From a6143edd978cef67ae7ff772c8e0b65e52c8449a Mon Sep 17 00:00:00 2001 From: Kr1ss Date: Sat, 20 Feb 2021 21:39:41 +0100 Subject: update: wapiti 3.0.4-1 upstream release --- ChangeLog | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) (limited to 'ChangeLog') diff --git a/ChangeLog b/ChangeLog index 75cba8b..947f2b2 100644 --- a/ChangeLog +++ b/ChangeLog 
@@ -1,3 +1,25 @@ +20/02/2021 + Wapiti 3.0.4 + XSS: improved context awareness of HTML webpage, payloads can now use the existing HTML tags without closing them + XSS: greatly reduced number of false negatives while slightly reducing false positives + XSS: the module will also check for the CSP header and warn if reflection was found while a strong CSP seems present + XSS: reduced memory and CPU consumption + XSS: added more payloads to bypass filters and WAF + Exec: added a few more payloads + SQL: more heuristics to detect DBMS used on the target + Wappalyzer module allows to detect software used by a website, along with versions + New module to check the security settings of Cookies (HttpOnly, secure, etc) + New module to check the security settings for HTTP headers (Strict-Transport-Security, X-Frame-Options, etc) + New module to check the security settings for Content-Security-Policy + New module to check for forms vulnerable to CSRF (either no anti-CSRF token is present or it is not well implemented) + New module to brute-force found login forms with known default credentials (admin/admin, demo/demo, etc) + New --update option allows to get last updates for detections databases (Wappalyzer and Nikto) + New --max-attack-time options allows to limit the execution time of each attack module + New --store-config options allows to set the path for Wapiti configuration files (detection databases) + Combining the new "-a post" authentication option along with -s allows to login on the target without using wapiti-getcookie + Removed jQuery dependency + Fixed several issues with endpoints + 20/02/2020 Wapiti 3.0.3 An important work was made to reduce false positives in XSS detections. -- cgit v1.2.3-70-g09d2
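Review bot: In the added 3.0.4 entry, the --max-attack-time and --store-config lines read "options allows" while the --update line directly above them reads "option allows"; the singular is correct for all three, so either fix the two lines or, if this ChangeLog is copied verbatim from upstream, leave it and report the wording there. The last added line, "Fixed several issues with endpoints", does not say which issues, so a reader cannot tell from this entry whether a particular endpoint bug is resolved in 3.0.4; a short qualifier or a pointer to the upstream tracker would make it usable. The entry also introduces --update, described as fetching the Wappalyzer and Nikto detection databases, together with --store-config for where those files live; since the diffstat shows only ChangeLog, it is worth confirming in the same release update where the packaged build keeps those databases by default.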