Added detection of MediaWiki Chunked Uploads Security Check Bypass
Added detection for Plupload XSS vulnerability (included in WordPress versions 3.5, 3.4.2, 3.4.1, 3.4, 3.3.3 and 3.3.2 and other applications)
Reduced false positives in XSS detection
Improvements to Web Server Default Welcome Page script
Reduced false positives reported by Blind SQL Injection
Improvements in the detection of Sensitive Directories
Added patterns for Python error messages and stack traces in the Text Search script.
Fixed an issue in PHP AcuSensor
In some situations, the Login Sequence Recorder misidentified connections to HTTPs sites when working through the Acunetix Web Vulnerability Scanner proxy
Fixed a false positive in Microsoft IIS Tilde Directory Enumeration
Fixed issues where scheduled scans with recursion are not rescheduled if they cannot start because of scan restrictions
Fixed a bug with Amazon S3 Public Buckets audit KB items being reported multiple times
Build v8.0.20130416 – 18th April 2013
Added a test that enumerates valid WordPress usernames using various techniques.
Added a test for weak WordPress passwords for the usernames identified during the scan.
Added a test that identifies common WordPress plugins. For each plugin identified, Acunetix WVS will try to enumerate the plugin name, short description, installed version and latest version of the plugin. This information is shown in a Knowledge Base item.
Added a test that identifies Amazon S3 public buckets.
Improved XSS in URI script to test for Apache Tomcat Path Parameters.
Improved WordPress Pingback Scanner test.
Improved Blind SQL Injection script.
Improved Crossdomain_XML script.
Improved Directory Traversal script.
Improved Error_Message script.
Improved URL redirection script.
Improved XSS testing script.
The amount of input schemes has been reduced for known applications, improving the scan performance for such web applications.
Fixed an issue which caused false positives to occasionally show up in the report for Scheduled Scans.
Better handling for META http-equiv=”refresh” tags by the Crawler.
Fixed an issue in error_messages_helpers.inc script.
Fixed a minor bug in the Scheduler UI (Bug ID: 364)
North and South Korea are now correctly identified in the Product Activation Wizard.
Scans were sporadically entering a loop when scanning certain sites using a login sequence and the CSRF check was enabled.
WebApps scripts were being invoked even though they were excluded in the scanning profile
Build v8.0.20130308 – 8th March 2013
Added a test for Kayako Fusion v4.51.1891 – Multiple Web Vulnerabilities
Added various tests for Apache Tomcat
Added a test for CKEditor 4.0.1 Cross-Site Scripting vulnerability
Added a test for Moveable Type 4.x Unauthenticated Remote Command Execution
Implemented detection of Virtual Hosts on the target server
Implemented jQuery 1.9 support
Added a test for subversion 1.7 (.svn) repositories
Added a test for Parallels Plesk SQL Injection Vulnerability (CVE-2012-1557).
Implemented some tests looking for various Unicode transformation issues such as Best-Fit Mappings, Overlong byte sequences and Ill-Formed Sub-sequences
Added header input schemes for folders
Added identification of file names in input scheme parameter values. Any file names detected are subsequently crawled
Various improvements to XSS tests
Improved Possible_Sensitive_Directories script
Improved jQuery attr() support
Improved Virtual Host Directory Listing test
The report of 404 – Page Not Found now instructs users to checks the Referrers tab for a list of pages linking to the broken link
Fixed a crash that occurs infrequently when configuring a scheduled scan
Fixed various minor issues in the scan scheduler
Build v8.0.20130205 – 5th February 2013
New 14 day Evaluation version will replace the Free Edition. Evaluating users can now perform full scans of the Acunetix test websites and of their websites. The Evaluation version has the following limitations:
The vulnerability details are only shown when scanning Acunetix test websites
Results cannot be saved
Reports are disabled
Scheduled scans are disabled
Changed prioritisation of TLS protocol over SSLv3. This provides better support for IIS 7.5 web servers, which previously refused connections from Acunetix Web Vulnerability Scanner.
Fixed crash that occurs when the Scan Wizard is used while the Login Sequence Recorder is running
Fixed crash in Session Manager
Build v8.0.20121213 – 13th December 2012
New report template for ISO 27001
New Security Checks
During a scan Acunetix WVS checks if the MongoDB web interface is open on the external interface
Check for included scripts which are from an invalid hostname
Added a new module for testing Slow HTTP Denial of Service attacks like Slowloris
Added a new security check that tries to guess various internal virtual hosts (information disclosure)
Checks for phpLiteAdmin default passwords
Improved the SQL Injection detection for SQLite3
Further improved the Cross-Site Scripting security check
Added detailed descriptions to all the Acunetix WVS security scripts
Removed all broken web references in vulnerability reports and added several new ones
Improved the Joomla! security scripts for more enhanced security scanning of Joomla! portals
Fixed a text wrapping issue in the compliance reports
Fixed an issue where the CSA engine was being executed multiple times against the same file during a scan
User-Agent header is now included with the in-session check request
Login Sequence Recorder now uses the timeout value specified from settings
Fixed several crashes when the Login Sequence Recorder was used against some specific websites
Build v8.0.20121113 – 13th November 2012
New Security Checks
New PHP code execution test for Invision Power Board
We’ve improved the Acunetix SDK by introducing a new UI for selecting script targets
All web security scripts now send the Referrer header during tests, which means that websites that check referrers can now be scanned properly.
The XSS security script has been further improved.
We’ve added a cache-control HTTP header to crawler requests.
Several issues in the crawler have been fixed so you can now crawl larger websites
Build v8.0.20121106 – 6th November 2012
Schedule up to 2,000 website security scans using a CSV file.
Ability to exclude WSDL inputs from a scan from the WSDL scan wizard.
New Security Checks
Added a new security check for IIS global.asa / global.asax backup files.
Added a new remote code execution security check for vbseo 3.6.0.
New arbitrary PHP code execution security check for Drupal.
New information disclosure security check for Drupal.
Added several web security checks for Ekton CMS.
New XSS security check that can find vulnerabilities in Referrer headers.
Scheduler UI now supports pagination for faster load time.
Improved XSS vulnerabilities detection in URIs.
Improved Input Fields entries for better crawling of websites.
Client certificates are now being used from the Login Sequence Recorder.
Fixed a crash in the compare scans template.
Fixed an AcuSensor injection problem with .NET Framework 4.0 applications.
Fixed several Sensitive Directory vulnerabilities false positives.
Fixed a Login Sequence Recorder crash.
Build v8.0.20121003 – 3rd October 2012
Added a new option to allow offline activation of Acunetix WVS
Added heauristic input limitations in crawler for more efficient scanning
New Security Checks
SQL Injection tests for OpenX web application
Cross-site scripting checks for IBM Lotus Domino Web Server
Search for MySQL connection details when scanning a website
Detection of phpMyAdmin v18.104.22.168 backdoor
Further enhanced the XSS security check
Improved Remote file inclusion security check
Local file inclusion tests have been improved to better handle Java based applications
When importing scan results to reporting database using the console, the database scan ID will be reported
Fixed a crash when trying to stop the crawler and the CSA engine was still working
User specified client certificates are now being used by the Login Sequence Recorder
The exit button from LSR was not fully visible in some situations
Login Sequence Recorder now uses the configured scan settings templates
Manual browser now uses the correct user specified User-Agent string
Build v8.0.20120911 – 11th September 2012
A new option that allows you to specify a different email address for each configured scan in the scheduler.
HTTP Fuzzer number generator now supports padding, e.g. you can use a leading zero i.e. from 01 to 10.
A new option to specify if the latest cookie from the scanned website should be used rather than the one discovered during crawling.
New option to force scanner to not overwrite user specified custom cookies with newer cookies from the scanned website.
Ability to import multiple HTTP Sniffer captures to the same crawl.
Ability to merge HTTP Sniffer captures to existing website crawls.
New Security Checks
Added a test for .Net Cross Site Scripting (Request Validation Bypassing).
New security check for MediaWiki security issues.
Fixed a Crossdomain in an XML false positive.
Fixed the Scan Wizard back button issue; there were instances were it was not working correctly.
Fixed a bug in the scanner to scan only website files found during a crawl.
Fixed a memory leak in the Client Script Analyser engine.
The Login Sequence Recorder User-Agent string is now the same in both the header and in the scripting code.
Fixed a bug within the WSDL scanner “Customize” button.
Build v8.0.20120808 – 9th August 2012
Acunetix WVS will alert the user if a web application firewall or IDS are detected
New Security Checks
Added a security check for FCKeditor cross site scripting vulnerability
Added a test for Liferay json Auth Bypass
Acunetix WVS now checks for Server Side Request Forgery
Added several security checks for IBM Tivoli Access Manager Web Server vulnerabilities
New security check for vulnerabilities in SharePoint Could Allow Elevation of Privilege (MS12-050)
Acunetix WVS now cheks for several DotNetNuke vulnerabilities (popular ASP.NET CMS)
Added a new security check for exposed Apache Solr Service
Remote code execution tests for Umbraco asp.net CMS software
Check for SWFUpload applet vulnerability in a large number of web applications
Added security checks for user controllable scripts and charsets
More advanced security checks for MongoDB and Rails Mass Assignment.
The crash in the Login Sequence Recorder has been fixed.
The Login Sequence Recorder is accurately parsing websites which send back GZIP encoded content, even if it was not specified in the Accept-Encoding header.
The Acunetix Reporter has improved the handling of missing scans reports.
The Acunetix Reporter Console supports spaces within the specified parameters.
The Acunetix Reporter accepts longer input names.
Build v8.0.20120305 – 07th March 2012
New Security Checks
Scanning of Web Statistics Software Applications such as AWStats and Webalizer. Acunetix WVS crawls the result pages of your website(s) statistics software application and notifies you if sensitive data is disclosed in such pages.
Automatic checks for ASP Code injection vulnerability.
Further security checks for SQLite Databases.
Security checks for Rails Mass Assignment.
Ability to stop the website crawling and proceed with the scan at anytime.
Posibility to choose a scan report template that you would like to use when scheduling a scan.
Scripts are being executed faster thus the scans are taking less time to complete.
Improved security scripts for Blind SQL injection, Remote File Inclusion XSS, File Inclusion and Directory Traversal.
If a variant check for a specific vulnerability times out, the next variant checks assigned for that type of vulnerability will be launched automatically.
Crawler: input encoding was not correct for _EVENTTARGET = and /
Ansi string was not working correctly when using specific languages other than English.
Build v8.0.20120215 – 16th February 2012 – NEW VERSION
Manipulation of inputs from URL’s
Automatic IIS 7 rewrite rule interpretation
Support for custom HTTP headers during automated scans
Imperva Web Application Firewall integration
Multiple instance support for scanning multiple websites in parallel
New web-based Scheduler
Automatic custom 404 error page recognition and detection