file
• Fixed crash caused when reading specific swagger files
• Fixed crash caused when reading specific large files
• Fixed issue causing the scanner to go into a loop
• Fixed issue causing crawler to not interpret correctly certain locations in JavaScript
• Fixed issue in Manual Intervention
• Fixed issue affecting sites using euc-kr encoding
• Fixed Chromium issue caused when window.chrome is used by the site
• Fixed issue causing Chromium not to load on Kali Linux
• Fixed LSR playback issue caused when input field contained predefined text
• SRI not implemented was being reported multiple times per host

New Vulnerability Checks

• Test for Remote code execution in bootstrap-sass 3.2.0.3 (CVE-2019-10842)
• Test for Magento (2.2.0 to 2.3.0) Unauthenticated SQL Injection Vulnerability

Updates

• Minor update improving efficiency of PerFolder checks
• LSR: Disabled spellcheck for fields loaded
• Deepscan: Improved exclusion of clicks on logout elements
• LSR: clicks on some SVG elements where not being recorded
• LSR: Session Pattern Detection now uses session headers provided by webapp

Fixes

• Fixed 2 issues causing the scanner to stop unexpectedly
• Scan progress was not always correctly saved when scan is paused
• Session Pattern Detection was not always using the session headers provided by the webapp

New Vulnerability Checks

• Test for Drupal REST Remote Code Execution (CVE-2019-6340)
• Tests for vBulletin 5 routestring Local File Inclusion Vulnerability
• Tests for ThinkPHP v5.0.22/5.1.29 Remote Code Execution Vulnerability
• Tests for uWSGI Unauthorized Access Vulnerability
• Tests for FastGI Unauthorized Access Vulnerability
• Test for Typo3 Restler 1.7.0 Local File Disclosure
• A number of new vulnerability checks for WordPress Core and Plugins and Drupal Core

Updates

• Update Source Code Disclosure checks to prevent False Positives
• Unused paths are filtered out from AcuSensor data

Fixes

• Fixed false positive in Expression Language Injection vulnerability check
• Fixed issue in LSR / Deepscan when processing scripts overriding toJSON on Object