Acunetix Premium - v9.5.20140902

New Features

  • Implemented a test for format strings vulnerabilities in web applications
  • Implemented support for Hibernate Query Injection
  • Implemented a check for MySQL username disclosure in error messages
  • Implemented a test looking for vBulletin 5 SQL injection
  • Implemented detection of Multiple Vulnerabilities in Parallels Plesk Sitebuilder
  • Implemented a test looking for WordPress XMLRPC bruteforce
  • Implemented a test for Remote File Upload vulnerability in Mailpoet/Wysija newsletters popular WordPress plugin
  • Implemented a test for Insecure Nonce Generation in popular WordPress plugin WPTouch
  • Implemented a test looking for various JSP access restriction bypasses in Java web applications
  • Implemented detection of multiple vulnerabilities in Kunena Forum for Joomla
  • Implemented a test checking if applets are permitted when file uploads are possible (this will lead to XSS vulnerabilities)
  • Added a test for Java Debug Wire Protocol vulnerabilities
  • Added a test for Zabbix XXE
  • Added a test looking for Weblogic console default credentials
  • Added a test for Symphony debugging console enabled
  • Added a test for some MongoDB vulnerabilities
  • Added a test looking for Chrome Logger information disclosure
  • Added a generic script looking for unsecured mail forms that could lead to spam
  • Added a test to check if ASP.NET Viewstate MAC is enabled
  • Implemented a test for WordPress/Drupal/… XML quadratic blowup denial of service attack
  • Added a test looking for HTML injection with unterminated tag
  • Added a test for WordPress plugin Custom Contact Forms.

Improvements

  • Various optimisations to Amazon S3 related scripts such as XXE and SSRF
  • Improved the script looking for possible sensitive files
  • XSS script can now find less common XSS variants such as double encode payloads
  • SQL injection script checks for other variants such as SQL injection in order by, group by
  • XSS script now checks for many user controllable tag attributes
  • Various optimizations in the generation of reports
  • Improved Server Directory Traversal script
  • Improved Host Header Attack script

Bug Fixes

  • Fixed JS errors that appear in HTTP editor.
  • Restricted links matching was not working in some situations.
  • Fixed the slow response time alert - moved alert details from description.
  • Fixed a false positive with Struts2_Development_Mode script.
  • Auto login crash if requests were failing after a long time.
  • Existing cookies from manual browsing were ignored by crawler.
  • Reduced some false positives in Backup file reporting.
  • Login Sequence Recorder will delete the cookies it collected in the wizard.
  • Crawler will use cookies from LSR in manual mode.