Acunetix Standard & Premium

Improvements

• More updates to the Client Script Analyser (CSA) engine for better Web 2.0 support

Bug fixes

• Fix: Added port in host header for https in manual browsing
• Fixed: Crawler not serving pages to Client Script Analyzer engine on request if pages were already queued
• Fixed: Compare results frame crashed if nodes are expanding while still comparing
• Fixed: CanonicalizeLink was incorrectly interpreted “..” style links

Bug fixes

• Fixed: Replay of recorded login sequences was not working properly in the free version
• Fixed: NTML authentication was not working properly when using specific type of credentials
• Fixed: Crash in Login Sequence Recorder while detecting invalid session on some particular websites
• Bugfix: Fixed XSS tests to automatically follow redirects
• Bugfix: Fixed script error in ASP.NET padding oracle test

New Security Check

• Added a security check for the latest OpenX OFC file upload vulnerability
• Added a ASP.NET security check for the ASP.NET padding Oracle vulnerability

Improvements

• Reduced the number of false positives for Blind SQL injections security checks
• Improved Blind SQL injection tests by adding a number of new tests to detect blind SQL injections in UPDATE/INSERT/…

Bug fixes

• Fixed: Cookie encoding didn’t worked as expected in some cases
• Fixed: Cookie were not always imported from AcuSensor data

New Features

• New scanning engine – faster and reports more vulnerabilities
• New vulnerability verifying techniques to reduce false positives
• New site crawler – ability to crawl a wider range of websites and find more parameters
• Scriptable Vulnerabilities – now vulnerability checks are written in JavaScript
• Ability to analyse website presentation layer to better understand website parameters’ functions
• Graphical Scan status interface presents you with more scan information
• Re-scan single vulnerability to avoid launching repetitive scans to verify fixes
• Support for HTTP Keep-alive
• DNS Caching to reduce multiple DNS requests
• Ability to control delay between requests
• HTTP authentication settings node – support for granular specifications of HTTP credentials
• Support for digest HTTP authentication mechanism
• AcuSensor Technology test button to quickly verify installation of remote AcuSensor agent
• Different variants of the same vulnerability are consolidated under one alert node
• Ability to specify label or tag instead of actual website parameter name in Input Fields node
• Option to automatically randomize input for parameters specific in Input Fields node

New security checks

• Test for SQL Injection in URI
• Stored SQL injection
• Stored file inclusion
• Stored directory traversal
• Stored code execution
• Stored file tampering
• A whole new set of more advanced WebDav auditing checks
• Automated form based authentication auditing checks (e.g. check if credentials can be brute forced)

Major Improvements

• Consumes less bandwidth
• Improved network traffic handling
• HTTP authentication is now shared between all penetration testing tools
• Improved HTTP Snifffer / Manual crawling process
• Improved support for Web 2.0 requests and responses e.g. JSON, XML etc
• Support for a wider variety of content-types
• Improved Web 2.0 session management support
• Imrpoved XSS (Cross-site scripting) security checks and detection rate
• Added a number of new and improved existing web server security auditing techniques
• Improved file upload security checks
• Improved DNS auditing scripts

New Feature

• Added OWASP top 10 2010 report template

Bug Fix

• Fixed: Proxy crashes when processing some specific SSL traffic