Acunetix Standard & Premium

New Features

• FULL support for HTML5
• Introduced DeepScan Technology which enhances crawling of JavaScript based web sites, including AJAX and Single Page Applications (SPA). DeepScan is powered by WebKit.
• Improved support for mobile friendly web sites
  • Improved ability to crawl such sites
  • User is given option to scan mobile friendly version of website
• Drastically increased the detection of DOM-based XSS
• Launched Acunetix AcuMonitor used to detect vulnerabilities that can only be detected using an intermediate server. The use of AcuMonitor requires registration.
• Detection of Blind XSS using AcuMonitor
• Detection of Server Side Request Forgery (SSRF) using AcuMonitor
• Detection of Host Header Attacks using AcuMonitor
• Detection of Email Header Injection using AcuMonitor
• Detection of XML External Entity (XXE) using AcuMonitor
• New parameter: /SaveCrawlerData. This new parameter can be used to save the crawler data following a scan from command line.
• At the end of a scan, the command line output includes scan statistics showing the number of files detected, number of requests, average response and other data which is shown in the main application.
• Introduced http://testhtml5.vulnweb.com – a new HTML 5 test site which hosts various HTML5 specific vulnerabilities

Improvements

• Blind SQL Injection script has been revamped and now provides better detection and significantly reduces false positives
• Crawler has been updated to support 303 and 307 HTTP Redirection Status codes
• Updated HTML Authentication Auditing script
• When a vulnerability is identified, Acunetix will stop checking for variations of the vulnerability. This decreases the scan time, and prevents reporting the same vulnerability multiple times on the same input field.
• HTTP Authentication now allows saving of websites with underscore in the domain names
• Backup file script has been updated to not display large binary files in HTTP editor.

Bug Fixes

• Fixed non-responsive user interface caused when saving scan results.
• Fixed issue where some scans incorrectly reported the alert ‘Password type input with auto-complete enabled’ multiple times incorrectly.
• Some scans used to run the perServer scripts twice, thus taking longer and reporting the same vulnerability twice.
• Scheduler sometimes reported an ‘Unknown State’ when a scan is cancelled.
• Various other bug fixes

New Features

• Added a test that enumerates valid WordPress usernames using various techniques.
• Added a test for weak WordPress passwords for the usernames identified during the scan.
• Added a test that identifies common WordPress plugins. For each plugin identified, Acunetix WVS will try to enumerate the plugin name, short description, installed version and latest version of the plugin. This information is shown in a Knowledge Base item.
• Added a test that identifies Amazon S3 public buckets.
• Added a test for the security hotfix for ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX (Adobe Vulnerability ID: APSB13-10; CVE-2013-1387, CVE-2013-1388)
• Added a test looking for Apache Tomcat SessionExample servlet that can allow session manipulation.
• Added a test for Drupal Views Module Information Disclosure Vulnerability.
• Added a test for Gallery v3.0.4 Remote Code Execution.
• Added a test for Jenkins Dashboard (http://jenkins-ci.org/).
• Added a test for Roundcube Webmail Security updates 0.8.6 and 0.7.3.
• Added a test for WordPress 3.4.2 Cross Site Request Forgery.
• Added a test looking for a Cross-Site Scripting vulnerability in older versions of jQuery which affected Drupal amongst others.
• Added a test looking for SQL Injection in Symphony v2.3.1 (CVE-2013-2599)

Improvements

• Client Script Analyser: Optimized script source retrieval (modernizr-2.5.3.js)
• Improved XSS in URI script to test for Apache Tomcat Path Parameters.
• Improved WordPress Pingback Scanner test.
• Improved Blind SQL Injection script.
• Improved Crossdomain_XML script.
• Improved Directory Traversal script.
• Improved Error_Message script.
• Improved URL redirection script.
• Improved XSS testing script.
• The amount of input schemes has been reduced for known applications, improving the scan performance for such web applications.

Bug Fixes

• Fixed an issue which caused false positives to occasionally show up in the report for Scheduled Scans.
• Better handling for META http-equiv=”refresh” tags by the Crawler.
• Fixed an issue in error_messages_helpers.inc script.
• Fixed a minor bug in the Scheduler UI (Bug ID: 364)
• North and South Korea are now correctly identified in the Product Activation Wizard.
• Scans were sporadically entering a loop when scanning certain sites using a login sequence and the CSRF check was enabled.
• WebApps scripts were being invoked even though they were excluded in the scanning profile

New Features

• New 14 day Evaluation version will replace the Free Edition. Evaluating users can now perform full scans of the Acunetix test websites and of their websites. The Evaluation version has the following limitations:
  • The vulnerability details are only shown when scanning Acunetix test websites
  • Results cannot be saved
  • Reports are disabled
  • Scheduled scans are disabled

Improvements

• Changed prioritisation of TLS protocol over SSLv3. This provides better support for IIS 7.5 web servers, which previously refused connections from Acunetix Web Vulnerability Scanner.

Bug Fixes

• Fixed crash that occurs when the Scan Wizard is used while the Login Sequence Recorder is running
• Fixed crash in Session Manager

New Security Checks

• New PHP code execution test for Invision Power Board

Improvements

• We’ve improved the Acunetix SDK by introducing a new UI for selecting script targets
• All web security scripts now send the Referrer header during tests, which means that websites that check referrers can now be scanned properly.
• The XSS security script has been further improved.

Bug Fixes

• We’ve added a cache-control HTTP header to crawler requests.
• Several issues in the crawler have been fixed so you can now crawl larger websites

New Features

• Added a new option to allow offline activation of Acunetix WVS
• Added heauristic input limitations in crawler for more efficient scanning

New Security Checks

• SQL Injection tests for OpenX web application
• Cross-site scripting checks for IBM Lotus Domino Web Server
• Search for MySQL connection details when scanning a website
• Detection of phpMyAdmin v3.5.2.2 backdoor

Improvements:

• Further enhanced the XSS security check
• Improved Remote file inclusion security check
• Local file inclusion tests have been improved to better handle Java based applications
• When importing scan results to reporting database using the console, the database scan ID will be reported

Bug Fixes

• Fixed a crash when trying to stop the crawler and the CSA engine was still working
• User specified client certificates are now being used by the Login Sequence Recorder
• The exit button from LSR was not fully visible in some situations
• Login Sequence Recorder now uses the configured scan settings templates
• Manual browser now uses the correct user specified User-Agent string