Build v10.0.20151125 – 26th November 2015
- Added a test looking for insecure CORS configurations.
- Added a test looking for CVE-2014-7829 – Arbitrary file existence disclosure in Action Pack.
- Added a test looking for Rails applications running in development mode.
- Added a test looking for CVE-2015-7808 vBulletin 5 PreAuth RCE.
- Added a test looking for Insecure DNS records
- Added a test looking for Spring Boot Actuator
- Added a test looking for Tornado Debug mode
- Added a test looking for Pyramid Debug mode
- Added a test for PHP object deserialization of user-supplied data
- Added a test looking for older versions of the ZeroClipboard SWF library that are vulnerable to a cross-site scripting vulnerability.
- Updated WordPress plugins and WordPress core checks.
- Improved tests for possible sensitive directories and sensitive files.
- Improved Apache Axis audit script.
- Added a test for Java object deserialization of user-supplied data
- Various improvements for XSS detection.
- Improved HTML structural parser and added support for Allow directives to the robots.txt parser
- Added support for WADL files when served using
- Fixed a crash caused during automatic session detection.
- Security fix for privilege escalation reported by security researcher Daniele Linguaglossa
Build v10.0.20151028 – 28th October 2015
- Improved the description for all the vulnerability checks in Scanning Profiles
Build v10.0.20151026 – 26th October 2015
- Fixed a bug limiting the number of external hosts in the knowledge base (kbase)
- Fixed an issue which caused the scanner to crash
- Fixed an issue where some script dependencies could cause the scan not to finish
- Fixed an importer crash when the user cancels the import
- Fixed syntax error affecting Chinese Windows
- Restrictions configured in the LSR were not taken into consideration in some POST requests
Build v10.0.20150921 – 22nd September 2015
- Added a new test looking for development configuration files such as Vagrantfile, Gemfile, Rakefile and others
- Added a test for Insecure response with wildcard ‘*’ in Access-Control-Allow-Origin
- Added detection of Cross Site Scripting (XSS) in the mobile-touch event handlers
- Added a test for CVE-2015-5956 – Typo3 Core sanitizeLocalUrl() Non-Persistent Cross-Site Scripting
- Added a test looking for CVE-2015-5603: HipChat for JIRA plugin – Velocity Template Injection
- Added a test looking for vulnerable project dependencies by analyzing the contents of composer.lock
- Added a test for CVE-2015-5161 – XML eXternal Entity Injection (XXE) on PHP FPM (FastCGI Process Manager), affecting various versions of Zend Framework and ZendXML
- Added a test for CVE-2014-0114 – Class Loader Manipulation via Request Parameters affecting Apache Struts 1
- Added a test for CVE-2015-4670: Directory Traversal to Remote Code Execution in AjaxControlToolkit
- Added a test looking for sensitive files such as .mysql_history, .bash_history and others. Acunetix will verify the contents of these files to reduce false positives caused by custom 404s.
- Updated database of WordPress core and plugin vulnerabilities.
- Improved WADL parsing to support more representation types.
- Fixed a false positive in File Inclusion script.
- Fixed an issue causing JSON and XML inputs not to be checked for XSS.
- Fixed an SSL audit bug triggered when the server_name (SNI) extension was not sent to the server during SSL negotiation.
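The CORS checks listed above (the insecure-configuration test in the November build and the wildcard Access-Control-Allow-Origin test in this one) both come down to sending probe requests with attacker-chosen Origin values and classifying what the server grants. The following is an added example of that classification logic, not Acunetix code; the probe origins, the SEVERITY table and the SAMPLE_RESPONSES are constructed for illustration, and a real scanner would derive the reflected and prefix-match origins from the target host name.

```python
"""Classify CORS behaviour from the headers a server returns for probe Origins.

Added example for the CORS checks in this changelog; not Acunetix code.
All origins, severities and sample responses below are constructed.
"""
from typing import Dict, List, Optional

# Constructed probe origins. A scanner derives these from the target host.
PROBE_ORIGINS = [
    "https://evil.example",                  # arbitrary third-party site
    "null",                                  # sandboxed iframe / data: URL
    "https://target.example.evil.example",   # prefix-match bypass attempt
]

# Constructed severity mapping. Reflection plus credentials lets a hostile
# page read authenticated responses, so it ranks highest.
SEVERITY = {
    "reflected-origin-with-credentials": "high",
    "null-origin-trusted-with-credentials": "high",
    "reflected-origin": "medium",
    "null-origin-trusted": "medium",
    "wildcard-origin": "low",
}


def classify_cors(origin: str, headers: Dict[str, str]) -> Optional[str]:
    """Classify one probe response; return a finding name or None if safe."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return None  # no cross-origin grant at all
    if acao == "*":
        # Browsers refuse "*" combined with credentials, so this exposes only
        # resources that were already readable without a session.
        return "wildcard-origin"
    if acao == origin:
        base = "null-origin-trusted" if origin == "null" else "reflected-origin"
        return base + ("-with-credentials" if creds else "")
    return None  # a fixed, non-matching origin: not exploitable from our probe


def scan_cors(responses: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """responses maps the probe Origin that was sent to the headers received."""
    findings = []
    for origin in PROBE_ORIGINS:
        hdrs = responses.get(origin)
        if hdrs is None:
            continue
        name = classify_cors(origin, hdrs)
        if name:
            findings.append({"origin": origin, "finding": name,
                             "severity": SEVERITY[name]})
    return findings


# Constructed responses, one per probe Origin, standing in for live traffic.
SAMPLE_RESPONSES = {
    "https://evil.example": {
        "Access-Control-Allow-Origin": "https://evil.example",
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    },
    "null": {"Access-Control-Allow-Origin": "null"},
    "https://target.example.evil.example": {"Access-Control-Allow-Origin": "*"},
}

if __name__ == "__main__":
    for finding in scan_cors(SAMPLE_RESPONSES):
        print(finding)
```

The wildcard case is kept separate from reflection on purpose: `*` cannot be combined with credentials by any browser, so it is only a problem for resources that should not have been world-readable in the first place, whereas a reflected origin with `Access-Control-Allow-Credentials: true` hands an attacker's page the victim's authenticated responses.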
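The sensitive-file entry above notes that the contents of files such as .bash_history are verified to avoid false positives from custom 404 pages served with status 200. The following is an added example of that verification, written for this changelog and not taken from Acunetix: it compares the body against a baseline fetched for a deliberately non-existent path, rejects anything that looks like HTML, and then requires a per-file content signature. The SIGNATURES table, the baseline page and the history sample are constructed.

```python
"""Verify that a probed sensitive file is real and not a soft 404.

Added example; not Acunetix code. Signatures and sample bodies are constructed.
"""
import re
from difflib import SequenceMatcher

# Constructed content signatures: the body must look like the file it claims
# to be. A scanner keeps one per probed path.
SIGNATURES = {
    ".bash_history": re.compile(
        r"^(cd|ls|cat|ssh|scp|mysql|sudo|vim? |git|export)\b", re.M),
    ".mysql_history": re.compile(
        r"^(select|insert|update|delete|grant|create|use|show)\b", re.M | re.I),
}
HTML_MARKER = re.compile(r"<\s*(!doctype|html|head|body)\b", re.I)


def is_soft_404(body: str, baseline_404: str, threshold: float = 0.9) -> bool:
    """True when body is essentially the site's own 'not found' page.

    baseline_404 is the body returned for a random, non-existent path in the
    same directory; sites that answer every miss with status 200 still return
    a near-identical page for both requests.
    """
    if not baseline_404:
        return False
    return SequenceMatcher(None, body, baseline_404).ratio() >= threshold


def verify_sensitive_file(name: str, status: int, body: str,
                          baseline_404: str) -> bool:
    """Return True only if the response plausibly is the real file."""
    if status != 200 or not body.strip():
        return False
    if is_soft_404(body, baseline_404):
        return False  # custom 404 page served with status 200
    if HTML_MARKER.search(body):
        return False  # shell and SQL history files are never HTML
    sig = SIGNATURES.get(name)
    return bool(sig and sig.search(body))


# Constructed sample bodies standing in for live responses.
BASELINE_404 = ("<!DOCTYPE html><html><head><title>Not found</title></head>"
                "<body><h1>Sorry, that page does not exist</h1></body></html>")
REAL_HISTORY = "cd /var/www/html\nmysql -u root -pS3cret\nls -la\nvim config.php\n"

if __name__ == "__main__":
    print(verify_sensitive_file(".bash_history", 200, REAL_HISTORY, BASELINE_404))
    print(verify_sensitive_file(".bash_history", 200, BASELINE_404, BASELINE_404))
```

The similarity check comes first because it also catches non-HTML soft 404s (a JSON "not found" document, a plain-text error); the signature check then rules out unrelated 200 responses such as a directory listing or a redirect landing page.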
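The composer.lock entry above describes flagging vulnerable project dependencies from the lock file. As an added example (not Acunetix code), the block below parses the `packages` and `packages-dev` sections of a lock file and matches each pinned version against a small advisory table using Composer-style comparison constraints. The COMPOSER_LOCK excerpt is constructed, and the ADVISORIES table is sample data: its version ranges are illustrative and must come from a real advisory feed in practice.

```python
"""Match composer.lock pins against an advisory table.

Added example; not Acunetix code. The lock file and advisory ranges are
constructed sample data.
"""
import json
import re
from typing import Iterable, List, Tuple

Version = Tuple[int, ...]

# Constructed composer.lock excerpt; a real file carries many more fields.
COMPOSER_LOCK = r'''{
  "packages": [
    {"name": "zendframework/zendxml", "version": "1.0.0"},
    {"name": "monolog/monolog", "version": "1.17.2"}
  ],
  "packages-dev": [
    {"name": "phpunit/phpunit", "version": "4.8.16"}
  ]
}'''

# Constructed advisory table: (package, vulnerable range, reference).
# Ranges are sample data, not verified advisory boundaries.
ADVISORIES = [
    ("zendframework/zendxml", "<1.0.1", "CVE-2015-5161 (sample range)"),
    ("phpunit/phpunit", ">=4.0,<4.8.17", "ADV-EXAMPLE-1 (constructed)"),
]

_CONSTRAINT = re.compile(r"\s*(<=|>=|<|>|!=|=)?\s*v?(\d+(?:\.\d+)*)")
_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_version(text: str) -> Version:
    """'v1.2.3-p1' -> (1, 2, 3); pre-release and patch suffixes are ignored."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def _pad(a: Version, b: Version) -> Tuple[Version, Version]:
    """Right-pad with zeros so 4.0 compares as 4.0.0 against 4.8.16."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def satisfies(version: str, constraint: str) -> bool:
    """True if version lies in an AND constraint such as '>=4.0,<4.8.17'."""
    ver = parse_version(version)
    for part in constraint.split(","):
        m = _CONSTRAINT.match(part)
        if not m:
            raise ValueError(f"unparseable constraint: {part!r}")
        op = m.group(1) or "="
        a, b = _pad(ver, parse_version(m.group(2)))
        if not _OPS[op](a, b):
            return False
    return True


def find_vulnerable(lock_json: str,
                    advisories: Iterable[Tuple[str, str, str]]
                    ) -> List[Tuple[str, str, str]]:
    """Return (package, installed version, reference) for each advisory hit."""
    lock = json.loads(lock_json)
    installed = {}
    for section in ("packages", "packages-dev"):  # dev deps ship too, often
        for pkg in lock.get(section, []):
            installed[pkg["name"]] = pkg["version"]
    hits = []
    for name, vuln_range, ref in advisories:
        ver = installed.get(name)
        if ver is not None and satisfies(ver, vuln_range):
            hits.append((name, ver, ref))
    return hits


if __name__ == "__main__":
    for hit in find_vulnerable(COMPOSER_LOCK, ADVISORIES):
        print(*hit)
```

Reading the lock file rather than composer.json matters: the lock pins the exact versions that were installed, whereas composer.json only states ranges, so the lock is the artefact to compare against an advisory's boundaries.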
Build v10.0.20150820 – 20th August 2015
- Added a test for Server-Side Template Injection vulnerability.
- Added tests for new WordPress (core and plugins) vulnerabilities.
- Added a test checking for Django Debug Mode
- Improved CRLF injection/HTTP response splitting tests
- Improvements to the XSS testing script
- Updated Payment Card Industry (PCI) report to PCI 3.1
- Updated DISA Application Security and Development STIG report to V3R10
- LSR updated to support all SSL cipher suites
- Fixed a crash in WSDL scanner
- Various updates and fixes in the Login Sequence Recorder
- Fixed an issue where DeepScan blocked on specific sites
- Fixed a bug in the Scan Wizard
- Fixed a crash in the Scan Wizard when choosing a non-existent login sequence file name
- Fixed the crawler start URL being incorrectly set to http instead of https when importing from a proxy log
Build v10.0.20150623 – 24th June 2015 – NEW VERSION
- New Login Sequence Recorder which supports Single-Sign-On (SSO) and OAuth-based authentication.
- Database of 1200 WordPress-specific vulnerabilities, including checks for WordPress core and popular WordPress plugins.
- Improved scanning of Java / J2EE web applications
- Improved scanning of Restful Web Services, including parsing of WADL files
- Improved scanning of web applications implemented in Ruby on Rails
- Detection of XML External Entity (XXE) via REST APIs
- Crawling a website can now be pre-seeded using HAR files and exports from Fiddler, Burp, Selenium and the Acunetix Sniffer
- Introduced the detection of links to websites known to host malware or used for phishing
- Improved support for WSDL-based web services by introducing support for