New Features
- Added a test looking for insecure CORS configurations.
- Added a test looking for CVE-2014-7829 – Arbitrary file existence disclosure in Action Pack.
- Added a test looking for Rails application running in development mode.
- Added a test looking for CVE-2015-7808 vBulletin 5 PreAuth RCE.
- Added a test looking for Insecure DNS records
- Added a test looking for Spring Boot Actuator
- Added a test looking for Tornado Debug mode
- Added a test looking for Pyramid Debug mode
- Implemented PHP object deserialization of user-supplied data
- Added a test looking for older versions of the ZeroClipboard SWF library that are vulnerable to a cross-site scripting vulnerability.
Improvements
- Updated WordPress plugins and WordPress core checks.
- Improved tests for possible sensitive directories and sensitive files.
- Improved Apache Axis audit script.
- Added a test for Java object deserialization of user-supplied data
- Various improvements for XSS detection.
- Improved HTML structural parser and added allow to robots.txt parser
- Added support for WADL files when served using
content-type application/vnd.sun.wadl+xml
Bug Fixes
- Fixed crash cause during auto session detection.
- Security fix for privilege escalation reported by security researcher Daniele Linguaglossa