
Acunetix Section

Latest News from Acunetix

Latest News
  • Release date: 2021-06-17
    Version 14 build 14.3.210615184 for Windows, Linux and macOS 

    A new Acunetix update has been released for Windows, Linux, and macOS: 14.3.210615184.
    This Acunetix release introduces software composition analysis (SCA) functionality, allowing customers to detect vulnerable open-source libraries used by the web application. It also provides multiple updates, including a revised PCI DSS compliance report, numerous improvements to the Acunetix UI, and a modernized .NET AcuSensor (IAST). We have also added several important vulnerability checks for well-known applications and we have made numerous updates and fixes, all of which are available for all editions of Acunetix.
    New features
    • New SCA (software composition analysis) functionality for PHP, JAVA, Node.js, and .NET web applications.
       Acunetix will report vulnerable libraries used by the web application when AcuSensor is used.
    New vulnerability checks
    • New check for SSRF via logo_uri in MITREid Connect (CVE-2021-26715)
    • New check for Oracle E-Business Suite information disclosure
    • New check for unauthorized access to a web app installer
    • New check for SAML consumer service XML entity injection (XXE)
    • New check for Grav CMS unauthenticated RCE (CVE-2021-21425)
    • New check for Outsystems upload widget arbitrary file uploading (RPD-4310)
    • New check for Django debug toolbar
    • New check for Joomla debug console enabled
    • New check for Joomla J!Dump extension enabled
    • New check for request smuggling
    • New check for unrestricted access to Caddy API interface
    • New check for Pyramid framework weak secret key
    • New check for Apache Tapestry unauthenticated RCE (CVE-2019-0195 and CVE-2021-27850)
    • New check for unrestricted access to Spring Eureka dashboard
    • New check for unrestricted access to Yahei PHP Probe
    • New check for unrestricted access to Envoy dashboard
    • New check for unrestricted access to Traefik2 dashboard
    • New check for Dragonfly arbitrary file read/write (CVE-2021-33564)
    • New check for Oracle E-Business Suite frame injection (CVE-2017-3528)
    • New check for Gitlab CI Lint SSRF
    • New check for GitLab open user registration
    • New check for GitLab user disclosure via GraphQL
    Updates
    • Updated .NET AcuSensor
    • .NET AcuSensor can now be deployed from CLI
    • User is notified when imported URLs are out of scope
    • Scan events are not shown in JSON anymore
    • New column for continuous scanning on the Targets page
    • New filter on the Targets page to easily identify targets with debugging enabled
    • The Vulnerabilities page shows if the vulnerability was detected by a web or network scan
    • Merged Add Target and Add Targets options in UI
    • Custom field, labels, and tags can be configured for issue trackers
    • Platform admin can now unlock locked accounts
    • New column in CSV export showing details in text only
    • Updated the way that AcuSensor token can be updated in the target settings
    • PCI DSS compliance report updated to PCI DSS 3.2.1
    • Compliance reports updated to make use of the Comprehensive report template
    • Browser dev tools can be used when LSR is started from CLI
    • Updated XFO check
    • Multiple UI updates
    • Improved false positive detection of out-of-band RCE and argument injection vulnerabilities
    • Multiple updates to the Postman import implementation
    • Updated JavaScript library audit to support merged JavaScript files
    Fixes
    • HSTS has been enabled for the AcuSensor bridge
    • The latest Alerts section of Scan results was not updated with AcuMonitor (OOB) vulnerabilities
    • The Fragments option was not clickable in the site structure
    • HSTS Best Practices was sometimes being reported multiple times
    • Fixed HSTS false negative
    • Fixed issue in the detection of Django 3 weak secret
    • Fixed issue causing GitHub labels not to be updated when changing the GitHub issue tracker project
    • Fixed an encoding issue in the Node.js AcuSensor
    • Fixed an issue causing corruption of the target knowledge base
    • Fixed a DeepScan timeout when processing the Prototype JavaScript library
    • Fixed an issue causing the outdated JavaScript libraries check not to report external libraries
    • Fixed an issue in the OAuth password credentials grant

  • Release date: 2021-05-04
    Acunetix introduces Docker support, scan statistics, and the ability to send vulnerabilities to the AWS WAF

    A new Acunetix update has been released for Windows, Linux, and macOS: 14.2.210503151.


    This Acunetix update introduces Docker support, a new Scan Statistics page that is shown for each scan, and the ability to send vulnerability information to the AWS WAF. Customers sending vulnerabilities to their issue tracker can now manage such vulnerabilities better because the Acunetix UI will start showing the issue tracker ID. In addition, issue trackers can now be restricted to specific target groups allowing specific users the ability to send vulnerability information to specific issue trackers. This update includes a number of important vulnerability checks for well-known applications, as well as numerous updates and fixes, all of which are available for all editions of Acunetix.

    New features
    • Acunetix is now available on Docker
    • New Scan Statistics page for each scan
    • Vulnerability information can now be sent to the AWS WAF
    New vulnerability checks
    • New check for Hashicorp Consul API is accessible without authentication
    • Multiple new checks for unrestricted access to a monitoring system
    • Improvements to JavaScript library audit checks
    • New check for Cisco RV series authentication bypass (CVE-2021-1472)
    • New check for ntopng authentication bypass (CVE-2021-28073)
    • New check for Agentejo Cockpit CMS reset password NoSQLi (CVE-2020-35847)
    • New check for AppWeb authentication bypass (CVE-2018-8715)
    • New check for Apache OFBiz SOAPService deserialization RCE (CVE-2021-26295)
    • New check for F5 iControl REST unauthenticated remote command execution vulnerability (CVE-2021-22986)
    • New check for Python debugger unauthorized access vulnerability
    • New check for virtual host locations misconfiguration
    • New check for request smuggling
    Updates
    • You can now select full rows and columns on the Excluded Hours page
    • Updated UI with new Acunetix branding
    • The issue tracker ID will be shown for vulnerabilities sent to any issue tracker
    • Issue trackers can now be restricted to a specific target group
    • The target description will be sent to the issue trackers
    • Updated Jira integration to support Jira version 9
    • Multiple updates to the JAVA AcuSensor
    • The scanning engine will now test cookies on pages that do not have any inputs
    • The scanner will stop testing cookies that have been found to be vulnerable
    • Where possible, DOM XSS vulnerabilities will show the code snippet of the vulnerable JavaScript call
    • CSV export will now show the target address
    • The maximum size for a custom cookie configured for a target has been increased to 4096 characters
    • New date filter on the Vulnerabilities page
    • Vulnerability severity now shows text in addition to a color-coded icon
    • Multiple updates to the LSR
    • Added support for the BaseUrl / global variables in Postman import files
    Fixes
    • Fixed extra CR in target CSV export
    • Fixed DeepScan crash
    • Fixed: Discovery options are only shown to users with Access All Targets permission
    • Fixed: Existing user’s details shown when adding a new user
    • Fixed a scanner crash
    • Fixed: Blind XSS check is now part of the XSS scanning profile
    • Fixed: AcuMonitor checks were not performed when scan was done using an engine-only installation
    • Fixed an issue causing AcuMonitor not to be registered when using an authenticated proxy
    • Fixed an issue when loading vulnerabilities for a target group
    • Fixed an issue with the Postman importer
    • Fixed a sporadic issue when checking for new Acunetix updates on macOS
    • Fixed an issue in the WP XMLRPC pingback check

  • Release date: 2021-03-17
    Acunetix Upgrading from V13 to V14

    Acunetix Online
    All backend maintenance for Acunetix Online is taken care of by Acunetix.
    There is nothing you need to do for this, and the new version will be deployed
    to the Acunetix Online platform automatically in due course.
    Acunetix Standard & Premium - Windows
    Main Installation

    By default, Acunetix is configured to auto-update, and you would therefore not need to do anything else.
    If you have disabled this functionality, you can perform the upgrade as follows:
    • Go to the "About" page.
    • Click the "Check for Updates" button; this will show that a new build is available.
    • Click the "Update" link; this will trigger the update process. During the update process, the Acunetix UI will not be available.
    • After a few minutes, go back to the "About" page and refresh the page.

    The update process is complete, and the new version number will be displayed.
    Engine-Only Installation
    The engine-only installation must be performed manually. Copy the Acunetix installation to the machine.
    • From the command prompt, run the installation with the /engineonly switch.
    • This will start the installation of the Acunetix Scanning Engine.
    • Proceed with the installation. The "Allow remote access to Acunetix" option will be enabled automatically, and the Server Name will be prepopulated with the information used during the first install; these settings do not need to be adjusted.
    • Proceed and finish the installation.
    • You can check the status and version number of the Engine-Only installation from the Engines page of the Main machine.


    Acunetix Standard & Premium - Linux
    Main Installation

    To upgrade the main installation:
    • Download the latest Linux version of Acunetix from the download location provided when you purchased the license.
    • Open a Terminal window.
    • Use chmod to add executable permissions on the installation file, e.g. chmod +x acunetix_14.1.210316098_x64.sh
    • Run the installation, e.g. sudo ./acunetix_14.1.210316098_x64.sh
    • Accept the license agreement.
    • At the upgrade prompt, enter "y" to proceed with the upgrade.
    • When the upgrade is complete, the "About" page will show the new version number.


    Engine-Only Installation
    To upgrade the engine-only installation:
    • Download the latest Linux version of Acunetix from the download location provided when you purchased the license.
    • Open a Terminal window.
    • Use chmod to add executable permissions on the installation file, e.g. chmod +x acunetix_14.1.210316098_x64.sh
    • Run the installation in Engine-Only mode, e.g. sudo ./acunetix_14.1.210316098_x64.sh --engineonly
    • Accept the license agreement.
    • At the upgrade prompt, enter "y" to proceed with the upgrade.
    • When the upgrade is complete, you can check the status and version number of the Engine-Only installation from the "Engines" page of the Main machine.


    Acunetix Standard & Premium - macOS
    To upgrade the installation:
    • Download the latest macOS version of Acunetix from the download location provided when you purchased the license.
    • Double-click the installation PKG file to launch the Acunetix installation wizard, and click "Continue" when prompted.
    • Review and accept the License Agreement.
    • You may be prompted for your macOS password to complete parts of the upgrade.
    • Setup will now copy all files and updates for the Acunetix services; when the installation is completed, the "Continue" button will become enabled in the installer.
    • Click "Close" to exit the installer.
    • When the upgrade is complete, the "About" page will show the new version number.
