Changelogs

Acunetix Standard & Premium

v7.0.20101012 - 12 Oct 2010

Build v7.0.20101012 - 12th October 2010

Bug fixes

  • Fixed: Client Script Analyser engine was blocking if insertAdjacentHTML was used on an element without a parent
  • Fixed: “Accept” header was not sent by the advanced penetration testing tools

v7.0.20100921 - 22 Sep 2010

Build v7.0.20100921 - 22nd September 2010

New Security Check

  • Added a security check for the latest OpenX OFC file upload vulnerability
  • Added an ASP.NET security check for the ASP.NET padding oracle vulnerability

Improvements

  • Reduced the number of false positives for Blind SQL injections security checks
  • Improved Blind SQL injection tests by adding a number of new tests to detect blind SQL injections in UPDATE/INSERT/…

Bug fixes

  • Fixed: Cookie encoding didn’t work as expected in some cases
  • Fixed: Cookies were not always imported from AcuSensor data

v7.0.20100902 - 02 Sep 2010

Build v7.0.20100902 - 2nd September 2010

New Features

  • Added the option to mark a whole group or node alerts as false positive via right click

Bug fixes

  • Problems with proxy authentication didn’t allow proxy users to run scans
  • Mark Alert as false positive was not working properly in some cases

v7.0.20100901 - 01 Sep 2010

Build v7.0.20100901 - 1st September 2010 - NEW VERSION

New Features

  • New scanning engine – faster and reports more vulnerabilities
  • New vulnerability verifying techniques to reduce false positives
  • New site crawler – ability to crawl a wider range of websites and find more parameters
  • Scriptable Vulnerabilities – now vulnerability checks are written in JavaScript
  • Ability to analyse website presentation layer to better understand website parameters’ functions
  • Graphical Scan status interface presents you with more scan information
  • Re-scan single vulnerability to avoid launching repetitive scans to verify fixes
  • Support for HTTP Keep-alive
  • DNS Caching to reduce multiple DNS requests
  • Ability to control delay between requests
  • HTTP authentication settings node – support for granular specifications of HTTP credentials
  • Support for digest HTTP authentication mechanism
  • AcuSensor Technology test button to quickly verify installation of remote AcuSensor agent
  • Different variants of the same vulnerability are consolidated under one alert node
  • Ability to specify label or tag instead of actual website parameter name in Input Fields node
  • Option to automatically randomize input for parameters specified in the Input Fields node

New security checks

  • Test for SQL Injection in URI
  • Stored SQL injection
  • Stored file inclusion
  • Stored directory traversal
  • Stored code execution
  • Stored file tampering
  • A whole new set of more advanced WebDav auditing checks
  • Automated form based authentication auditing checks (e.g. check if credentials can be brute forced)

Major Improvements

  • Consumes less bandwidth
  • Improved network traffic handling
  • HTTP authentication is now shared between all penetration testing tools
  • Improved HTTP Sniffer / Manual crawling process
  • Improved support for Web 2.0 requests and responses e.g. JSON, XML etc
  • Support for a wider variety of content-types
  • Improved Web 2.0 session management support
  • Improved XSS (Cross-site scripting) security checks and detection rate
  • Added a number of new and improved existing web server security auditing techniques
  • Improved file upload security checks
  • Improved DNS auditing scripts

v6.5.20100616 - 16 Jun 2010

Build v6.5.20100616 - 16th June 2010

Change

  • All vulnerability checks which used http://.acunetix.com test websites now use http://.vulnweb.com

v6.5.20100419 - 19 Apr 2010

Build v6.5.20100419 - 19th April 2010

Bug Fix

  • Fixed: Access violation when the application exits

v6.5.20100601 - 19 Apr 2010

Build v6.5.20100601 - 19th April 2010

New Feature

  • Added OWASP top 10 2010 report template

Bug Fix

  • Fixed: Proxy crashes when processing some specific SSL traffic

v6.5.20100407 - 07 Apr 2010

Build v6.5.20100407 - 7th April 2010

Bug Fixes

  • Fixed: Login Sequence Recorder was not using client certificates when recording a login sequence
  • Fixed: Login Sequence Recorder was not using the configured User Agent string
  • Fixed: HTTP Sniffer was not handling some specific web authentication properly

v6.5.20100303 - 03 Mar 2010

Build v6.5.20100303 - 3rd March 2010

New feature

  • Added a new option to export results to HTTP Fuzzer

New Security Checks

  • Test for XML External Entity Injection
  • Test for XML Injection

Improvements

  • Improved directory traversal vulnerability check
  • Improved Cross-site Scripting (XSS) vulnerability checks

Bug Fixes

  • Fixed: access violation when the application exits
  • Fixed: access violation when protocol was terminated in NotifyCaller function in LSR
  • Fixed: AbortVulnXML OnFirstAlert was not imported from settings
  • Fixed: Form values were not encoded correctly when submitted from JavaScript (CSA engine)
