Update v10.5.20160520 – 20th May 2016

Bug Fixes

• Fixed minor bugs reported

Update v10.5.20160510 – 10th May 2016

New Features

• New check for WordPress 4.5.2 Security Release

Build v10.5.20160504 – 5th May 2016

Improvements

• Updated the PCI DSS compliance report for PCI DSS 3.2
• Updated the NIST Special Publication 800-53 – Recommended Security Controls for Federal Information Systems compliance report to comply with revision 4 of the publication

Bug Fixes

• Fixed a bug that could result in remote code execution

Build v10.5.20160427 – 27th April 2016

New Features

• New version of .NET AcuSensor (requires removal of the sensors installed in the web applications – check this blog post for more info)
• Implemented a test looking for JSP source code disclosure via SOH (start of header)
• Added a script for parsing specific Java error messages to improve crawling coverage and discover new content.

Improvements

• Improved backup config files discovery
• Request cookies will now be automatically processed from proxy log requests and used during a scan
• The Crawler now processes untrusted URLs even if they do not belong to the host being scanned.

Bug Fixes

• Fixed a number of false positives in the SQL injection vulnerability checks
• Limit AST parsing to files smaller than 1Mb
• Fixed an SQL injection vulnerability in the reporter.

Update v10.5.20160302 – 2nd March 2016

New Features

• New Vulnerability check for DROWN attack – CVE-2016-0800
• New vulnerability checks for Rails remote code execution using render :inline – CVE-2016-2098
• New vulnerability checks for various AmCharts SWF XSS vulnerabilities
• New vulnerability checks for vulnerabilities in Google Referrer search query
• New vulnerability checks for Adobe Flex 3 DOM-based XSS vulnerability and other Adobe Flex vulnerabilities.

Build v10.5.20160215 – 16th February 2016

New Features

• Implemented support for automatically scanning Drupal and Joomla! web applications using a proprietary database of vulnerabilities
• Implemented support for CVSS v3.0 for most vulnerabilities
• Added a test for HTTP Response Splitting in Node.js (CVE-2016-2216)
• Added a test for Magento Cacheleak vulnerability
• Added a test looking for ASP.NET diagnostic pages
• Implemented a test looking for XXE (XML External Entity injection) in SAML (Security Assertion Markup Language) payloads
• Added a test for vulnerabilities presented in the Perl Jam 2 presentation
• Added a test for Atlassian Jira 6.0.* <= 6.1.4 DOM-based XSS
• Added a test for AngularJS client-side template injection
• Added a test for Rails Dynamic Render to RCE (CVE-2016-0752)
• Added a test looking for LiteSpeed request header injection
• Added a test for Path Traversal in Oracle GlassFish Server Open Source Edition
• Parse Javascript files using an Abstract Syntax Tree Parser to extract various information useful for the crawler.

Improvements

• Improved Blind and Error-based SQL injection tests
• Improved XSS tests
• Big improvements to the XXE (XML External Entity) tests
• Improved static crawling by parsing of JavaScript event handler parameters.
• Improve Email header injection test based on the paper from http://www.mbsd.jp/Whitepaper/smtpi.pdf

 

Build v10.0.20151125 – 26th November 2015

New Features

• Added a test looking for insecure CORS configurations.
• Added a test looking for CVE-2014-7829 – Arbitrary file existence disclosure in Action Pack.
• Added a test looking for Rails application running in development mode.
• Added a test looking for CVE-2015-7808 vBulletin 5 PreAuth RCE.
• Added a test looking for Insecure DNS records
• Added a test looking for Spring Boot Actuator
• Added a test looking for Tornado Debug mode
• Added a test looking for Pyramid Debug mode
• Implemented PHP object deserialization of user-supplied data
• Added a test looking for older versions of the ZeroClipboard SWF library that are vulnerable to a cross-site scripting vulnerability.

Improvements

• Updated WordPress plugins and WordPress core checks.
• Improved tests for possible sensitive directories and sensitive files.
• Improved Apache Axis audit script.
• Added a test for Java object deserialization of user-supplied data
• Various improvements for XSS detection.
• Improved HTML structural parser and added allow to robots.txt parser
• Added support for WADL files when served using content-type application/vnd.sun.wadl+xml

Bug Fixes

• Fixed crash cause during auto session detection.
• Security fix for privilege escalation reported by security researcher Daniele Linguaglossa

 

Build v10.0.20151028 – 28th October 2015

Improvements

• Improved the description for all the vulnerability checks in Scanning Profiles

Build v10.0.20151026 – 26th October 2015

Bug Fixes

• Bug limiting the number of external hosts in kbase
• Fixed a issue which caused the scanner to crash
• Some script dependencies could cause the scan to not finish
• Importer crash when user user cancels the importation
• Fixed syntax error affecting Chinese Windows
• Restrictions configured in LSR where not taken into consideration in some POST requests

Build v10.0.20150921 – 22nd September 2015

New Features

• Added a new test looking for development configuration files such as Vagrantfile, Gemfile, Rakefile and others
• Added a test for Insecure response with wildcard ‘*’ in Access-Control-Allow-Origin
• Added detection of Cross Site Scripting (XSS) in the mobile-touch event handlers
• Added a test for CVE-2015-5956 – Typo3 Core sanitizeLocalUrl() Non-Persistent Cross-Site Scripting
• Added a test looking for CVE-2015-5603: HipChat for JIRA plugin – Velocity Template Injection
• Added a test looking for vulnerable project dependencies by analyzing the contents of composer.lock
• Added a test for CVE-2015-5161 – XML eXternal Entity Injection (XXE) on PHP FPM (FastCGI Process Manager), affecting various versions of Zend Framework and ZendXML
• Added a test for CVE-2014-0114 – Class Loader Manipulation via Request Parameters affecting Apache Struts 1
• Added a test for CVE-2015-4670: Directory Traversal to Remote Code Execution in AjaxControlToolkit
• Added a test looking for sensitive files such as .mysql_history, .bash_history and others. Acunetix will verify the contents of these files to reduce false positives caused by custom 404s.

Improvements

• Updated database of WordPress core and plugin vulnerabilities.
• Added more checks for vulnerable JavaScript libraries.
• Improved WADL parsing to support more representation types.

Bug Fixes

• Fixed some false positives in JavaScript libraries audit.
• Fixed a false positive in File Inclusion script.
• Fixed an issue causing JSON and XML inputs not being checked for XSS.
• Fixed SSL audit bug that is triggered when server_name extension was not sent to the server during SSL negotiation.

Build v10.0.20150820 – 20th August 2015

New Features

• Added a test for Server-Side Template Injection vulnerability.
• Added tests for new WordPress (core and plugins) vulnerabilities.
• Added a test checking for Django Debug Mode

Improvements

• Improved CRLF injection/HTTP response splitting tests
• Improvements to the XSS testing script
• Updated Payment Card Industry (PCI) report to PCI 3.1
• Updated DISA Application Security and Development STIG report to V3R10
• LSR updated to support all SSL cipher suites

Bug Fixes

• Fixed a crash in WSDL scanner
• Various updates and fixes in the Login Sequence Recorder
• DeepScan blocks on a specific sites
• Fixed bug in Scan wizard
• Crash in Scan wizard when choosing a non-existent login sequence file name
• Crawler starturl was incorrectly set to http instead of https when importing from proxy log

Build v10.0.20150623 – 24th June 2015 – NEW VERSION

New Features

• New Login Sequence Recorder which supports Single-Sign-On (SSO) and OAuth-based authentication.
• Database of 1200 WordPress-specific vulnerabilities, including checks for WordPress core and popular WordPress plugins.
• Improved scanning of Java / J2EE web applications
• Improved scanning of Restful Web Services, including parsing of WADL files
• Improved scanning of web applications implemented in Ruby on Rails
• Detection of XML External Entity (XXE) via REST APIs
• Crawling a website can now be pre-seeded using HAR files and exports from Fiddler, Burp, Selenium and the Acunetix Sniffer
• Introduced the detection of links to websites known to host malware or used for phishing
• Improved support for WSDL-based web services by introducing support for xsd:include, xsd:import and wsdl:import

• 1
• 2
• 3
• 4
• 5
• 6
• 7
• 8
• 9
• 10
• 11
• 12