18-May-2015

NEW SECURITY TESTS

• Form Hijacking Security Checks added
• Base Tag Hijacking Security Checks added

IMPROVEMENTS

• Added several new backup file checks to improve the coverage
• Improved the number of combinations that Common Directory checks find
• Added support for using digits in custom URL rewrite parameter names
• Added new XSS attack patterns to detect a full URL vulnerability and remote XSS attacks
• Added HTTP POST method support for Open Redirection security tests
• Improved resource finder behavior by falling back to GET requests when HEAD requests are failing
• Improved detection of XSS vulnerabilities in CSS blocks
• Improved vulnerability template for Open Redirection vulnerabilities
• Increased coverage by finding LFI vulnerabilities exposed to file:// protocol
• Set default maximum vulnerability report limit to 1000 for active engines
• Improved detection of Remote Code Execution and DoS in HTTP.sys vulnerability

FIXES

• Fixed a race condition issue which occurs while adding new links on DOM simulation
• Fixed an InvalidOperationException issue which occurs while trying to apply token parameter values
• Fixed incorrect parsing of multiple response headers with same name on DOM simulation and DOM XSS attacks
• Fixed a vulnerability template generation issue where temporary files were being kept on disk
• Fixed installer to handle .NET framework versions released after 4.5.2
• Fixed the incorrect description text for SQL Injection security test on scan policy editor dialog
• Fixed "Maximum 404 Pages to Attack" scan policy option which was previously limiting the maximum page number to 10 no matter what set with this option