Acunetix WVS Build History

Build v8.0.20120911 – 11th September 2012

New Features

  • A new option that allows you to specify a different email address for each configured scan in the scheduler.
  • The HTTP Fuzzer number generator now supports padding, e.g. a leading zero can be used to generate numbers from 01 to 10.
  • A new option to specify if the latest cookie from the scanned website should be used rather than the one discovered during crawling.
  • New option to force the scanner not to overwrite user-specified custom cookies with newer cookies from the scanned website.
  • Ability to import multiple HTTP Sniffer captures to the same crawl.
  • Ability to merge HTTP Sniffer captures to existing website crawls.

New Security Checks

  • Added a test for .Net Cross Site Scripting (Request Validation Bypassing).
  • New security check for MediaWiki security issues.

Bug Fixes

  • Fixed a crossdomain.xml false positive.
  • Fixed the Scan Wizard back button issue; there were instances where it was not working correctly.
  • Fixed a bug in the scanner to scan only website files found during a crawl.
  • Fixed a memory leak in the Client Script Analyser engine.
  • The Login Sequence Recorder User-Agent string is now the same in both the header and in the scripting code.
  • Fixed a bug within the WSDL scanner “Customize” button.

Build v8.0.20120808 – 9th August 2012

New Feature

  • Acunetix WVS will alert the user if a web application firewall or IDS is detected

New Security Checks

  • Added a security check for FCKeditor cross site scripting vulnerability
  • Added a test for Liferay JSON authentication bypass
  • Acunetix WVS now checks for Server Side Request Forgery
  • Added several security checks for IBM Tivoli Access Manager Web Server vulnerabilities
  • New security check for “Vulnerabilities in SharePoint Could Allow Elevation of Privilege” (MS12-050)
  • Acunetix WVS now checks for several DotNetNuke vulnerabilities (popular ASP.NET CMS)
  • Added a new security check for exposed Apache Solr Service
  • Remote code execution tests for Umbraco ASP.NET CMS software
  • Check for SWFUpload applet vulnerability in a large number of web applications
  • Added security checks for user controllable scripts and charsets

Improvements

  • Cross-site scripting (XSS) security checks were improved
  • HTTP Verb Tampering security script now bruteforces common or sensitive files and directories

Bug Fixes

  • Fixed: Incorrect handling of Internet Explorer’s JavaScript substr implementation
  • Fixed: Login Sequence Recorder; ssl_write result was not handled correctly, resulting in data not rendering correctly
  • Fixed: Display problem; alert/child count was not displayed correctly in some cases
  • Fixed: Developer report was not showing long URLs in coverage report
  • Fixed: Saved credentials were not persistent in general settings

Build v8.0.20120704 – 4th July 2012

New Security Checks

  • Added a number of new HTML 5 Cross-site scripting security checks
  • Content-type text/xml responses are now being checked for XSS vulnerabilities
  • Using Windows 8.3 short filename techniques to check for information disclosure
  • Checks for Microsoft IIS Tilde directory enumeration problems
  • A number of new security checks for Webadmin
  • Checking for MySQL, Ruby on Rails and phpMyAdmin SQL dump files on web applications
  • File disclosure via XXE Injection tests for Zend Framework
  • Information disclosure checks in environment variables

Improvements

  • Improved Directory Traversal security checks
  • Fewer false positives reported by the HTML Forms security checks

Bug Fixes

  • Custom cookie paths are now set correctly to the start URL
  • Login Sequence Recorder now executes JavaScript even if there are JS errors
  • Newly discovered input parameter variations are added to the list of input variations rather than ignored

Build v8.0.20120613 – 13th June 2012

New Security Checks

  • New security checks for Microsoft SharePoint.
  • Debug Parameters test lets you check whether common debug parameters, such as “?debug=1”, disclose sensitive information in your web applications.
  • New Cross-Site Scripting checks for Ruby on Rails / Homakov variants.
  • Security check for JetBrains .idea project directory.
  • ToolsPack backdoor verification.
  • Security check for Fantastico_Filelist information disclosure.
  • Tests for authentication bypass vulnerabilities in MySQL, MariaDB (CVE-2012-2122).
  • Check for Nginx restrictions bypass (CVE-2011-4963).
  • New checks when a phpinfo() page is discovered: all HTML in the page is parsed and alerts are issued for PHP configuration problems (display_errors on, register_globals etc).

New Features

  • Ability to export reports in the Report Viewer.
  • Alerts you when HTML forms do not have CSRF protection.

Improvements

  • Rewrote the ASP_NET_Oracle_Padding security script.
  • Improved SVN/GIT repository security scripts.
  • Improved presentation for all the alerts generated by the crawler by showing more attack details.

Bug Fixes

  • Login Sequence Recorder is now using the configured user-agent.
  • Cookie path parameters are better supported.
  • The scheduler authentication checkbox is restored properly if you press “Cancel”.
  • Fixed the Trace/Track HTTP method test security script issue.
  • The input forms which are part of the login sequence are no longer filled with HTML forms pre-configured data.
  • Fixed the namespaces issue on the Web Services scanner.
  • Corrected the requests which are generated by the scan results imported from the Firefox extension.
  • Blind SQL injection now reports the correct value in the alert details.
  • Fixed the jQuery problem: CSA select HTML element and options are now correctly handled.