Build v7.0.20111005 – 5th October 2011
New Features
- The Client Script Analyzer engine now supports jQuery, jQuery UI, and YUI Library
- New URL Rewrite option: Match full URI. When enabled, a URL rewrite rule can be matched against the whole URI and not just the path
Improvements
- Major AcuSensor improvements for PHP
- Inclusion of more variables discovered by AcuSensor during a scan
Bug Fixes
- Login Sequence Recorder uses the specified Proxy settings correctly
Build v7.0.20110920 – 20th September 2011
New Security Check
- Security check for Apache httpd remote denial of service
Improvements
- Firefox plugin now supports Firefox v.6
- Inclusion of more variables discovered by AcuSensor during a scan
Bug Fixes
- Fixed HTTP verb tampering security checks with further reduction of false positives
- Paths edited in HTTP Authentication settings node are being saved correctly
- Actions menu is appearing correctly in the Small Business Edition
Build v7.0.20110823 – 23rd August 2011
New Security Checks
- Complex security check for Timthumb (detects WordPress installations and checks for vulnerable plugins and themes)
- Includes bruteforcing capabilities to look for plugins/themes that contain the Timthumb script
- Security check for Sun/Oracle GlassFish Server Authentication Bypass (same check includes some additional checks for GlassFish)
Updates
- Updated Firefox plugin to support Firefox 5
Bug Fix
- Fixed an enumeration problem while parsing a WSDL with inputs that have a lot of possible values.
Build v7.0.20110711 – 17th July 2011
New Feature
- Included IMAGE tag with source in crawler for more detailed crawling data.
Improvements
- Improved Cross-site scripting checks.
- Introduced a number of improvements in the Client Script Analyzer (CSA) module for better Web 2.0 crawling.
Bug Fixes
- Fixed crash in Login Sequence Recorder when accessing specific sites with frames.
- Fixed Access Violation in fuzzer when XML filetype is selected and an invalid filename is set.
- Fixed issue when authenticating against websites using Digest and NTLM.
- Fixed a file browser crash when visualizing a file during scanning.
- Fixed a crash when loading saved scans from specific websites.
- Corrected interpretation of HTML encoding in Crawler.
- Fixed Access Violation in Fuzzer
Build v7.0.20110518 – 18th May 2011
Bug Fixes
- Fixed an issue where the AcuSensor Technology files were updated incorrectly.
- Fixed Access Violation when scan is stopped.
- Fixed incorrect user interface behaviour.
Build v7.0.20110406 – 6th April 2011
New feature
- AcuSensor details are now exported in the report as well.
Bug Fixes
- Fixed a bug in cross domain check script.
- Fixed 2 crashes in the scanner software.
- Fixed a bug in DOM XSS security check.
Build v7.0.20110308 – 8th March 2011
New features
- Acunetix WVS will parse SVN repositories file structure and crawl it automatically
New security checks
- ClientAccessPolicy.xml and CrossDomain.xml security checks
- Git repository security checks
- Check if htaccess file is readable
- Nginx PHP Code Execution via FastCGI
- Nginx buffer underflow vulnerability
- Nginx PHP FastCGI Code Execution File Upload.
Improvement
- Improved Cross-site scripting checks.
Bug fixes
- Maximum directory depth value was not working properly
- HTTP limitations were not respected from scripts
- When scanning a domain with subdomains, in some cases multiple scans were created for the same subdomain
- Proper handling of situations where a file redirects to itself from http to https.
Build v7.0.20110209 – 9th February 2011
New features
- PCI 2.0 compliance report template
- CWE/SANS top 25 compliance report template
Improvement
- Input fields now support wildcards and priorities
Bug fix
- Fixed: access violation in Client Script analyzer engine
Build v7.0.20110124 – 24th January 2011
New features
- New type of XSS test introduced (parameter was set to javascript:…)
Bug fixes
- Fixed: Scanner crash when scanning https sites with client certificates.
- Fixed: A number of particular checks were not performed when scanning from crawl results.
- Fixed: Login Sequence Recorder: different user agent string was sent with XHR.
- Fixed: Reports were not sent as attachments when scanning a list of URLs from the Scheduler.
- Fixed: Incorrect error message popup in scheduler “there is already a queue starting at that time” when the queues were of different type
- Fixed: Crawler MaximumVariationCount was being ignored in the scanner settings.
- Fixed: eval() security check moved from scanner to crawler.
- Fixed: Aborting of analysis while executing events in CSA engine not always working.
- Fixed: CSA engine “Worker already executing” exception.
- Fixed: In XML or AVDL export CDATA content is no longer encoded.
Build v7.0.20101216 – 20th December 2010
New features
- DOM XSS will now report the filename in which the attack was executed
- DOM XSS checks on document.open, window.open, window.navigate and more
Bug fixes
- Fixed: Aborting analysis while executing events not always worked in CSA
- Fixed: CSA engine crashing with “worker already executing” exception
- Fixed: Crawler was not considering maximum number of variations in case of links from comments
- Fixed: In some cases during a WSDL service scan, port address query params were not properly used
- Fixed: False positive for ASP.NET padding oracle test
- Bugfix: HTML parser; Fixed regex for extracting URLs from HTML comments
Build v7.0.20101206 – 6th December 2010
New feature
Bug fixes
- Fixed: Get First URL Only option not working correctly because it was still importing links from CSA engine
- Fixed: “User credentials sent in clear text” was not being reported by crawler in certain circumstances
- Fixed: Port was being specified in host header even if default ports were being used.
Build v7.0.20101123 – 23rd November 2010
Improvements
- More updates to the Client Script Analyser (CSA) engine for better Web 2.0 support
Bug fixes
- Fix: Added port in host header for https in manual browsing
- Fixed: Crawler not serving pages to Client Script Analyzer engine on request if pages were already queued
- Fixed: Compare results frame crashed if nodes are expanding while still comparing
- Fixed: CanonicalizeLink was incorrectly interpreting “..” style links
Build v7.0.20101115 – 15th November 2010
New features
- Ability to stop individual running security scripts during a scan
Major Improvements
- Introduced a good number of CSA engine improvements; better support of jQuery and Web 2.0 applications
- Introduced a number of new XSS security checks
Bug fixes
- Fixed: Memory leak in NTLM authentication
- Fixed: Incorrect interpretation of links with leading “//”
- Fixed: Access violation crashes in HTTP Sniffer for certain SSL websites
Build v7.0.20101028 – 28th October 2010
Bug fixes
- Fixed: Replay of recorded login sequences was not working properly in the free version
- Fixed: NTLM authentication was not working properly when using a specific type of credentials
- Fixed: Crash in Login Sequence Recorder while detecting invalid session on some particular websites
- Bugfix: Fixed XSS tests to automatically follow redirects
- Bugfix: Fixed script error in ASP.NET padding oracle test
Build v7.0.20101012 – 12th October 2010
Bug fixes
- Fixed: Client Script Analyser engine was blocking if insertAdjacentHTML used on an element without parent
- Fixed: “Accept” header was not sent by the advanced penetration testing tools
Build v7.0.20100921 – 22nd September 2010
New Security Check
- Added a security check for the latest OpenX OFC file upload vulnerability
- Added an ASP.NET security check for the ASP.NET padding oracle vulnerability
Improvements
- Reduced the number of false positives for Blind SQL injections security checks
- Improved Blind SQL injection tests by adding a number of new tests to detect blind SQL injections in UPDATE/INSERT/…
Bug fixes
- Fixed: Cookie encoding did not work as expected in some cases
- Fixed: Cookies were not always imported from AcuSensor data
Build v7.0.20100902 – 2nd September 2010
New Features
- Added the option to mark a whole group or node alerts as false positive via right click
Bug fixes
- Problems with proxy authentication didn’t allow proxy users to run scans
- Mark Alert as false positive was not working properly in some cases
Build v7.0.20100901 – 1st September 2010 – NEW VERSION
New Features
- New scanning engine – faster and reports more vulnerabilities
- New vulnerability verifying techniques to reduce false positives
- New site crawler – ability to crawl a wider range of websites and find more parameters
- Scriptable Vulnerabilities – now vulnerability checks are written in JavaScript
- Ability to analyse website presentation layer to better understand website parameters’ functions
- Graphical Scan status interface presents you with more scan information
- Re-scan single vulnerability to avoid launching repetitive scans to verify fixes
- Support for HTTP Keep-alive
- DNS Caching to reduce multiple DNS requests
- Ability to control delay between requests
- HTTP authentication settings node – support for granular specifications of HTTP credentials
- Support for digest HTTP authentication mechanism
- AcuSensor Technology test button to quickly verify installation of remote AcuSensor agent
- Different variants of the same vulnerability are consolidated under one alert node
- Ability to specify label or tag instead of actual website parameter name in Input Fields node
- Option to automatically randomize input for parameters specified in Input Fields node
New security checks
- Test for SQL Injection in URI
- Stored SQL injection
- Stored file inclusion
- Stored directory traversal
- Stored code execution
- Stored file tampering
- A whole new set of more advanced WebDav auditing checks
- Automated form based authentication auditing checks (e.g. check if credentials can be brute forced)
Major Improvements
- Consumes less bandwidth
- Improved network traffic handling
- HTTP authentication is now shared between all penetration testing tools
- Improved HTTP Sniffer / Manual crawling process
- Improved support for Web 2.0 requests and responses e.g. JSON, XML etc
- Support for a wider variety of content-types
- Improved Web 2.0 session management support
- Improved XSS (Cross-site scripting) security checks and detection rate
- Added a number of new and improved existing web server security auditing techniques
- Improved file upload security checks
- Improved DNS auditing scripts