Acunetix WVS Build History

Build v7.0.20101216- 20th December 2010

New features:

  • DOM XSS will now report the filename in which the attack was executed
  • DOM XSS checks on document.open, window.open, window.navigate and more

Bug fixes:

  • Fixed: Aborting analysis while executing events not always worked in CSA
  • Fixed: CSA engine crashing with “worker already executing” exception
  • Fixed: Crawler was not considering maximum number of variations in case of links from comments
  • Fixed: In some cases during a WSDL service scan, port address query params where not properly used
  • Fixed: False positive for ASP.NET padding oracle test
  • Bugfix: HTML parser; Fixed regex for extracting URLs from HTML comments

Build v7.0.20101206- 6th December 2010

New feature:

  • Acunetix WVS automatically checks for

    DOM XSS vulnerabilities

Bug fixes:

  • Fixed: Get First URL Only option not working correctly because it was still importing links from CSA engine
  • Fixed: “User credentials sent in clear text” was not being reported by crawler in certain circumstances
  • Fixed: Port was being specified in host header even if default ports were being used.

Build v7.0.20101123- 23th November 2010

Improvements:

  • More updates to the Client Script Analyser (CSA) engine for better Web 2.0 support

Bug fixes:

  • Fix: Added port in host header for https in manual browsing
  • Fixed: Crawler not serving pages to Client Script Analyzer engine on request if pages were already queued
  • Fixed: Compare results frame crashed if nodes are expanding while still comparing
  • Fixed: CanonicalizeLink was incorrectly interpreted “..” style links

Build v7.0.20101115- 15th November 2010

New features:

  • Ability to stop individual running security scripts during a scan

Major Improvements:

  • Introduced a good number of CSA engine improvements; better support of JQuery and Web 2.0 applications
  • Introduced a number of new XSS security checks

Bug fixes:

  • Fixed: Memory leak in NTLM authentication
  • Fixed: Incorrect interpratation of links with leading “//”
  • Fixed: Access violation crashes in HTTP Sniffer for certain SSL websites

Build v7.0.20101028- 28th October 2010

Bug fixes:

  • Fixed: Replay of recorded login sequences was not working properly in the free version
  • Fixed: NTML authentication was not working properly when using specific type of credentials
  • Fixed: Crash in Login Sequence Recorder while detecting invalid session on some particular websites
  • Bugfix: Fixed XSS tests to automatically follow redirects
  • Bugfix: Fixed script error in ASP.NET padding oracle test

Build v7.0.20101012 – 12th October 2010

Bug fixes:

  • Fixed: Client Script Analyser engine was blocking if insertAdjacentHTML used on an element without parent
  • Fixed: “Accept” header was not sent by the advanced penetration testing tools

Build v7.0.20100921 – 22nd September 2010

New Security Check:

  • Added a security check for the latest OpenX OFC file upload vulnerability
  • Added a ASP.NET security check for the ASP.NET padding Oracle vulnerability

Improvements:

  • Reduced the number of false positives for Blind SQL injections security checks
  • Improved Blind SQL injection tests by adding a number of new tests to detect blind SQL injections in UPDATE/INSERT/…

Bug fixes:

  • Fixed: Cookie encoding didn’t worked as expected in some cases
  • Fixed: Cookie were not always imported from AcuSensor data

Build v7.0.20100902 – 2nd September 2010

New Features:

  • Added the option to mark a whole group or node alerts as false positive via right click

Bug fixes:

  • Problems with proxy authentication didn’t allow proxy users to run scans
  • Mark Alert as false positive was not working properly in some cases

Build v7.0.20100901 – 1st September 2010 – NEW VERSION

New Features:

  • New scanning engine – faster and reports more vulnerabilities
  • New vulnerability verifying techniques to reduce false positives
  • New site crawler – ability to crawl a wider range of websites and find more parameters
  • Scriptable Vulnerabilities – now vulnerability checks are written in JavaScript
  • Ability to analyse website presentation layer to better understand website parameters’ functions
  • Graphical Scan status interface presents you with more scan information
  • Re-scan single vulnerability to avoid launching repetitive scans to verify fixes
  • Support for HTTP Keep-alive
  • DNS Caching to reduce multiple DNS requests
  • Ability to control delay between requests
  • HTTP authentication settings node – support for granular specifications of HTTP credentials
  • Support for digest HTTP authentication mechanism
  • AcuSensor Technology test button to quickly verify installation of remote AcuSensor agent
  • Different variants of the same vulnerability are consolidated under one alert node
  • Ability to specify label or tag instead of actual website parameter name in Input Fields node
  • Option to automatically randomize input for parameters specific in Input Fields node

New security checks:

  • Test for SQL Injection in URI
  • Stored SQL injection
  • Stored file inclusion
  • Stored directory traversal
  • Stored code execution
  • Stored file tampering
  • A whole new set of more advanced WebDav auditing checks
  • Automated form based authentication auditing checks (e.g. check if credentials can be brute forced)

Major Improvements:

  • Consumes less bandwidth
  • Improved network traffic handling
  • HTTP authentication is now shared between all penetration testing tools
  • Improved HTTP Snifffer / Manual crawling process
  • Improved support for Web 2.0 requests and responses e.g. JSON, XML etc
  • Support for a wider variety of content-types
  • Improved Web 2.0 session management support
  • Imrpoved XSS (Cross-site scripting) security checks and detection rate
  • Added a number of new and improved existing web server security auditing techniques
  • Improved file upload security checks
  • Improved DNS auditing scripts