Acunetix Web Vulnerability Scanner (WVS) is an automated web application security testing tool that audits your web applications by checking for exploitable hacking vulnerabilities. Automated scans may be supplemented and cross-checked with the variety of manual tools to allow for comprehensive web site and web application penetration testing.
Unicode Transformation Issues
This new security test is looking for issues that can occur when working with Unicode data. Specifically, it is looking for Best-Fit mappings, Overlong byte sequences and Ill-Formed Subsequences issues.
Best-Fit Mappings occurs when a character X gets transformed to an entirely different character Y. For example, in some situations the Unicode character U+FF1C FULLWIDTH LESS-THAN SIGN can be transformed into U+003C LESS-THAN SIGN (<). This can cause serious security problems for the affected web application.
Overlong byte sequences (non-shortest form) – UTF-8 allows for different representations of characters that also have a shorter form. For security reasons, a UTF-8 decoder must not accept UTF-8 sequences that are longer than necessary to encode a character. For example, the character U+000A (line feed) must be accepted from a UTF-8 stream only in the form 0x0A, but not in any of the following five possible overlong forms:
- 0xC0 0x8A
- 0xE0 0×80 0x8A
- 0xF0 0×80 0×80 0x8A
- 0xF8 0×80 0×80 0×80 0x8A
- 0xFC 0×80 0×80 0×80 0×80 0x8A
Ill-Formed Subsequences – As REQUIRED by UNICODE 3.0, and noted in the Unicode Technical Report #36, the web application should not consume a leading byte when it is followed by an invalid successor byte. For example, at some point PHP was consuming the control characters leading to XSS and SQL injection vulnerabilities.
Analyze Parameter Values
Another script introduced with this update is Analyze_Parameter_Values.script. This script is analyzing parameter values and performs various actions based on their values. For example, if the parameter value contains a filename or a file path, the script will pass this information to the crawler and these files will be crawled and tested in the next scan iteration.
Hidden Virtual Hosts
Finally, the latest update contains a script that is trying to find hidden Virtual Hosts on the tested web server. Virtual hosting is a method for hosting multiple domain names on a single web server.
Sometimes developers hosts internal/test applications on production systems without making them public. These virtual hosts are not directly accessible unless you guess the name of their virtual host, connect to the web server’s IP address and specify the virtual host in the Host header.
This script is looking for common Virtual Host names and compares the responses received with the normal response. When it finds differences, it will issue alerts for these names.
Full Changelog: here