Acunetix Web Vulnerability Scanner version 9, build 20131216 includes a new compliance report to cover the latest version of the PCI DSS Regulations. In addition, this new build checks for several vulnerabilities in various systems including Ruby on Rails, Zend Framework, Nginx and WordPress.
- Added a new Compliance Report Template for PCI 3.0
- Added support for HTML5 button of type submit (which acts as an HTML input of type submit).
- Added a test for Ruby on Rails CookieStore Session Cookie Persistence vulnerability
- Added a test for Umbraco CMS TemplateService Remote Code Execution vulnearbilities
- Added a test for WordPress OptimizePress unrestricted file upload
- Added application detection profile for Nagios.
- Added a test for Nagios Core Config Manager SQLi vulnerability
- Added a test for Zend Framework application.ini Information Disclosure
- Added a test for a XSS vulnerability in clipboard.swf used in WordPress SyntaxHighlighter Evolved Plugin.
- Added tests for multiple vulnerabilities in Oracle JavaServer Faces
- Added a test for Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution.
- Added a test for Insecure Flash embed parameter (AllowScriptAccess).
- Added a test for Nginx memory disclosure vulnerability
- Added filename (from file uploads) as an input scheme for a number of tests (XSS, Directory Traversal, SQL Injection, XXE Injection and others)
- Implemented a test looking for Java Authentication and Authorization Service (JAAS) authentication bypass (when using a security-constrain section with http-method definitions).
- Implemented a test looking for Ruby on Rails weak/known secret tokens.
- Now it’s possible to read cookie information from scripting (getCookies function).
- Added a new console parameter /Timestamps to print the current timestamp with each console output line.
- Improved test for WordPress OptimizePress Theme file upload vulnerability.
- The scanner will now indicate that a scan can take long time to complete, allowing the user to tweak the scan settings if needed.
- Various improvements to the Login Sequence Recorder
- Improved the test looking for possible form caching (look for missing “pragma: no-cache” header).
- It is now possible to use multiple input values for HTML inputs using the format: $(choice1,choice2). These can be configured from Configuration > Scan Settings > Input Fields.
- Speed improvements gained by streamlining the number of requests performed by some checks.
- Better handling of some uncommon HTTP status codes.
- The user-agent of the Login Sequence Recorder can now be configured to use the one configured in WVS (by default, it uses Internet Explorer)
- Directory Traversal script now provides better handling of Java Web Applications.
- Improved the calculation of the average response time during a scan
- Sites with a high response time were showing incorrect scan statistics.
- Fixed rewrite detection on nginx servers with phpfastcgi.
- Fixed some false positives in SQL Statement in comment.
- Better handling of very long VIEWSTATE strings.
- Improved handling of Windows based websites by providing better support for case insensitive filesystems
- Scan from HTTP Proxy log entry was not working correctly
- Fixed a crash caused by specific characters in the URL Encoded Post Data
- Fixed a false positive in Script_Source_Code_Disclosure.script
- Fixed some false positives in error messages.
- Web Services: fixed Out of Bounds error when importing invalid WSDLs.
How to Upgrade
If you are running Acunetix WVS 8, you should follow the upgrade instructions available in the “Upgrading from a previous version of Acunetix Web Vulnerability Scanner” in the Acunetix WVS user manual.
If you are running Acunetix WVS v9, you will be notified that a new build is available to download when you start Acunetix WVS. Navigate to the General > Program Updates node in the Tools explorer, click on Download and Install the new build.