Version 1.1 with new tests is out now
A few hours ago we released version 1.1.0 of SmartScanner. You can download the Windows version on the download page.
Here are the major changes in this version.
Expression Language Injection
An Expression Language Injection vulnerability exists when it is possible to change the expressions an application evaluates. Expressions are programming statements that evaluate to a value or perform an action. They are usually used in the templates of a web application to create different pages, which is why another common name for this vulnerability is Template Injection. If an attacker can change expressions in the application, they can extract sensitive information or run commands on the application server, so this is a serious issue. This test has been added to SmartScanner, and you can select it in the Tests section of scan configs (it is selected by default).
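The difference between user input used as a template and user input used as data, shown as an added example that is not part of SmartScanner or of the original post. It uses Python's built-in `str.format` as a stand-in for a template engine; the `Account` class, the function names and the sample key are constructed for illustration.

```python
import string


class Account:
    """Constructed sample object that the page template can read from."""

    def __init__(self, name, api_key):
        self.name = name
        self.api_key = api_key  # sensitive: must never reach the rendered page


def render_vulnerable(user_text, account):
    # Flaw: user-controlled text becomes part of the template itself,
    # so any replacement field inside it is evaluated by str.format().
    template = "Hello {acct.name}, your note: " + user_text
    return template.format(acct=account)


def render_safe(user_text, account):
    # The template is fixed by the developer; user text is only a value
    # substituted into it and is never parsed for expressions.
    template = "Hello {acct.name}, your note: {note}"
    return template.format(acct=account, note=user_text)


def contains_expression(user_text):
    # Defence in depth: report input that carries replacement fields.
    # Malformed braces raise ValueError during parsing and are flagged too.
    try:
        parsed = string.Formatter().parse(user_text)
        return any(field is not None for _, field, _, _ in parsed)
    except ValueError:
        return True


if __name__ == "__main__":
    acct = Account("alice", "CONSTRUCTED-KEY-123")  # constructed sample data
    note = "{acct.api_key}"  # input that looks like an expression
    print(render_vulnerable(note, acct))  # the key leaks into the page
    print(render_safe(note, acct))        # the input is shown literally
    print(contains_expression(note))
```

The fix is structural: keep templates developer-controlled and pass user input only as values. The `contains_expression` check is a secondary signal for logging or rejection, not a replacement for that separation.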
WordPress User Enumeration
User enumeration vulnerabilities reveal the users of an application. This gives hackers a great start for preparing a list of users and passwords to perform a brute force attack. The default installation of WordPress allows the extraction of users. SmartScanner can now test for this issue if you select WordPress tests in scan configs.
Sitemaps are an easy way for webmasters to inform search engines about pages on their sites that are available for crawling. SmartScanner now crawls sitemaps and the URLs referenced in them.
By using test profiles you can easily select a set of tests together instead of selecting them one by one. Check out the guide here for more.
Weak Password checks got a whole lot better and now support WordPress login as well. False positives were fixed in the Source Code Disclosure test. A crash was fixed and dozens of tests were enhanced.
Check out the change log for more.