Acunetix WVS Build History

Build v7.0.20100902 - 2nd September 2010

New Features:

  • Added the option to mark a whole group or node alerts as false positive via right click 

Bug fixes:  

  • Problems with proxy authentication didn't allow proxy users to run scans
  • Mark Alert as false positive was not working properly in some cases

 

Build v7.0.20100901 - 1st September 2010 - NEW VERSION  

New Features:

  • New scanning engine - faster and reports more vulnerabilities
  • New vulnerability verifying techniques to reduce false positives
  • New site crawler - ability to crawl a wider range of websites and find more parameters
  • Scriptable Vulnerabilities - now vulnerability checks are written in JavaScript
  • Ability to analyse website presentation layer to better understand website parameters' functions
  • Graphical Scan status interface presents you with more scan information
  • Re-scan single vulnerability to avoid launching repetitive scans to verify fixes
  • Support for HTTP Keep-alive
  • DNS Caching to reduce multiple DNS requests
  • Ability to control delay between requests
  • HTTP authentication settings node - support for granular specifications of HTTP credentials
  • Support for digest HTTP authentication mechanism
  • AcuSensor Technology test button to quickly verify installation of remote AcuSensor agent
  • Different variants of the same vulnerability are consolidated under one alert node
  • Ability to specify label or tag instead of actual website parameter name in Input Fields node
  • Option to automatically randomize input for parameters specific in Input Fields node

New security checks:  

  • Test for SQL Injection in URI
  • Stored SQL injection
  • Stored file inclusion
  • Stored directory traversal
  • Stored code execution
  • Stored file tampering
  • A whole new set of more advanced WebDav auditing checks
  • Automated form based authentication auditing checks (e.g. check if credentials can be brute forced)

Major Improvements:

  • Consumes less bandwidth
  • Improved network traffic handling
  • HTTP authentication is now shared between all penetration testing tools
  • Improved HTTP Snifffer / Manual crawling process
  • Improved support for Web 2.0 requests and responses e.g. JSON, XML etc
  • Support for a wider variety of content-types
  • Improved Web 2.0 session management support
  • Imrpoved XSS (Cross-site scripting) security checks and detection rate
  • Added a number of new and improved existing web server security auditing techniques
  • Improved file upload security checks
  • Improved DNS auditing scripts
Build v6.5.20100616 - 16th June 2010

Change:

  • All vulnerabiliy checks which used http://*.acunetix.com test websites, now are using to http://*.vulnweb.com

Build v6.5.20100601 - 19th April 2010

New Feature:

  • Added OWASP top 10 2010 report template

Bug Fix:

  • Fixed: Proxy crashes when processing some specific SSL traffic  
Build v6.5.20100419 - 19th April 2010

Bug Fix:

  • Fixed: Access violation when the application exits

 

Build v6.5.20100407 - 7th April 2010

Bug Fixes:

  • Fixed: Login Sequence Recorder was not using client certificates when recording a login sequence
  • Fixed: Login Sequence Recorder was not using the configured User Agent string
  • Fixed: HTTP Sniffer was not handling some specific web authentication properly
Build v6.5.20100303 - 3rd March 2010

New feature:

  • Added a new option to export results to HTTP Fuzzer

New Security Checks:

  • Test for XML External Entity Injection
  • Test for XML Injection

Improvements:

  • Improved directory traversal vulnerability check
  • Improved Cross-site Scripting (XSS) vulnerability checks

Bug Fixes:

  • Fixed: access violation when the application exists
  • Fixed: access violation when protocol was terminated in NotifyCaller function in LSR
  • Fixed: AbortVulnXML OnFirstAlert was not imported from settings
  • Fixed: Form values were not encoded correctly when submitted from JavaScript (CSA engine)
Build v6.5.20100210 - 10th February 2010

New security check:

  • Test for Cross Site Scripting in the Referrer header

Improvement:

  • Acunetix Firefox extension now supports latest Firefox release

Bug Fixes:

  • Crawler: Html decode form inputs before usage
  • Fixed an infinite recursion when crawler reported an external link from the same host but on a different port
  • Fixed an issue with the crawler with parsing robots.txt file
  • Web Services scanner: Fixed parsing of WSDL files with attributes
Build v6.5.20100203 - 3rd February 2010

New security checks:

  • 8.3 DOS filename source code disclosure
  • Apache Tomcat Directory Host Appbase authentication bypass vulnerability
  • Apache Tomcat WAR File directory traversal vulnerability
  • Apache stronghold-info enabled
  • Apache stronghold-status enabled
  • ColdFusion 9 Solr Service exposed
  • Error page path disclosure
  • Error page web server version disclosure
  • File inclusion RFI list
  • Checks for multiple vulnerabilities in XAMPP
  • Server-Side Includes (SSI) injection on Unix
  • Server-Side Includes (SSI) injection on Windows
  • ASP.NET error messages when requesting URL like |.aspx

Improvements:

  • Added more variants to FCKeditor arbitrary file upload
  • Updated cross site scripting in path security checks
  • Updated directory listing security checks
  • Updated directory traversal on Unix security checks
  • Updated file upload security checks
  • Updated LDAP injection security checks
  • Updated possible sensitive files security checks
  • Updated XPath injection security checks

Bug Fixes:

  • Workaround for window.open used with NULL parameter
  • Notify elements that they are unbidden
  • Notify form if an input was removed
  • Include select element values in submitted data
  • Fixed: HttpProt was sending content length with CONNECT
  • Fixed: Crawler didn't consider post data for links from CSA engine; some where ignored
  • Fixed: Login sequence recorder was sending requests synchronously
Build v6.5.20100111 - 11th January 2010

New security checks:

  • Test for File Upload IIS bug filename.asp;.jpg
  • Test for WP-Forum 2.3 vulnerabilities
  • JBoss rmi ping (network script)

Bug Fixes:

  • Bugfix: Modified forms notifications from CSA
  • Bugfix: CSA: Workaround for window.open with null parameters
  • Fixed: In some specific scenarios the scheduler queue was restarting on its own
  • Fixed: Node was not expanding automatically when manually adding a new logout link in the LSR
Build v6.5.20091215 - 15th December 2009

New security checks:

  • JBoss BSHDeployer MBean
  • JBoss checks from RedTeam’s paper
  • JBoss HttpAdaptor JMXInvokerServlet
  • JBoss Server MBean
  • JBoss ServerInfo MBean
  • JBoss Web Console JMX Invoker
  • phpShop v0.8.1 Multiple Vulnerabilities
  • Invision Power Board <= v3.0.4 Local PHP File Inclusion and SQL Injection

Improvements:

  • Improved Blind SQL injection tests to reduce false positives
  • Added better JBoss server detection
  • Better detection for Postgre SQL injections

Bug Fixes:

  • Fixed: GUI crashes when specific settings are changed in the Port Scanner node
  • Fixed: Login Sequence recorder was retaining post data when redirecting to the same page
Build v6.5.20091130 - 30th Novomber 2009

Bug Fixes:

  • Fixed: crash in TM_MultiRequest_Parameter_Manipulation module
  • Fixed: bug in crawler related with GetVar encoding
Build v6.5.20091124 - 24th November 2009

New:

  • New security checks of AcuSensor Technology
    • curl_exec() url is controlled by user
    • PHP preg_replace used on user input
    • PHP super-globals-overwrite
    • PHP unseriazlie used on user input
  • Other new security checks of Acunetix WVS
    • osCommerce authentication bypass
    • Apache Tomcat insecure default administrative password
    • Apache Tomcat directory traversal
    • Checks for PHP invalid data type error messages
    • Check for possible remote SWF inclusion
    • Added further checks for possible sensitive files; general tests per server
    • Added further checks for possible sensitive directories; general tests per server
    • Added a new security check for SQL injection in the authentication header (basic authentication, base64 encoded)
    • Added AlertIfTextNotFound group parameter to invert search and issue an alert if a specified text is not found

Improvements:

  • Renamed Weak password module to Authentication module since now it includes much more authentication security checks
  • Improved Cross-site scripting in URI checks to include Ruby on rails security checks
  • Improved Application errors security checks
  • Introduced 3 new setting parameters for the crawler in Settings.XML file:
    • <MaxFirstPossibleValue>262144</MaxFirstPossibleValue>
    • <MaxOtherPossibleValues>256</MaxOtherPossibleValues>
    • <MaxNumberOfPossibleValues>1000</MaxNumberOfPossibleValues>

Bug Fixes:

  • Fixed: false positives issued in weak password alert
  • Fixed: WSDL importer crash when importing recursive complex elements
  • Fixed: Crawler proxy request handling changed to decode the input name/value
  • Fixed Vulnerability Editor to show group parameters with default values if no VulnXML template is used
  • Changed HTTP_Anomalies to log PHP errors and save the results in a file (instead of alerts)Changed HTTP_Anomalies to log PHP errors and save the results in a file instead of alerts
  • Hidden VulnXML properties for alerts that are not using vulnxml default template in Vulnerability Editor
  • Adjusted VulnXML to reduce the number of false positives for Blind SQL injection timing tests
  • Updated CSA engine; delete the BOM characters from script sources
  • Updated URL_Helper; UrlEncode/Decode modified not to use str := str + ch and to validate hex characters after %
  • Updated File_Inputs; possible values are limited in size now
Build v6.5.20091027 -27th October 2009

Bug Fixes:

  • Fixed: Redirect on LoginSequenceStep was not followed correctly
  • Fix in URL Rewrite module to remove GetVars before matching rules
Build v6.5.20091012 -12th October 2009

Bug Fixes:

  • Fixed: Memory leak when invoking state change handler
  • Fixed: Item index for an item which has just been inserted fails in the Browserframe
  • Fixed: Error in indexing the get variables when redirecting in Session management
Build v6.5.20091005 - 5th October 2009

New:

  • Added a new check for SVN repositories

Improvements:

  • Improved MultiRequest paramenter manipulation; now using the form matcher to match parameter values
  • Improved SQL injection tests
  • Improved Application error tests

Bug Fixes:

  • Fixed: Links from HTML comments and other sources that are not trusted where not checked if they are from the same host as the base
  • Fixed: Login sequence not working properly with HTTP authentication
  • Fixed: MessageDlg was used in inittempfiles in console mode
  • Fixed: WinInet bug to resent the request if the server accepts client certificates
  • Fixed: Redirect from index.php to index.php was not working
Build v6.5.20090917 - 17th September 2009

New:

  • Added two new blind SQL injection tests
  • Added a new scanning profile for stored XSS only
  • Added HTTP verb tempering using POST method check

Improvements:

  • Improved appearance for compliance report by adding visual markets and several other presentation enhancements

Bug Fixes:

  • Fixed temporary files access issue
  • Fixed issue where HTTP Proxy was dublicating the connection: keep-alive header
  • Fixed issue where HTTP Proxy was putting the authorization header from fake basic authentication into server request
  • Fixed a problem where credentials configured through command line where not working properly in particular situations

Build v6.5.20090813 - 13th August 2009

Improvements:

  • HTML forms settings node was renamed to Input Fields.  This node now can also be used to pre-define web services operations values.
  • New SQL Injection tests added
  • New XSS tests (unicode) added

Build v6.5.20090728 - 28th July 2009

New Features:

  • Manual Intervention module: better support for CAPTCHA and modern authentication mechanisms  

Improvements:

  • Added new variants of blind SQL injection tests (now testing both AND and OR boolean operators)
  • Added new tests for SQL Injection with charset GBK/Big5
  • Added new variants for Cross site scripting

Bug Fixes: 

  • Fixed several issues with CSA (Client Script Analyzer) engine.

Build v6.5.20090622 - 22nd June 2009

Improvements:

  • Better cookies handling in several modules
  • Implemented exception handler in Login Sequence Recorder

Bug Fixes:

  • Handled issue when non-responsive hosts triggered download dialog 

Build v6.5.20090618 - 18th June 2009

 New Features:

  • Implemented Blind SQL Injection (timing) for web services scanner  
  • Implemented HTTP authentication for web services scanner

Bug Fixes:

  • Fixed problem related to File Inclusion in AcuSensor Technology
  • Fixed a problem in ssl_ping network script

Build v6.5.20090519 - 20th May 2009  - NEW VERSION

 New Features:

  • File upload forms vulnerability checks  
  • New Login Sequence Recorder; supports much more authentication forms and web technologies  
  • Session Auto Recognition module; if the session is invalidated or logged out during crawling, the scanner will automatically replay the login sequence without the need of manual intervention  
  • Actions drop down menu; for each selected node, the actions drop down menu is activated showing all possible functions  
  • Much more checks and alerts for JSP, Java and Tomcat web server  

Major Improvements:

  • Improved cookie management and session handling to support modern dynamic websites
  • Port scanner and Network Alerts results will appear  in a separate node in the results tree
  • Users can import Version 6 settings to Version 6.5
  • Added blind SQL injection timing test using MySQL's sleep and MS SQL's waitfor function.  This will help in discovering particular blind SQL injections that do not report a change on the page

Build v6.1.20090211 - 11th February 2009

 General improvements:

  • CSA engine now supposrts jQuery and Yahoo! UI JavaScripts libraries
  • Added component in scanner to search for links in HTML comments and Flash (SWF) strings
  • Created an ASL.1 parser which can parse X509 Certificates
  • Improved Crawler; improved Wivet coverage to 94%
  • Added more JBoss configuration tests
  • Added more Tomcat tests
  • Added more web server configuration checks for server path, internal IP and username/password disclosure
  • Improved RSS/Atom parses
  • Added more attack vectors to source code disclosure and directory traversal tests for both Windows and Unix

Bug Fixes:

  • Reporter now filters very long knowledge base items
  • Fixed SSL3, TLS1 parsing issues
  • Fix in Crawler to handle better query variable in start URL's
Build v6.0.20081209 - 9th December 2008

 General improvements:

  • Optimized large portions of the code to improve speed
  • Optimized Progress text for scripts and port scan
  • Show progress on ScanInfo frame

Bug Fixes:

  • Module tm_backup_files - can make tests like {filename}{test}{extension} (e.g. file1.php from file.php)
  • Crawler was not sending the custom cookies for the first request reporter crash on settings read (only try/except)
  • Fixed crash in "import scan results to database" when the scan was running
  • SSL certificate validity year fix
  • Fixed a bug in parameter manipulation. Crashing when Combination was nil (no values)
  • Error in interpreting redirections of type "?getvar=value"
  • Fixed jsessionid session fixation test
  • Fixed Activation in v6 for Vista.
  • Fixed a problem with Authentication Tester (the app was not recovering when an invalid protocol was specified as target) - Reported by Harutyun Sardaryan
  • Fixed a crash in HTTP Fuzzer - Reported by Harutyun Sardaryan
  • Fix in Blind SQL Injector: On UNION SELECT based string extraction when httpencoding is applied the last char was eaten
Build v6.0.20081028 - 28th October 2008 - NEW VERSION

New tools / Applications:

General improvements:

  • Pause and Resume scan functionality
  • Option to mark an alert as false positive
  • Support for NTLM v2
  • Scanner can now gather a list of uncommon HTTP responses
  • Scanner can automatically stop if a number of network errors occure or web server does not respond.

User Interface improvements:

  • Compare results tool now compares also Knowledge Base items and list of open web server ports
  • Possibility to quickly locate a vulnerability by using a filter while before only search was allowed
  • In Scanning profiles and Vulnerability Edior vulnerabilities are automatically sorted by name
  • In HTTP Fuzzer results can be sorted by clicking on header columns and changes in Fuzzer filters are automatically reflected in results window

Scheduler improvements:

  • All scanning options are now available in scheduler
  • Option to configure the day of the week or month for a scheduled scan
  • Option to configure scan exclusion hours, i.e. when an ongoing scan should be paused and resumed
Build v5.1.70829 - 4th September 2007
  • Huge improvement in memory handling! - Memory handling is now done in a much more efficient way and temporary data is now stored by default onto the hard drive freeing up a LOT of system memory especially when dealing with large websites.
  • Introduced pre-conditions to various vulnerability tests - this will check if vulns can actually exist in a certain environment before starting to test for then - thus avoiding checking for vulnerabilities in vain and at the same time speeding up the scanning time.
  • Summary view for alert nodes - avoids long delays in displaying all alerts under a node
  • Added "Current Test" information to the scan information view
  • Improvements in HTTP Fuzzer
  • Fixed Javascript issue with parsing certain websites
  • Fixed validation when saving login sequence file
  • Fixed crash with error "sitefile parts already loaded"
  • Fixed Web Services Scan Wizard detection of Inputs for particular WSDL URLs
  • Fixed Web Services Scaner crash when clicking on some elements of the tree structure
Build v5.0.70621 - 25th June 2007
  • Tweak in Heuristic scanning mode for improved memory management
  • Enabled by default save crawling data to disk
  • Added Day and Month to timestamps in Activity Window
  • Small text changes in crawler settings
  • Elevation of privileges OS vulnerability fix
Build v5.0.70604 - 11th June 2007 - NEW VERSION

New Tools / Applications:

  • Subdomain Scanner
  • Web Services Scanner
  • Web Services Editor
  • Reporter Application

General Improvements:

  • Microsoft WindowsVista Support
  • Visual Interface Improvements with new graphics and buttons
  • Source View in various parts of the product
  • Password protection for all Acunetix Tools and applications
  • Upgrading from Previous Versions/Builds keeps all Settings and Configurations

Reporting Improvements:

  • New Reporter Application
  • Detailed Scans View from the Database
  • Standard Report Templates: Developer, Executive, Vulnerability
  • Scan Comparison Templates
  • Statistical Templates: Yearly, Monthly, etc..
  • Compliance Reports Templates: PCI, Sarbanes-Oxley, HIPAA, etc..

Crawler Improvements:

  • Manual Choice of Files from the Site Structure
  • Directory Recursion (loop) Detection
  • URL Rewrite Detection and Warning to User
  • Improved Filtering (replacing the old search functionality)

Scanner Improvements:

  • New Scanning Mode Option: Quick, Heuristic and Full
  • Multi-Step Scanning
  • Stored XSS Tests
  • Header Manipulation
  • Improved Blind SQL Injection Tests
  • Improved Mod_Rewrite Support
  • Improved Filtering (replacing the old search functionality)
  • Grouping of Test Variants
  • Sitemaps Support
  • Added New Vulnerability Tests

Scheduler Improvements:

  • Support for Web Services Scheduled Scans
  • New options for Source and Output of Scans
  • Mail Notifications

Command Line Improvements:

  • New options added to support more functions like the full application
  • Web Services Scans
  • Mail Notifications

Database Improvements:

  • Significantly Reduced DB Size by 90% while keeping the same details and more!
  • New Database Structure (conversion tool available to upgrade from v4 structure)

Acunetix Web Application Security Blog

Latest Article

Exploiting a cross-site scripting vulnerability on Facebook

Read how by exploiting a XSS vulnerability, an attacker can hijack Facebook accounts!

Latest Whitepaper

Why File Upload Forms are a major security threat

This white paper talks about common file upload forms validation types and also how malicious users can easily bypass them.  With the help of Acunetix WVS, a web developer can easily find these vulnerabilities in web applications without the need of advanced web security expertise.  He can also easily solve them thanks to the amount of extensive information Acunetix WVS reports.

Testimonials

“The issues detected were of major impact; if hackers would have found the security holes, they could have hacked an entire Joomla! Site.”

Robin Muilvijk
Quality & Testing Team, Joomla!