Acunetix Standard & Premium

New Security Check

• Acunetix WVS checks if your PHP-CGI installation is vulnerable to remote code execution. For further information regarding this type of vulnerability, read the PHP-CGI advisory article here.

New Features

• Ability to edit scheduled scans. No need for scheduling new scans every time you wish to change a scan setting.
• Amend multiple scheduled scans simultaneously by selecting them and applying the required global changes.
• Save all your scanned results and access them at any time from your scheduler’s scan history. You can also delete your scanned results from the web-based scheduler.
• A new setting has been introduced to configure the maximum number of pages during a crawl.

Improvements

• Improved Cross-Site Scripting (XSS) tests.
• The web-based scheduler has been improved to run better in the latest version of Internet Explorer.
• Enhanced SQL injection tests to reduce the false positives reporting even more.

Bug Fixes

• The scheduled scans can be correctly imported after upgrading to a more recent build of Acunetix WVS 8.
• The false positives settings node can now support changes from multiple instances at the same time.
• Web Service Definition Language (WSDL) Scanner URL edit box is now able to save history.

New Security Checks

• Acunetix WVS 8 runs security tests for Joomla 1.6.x/1.7.x/2.5.x Privilege Escalation
• Acunetix WVS 8 provides security tests Joomla 1.7/2.5 Core SQL Injection

Improvements

• More advanced security checks for MongoDB and Rails Mass Assignment.

Bug Fixes

• The crash in the Login Sequence Recorder has been fixed.
• The Login Sequence Recorder is accurately parsing websites which send back GZIP encoded content, even if it was not specified in the Accept-Encoding header.
• The Acunetix Reporter has improved the handling of missing scans reports.
• The Acunetix Reporter Console supports spaces within the specified parameters.
• The Acunetix Reporter accepts longer input names.

New Features

• Manipulation of inputs from URL’s
• Automatic IIS 7 rewrite rule interpretation
• Support for custom HTTP headers during automated scans
• Imperva Web Application Firewall integration
• Multiple instance support for scanning multiple websites in parallel
• New web-based Scheduler
• Automatic custom 404 error page recognition and detection
• Scan settings templates
• Simplified Scan Wizard
• Smart memory management
• Real-time Crawler status
• Scan termination status included in report
• Web application coverage report
• Configuration of log files retention

New Vulnerability Classes Checks

• HTTP Parameter Pollution
• MongoDB Injection
• NodeJs Injection
• Expression Language Injection

New Web Security Audit Checks

• Check website content for Bazaar source code repository
• Check website content for Mercurial source code repository
• Check website content for source code GIT repository
• Disclosure of HTML Forms in redirect pages
• Security audit of alternative PHP cache
• Check for insecure preg replace in PHP
• Apache httpOnly Cookie Disclosure
• Elmah Information Disclosure
• Checks for Options web server method
• PHP Hash Collision Denial Of Service
• Plone&Zope Remote Command Execution
• Checks for Reverse Proxy bypass
• CakePHP web application Audit
• Web applications Configuration File Disclosure
• phpThumb web application audit
• Struts2 Remote Code Execution
• Tiny MCE web application audit
• Uploadify web application audit
• Webmail web application audit

Improved the Web Security Audit Scripts for

• SQL Injection
• XSS (Cross site scripting)
• Code Execution
• CRLF Injection
• Directory Traversal
• File Inclusion
• PHP Code Execution
• Backup Files
• Sensitive Text Search
• Secure Socket Layer configuration
• Error Messages
• ASP.NET Application Trace
• .htaccess File Configuration
• Http Verb Tampering
• PHPInfo / PHP Configuration
• Possible Sensitive Directories Disclosure
• Possible Sensitive Files Disclosure
• SQL Injection In Basic Authentication
• SQL Injection In URI
• SVN Repository Disclosure
• Trojan Scripts
• File Upload Form Audits
• Generic Oracle Padding
• Web Form based Authentication
• LDAP Injection
• Script Source Code Disclosure
• XFS and Redir
• XPath Injection
• Apache Geronimo Default Administrative Credentials
• ColdFusion v9 Solr Exposed
• Error Pages with Path Disclosure
• Frontpage Authors Passwords
• Frontpage Extensions Enabled
• IIS Unicode Directory Traversal
• JBoss Web Server Configuration
• Unprotected phpMyAdmin Interface
• Web Server Version Checks
• XML External Entity Injection
• FCKEditor security audit
• Struts2 XWork Remote Code Execution

Improvements

• Smart Memory management (ability to scan larger websites)
• Detection of more web security vulnerability variants

New Security Check

• Security check for Apache httpd remote denial of service

Improvements

• Firefox plugin now supports Firefox v.6
• Inclusion of more variables discovered by Acusensor during a scan

Bug Fixes

• Fixed HTTP verb tampering security checks with further reduction of false positives
• Paths edited in HTTP Authentication settings node are being saved correctly
• Actions menu is appearing correctly in the Small Business Edition

New Feature

• Included IMAGE tag with source in crawler for more detailed crawling data.

Improvements

• Improved Cross-site scripting checks.
• Introduced a number of improvements in the Client Script Analyzer (CSA) module for better Web 2.0 crawling.

Bug Fixes

• Fixed crash in Login Sequence Recorder when accessing specific sites with frames.
• Fixed Access Violation in fuzzer if XML filetype is selected and set an invalid filename.
• Fixed issue when authenticating against websites using Digest and NTLM.
• Fixed a file browser crash if visualizing file during scanning.
• Fixed a crash when loading saved scans from specific websites.
• Corrected interpretion of HTML encoding in Crawler.
• Fixed Access Violation in Fuzzer