Acunetix Web Vulnerability Scanner 8.20130308 Release

phper, 2013-04-03, 328278 views, 45 comments, Tools

Acunetix Web Vulnerability Scanner (WVS) is a long-established web security scanner that helps security engineers carry out automated and manually assisted security testing.

Changelog v8.20130308

Unicode Transformation Issues
This new security test is looking for issues that can occur when working with Unicode data. Specifically, it is looking for Best-Fit mappings, Overlong byte sequences and Ill-Formed Subsequences issues.

Best-Fit Mappings occurs when a character X gets transformed to an entirely different character Y. For example, in some situations the Unicode character U+FF1C FULLWIDTH LESS-THAN SIGN can be transformed into U+003C LESS-THAN SIGN (<). This can cause serious security problems for the affected web application.

Overlong byte sequences (non-shortest form) – UTF-8 allows for different representations of characters that also have a shorter form. For security reasons, a UTF-8 decoder must not accept UTF-8 sequences that are longer than necessary to encode a character. For example, the character U+000A (line feed) must be accepted from a UTF-8 stream only in the form 0x0A, but not in any of the following five possible overlong forms:
0xC0 0x8A
0xE0 0x80 0x8A
0xF0 0x80 0x80 0x8A
0xF8 0x80 0x80 0x80 0x8A
0xFC 0x80 0x80 0x80 0x80 0x8A

Ill-Formed Subsequences - As required by Unicode 3.0, and noted in Unicode Technical Report #36, the web application must not consume a leading byte when it is followed by an invalid successor byte. For example, at one point PHP consumed the control characters in such sequences, which led to XSS and SQL injection vulnerabilities.
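The three checks described above can be reproduced in a few dozen lines. The following is an added example written for this page, not Acunetix code: a strict UTF-8 walker that reports overlong forms (including the five overlong encodings of U+000A listed above) and ill-formed subsequences without consuming the byte that follows a bad lead byte, plus a best-fit check. The best-fit check uses NFKC compatibility normalization as a stand-in for platform best-fit mapping tables (an assumption; real best-fit tables differ per platform), and the set of "sensitive" ASCII characters is a constructed choice.

```python
import unicodedata

# ASCII characters whose appearance after a best-fit mapping would change HTML,
# SQL or path parsing. Constructed list; extend for your own sinks.
SENSITIVE_ASCII = set('<>"\'&;/\\%(){}|`')

# Lead-byte ranges: (low, high, continuation bytes needed, payload mask, minimum code point).
# 5- and 6-byte leads are kept only so they can be *reported* as overlong; RFC 3629 UTF-8
# never accepts them.
_LEADS = (
    (0xC0, 0xDF, 1, 0x1F, 0x80),
    (0xE0, 0xEF, 2, 0x0F, 0x800),
    (0xF0, 0xF7, 3, 0x07, 0x10000),
    (0xF8, 0xFB, 4, 0x03, 0x200000),
    (0xFC, 0xFD, 5, 0x01, 0x4000000),
)


def _lead_info(b):
    for lo, hi, need, mask, minimum in _LEADS:
        if lo <= b <= hi:
            return need, b & mask, minimum
    return None


def scan_utf8(data: bytes):
    """Strictly decode `data`; return (text, findings).

    - A structurally complete but overlong sequence is reported and replaced by one U+FFFD.
    - A lead byte followed by an invalid successor is reported and replaced by U+FFFD, and
      ONLY the lead byte is consumed, so the successor is examined on its own (the
      ill-formed-subsequence rule from UTR #36).
    - An empty findings list means shortest-form, well-formed UTF-8.
    """
    out, findings = [], []
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b < 0x80:                                   # plain ASCII
            out.append(chr(b)); i += 1; continue
        info = _lead_info(b)
        if info is None:                               # 0x80-0xBF with no lead, or 0xFE/0xFF
            findings.append(f"offset {i}: stray or invalid byte 0x{b:02X}")
            out.append("\ufffd"); i += 1; continue
        need, cp, minimum = info
        j = i + 1
        while j <= i + need and j < n and (data[j] & 0xC0) == 0x80:
            cp = (cp << 6) | (data[j] & 0x3F)
            j += 1
        if j != i + need + 1:                          # truncated or non-continuation successor
            findings.append(f"offset {i}: lead byte 0x{b:02X} followed by invalid successor")
            out.append("\ufffd"); i += 1; continue     # consume the lead byte only
        if cp < minimum:
            findings.append(f"offset {i}: overlong {need + 1}-byte form of U+{cp:04X}")
        elif need > 3 or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
            findings.append(f"offset {i}: {need + 1}-byte sequence encodes invalid code point U+{cp:X}")
        else:
            out.append(chr(cp)); i = j; continue
        out.append("\ufffd"); i = j
    return "".join(out), findings


def best_fit_risk(text: str):
    """Return [(char, ascii_char)] for each non-ASCII character whose NFKC form is a
    sensitive ASCII character, e.g. U+FF1C FULLWIDTH LESS-THAN SIGN -> '<'."""
    risky = []
    for ch in text:
        if ord(ch) < 0x80:
            continue
        folded = unicodedata.normalize("NFKC", ch)
        if len(folded) == 1 and folded in SENSITIVE_ASCII:
            risky.append((ch, folded))
    return risky


if __name__ == "__main__":
    # Constructed inputs: the five overlong forms of U+000A from the changelog, one
    # ill-formed subsequence, and a fullwidth "<script>" that best-fits to ASCII.
    for sample in (b"\xc0\x8a", b"\xe0\x80\x8a", b"\xf0\x80\x80\x8a",
                   b"\xf8\x80\x80\x80\x8a", b"\xfc\x80\x80\x80\x80\x8a", b"\xe2\x28\xa1"):
        print(sample, scan_utf8(sample))
    print(best_fit_risk("\uff1cscript\uff1e"))
```

Run as a filter in front of the application's decoder: reject the request (or at least log it) whenever `scan_utf8` returns findings, and normalize and re-check with `best_fit_risk` before any value reaches an HTML or SQL sink.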

Analyze Parameter Values
Another script introduced with this update is Analyze_Parameter_Values.script. This script analyzes parameter values and performs various actions based on what they contain. For example, if a parameter value contains a filename or a file path, the script passes this information to the crawler, and these files are crawled and tested in the next scan iteration.

Hidden Virtual Hosts
Finally, the latest update contains a script that tries to find hidden virtual hosts on the tested web server. Virtual hosting is a method for hosting multiple domain names on a single web server.
Sometimes developers host internal/test applications on production systems without making them public. These virtual hosts are not directly accessible unless you guess the name of the virtual host, connect to the web server's IP address and specify that name in the Host header.
This script looks for common virtual host names and compares the responses received with the normal response. When it finds differences, it issues alerts for these names.
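From the server side, the same behaviour is visible in the access log: a scan of this kind produces a burst of requests from one client with many different Host header values that the server was never meant to answer for. The following is an added detection example written for this page, not part of Acunetix or of any web server. It assumes an Apache-style combined log format with the Host header appended as a final quoted field (the `LOG_RE` layout is an assumption), a constructed allow-list `KNOWN_HOSTS`, and constructed sample log lines.

```python
import ipaddress
import re
from collections import defaultdict

# Names this server is meant to serve. Assumed allow-list; replace with your own.
KNOWN_HOSTS = {"www.example.com", "example.com"}

# Combined log format with "%{Host}i" appended as the last quoted field (assumed layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<host>[^"]*)"$'
)

# Constructed sample: one ordinary visitor, and one client cycling through guessed
# virtual host names plus the bare IP address.
SAMPLE_LOG = """\
203.0.113.5 - - [03/Apr/2013:10:14:55 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "www.example.com"
203.0.113.5 - - [03/Apr/2013:10:14:56 +0800] "GET /css/site.css HTTP/1.1" 200 812 "-" "Mozilla/5.0" "www.example.com"
198.51.100.7 - - [03/Apr/2013:10:15:01 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "dev.example.com"
198.51.100.7 - - [03/Apr/2013:10:15:01 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "staging.example.com"
198.51.100.7 - - [03/Apr/2013:10:15:02 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "test.example.com"
198.51.100.7 - - [03/Apr/2013:10:15:02 +0800] "GET / HTTP/1.1" 302 0 "-" "Mozilla/5.0" "admin.example.com"
198.51.100.7 - - [03/Apr/2013:10:15:03 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "intranet.example.com"
198.51.100.7 - - [03/Apr/2013:10:15:03 +0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "192.0.2.10"
"""


def normalize_host(raw: str) -> str:
    """Lower-case the Host value and strip an optional :port (IPv6 literals keep their brackets' content)."""
    host = raw.strip().lower()
    if host.startswith("[") and "]" in host:       # [2001:db8::1]:443
        return host[1:host.index("]")]
    if ":" in host:                                # example.com:8443
        return host.rsplit(":", 1)[0]
    return host


def is_ip_literal(host: str) -> bool:
    """True when the Host header carried a bare IP address instead of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def unexpected_hosts(log_text: str, known=KNOWN_HOSTS):
    """Map client IP -> sorted list of (host, kind, status) for requests whose Host
    header is not one of the known names."""
    per_ip = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                # unparsable line: skip, do not guess
        host = normalize_host(m["host"])
        if host in known:
            continue
        kind = "ip-literal" if is_ip_literal(host) else "unknown-name"
        per_ip[m["ip"]].add((host, kind, m["status"]))
    return {ip: sorted(hits) for ip, hits in per_ip.items()}


def enumeration_suspects(log_text: str, threshold: int = 3, known=KNOWN_HOSTS):
    """Clients that requested at least `threshold` distinct unexpected Host values:
    the signature of a virtual-host guessing script."""
    return {ip: hits for ip, hits in unexpected_hosts(log_text, known).items()
            if len(hits) >= threshold}


if __name__ == "__main__":
    for ip, hits in enumeration_suspects(SAMPLE_LOG).items():
        print(ip)
        for host, kind, status in hits:
            print(f"  {host:<24} {kind:<13} HTTP {status}")
```

The `status` column matters for the mitigation as much as for detection: the scanner flags a name precisely because the response differs from the default. A catch-all default virtual host that returns the same fixed response for every unknown name and for the bare IP removes that difference, and the log check above then shows which clients were probing for it.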



