February 3, 2010 – 6:53 pm | No Comment

An updated build of Acunetix WVS Version 6.5 has been released with a number of new security checks, improvements and bug fixes.
New security checks:

8.3 DOS filename source code disclosure
Apache Tomcat Directory Host Appbase authentication bypass …

Read the full story »
releases

Acunetix Web Vulnerability Scanner Product Releases

acunetix how to

Technical tips and videos about Acunetix WVS and Web Security

news

Acunetix Company and Web Security news, & Press Releases

events

Acunetix Webinars and Training around the world

web security zone

Everything you need to know about Web Security

news »

Latest Comparison Report from Larry Suto
February 8, 2010 – 5:43 pm | 10 Comments

Last week, Larry Suto published a report entitled “Accuracy and Time Costs of Web Application Security Scanner Report”.  I’ve started to investigate in detail the results from this report. And I’ve found a list of inaccuracies.  Here is a direct quote from his paper:

Methodology

In order to cover as many bases as possible it was decided to run each scanner in two ways:

1. Point and Shoot (PaS): This includes nothing more than run default scanning options and provide credentials if the scanner supported it and the site used any.

2. Trained: This includes any configurations, macros, scripts or other training determined to be required to get the best possible results. As needed help was requested from the vendors or from acquaintances with expertise in each scanner to make sure that each was given all possible opportunity to get its best possible results.

Therefore he’s defining two modes; Point and Shoot and Trained. In the Point and Shoot mode he’s supposed to use the default scanning options AND provide credentials if the scanner supported it.

Read the full story »

Bookmark and Share
Can I scan a website that uses URL rewrite without specifying URL rewrite rules in Acunetix WVS?
February 3, 2010 – 7:21 pm | No Comment

Although it is not a suggested operation, yes, you can still scan a website which has URL rewrite enabled without specifying any URL rewrite rules in Acunetix Web Vulnerability Scanner.  Unlike other scanners, Acunetix WVS …

Acunetix WVS Version 6.5 build 20100203 released
February 3, 2010 – 6:53 pm | No Comment

An updated build of Acunetix WVS Version 6.5 has been released with a number of new security checks, improvements and bug fixes.
New security checks:

8.3 DOS filename source code disclosure
Apache Tomcat Directory Host Appbase authentication bypass …

e107 CMS system website compromised
January 27, 2010 – 5:19 pm | 4 Comments

As part of my job here at Acunetix, from time to time I analyze source code looking for security problems. Using this information I adjust Acunetix WVS to detect these problems automatically (when it’s possible).
Monday, …

Security is hard
January 22, 2010 – 3:29 pm | No Comment

The year debuted with ‘Operation Aurora‘: Google and over 30 other companies were hit by a spear phishing attack which resulted in theft of intellectual property from Google and probably other companies. Spear phishing is a targeted …

Looking past layer 7
January 19, 2010 – 8:01 pm | No Comment

When it comes to Web security why is it we always seem to focus on layer 7 only? Sure, it can be argued that XSS, SQL injection, flawed application logic and so on are the …

Statistics from the top 1,000,000 websites
January 12, 2010 – 2:00 pm | 5 Comments

The next version of Acunetix Web Vulnerability Scanner (version 7), will contain a much more improved HTTP stack.   While testing, we wanted to test the new HTTP stack on as many sites as possible to …

Acunetix WVS Version 6.5 build 20100111 released
January 11, 2010 – 7:35 pm | No Comment

An updated build of Acunetix WVS Version 6.5 has been released with a number of new security checks and bug fixes.

New security checks:

Test for File Upload IIS bug filename.asp;.jpg
Test for WP-Forum 2.3 vulnerabilities
JBoss rmi ping …

Acunetix WVS Version 6.5 build 20091215 released
December 16, 2009 – 4:52 am | 3 Comments

An updated build for Acunetix WVS Version 6.5 has been released with a number of improvements, bug fixes, and a number of new security checks.
New security checks:

JBoss BSHDeployer MBean
JBoss checks from RedTeam’s paper
JBoss HttpAdaptor JMXInvokerServlet
JBoss …

AcuSensor, curl and Zen Cart
December 9, 2009 – 7:10 pm | 7 Comments

Recently we’ve released a new build, build number 20091124. This build includes a new AcuSensor check named “curl_exec() url is controlled by user”. This new check will verify if the user can control the URL passed to curl_exec.
In …

Changes coming to the OWASP Top 10 in 2010
December 3, 2009 – 8:24 pm | 8 Comments

In the spirit of improving Web application security worldwide the folks at OWASP have released the OWASP Top 10 2010 “release candidate”. It’s currently open for comments and scheduled for final release the first quarter …