Acunetix WVS v6.5 build 20091124 released
Acunetix Web Vulnerability Scanner (WVS) is an automated web application security testing tool that audits your web applications by checking for exploitable hacking vulnerabilities. Automated scans may be supplemented and cross-checked with a variety of manual tools to allow for comprehensive web site and web application penetration testing.
An updated build for Acunetix WVS Version 6.5 has been released with a number of improvements, bug fixes, and most important of all, a good number of new security checks.
New:
- New security checks of AcuSensor Technology:
  - curl_exec() URL is controlled by user
  - PHP preg_replace used on user input
  - PHP super-globals overwrite
  - PHP unserialize used on user input
- Other new security checks of Acunetix WVS:
  - osCommerce authentication bypass
  - Apache Tomcat insecure default administrative password
  - Apache Tomcat directory traversal
  - Checks for PHP invalid data type error messages
  - Check for possible remote SWF inclusion
- Added further checks for possible sensitive files; general tests per server
- Added further checks for possible sensitive directories; general tests per server
- Added a new security check for SQL injection in the authentication header (basic authentication, base64 encoded)
- Added AlertIfTextNotFound group parameter to invert search and issue an alert if a specified text is not found
Improvements:
- Renamed Weak password module to Authentication module; now it also includes a good number of new authentication security checks
- Improved Cross-site scripting in URI checks to include a number of Ruby on Rails security checks
- Improved Application errors security checks
- Introduced 3 new setting parameters for the crawler in the Settings.XML file, with the following values:
  - 262144
  - 256
  - 1000
Bug Fixes:
- Fixed: false positives issued in weak password alert
- Fixed: WSDL importer crash when importing recursive complex elements
- Fixed: Crawler proxy request handling changed to decode the input name/value
- Fixed: Vulnerability Editor now shows group parameters with default values if no VulnXML template is used
- Changed HTTP_Anomalies to log PHP errors and save the results in a file instead of alerts
- Hidden VulnXML properties for alerts that are not using VulnXML default template in Vulnerability Editor
- Adjusted VulnXML to reduce the number of false positives for Blind SQL injection timing tests
- Updated CSA engine; it now deletes BOM characters from script sources
- Updated URL_Helper; UrlEncode/Decode modified not to use str := str + ch and to validate hex characters after %
- Updated File_Inputs; possible values are limited in size now
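The URL_Helper fix above describes two defects worth understanding: a decoder that trusts whatever follows a `%` without checking for two hex digits, and result strings grown by repeated concatenation. The following Python is an added illustration of both points, not the product's own (Delphi) code; `naive_url_decode` is a constructed "before" shape, and keeping a malformed escape literally (rather than raising or dropping it) is an assumption made for the example.

```python
import string

HEX_DIGITS = string.hexdigits


def naive_url_decode(s: str) -> str:
    # Constructed "before" shape (not Acunetix code): trusts whatever follows
    # '%' and grows the result with str = str + ch, which is quadratic.
    out = ""
    i = 0
    while i < len(s):
        if s[i] == "%":
            out = out + chr(int(s[i + 1:i + 3], 16))  # ValueError on "%zz"
            i += 3
        else:
            out = out + s[i]
            i += 1
    return out


def url_decode(s: str, plus_as_space: bool = True) -> str:
    """Decode '%' only when exactly two hex digits follow; keep anything else."""
    buf = bytearray()  # linear-time accumulation instead of str := str + ch
    i, n = 0, len(s)
    while i < n:
        ch = s[i]
        if ch == "%":
            pair = s[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in HEX_DIGITS and pair[1] in HEX_DIGITS:
                buf.append(int(pair, 16))
                i += 3
                continue
            buf.extend(b"%")  # malformed escape kept as-is (assumption, not a spec)
            i += 1
        elif ch == "+" and plus_as_space:
            buf.extend(b" ")
            i += 1
        else:
            buf.extend(ch.encode("utf-8"))
            i += 1
    return buf.decode("utf-8", errors="replace")


def url_encode(s: str) -> str:
    """Percent-encode everything outside the unreserved set, byte by byte."""
    safe = set(string.ascii_letters + string.digits + "-_.~")
    return "".join(
        c if c in safe else "".join("%%%02X" % b for b in c.encode("utf-8"))
        for c in s
    )
```

Feeding `%4` to the naive decoder silently yields a control character, while the validating decoder leaves the malformed input untouched; this is the class of input the fix in the release note hardens against.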