Acunetix Standard & Premium

New

• New security checks of AcuSensor Technology
  • curl_exec() url is controlled by user
  • PHP preg_replace used on user input
  • PHP super-globals-overwrite
  • PHP unseriazlie used on user input
• Other new security checks of Acunetix WVS
  • osCommerce authentication bypass
  • Apache Tomcat insecure default administrative password
  • Apache Tomcat directory traversal
  • Checks for PHP invalid data type error messages
  • Check for possible remote SWF inclusion
  • Added further checks for possible sensitive files; general tests per server
  • Added further checks for possible sensitive directories; general tests per server
  • Added a new security check for SQL injection in the authentication header (basic authentication, base64 encoded)
  • Added AlertIfTextNotFound group parameter to invert search and issue an alert if a specified text is not found

Improvements

• Renamed Weak password module to Authentication module since now it includes much more authentication security checks
• Improved Cross-site scripting in URI checks to include Ruby on rails security checks
• Improved Application errors security checks
• Introduced 3 new setting parameters for the crawler in Settings.XML file:
  • 262144
  • 256
  • 1000

Bug Fixes

• Fixed: false positives issued in weak password alert
• Fixed: WSDL importer crash when importing recursive complex elements
• Fixed: Crawler proxy request handling changed to decode the input name/value
• Fixed Vulnerability Editor to show group parameters with default values if no VulnXML template is used
• Changed HTTP_Anomalies to log PHP errors and save the results in a file (instead of alerts)Changed HTTP_Anomalies to log PHP errors and save the results in a file instead of alerts
• Hidden VulnXML properties for alerts that are not using vulnxml default template in Vulnerability Editor
• Adjusted VulnXML to reduce the number of false positives for Blind SQL injection timing tests
• Updated CSA engine; delete the BOM characters from script sources
• Updated URL_Helper; UrlEncode/Decode modified not to use str := str + ch and to validate hex characters after %
• Updated File_Inputs; possible values are limited in size now

Bug Fixes

• Fixed: Memory leak when invoking state change handler
• Fixed: Item index for an item which has just been inserted fails in the Browserframe
• Fixed: Error in indexing the get variables when redirecting in Session management

New

• Added two new blind SQL injection tests
• Added a new scanning profile for stored XSS only
• Added HTTP verb tempering using POST method check

Improvements

• Improved appearance for compliance report by adding visual markets and several other presentation enhancements

Bug Fixes

• Fixed temporary files access issue
• Fixed issue where HTTP Proxy was dublicating the connection: keep-alive header
• Fixed issue where HTTP Proxy was putting the authorization header from fake basic authentication into server request
• Fixed a problem where credentials configured through command line where not working properly in particular situations

New Features

• Manual Intervention module: better support for CAPTCHA and modern authentication mechanisms

Improvements:

• Added new variants of blind SQL injection tests (now testing both AND and OR boolean operators)
• Added new tests for SQL Injection with charset GBK/Big5
• Added new variants for Cross site scripting

Bug Fixes

• Fixed several issues with CSA (Client Script Analyzer) engine.

New Features

• Implemented Blind SQL Injection (timing) for web services scanner
• Implemented HTTP authentication for web services scanner

Bug Fixes

• Fixed problem related to File Inclusion in AcuSensor Technology
• Fixed a problem in ssl_ping network script