Acunetix Standard & Premium

Improvements

• WVS will warn user if the login sequence failed to make a successful login and disables the login steps.
• Various improvements in the detection of Blind SQL Injection
• Various improvements in DeepScan
• Better handling of web servers that don’t send HTTP headers in the response (HTTP 0.9)
• Improved Readme Files script
• JSON parser can now handle unnamed inputs

Bug Fixes

• XSS vulnerabilities are no longer reported if the initial request is redirected to another host
• Fixed an issue with the Crawler depth limitation
• Fixed issue with Crawler request counter when used with login sequence
• “Add to request” function in HTTP Editor was not working in raw HTTP request tab
• Fixed a bug that was causing false positives in the JavaScript Libraries Audit script
• Fixed some false positives in Possible Sensitive Directories script.

New Features

• Added a test for PHP-CGI remote code execution
• Added a test which checks for SSL certificates with a Public Key length less than 2048 bit
• Added a test that checks for Microsoft IIS server service.cnf file

Improvements

• Improved XSS testing script.
• From an alert, clicking on the affected file takes the user to the file in the site structure. This is useful when additional information on the affected file is required (such as the referrers in the case of Broken links, or the source of the web page)
• DOM XSS alerts will include more information (such as the HTML written for document.write)
• Improved Code Execution script to find more specific issues and reduce the number of requests performed

Bug Fixes

• Fixed an issue causing application deadlock.
• Fixed false positives shown in broken links
• Fixed some false positives with Script_Source_Code_Disclosure.script
• Fixed DOM XSS false positives
• Fixed an issue with Analyze_Parameter_Values script causing the script not to parse relative paths correctly
• Fixed false positives with Slow HTTP Denial Of Server script

New Features

• Introduced the detection of additional DOM XSS vulnerabilities which can be injected in the HTTP GET parameters.
• Implemented the option to auto-save scan results after the scan is completed. This can be configured from Configuration->Application Settings->Saved scan results. This node also includes the Database settings, which are used for the reporting database.

Improvements

• Reduced number of requests made by PerFolder scripts by making some optimizations in the scripts.
• Improved Readme_Files script to reduce some false positives originating from sites using a custom 404 page

Bug Fixes

• Affected file was sometimes set incorrectly for DOM XSS vulnerabilities.
• Fixed an issue causing the scan to check for possible sensitive files/folders when AcuSensor is enabled, and thus such files would already be known.
• Saving scan results to reporting database and loading of saved scans sometimes caused WVS to crash
• The Edit Request Variables option in the HTTP editor was not visible
• Fixed Out of memory crash in AcuSensor for PHP when “mbstring.func_overload” is enabled.
• Fixed memory leak affecting large websites

New Features

• Implemented the detection for BREACH vulnerabilities.
• Implemented the detection of Compression Ratio Info-leak Made Easy (CRIME) SSL/TLS exploits.
• Added detection for OpenX 2.8.10 backdoor.
• Added detection of vBulletin versions 4.1+ and 5+ customer number leak.
• Improved DeepScan to provide better coverage.
• Improved SQL injection detection for HSQLDB databases.
• Improved XSS detection.
• Added ability to select/unselect all items in a folder when using the option “after crawling let me choose the files to scan”.
• Fixed custom 404 browser navigation bug
• Filenames encoded as UTF-8 are now properly displayed.

Improvements

• Improved DeepScan to provide better coverage.
• Improved SQL injection detection for HSQLDB databases.
• Improved XSS detection.
• Added ability to select/unselect all items in a folder when using the option “after crawling let me choose the files to scan”.

Bug Fixes

• Fixed custom 404 browser navigation bug
• Filenames encoded as UTF-8 are now properly displayed.

New Features

• Introduced a new compliance report for OWASP Top 10 2013
• Introduced detection of AngularJS template injections
• Added detection of Adobe ColdFusion critical vulnerability APSA13-03 (CVE-2013-3336)
• Added detection of nginx stack-based buffer overflow (CVE-2013-2028)
• Added detection of Horde/IMP Plesk Webmail Exploit
• Added detection of missing X-Frame-Options header (used to prevent Clickjacking attacks)
• Added a test checking for Basic Authentication over HTTP
• Added a test checking for Flask Debug Mode
• Added a test checking for Struts2/XWork Remote Code Execution
• Added detection of MediaWiki Chunked Uploads Security Check Bypass
• Added detection for Plupload XSS vulnerability (included in WordPress versions 3.5, 3.4.2, 3.4.1, 3.4, 3.3.3 and 3.3.2 and other applications)

Improvements

• Reduced false positives in XSS detection
• Improvements to Web Server Default Welcome Page script
• Reduced false positives reported by Blind SQL Injection
• Improvements in the detection of Sensitive Directories
• Added patterns for Python error messages and stack traces in the Text Search script.

Bug Fixes

• Fixed an issue in PHP AcuSensor
• In some situations, the Login Sequence Recorder misidentified connections to HTTPs sites when working through the Acunetix Web Vulnerability Scanner proxy
• Fixed crash in the crawler when external JavaScript files where processed from a site with AcuSensor enabled
• Fixed a false positive in Microsoft IIS Tilde Directory Enumeration
• Fixed issues where scheduled scans with recursion are not rescheduled if they cannot start because of scan restrictions
• Fixed a bug with Amazon S3 Public Buckets audit KB items being reported multiple times