Added filename (from file uploads) as an input scheme for a number of tests (XSS, Directory Traversal, SQL Injection, XXE Injection and others)
Implemented a test looking for Java Authentication and Authorization Service (JAAS) authentication bypass (when using a security-constraint section with http-method definitions).
Now it’s possible to read cookie information from scripts (getCookies function).
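The bypass condition the JAAS test looks for comes from how a security-constraint in web.xml is scoped: when a web-resource-collection enumerates http-method elements, only those verbs are protected by the auth-constraint, and any other verb reaches the resource unauthenticated. The following Python script is an added example (not Acunetix code) that audits a web.xml from the defender's side, reporting every authenticated constraint whose verb list leaves standard methods uncovered; the two web.xml fragments are constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Standard HTTP verbs used to illustrate the gap; in practice any verb not
# listed in <http-method> falls outside the constraint, not just these.
STANDARD_METHODS = {"GET", "POST", "PUT", "DELETE", "HEAD", "OPTIONS", "TRACE", "PATCH"}

# Constructed sample: only GET and POST to /admin/* are protected.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: no <http-method> elements, so every verb is protected.
FIXED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    # Real web.xml files carry a namespace; strip the "{ns}" prefix.
    return tag.rsplit("}", 1)[-1]


def _texts(parent, name):
    return [e.text.strip() for e in parent if _local(e.tag) == name and e.text]


def find_verb_gaps(web_xml):
    """Return a finding per authenticated constraint that enumerates verbs.

    Each finding lists the url-patterns, the verbs the constraint protects,
    and the standard verbs that bypass it because they are not listed.
    """
    root = ET.fromstring(web_xml)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        # Without an <auth-constraint> nothing is gated, so there is nothing to bypass.
        if not any(_local(c.tag) == "auth-constraint" for c in sc):
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            listed = {m.upper() for m in _texts(wrc, "http-method")}
            omitted = {m.upper() for m in _texts(wrc, "http-method-omission")}
            if omitted:
                # Servlet 3.0 form: everything is protected except the omitted verbs.
                unprotected = sorted(omitted)
                protected = sorted(STANDARD_METHODS - omitted)
            elif listed:
                unprotected = sorted(STANDARD_METHODS - listed)
                protected = sorted(listed)
            else:
                continue  # no verb list: all methods covered
            findings.append({
                "url_patterns": _texts(wrc, "url-pattern"),
                "protected": protected,
                "unprotected": unprotected,
            })
    return findings


if __name__ == "__main__":
    for label, xml in (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)):
        print(label, find_verb_gaps(xml))
```

The fix shown in FIXED_WEB_XML is to drop the http-method list entirely so the auth-constraint applies to every verb; where a verb genuinely must stay open, http-method-omission names it explicitly, and the script reports that as a deliberate, visible gap rather than a silent one.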
Implemented a test which checks for JavaScript libraries with known vulnerabilities.
Added a new console parameter /Timestamps to print the current timestamp with each console output line.
Improvements
Improved test for WordPress OptimizePress Theme file upload vulnerability.
The scanner will now indicate that a scan can take a long time to complete, allowing the user to tweak the scan settings if needed.
Various improvements to the Login Sequence Recorder.
Improved the test looking for possible form caching (looks for a missing “pragma: no-cache” header).
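The form-caching check boils down to inspecting a response that carries a form and confirming the caching headers are present. The Python function below is an added example (not the scanner's own implementation) that parses a raw HTTP response, and, when the body contains a form, reports which of the two expected headers is missing; the check assumes Cache-Control must include no-store and Pragma must be no-cache, and the sample responses are constructed.

```python
import re

# Constructed response: a login form served with no caching directives.
VULN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><form method=\"post\" action=\"/login\">"
    "<input type=\"password\" name=\"pw\"></form></body></html>"
)

# Constructed response: same form with both headers set.
SAFE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "\r\n"
    "<html><body><form method=\"post\" action=\"/login\">"
    "<input type=\"password\" name=\"pw\"></form></body></html>"
)


def parse_response(raw):
    """Split a raw HTTP response into (headers dict, body).

    Header names are lower-cased; repeated headers are joined with commas,
    which is how Cache-Control values combine anyway.
    """
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        name = name.strip().lower()
        value = value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return headers, body


def check_form_caching(raw):
    """Return which anti-caching headers are missing on a page that has a form."""
    headers, body = parse_response(raw)
    has_form = re.search(r"<form\b", body, re.IGNORECASE) is not None
    missing = []
    if has_form:
        cc_tokens = {t.strip().lower() for t in headers.get("cache-control", "").split(",")}
        if "no-store" not in cc_tokens:
            missing.append("Cache-Control: no-store")
        if headers.get("pragma", "").strip().lower() != "no-cache":
            missing.append("Pragma: no-cache")
    return {"has_form": has_form, "missing": missing}


if __name__ == "__main__":
    print("vulnerable:", check_form_caching(VULN_RESPONSE))
    print("fixed:     ", check_form_caching(SAFE_RESPONSE))
```

Pages without a form produce no finding, which keeps the check focused on responses where cached content could actually expose submitted credentials or pre-filled fields.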
It is now possible to use multiple input values for HTML inputs using the format: $(choice1,choice2). These can be configured from Configuration > Scan Settings > Input Fields.
Speed improvements gained by streamlining the number of requests performed by some checks.
Better handling of some uncommon HTTP status codes.
The user-agent of the Login Sequence Recorder can now be configured to use the one configured in WVS (by default, it uses Internet Explorer).
Directory Traversal script now provides better handling of Java web applications.
Improved the calculation of the average response time during a scan.
Bug Fixes
Sites with a high response time were showing incorrect scan statistics.
Fixed rewrite detection on nginx servers with phpfastcgi.
Fixed some false positives in the SQL Statement in Comment check.
Better handling of very long VIEWSTATE strings.
Improved handling of Windows-based websites by providing better support for case-insensitive filesystems.
Fixed Scan from HTTP Proxy log entry, which was not working correctly.
Fixed a crash caused by specific characters in the URL-encoded POST data.
Fixed a false positive in Script_Source_Code_Disclosure.script.
Fixed some false positives in error messages.
Web Services: fixed Out of Bounds error when importing invalid WSDLs.