Releases: commixproject/commix

v3.0-stable

11 Nov 05:40
  • Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
  • Revised: Improvement regarding identifying the indicated web-page charset.
  • Added: Support for Python 3.x
  • Updated: Beautiful Soup (third party) module has been updated.
  • Added: Six (third party) module has been added.
  • Revised: Improvement regarding parsing nested JSON objects that contain boolean values.
  • Replaced: The --ignore-401 option has been replaced with --ignore-code option.
  • Added: New option (--ignore-code) for ignoring (problematic) HTTP error code (e.g. 401).

Note: For more check the detailed changeset.

v2.9-stable

26 Jun 05:20
  • Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
  • Fixed: Bug-fix regarding parsing hostname and port from URL.
  • Revised: Improvement regarding automatically decoding deflate and gzip HTTP responses.
  • Fixed: Bug-fix regarding parsing HTTP header values that contain multiple ":".
  • Revised: Improvement regarding updating "Content-Length" HTTP header, in case it's provided by user (i.e. -r, --header, --header options).
  • Revised: Improvement regarding parsing raw HTTP headers from a file (i.e. -r option).
  • Revised: Improvement regarding parsing nested JSON objects.
  • Added: Flatten_json (third party) module has been added.
  • Revised: Bug-fixes and improvements regarding parsing JSON objects.
  • Added: GPL Cooperation Commitment (COMMITMENT.txt) has been added.
  • Updated: Minor update regarding HTTP authentication (i.e. Basic, Digest).
  • Revised: Minor improvements regarding preventing false negative results due to parameter tampering during the detection phase.
  • Revised: Minor improvements regarding "reverse_tcp" and "bind_tcp" shell options.

Note: For more check the detailed changeset.

v2.8-stable

26 Mar 05:41
  • Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
  • Updated: Minor update regarding accepting overly long result lines.
  • Revised: Minor bug-fixes and improvements regarding --file-upload option.
  • Revised: Minor bug-fixes and improvements regarding HTTP authentication dictionary-based cracker.
  • Revised: Minor bug-fixes and improvements regarding HTTP authentication (i.e. Basic, Digest).
  • Fixed: Minor bug-fix regarding ignoring HTTP Error 401 (Unauthorized) (for --ignore-401 option).
  • Added: Support for writing crawling results to a temporary file (for eventual further processing with other tools).
  • Added: Support for Windows "Python" on "reverse_tcp" shell option.

Note: For more check the detailed changeset.

v2.7-stable

18 Dec 05:41
  • Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
  • Revised: The suffixes list has been slightly revised.
  • Updated: With each commix run, end users are obligated to agree with the "Legal disclaimer" prelude message.
  • Fixed: Minor improvement regarding local HTTP server (for --file-upload option).
  • Added: A list of extensions to exclude from crawling.
  • Revised: Minor improvements regarding crawler.
  • Revised: Minor update of redirection mechanism.
  • Revised: Minor improvement regarding identifying the target web server.
  • Revised: Minor improvement regarding identifying corrupted .pyc file(s).
  • Added: New tamper script "dollaratsigns.py" that adds dollar-sign followed by an at-sign ($@) between the characters of the generated payloads.
  • Fixed: Bug-fix regarding proxying SSL/TLS requests.
  • Revised: Minor improvement regarding checking for potentially miswritten (illegal '=') short option.
  • Revised: Minor improvement regarding checking for illegal (non-console) quote and comma characters.
  • Revised: Minor improvement regarding merging of tamper script arguments.
  • Revised: Minor improvement regarding ignoring the parameter(s) that carry anti-CSRF token(s) in all scanning attempts.
  • Updated: Beautiful Soup (third party) module has been updated.
  • Added: New tamper script "xforwardedfor.py" that appends a fake HTTP header X-Forwarded-For.
  • Fixed: Minor bug-fix regarding loading tamper scripts.
  • Revised: Minor improvement regarding INJECT_HERE tag (i.e. declaring injection position) to be case insensitive.

Note: For more check the detailed changeset.

v2.6-stable

21 Sep 04:36
  • Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
  • Revised: Minor improvement in session handler regarding IPv6 targets.
  • Added: New option --list-tampers for listing available tamper scripts.
  • Revised: Minor improvement regarding resolving target hostname.
  • Added: Support for "Ncat" on "reverse_tcp" and "bind_tcp" shell options.
  • Added: Support for "Bash" (via /dev/tcp) on "reverse_tcp" shell option.
  • Added: Support for "Netcat-Openbsd" (i.e. nc without -e) on "reverse_tcp" and "bind_tcp" shell options.
  • Added: Support for "Socat" on "reverse_tcp" and "bind_tcp" shell options.
  • Revised: Minor improvement regarding counting the total of HTTP(S) requests, for the identified injection point(s) during the detection phase.
  • Fixed: Minor bug-fix regarding providing the target host's root directory.
  • Added: New tamper script "sleep2timeout.py" that uses "timeout" function for time-based attacks.
  • Added: New tamper script "sleep2usleep.py" that replaces sleep with usleep command in the time-related generated payloads.
  • Replaced: The --purge-output option has been replaced with --purge option.
  • Fixed: Minor bug-fix regarding performing injections through cookie parameters.
  • Revised: Minor improvement regarding ignoring the Google Analytics cookie in all scanning attempts.
  • Fixed: Minor bug-fix regarding "bind_tcp" shell option.

Note: For more check the detailed changeset.

v2.5-stable

13 Jul 04:52
  • Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
  • Revised: Improvement regarding identifying the appropriate format parameters, in the provided POST data.
  • Added: Support regarding recognition of generic "your ip has been blocked" messages.
  • Added: Support regarding checking for potential browser verification protection mechanism.
  • Added: Support regarding checking for potential CAPTCHA protection mechanism.
  • Revised: The separators list has been slightly revised.
  • Revised: Minor improvement regarding the extracted HTTP response headers.
  • Added: New tamper script "nested.py" that adds double quotes around the generated payloads.
  • Fixed: Minor bug-fix regarding performing injections through HTTP Headers (e.g. User-Agent, Referer, Host etc).
  • Fixed: Major bug-fixes regarding testing time-related payloads (i.e. "time-based", "tempfile-based").
  • Added: New tamper script "backslashes.py" that adds backslashes (\) between the characters of the generated payloads.
  • Fixed: Minor bug-fix regarding unicode decode exception error due to invalid codec, during connection on target host.
  • Revised: Improvement regarding combining tamper script "multiplespaces.py" with other space-related tamper script(s).
  • Added: New tamper script "multiplespaces.py" that adds multiple spaces around OS commands.

Note: For more check the detailed changeset.

v2.4-stable

21 May 04:36
  • Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
  • Fixed: Minor bug-fix regarding ignoring invalid and/or empty tamper scripts.
  • Updated: Colorama (third party) module has been updated.
  • Revised: Minor improvement regarding keeping the git folder 'clean' (via @g0tmi1k).
  • Fixed: Minor bug-fix regarding loading multiple tamper scripts (during the exploitation phase).
  • Added: New tamper script "caret.py" that adds the caret symbol (^) between the characters of the generated payloads.
  • Added: New tamper script "singlequotes.py" that adds single quotes (') between the characters of the generated payloads.

Note: For more check the detailed changeset.

v2.3-stable

07 Mar 05:42
  • Fixed: Multiple bug-fixes regarding several reported unhandled exceptions.
  • Revised: Minor improvement regarding testing the Host HTTP header.
  • Added: Support for Host HTTP header command injections.
  • Revised: Minor improvement regarding testing SOAP/XML POST data.
  • Added: Support for automatically creating a GitHub issue with unhandled exception information.
  • Revised: Improvement for masking sensitive data in the detailed message about an unhandled exception that occurred.
  • Added: Support for returning a detailed message about an unhandled exception that occurred.
  • Revised: The --charset option has been revised to force the usage of custom charset in order to speed-up the data retrieval process (during time-related injections).
  • Replaced: The --charset option has been replaced with --encoding option.
  • Revised: Improvement regarding batch mode, for testing the payloads for both OSes if it is not able to identify the target OS.
  • Added: Support for SOAP/XML POST data.
  • Fixed: Bug-fix regarding the SSL implementation (via @td4b).
  • Revised: Improvement regarding testing JSON-formatted POST data with empty value(s).
  • Revised: Minor improvement regarding verbose mode for removing the first and/or last line of the HTML content (in case they are empty).

Note: For more check the detailed changeset.

v2.2-stable

12 Dec 05:51
  • Revised: Minor improvement in "updater", for supporting verbose mode.
  • Fixed: Minor bug-fix regarding cookie-based command injections.
  • Revised: Minor improvement regarding option -p for bypassing the dependence on value of --level (in case of user-defined HTTP headers).
  • Revised: Minor improvement regarding option -p for testing user-defined HTTP headers.
  • Added: New option --failed-tries for setting a number of failed injection tries, in file-based technique.
  • Revised: Minor improvement regarding session handler.
  • Revised: Minor improvement regarding checking stored time-related payloads (i.e. "time-based", "tempfile-based").
  • Revised: Minor improvement regarding Python version check (no more crashes on Python >= "3" and < "2.6").
  • Revised: Minor improvement in "updater", for checking commit hash number.
  • Added: New option --skip regarding excluding certain parameter(s) from testing.
  • Added: New option --skip-technique regarding excluding certain injection technique(s) from testing.

Note: For more check the detailed changeset.

v2.1-stable

03 Oct 05:15
  • Added: New option --header for providing a single extra HTTP header (e.g. X-Forwarded-For: 127.0.0.1).
  • Added: New option --check-internet that checks internet connection before assessing the target.
  • Fixed: Minor bug-fix regarding performing injections through HTTP Headers (i.e. Cookie, User-Agent, Referer).
  • Revised: Minor improvement regarding checking stored payloads and enabling appropriate tamper scripts during the exploitation phase.
  • Added: New tamper script "space2vtab.py" that replaces every space (%20) with vertical tab (%0b).
  • Replaced: The tamper script "space2tab.py" has been replaced with "space2htab.py".
  • Fixed: Minor bug-fix regarding checking for similarity in provided parameter name and value (GET, POST).
  • Added: New option --backticks that uses backticks instead of $() for command substitution.
  • Revised: Minor improvement in Netcat shells, giving the end user the choice of using the /bin standard subdirectory.
  • Added: New option --disable-coloring that disables console output coloring.
  • Added: New option --check-tor that checks if Tor is used properly.
  • Fixed: Minor improvement for fetching random HTTP User-Agent header in initial request, when --random-agent is used.
  • Revised: Minor improvement regarding options --purge-output and --wizard, which were added to the mandatory options list.
  • Fixed: Major bug-fix regarding connection problem over HTTPS.
  • Added: New option --purge-output to turn on safe removal of all content(s) from output directory.

Note: For more check the detailed changeset.