Acunetix Premium Changelogs

v10.5.20160427 - 27 Apr 2016

Copy Link Copy Link

Build v10.5.20160427 - 27th April 2016

New Features

New version of .NET AcuSensor (requires removal of the sensors installed in the web applications – check this blog post for more info)
Implemented a test looking for JSP source code disclosure via SOH (start of header)
Added a script for parsing specific Java error messages to improve crawling coverage and discover new content.

Improvements

Improved backup config files discovery
Request cookies will now be automatically processed from proxy log requests and used during a scan
The Crawler now processes untrusted URLs even if they do not belong to the host being scanned.

Bug Fixes

Fixed a number of false positives in the SQL injection vulnerability checks
Limit AST parsing to files smaller than 1Mb
Fixed an SQL injection vulnerability in the reporter.

v10.5.20160302 - 02 Mar 2016

Copy Link Copy Link

Update v10.5.20160302 - 2nd March 2016

New Features

New Vulnerability check for DROWN attack – CVE-2016-0800
New vulnerability checks for Rails remote code execution using render :inline – CVE-2016-2098
New vulnerability checks for various AmCharts SWF XSS vulnerabilities
New vulnerability checks for vulnerabilities in Google Referrer search query
New vulnerability checks for Adobe Flex 3 DOM-based XSS vulnerability and other Adobe Flex vulnerabilities.

v10.5.20160215 - 16 Feb 2016

Copy Link Copy Link

Build v10.5.20160215 - 16th February 2016

New Features

Implemented support for automatically scanning Drupal and Joomla! web applications using a proprietary database of vulnerabilities
Implemented support for CVSS v3.0 for most vulnerabilities
Added a test for HTTP Response Splitting in Node.js (CVE-2016-2216)
Added a test for Magento Cacheleak vulnerability
Added a test looking for ASP.NET diagnostic pages
Implemented a test looking for XXE (XML External Entity injection) in SAML (Security Assertion Markup Language) payloads
Added a test for vulnerabilities presented in the Perl Jam 2 presentation
Added a test for Atlassian Jira 6.0.* <= 6.1.4 DOM-based XSS
Added a test for AngularJS client-side template injection
Added a test for Rails Dynamic Render to RCE (CVE-2016-0752)
Added a test looking for LiteSpeed request header injection
Added a test for Path Traversal in Oracle GlassFish Server Open Source Edition
Parse Javascript files using an Abstract Syntax Tree Parser to extract various information useful for the crawler.

Improvements

Improved Blind and Error-based SQL injection tests
Improved XSS tests
Big improvements to the XXE (XML External Entity) tests
Improved static crawling by parsing of JavaScript event handler parameters.
Improve Email header injection test based on the paper from http://www.mbsd.jp/Whitepaper/smtpi.pdf

v10.0.20151125 - 26 Nov 2015

Copy Link Copy Link

Build v10.0.20151125 - 26th November 2015

New Features

Added a test looking for insecure CORS configurations.
Added a test looking for CVE-2014-7829 – Arbitrary file existence disclosure in Action Pack.
Added a test looking for Rails application running in development mode.
Added a test looking for CVE-2015-7808 vBulletin 5 PreAuth RCE.
Added a test looking for Insecure DNS records
Added a test looking for Spring Boot Actuator
Added a test looking for Tornado Debug mode
Added a test looking for Pyramid Debug mode
Implemented PHP object deserialization of user-supplied data
Added a test looking for older versions of the ZeroClipboard SWF library that are vulnerable to a cross-site scripting vulnerability.

Improvements

Updated WordPress plugins and WordPress core checks.
Improved tests for possible sensitive directories and sensitive files.
Improved Apache Axis audit script.
Added a test for Java object deserialization of user-supplied data
Various improvements for XSS detection.
Improved HTML structural parser and added allow to robots.txt parser
Added support for WADL files when served using content-type application/vnd.sun.wadl+xml

Bug Fixes

Fixed crash cause during auto session detection.
Security fix for privilege escalation reported by security researcher Daniele Linguaglossa

v10.0.20151028 - 28 Oct 2015

Copy Link Copy Link

Build v10.0.20151028 - 28th October 2015

Improvements

Improved the description for all the vulnerability checks in Scanning Profiles

v10.0.20151026 - 26 Oct 2015

Copy Link Copy Link

Build v10.0.20151026 - 26th October 2015

Bug Fixes

Bug limiting the number of external hosts in kbase
Fixed a issue which caused the scanner to crash
Some script dependencies could cause the scan to not finish
Importer crash when user user cancels the importation
Fixed syntax error affecting Chinese Windows
Restrictions configured in LSR where not taken into consideration in some POST requests

v10.0.20150921 - 22 Sep 2015

Copy Link Copy Link

Build v10.0.20150921 - 22nd September 2015

New Features

Added a new test looking for development configuration files such as Vagrantfile, Gemfile, Rakefile and others
Added a test for Insecure response with wildcard ‘*’ in Access-Control-Allow-Origin
Added detection of Cross Site Scripting (XSS) in the mobile-touch event handlers
Added a test for CVE-2015-5956 – Typo3 Core sanitizeLocalUrl() Non-Persistent Cross-Site Scripting
Added a test looking for CVE-2015-5603: HipChat for JIRA plugin – Velocity Template Injection
Added a test looking for vulnerable project dependencies by analyzing the contents of composer.lock
Added a test for CVE-2015-5161 – XML eXternal Entity Injection (XXE) on PHP FPM (FastCGI Process Manager), affecting various versions of Zend Framework and ZendXML
Added a test for CVE-2014-0114 – Class Loader Manipulation via Request Parameters affecting Apache Struts 1
Added a test for CVE-2015-4670: Directory Traversal to Remote Code Execution in AjaxControlToolkit
Added a test looking for sensitive files such as .mysql_history, .bash_history and others. Acunetix will verify the contents of these files to reduce false positives caused by custom 404s.

Improvements

Updated database of WordPress core and plugin vulnerabilities.
Added more checks for vulnerable JavaScript libraries.
Improved WADL parsing to support more representation types.

Bug Fixes

Fixed some false positives in JavaScript libraries audit.
Fixed a false positive in File Inclusion script.
Fixed an issue causing JSON and XML inputs not being checked for XSS.
Fixed SSL audit bug that is triggered when server_name extension was not sent to the server during SSL negotiation.

v10.0.20150820 - 20 Aug 2015

Copy Link Copy Link

Build v10.0.20150820 - 20th August 2015

New Features

Added a test for Server-Side Template Injection vulnerability.
Added tests for new WordPress (core and plugins) vulnerabilities.
Added a test checking for Django Debug Mode

Improvements

Improved CRLF injection/HTTP response splitting tests
Improvements to the XSS testing script
Updated Payment Card Industry (PCI) report to PCI 3.1
Updated DISA Application Security and Development STIG report to V3R10
LSR updated to support all SSL cipher suites

Bug Fixes

Fixed a crash in WSDL scanner
Various updates and fixes in the Login Sequence Recorder
DeepScan blocks on a specific sites
Fixed bug in Scan wizard
Crash in Scan wizard when choosing a non-existent login sequence file name
Crawler starturl was incorrectly set to http instead of https when importing from proxy log

v10.0.20150623 - 24 Jun 2015

Copy Link Copy Link

Build v10.0.20150623 - 24th June 2015 - NEW VERSION

New Features

New Login Sequence Recorder which supports Single-Sign-On (SSO) and OAuth-based authentication.
Database of 1200 WordPress-specific vulnerabilities, including checks for WordPress core and popular WordPress plugins.
Improved scanning of Java / J2EE web applications
Improved scanning of Restful Web Services, including parsing of WADL files
Improved scanning of web applications implemented in Ruby on Rails
Detection of XML External Entity (XXE) via REST APIs
Crawling a website can now be pre-seeded using HAR files and exports from Fiddler, Burp, Selenium and the Acunetix Sniffer
Introduced the detection of links to websites known to host malware or used for phishing
Improved support for WSDL-based web services by introducing support for xsd:include, xsd:import and wsdl:import

Acunetix Standard & Premium

New Features

Improvements

Bug Fixes

New Features

New Features

Improvements

New Features

Improvements

Bug Fixes

Improvements

Bug Fixes

New Features

Improvements

Bug Fixes

New Features

Improvements

Bug Fixes

New Features