Acunetix Standard & Premium

New Security Checks

• Added SAML-related security checks.
• New security checks for Adobe ColdFusion affected by Deserialization RCE vulnerability. CVE-2023-26359/CVE-2023-26360
• New security checks for GraphQL.
• New checks for Joomla vulnerabilities.

Improvements

• Updated the embedded Chromium browser to v109.0.5414.141 for Windows and 112.0.5615.165 for Linux.
• Improved the Business Logic Recorder to work with autocomplete fields.
• Updated .NET IAST AcuSensor to avoid reporting false positives for default server misconfiguration.
• Improved .NET IAST AcuSensor for reporting vulnerable packages.
• Added support for file upload to the Login Sequence Recorder and Business Logic Recorder.
• Improved response handling.
• Various DeepScan Improvements.
• Improved the coverage of development file exposure check.
• Updated the Software Composition Analysis (SCA) database.
• Updated the WordPress plugin vulnerabilities.

Fixes

• Various fixes in the scanner to lower memory usage.

New feature

• .NET Core AcuSensor now supports installing on Linux. Note: When upgrading, please use the new .NET IAST AcuSensor Installation Instructions.

Security checks

• Improved the Server-side prototype pollution check.
• Updated the WordPress plugin vulnerabilities.
• Updated the software composition analysis database.

Improvements

• Added sitemap parser to better handle the sitemap files.
• Improved the user interface to remove the hyperlink for websites that users do not have permission to.
• Improved scanner to identify XSS in forms where these forms are protected with a CSRF token that is changing each time the page is refreshed.
• Increased limit for data exchanged between IAST AcuSensors and the Acunetix engine.
• Improved the token validator for new Jira tokens.

Fixes

• Fixed the OpenVAS service on Acunetix Premium Online to avoid the scan queue.
• Fixed bug causing some vulnerability checks to not execute on scans which are paused and resumed.
• Fixed issue with the request header limit for Github/Gitlab issue trackers.
• Fixed the issue of sending issues to Bugzilla.
• Fixed the bug that threw an internal server exception when a system admin tries to add a new user.
• Fixed the UI bug that appeared when the target is network.
• Fixed the issue that rejected locations and schemes are still being scanned.
• Fixed the issue with the corrupted links that are sent via email after the scan.
• Fixed the password reset issue.
• Fixed possible false positive misconfiguration “ASP.NET expired session IDs are not regenerated”

New features

• Improved the default roles.

New security checks

• Updated the WordPress plugin vulnerabilities.
• Updated the software composition analysis database.
• New security check for detection of ASP.NET core in the development mode.
• Added various checks for Content Security Policy misconfiguration.
• New security check for Oracle Web Applications Desktop Integrator unauthenticated takeover. (CVE-2022-21587)
• New security check for Deserialization RCE vulnerability in Oracle Access Manager OpenSSO Agent. (CVE-2021-35587)
• Updated the file extensions and parameter exclusions.
• New security check for F5 BIG-IP Cookie Remote Information Disclosure.
• New security check detecting retired hash functions usage in SAML.
• Improved the SQL injection check to identify whether the database user has admin privileges.

Improvements

• Added the Heuristic server-side routing detection to optimize attacks.
• Updated the embedded Chromium browser to v109.0.5414.119.
• Added the company name field to the registration process to Acunetix.
• Updated the issue tracker integrations to show the link to the relevant ticket created in those issue trackers.
• Updated the DISA STIG report to version 5.2.
• Improved the CSV importing link to limit the target limit to 500.
• Improved the scanner engine to reduce the memory footprint.
• Improved the .NET IAST sensor to mask any password.

Fixes

• Fixed the pagination bug on the Targets page.
• Fixed the crawler issue that the page becomes unresponsive when it contains many elements.
• Fixed the single-page application crawler to be consistent in the form submission.
• Fixed a notification bug that does not redirect users to the correct URL for the finished scan.
• Fixed the bug that does not refresh the user interface after the update.

New security checks

• Added SAML anonymous assertion consumer service audit for XML external entity injection, XSLT, Server-side request forgery, and Cross-site scripting.
• Added a SAML signature audit to test attacks on signature verification.
• Added various checks for Content Security Policy misconfiguration.
• New security check for ASP.NET core development mode.
• Updated the WordPress core vulnerabilities.
• Updated the WordPress plugin vulnerabilities.

Improvements

• Updated .NET IAST Sensor to detect a number of server-side configuration problems which may result in a security vulnerability.
• Improved the JSON payload tests.
• Updated JWT secrets dictionary.

Fixes

• Fixed a bug in the PHP IAST sensor when reporting arrays to the scanner.
• Fixed the scan summary page that failed to show some of the results.
• Fixed issues in the UI Notifications causing them to be unactionable.
• Fixed a problem that caused the LSR to show the mobile version for some sites incorrectly.
• Fixed .NET sensor issue that returns the root applications (website’s root) files although the sensor is enabled for sub-application.
• Fixed the version information shown on the user interface after the update.
• Fixed the routing issue for .NET Framework ASP.NET Web API because of compatibility issues.
• Improved the login sequence recorder notification that informs users when the response max size limit is exceeded.
• Fixed issue with pagination on the vulnerabilities page.
• Fixed the crawler issue that the page becomes unresponsive when it contains many elements.

New features

• New navigation menu for a better user experience.
• Notification updates are shown for the last 30 days

New vulnerability checks

• New check for Swagger UI DOM XSS vulnerability.
• New test for Fortinet Authentication bypass on the administrative interface (CVE-2022-40684).
• New test for Insecure usage of Version 1 UUID/GUID.
• New test for Text4shell: Apache Commons Text RCE via insecure interpolation (CVE-2022-42889).
• New test for OpenSSL X.509 Email Address Buffer Overflows (CVE-2022-3786).
• Updated test for Open Monitoring Interfaces.
• Updated the software composition analysis database.
• Updated the WordPress plugin vulnerabilities.

Updates

• Updated the embedded Chromium browser to v107.0.5304.87/88.
• Updated how scans reaching max scan time are displayed in UI.
• Updated Issue Tracker UI to accept internal URLs.
• Improved Log4J checks to reduce false positives.

Fixes

• Fixed the issue causing the IAST bridge to fail to send responses to the sensor when large packets are received from the sensor.
• Added loopback routes that returned ‘undefined’ as an HTTP method.
• Added the keep connection alive message between AcuSensor and the web application scanner to keep the connection alive.