January 9th, 2013
New Features:
· New report template for ISO 27001
New Security Checks:
· During a scan Acunetix WVS checks if the MongoDB web interface is open on the external interface
· Check for included scripts which are from an invalid hostname
· Added a new module for testing Slow HTTP Denial of Service attacks like Slowloris
· Added a new security check that tries to guess various internal virtual hosts (information disclosure)
· Checks for phpLiteAdmin default passwords
Improvements:
· Improved the SQL Injection detection for SQLite3
· Further improved the Cross-Site Scripting security check
· Added detailed descriptions to all the Acunetix WVS security scripts
· Removed all broken web references in vulnerability reports and added several new ones
· Improved the Joomla! security scripts for more enhanced security scanning of Joomla! portals
Bug Fixes:
· Fixed a text wrapping issue in the compliance reports
· Fixed an issue where the CSA engine was being executed multiple times against the same file during a scan
· User-Agent header is now included with the in-session check request
· Login Sequence Recorder now uses the timeout value specified from settings
· Fixed several crashes when the Login Sequence Recorder was used against some specific websites
May 8th, 2012
New Security Check:
· Acunetix WVS 8 checks if your PHP-CGI installation is vulnerable to remote code execution. For further information regarding this type of vulnerability, read the PHP-CGI advisory article.
New Features:
· Ability to edit scheduled scans. No need for scheduling new scans every time you wish to change a scan setting.
· Amend multiple scheduled scans simultaneously by selecting them and applying the required global changes.
· Save all your scanned results and access them at any time from your scheduler’s scan history. You can also delete your scanned results from the web-based scheduler.
· A new setting has been introduced to configure the maximum number of pages during a crawl.
Improvements:
· Improved Cross-Site Scripting (XSS) tests.
· The web-based scheduler has been improved to run better in the latest version of Internet Explorer.
· Enhanced SQL injection tests to reduce the false positives reporting even more.
Bug Fixes:
· Scheduled scans are now correctly imported after upgrading to a more recent build of Acunetix WVS 8.
· The false positives settings node can now support changes from multiple instances at the same time.
· Web Service Definition Language (WSDL) Scanner URL edit box is now able to save history.
April 26th, 2012
· Automatic verification of discovered web vulnerabilities.
April 26th, 2012
New Security Checks:
· Acunetix WVS 8 runs security tests for Joomla 1.6.x/1.7.x/2.5.x Privilege Escalation
· Acunetix WVS 8 runs security tests for Joomla 1.7/2.5 Core SQL Injection
Improvements:
· More advanced security checks for MongoDB and Rails Mass Assignment.
Bug Fixes:
· The crash in the Login Sequence Recorder has been fixed.
· The Login Sequence Recorder is accurately parsing websites which send back GZIP encoded content, even if it was not specified in the Accept-Encoding header.
· The Acunetix Reporter has improved the handling of missing scans reports.
· The Acunetix Reporter Console supports spaces within the specified parameters.
· The Acunetix Reporter accepts longer input names.
April 26th, 2012
New Security Checks:
· Scanning of Web Statistics Software Applications such as AWStats and Webalizer. Acunetix WVS crawls the result pages of your website(s) statistics software application and notifies you if sensitive data is disclosed in such pages.
· Automatic checks for ASP Code injection vulnerability.
· Further security checks for SQLite Databases.
· Security checks for Rails Mass Assignment.
New Features:
· Ability to stop the website crawling and proceed with the scan at anytime.
· Possibility to choose the scan report template you would like to use when scheduling a scan.
Improvements:
· Scripts are executed faster, so scans take less time to complete.
· Improved security scripts for Blind SQL injection, Remote File Inclusion XSS, File Inclusion and Directory Traversal.
· If a variant check for a specific vulnerability times out, the next variant checks assigned for that type of vulnerability will be launched automatically.
Bug fixes:
· Crawler: input encoding was not correct for _EVENTTARGET = and /
· ANSI strings were not handled correctly when using specific languages other than English.
January 5th, 2011
New features:
· DOM XSS will now report the filename in which the attack was executed
· DOM XSS checks on document.open, window.open, window.navigate and more
Bug fixes:
· Fixed: Aborting analysis while executing events not always worked in CSA
· Fixed: CSA engine crashing with “worker already executing” exception
· Fixed: Crawler was not considering maximum number of variations in case of links from comments
· Fixed: In some cases during a WSDL service scan, port address query params were not properly used
· Fixed: False positive for ASP.NET padding oracle test
· Bugfix: HTML parser; Fixed regex for extracting URLs from HTML comments
February 9th, 2010
New security checks:
· 8.3 DOS filename source code disclosure
· Apache Tomcat Directory Host Appbase authentication bypass vulnerability
· Apache Tomcat WAR File directory traversal vulnerability
· Apache stronghold-info enabled
· Apache stronghold-status enabled
· ColdFusion 9 Solr Service exposed
· Error page path disclosure
· Error page web server version disclosure
· File inclusion RFI list
· Checks for multiple vulnerabilities in XAMPP
· Server-Side Includes (SSI) injection on Unix
· Server-Side Includes (SSI) injection on Windows
· ASP.NET error messages when requesting URL like |.aspx
Improvements:
· Added more variants to FCKeditor arbitrary file upload
· Updated cross site scripting in path security checks
· Updated directory listing security checks
· Updated directory traversal on Unix security checks
· Updated file upload security checks
· Updated LDAP injection security checks
· Updated possible sensitive files security checks
· Updated XPath injection security checks
Bug Fixes:
· Workaround for window.open used with NULL parameter
· Notify elements that they are unbidden
· Notify form if an input was removed
· Include select element values in submitted data
· Fixed: HttpProt was sending content length with CONNECT
· Fixed: Crawler didn't consider POST data for links from the CSA engine; some were ignored
· Fixed: Login sequence recorder was sending requests synchronously
October 31st, 2008
· New Revolutionary AcuSensor Technology for more accurate results
· New Blind SQL Injector Tool
· New Port Scanner and Network Alerts
· Further customization of false positives possible
· Generates list of uncommon HTTP responses
· Scans websites with NTLMv2 authentication
June 15th, 2007
· Compliance Report Templates: OWASP, PCI, Sarbanes-Oxley, HIPAA ...
· New Web services tools
· New subdomain scanner tool
· New test for stored XSS
· Manual Choice of Files from the Site Structure before scanning
· Mail Notifications from scheduler