- Crawler update which gives more control over the injection test
scheduling. This comes with the --checks and --checks-toggle
flags to display and enable/disable checks.
- Pages where the response varies are no longer completely
discarded. Instead now we only disable tests that require stability
which increases scan coverage.
- Split the traversal and disclosure test to increase coverage:
traversal checks require stable pages, the disclosure checks can be
performed on all.
- Updated dictionaries and converted them to use the dictionary
optimisations we introduced in 2.03b
- Fixed offline report viewing (thanks to Sebastian Roschke)
- Added NULL byte file disclosure tests
- Added JSP inclusion error check to analyse.c
- Added XSS injection tests for cookies
- Directory listings are now reported as individual (info-type) issues
- Added warning in case the negotiated SSL cipher turns out to be a
weak one (leaving the cipher enumeration to network scanners)
- Added experimental -v flag which can be used to enable (limited)
runtime reporting. This output is written to stderr and should be
redirected to a file, unless you use the -u flag.
- The man page has been rewritten and now includes detailed
descriptions
and examples.
- A whole bunch of small bug fixes
- Option -V eliminated in favor of -W / -S.
- Option -l added to limit the maximum requests per second
(contributed by Sebastian Roschke)
- Option -k added to limit the maximum duration of a scan (contributed
by Sebastian Roschke)
- Support for #ro, -W-; related documentation changes.
- HTTPS -> HTTP form detection.
- Added more diverse traversal and file disclosure tests (including
file:// scheme tests)
- Improved injection detection in <script> sections, where a ' or "
is all we need to inject js code.
- Added check to see if our injection strings end up server
Set-Cookie,
Set-Cookie2 and Content-Type reponse headers
- URLs that give us a Javascript response are now tested with a
"callback=" parameter to find JSONP issues.
- Fixed "response varies" bug in 404 detection where a stable page
would be marked unstable.
- Bugfix to es / eg handling in dictionaries.
- Added the "complete-fast.wl" wordlist which is an es / eg optimized
version of "complete.wl" (resulting in 20-30% fewer requests).
- Substantial improvement to SQL injection checks.
- Improvements to directory traversal checks (courtesy of Niels Heinen).
- Fix to numerical brute-force logic.
- Major improvement to directory brute force: much better duplicate elimination in some webserver configurations.
- Added a check for attacker-controlled prefixes on inline responses. This currently leads to UTF-7 BOM XSS, Flash, Java attacks (thanks to Niels Heinen).
- Minor bug fix to path parsing to avoid problems with /.$foo/,
- Improved PHP error detection (courtesy of Niels Heinen),
- Improved dictionary logic (courtesy of Niels Heinen) and new documentation of the same,
- Improved support for file.ext keywords in the dictionary,
- Fixed missing content_checks() in unknown_check_callback()(courtesy of Niels Heinen),
- Improved an oversight in dictionary case sensitivity,
- Improved pivots.txt data,
- Support for supplementary read-only dictionaries (-W +dict),
- Change to directory detection to work around a certain sneaky server behavior.
- TODO: Revise dictionaries!!!
Steve Pinkham