Acunetix Standard & Premium

New Features

• Added a test for XSS on Apache HTTP Server 413 error pages via malformed HTTP method
• Added a test for Joomla! v3.2.1 SQL Injection
• Added a test looking for WEB-INF/web.xml backups (at directory level and at file level)

Improvements

• Limited the maximum number of variations from HTML forms
• Login Sequence Recorder will now skip recording automatic redirects
• Improved automatic in-session detection (Login Sequence Recorder)
• PHP AcuSensor – Added the ability to handle PHP5 Closures and improved handling of large data
• Improved ELMAH Information Disclosure script to cover default installation locations
• Improved ability to identify redirect variants in JavaScript code
• Improvements to the Backup File Tests
• Improvements to the Directory Traversal Tests
• Improvements to the File Inclusion Tests
• Added support for HSQL Error Messages
• Improvements to the Possible Sensitive Directories Tests
• Improvements to the Possible Sensitive Files Tests
• Improvements to the URL Redirection script

Bug Fixes

• Fixed a number of memory leaks
• Fixed an issue causing the scan to hang caused by invalidated sessions
• Fixed an issue causing the scan from crawler executed all tests twice
• Fixed a crash in the Session Manager caused by invalid server dates
• URL finder regex hanged on some basic inputs
• EOutOfMemory exceptions during the execution of scripts will not cause WVS to crash. The scan will be stopped when such an exception is encountered
• Fixed issue with false positives not being saved to disk when marked from the Vulnerability Information panel
• Ignore external scripts feature in DeepScan was sometimes still processing external scripts

Improvements

• WVS will warn user if the login sequence failed to make a successful login and disables the login steps.
• Various improvements in the detection of Blind SQL Injection
• Various improvements in DeepScan
• Better handling of web servers that don’t send HTTP headers in the response (HTTP 0.9)
• Improved Readme Files script
• JSON parser can now handle unnamed inputs

Bug Fixes

• XSS vulnerabilities are no longer reported if the initial request is redirected to another host
• Fixed an issue with the Crawler depth limitation
• Fixed issue with Crawler request counter when used with login sequence
• “Add to request” function in HTTP Editor was not working in raw HTTP request tab
• Fixed a bug that was causing false positives in the JavaScript Libraries Audit script
• Fixed some false positives in Possible Sensitive Directories script.

New Features

• Added a test for PHP-CGI remote code execution
• Added a test which checks for SSL certificates with a Public Key length less than 2048 bit
• Added a test that checks for Microsoft IIS server service.cnf file

Improvements

• Improved XSS testing script.
• From an alert, clicking on the affected file takes the user to the file in the site structure. This is useful when additional information on the affected file is required (such as the referrers in the case of Broken links, or the source of the web page)
• DOM XSS alerts will include more information (such as the HTML written for document.write)
• Improved Code Execution script to find more specific issues and reduce the number of requests performed

Bug Fixes

• Fixed an issue causing application deadlock.
• Fixed false positives shown in broken links
• Fixed some false positives with Script_Source_Code_Disclosure.script
• Fixed DOM XSS false positives
• Fixed an issue with Analyze_Parameter_Values script causing the script not to parse relative paths correctly
• Fixed false positives with Slow HTTP Denial Of Server script

New Features

• Introduced the detection of additional DOM XSS vulnerabilities which can be injected in the HTTP GET parameters.
• Implemented the option to auto-save scan results after the scan is completed. This can be configured from Configuration->Application Settings->Saved scan results. This node also includes the Database settings, which are used for the reporting database.

Improvements

• Reduced number of requests made by PerFolder scripts by making some optimizations in the scripts.
• Improved Readme_Files script to reduce some false positives originating from sites using a custom 404 page

Bug Fixes

• Affected file was sometimes set incorrectly for DOM XSS vulnerabilities.
• Fixed an issue causing the scan to check for possible sensitive files/folders when AcuSensor is enabled, and thus such files would already be known.
• Saving scan results to reporting database and loading of saved scans sometimes caused WVS to crash
• The Edit Request Variables option in the HTTP editor was not visible
• Fixed Out of memory crash in AcuSensor for PHP when “mbstring.func_overload” is enabled.
• Fixed memory leak affecting large websites