Acunetix Standard & Premium

New Features

• New Vulnerability check for DROWN attack – CVE-2016-0800
• New vulnerability checks for Rails remote code execution using render :inline – CVE-2016-2098
• New vulnerability checks for various AmCharts SWF XSS vulnerabilities
• New vulnerability checks for vulnerabilities in Google Referrer search query
• New vulnerability checks for Adobe Flex 3 DOM-based XSS vulnerability and other Adobe Flex vulnerabilities.

New Features

• Added a test looking for insecure CORS configurations.
• Added a test looking for CVE-2014-7829 – Arbitrary file existence disclosure in Action Pack.
• Added a test looking for Rails application running in development mode.
• Added a test looking for CVE-2015-7808 vBulletin 5 PreAuth RCE.
• Added a test looking for Insecure DNS records
• Added a test looking for Spring Boot Actuator
• Added a test looking for Tornado Debug mode
• Added a test looking for Pyramid Debug mode
• Implemented PHP object deserialization of user-supplied data
• Added a test looking for older versions of the ZeroClipboard SWF library that are vulnerable to a cross-site scripting vulnerability.

Improvements

• Updated WordPress plugins and WordPress core checks.
• Improved tests for possible sensitive directories and sensitive files.
• Improved Apache Axis audit script.
• Added a test for Java object deserialization of user-supplied data
• Various improvements for XSS detection.
• Improved HTML structural parser and added allow to robots.txt parser
• Added support for WADL files when served using content-type application/vnd.sun.wadl+xml

Bug Fixes

• Fixed crash cause during auto session detection.
• Security fix for privilege escalation reported by security researcher Daniele Linguaglossa

Bug Fixes

• Bug limiting the number of external hosts in kbase
• Fixed a issue which caused the scanner to crash
• Some script dependencies could cause the scan to not finish
• Importer crash when user user cancels the importation
• Fixed syntax error affecting Chinese Windows
• Restrictions configured in LSR where not taken into consideration in some POST requests

New Features

• Added a test for Server-Side Template Injection vulnerability.
• Added tests for new WordPress (core and plugins) vulnerabilities.
• Added a test checking for Django Debug Mode

Improvements

• Improved CRLF injection/HTTP response splitting tests
• Improvements to the XSS testing script
• Updated Payment Card Industry (PCI) report to PCI 3.1
• Updated DISA Application Security and Development STIG report to V3R10
• LSR updated to support all SSL cipher suites

Bug Fixes

• Fixed a crash in WSDL scanner
• Various updates and fixes in the Login Sequence Recorder
• DeepScan blocks on a specific sites
• Fixed bug in Scan wizard
• Crash in Scan wizard when choosing a non-existent login sequence file name
• Crawler starturl was incorrectly set to http instead of https when importing from proxy log

New Features

• Added a test for WordPress 3 Persistent Script Injection
• Added multiple tests looking for User controllable tag parameter (like link href)
• Added various tests for ASP.NET version disclosure, ASP.NET MVC version disclosure, Microsoft IIS version disclosure.

Improvements

• Upgraded to a newer version of OpenSSL
• Improved the script looking for XSS vulnerabilities
• Improved the script looking for URL redirect issues
• Improved the script testing for SQL injections

Bug Fixes

• Fixed parsing issues for specific formatted links
• Fixed issue causing invalid files to be locked after drag-n-drop opening operation fails
• Crawler was aborting too early if many files were identified during the crawl
• If AcuSensor listed too many files at the beginning, crawler was stopping without actually crawling
• Fixed a memory leak