Acunetix Standard & Premium

New Features

• New 14 day Evaluation version will replace the Free Edition. Evaluating users can now perform full scans of the Acunetix test websites and of their websites. The Evaluation version has the following limitations:
  • The vulnerability details are only shown when scanning Acunetix test websites
  • Results cannot be saved
  • Reports are disabled
  • Scheduled scans are disabled

Improvements

• Changed prioritisation of TLS protocol over SSLv3. This provides better support for IIS 7.5 web servers, which previously refused connections from Acunetix Web Vulnerability Scanner.

Bug Fixes

• Fixed crash that occurs when the Scan Wizard is used while the Login Sequence Recorder is running
• Fixed crash in Session Manager

New Security Checks

• New PHP code execution test for Invision Power Board

Improvements

• We’ve improved the Acunetix SDK by introducing a new UI for selecting script targets
• All web security scripts now send the Referrer header during tests, which means that websites that check referrers can now be scanned properly.
• The XSS security script has been further improved.

Bug Fixes

• We’ve added a cache-control HTTP header to crawler requests.
• Several issues in the crawler have been fixed so you can now crawl larger websites

New Features

• Added a new option to allow offline activation of Acunetix WVS
• Added heauristic input limitations in crawler for more efficient scanning

New Security Checks

• SQL Injection tests for OpenX web application
• Cross-site scripting checks for IBM Lotus Domino Web Server
• Search for MySQL connection details when scanning a website
• Detection of phpMyAdmin v3.5.2.2 backdoor

Improvements:

• Further enhanced the XSS security check
• Improved Remote file inclusion security check
• Local file inclusion tests have been improved to better handle Java based applications
• When importing scan results to reporting database using the console, the database scan ID will be reported

Bug Fixes

• Fixed a crash when trying to stop the crawler and the CSA engine was still working
• User specified client certificates are now being used by the Login Sequence Recorder
• The exit button from LSR was not fully visible in some situations
• Login Sequence Recorder now uses the configured scan settings templates
• Manual browser now uses the correct user specified User-Agent string

New Feature

• Acunetix WVS will alert the user if a web application firewall or IDS are detected

New Security Checks

• Added a security check for FCKeditor cross site scripting vulnerability
• Added a test for Liferay json Auth Bypass
• Acunetix WVS now checks for Server Side Request Forgery
• Added several security checks for IBM Tivoli Access Manager Web Server vulnerabilities
• New security check for vulnerabilities in SharePoint Could Allow Elevation of Privilege (MS12-050)
• Acunetix WVS now cheks for several DotNetNuke vulnerabilities (popular ASP.NET CMS)
• Added a new security check for exposed Apache Solr Service
• Remote code execution tests for Umbraco asp.net CMS software
• Check for SWFUpload applet vulnerability in a large number of web applications
• Added security checks for user controllable scripts and charsets

Improvements

• Cross-site scripting (XSS) security checks were improved
• HTTP Verb Tapering security script now bruteforces common or sensitive files and directories

Bug Fixes

• Fixed: Incorrect handling of Internet Explorer’s Javascript substr implementation
• Fixed: Login Sequence Recorder; ssl_write result was not handled correctly resulting in data not rendering correctly
• Fixed: Display problem; alert/child count was not displayed correctly in some cases
• Fixed: Developer report was not showing long urls in coverage report
• Fixed: Saved credentials were not persistent in general settings

New Security Checks

• New security checks for Microsoft SharePoint.
• Debug Parameters test offers you the ability to check your web applications if common debug parameters, such as “?debug=1” disclose sensitive information.
• New Cross-Site Scripting checks for Ruby on Rails / Homakov variants.
• Security check for JetBrains .idea project directory.
• ToolsPack backdoor verification.
• Security check for Fantastico_Filelist information disclosure.
• Tests for authentication bypass vulnerabilities in MySQL, MariaDB (CVE-2012-2122).
• Check for Nginx restrictions bypass (CVE-2011-4963).
• New checks when phpinfo() page is discovered: all html in such page is parsed and various alerts are issued reporting PHP configuration problems (display_errors on, register_globals etc).

New Features

• Ability to export report in the Report Viewer.
• Alerts you when HTML forms do not have CSRF protection.

Improvements

• Rewrote the ASP_NET_Oracle_Padding security script.
• Improved SVN/GIT repository security scripts.
• Improved presentation for all the alerts generated by crawler by showing more attack details.

Bug Fixes

• Login sequence recorder is now using the configured user-agent.
• Cookies path parameters are better supported.
• The scheduler authentication checkbox is restored properly if you press “Cancel”.
• Fixed theTrace/Track HTTP method test security script issue.
• The input forms which are part of the login sequence are no longer filled with HTML forms pre-configured data.
• Fixed the namespaces issue on the Web Services scanner.
• Corrected the requests which are generated by the scan results imported from the Firefox extension.
• Blind SQL injection now reports the correct value in the alert details.
• Fixed the Jquery problem: CSA select html element and options are now correctly handled.