
Releases: commixproject/commix

v2.0-stable

14 Jul 04:00
  • Revised: Minor improvement for automatically increasing default --time-sec value when --tor used.
  • Fixed: Minor improvement for not re-testing Tor SOCKS proxy settings (in case of multiple targets).
  • Revised: Multiple minor eye-candy revisions have been performed.
  • Fixed: Major improvement regarding not sending requests with GET HTTP method in case of POST HTTP method, in injection levels 2, 3.
  • Updated: The --sys-info option has been enriched with distribution description and release information.
  • Revised: Minor improvement in dynamic code evaluation, regarding the users extraction payload.
  • Fixed: Minor fix regarding not raising the detection phase in the case of 4xx and/or 5xx HTTP error codes.
  • Revised: Minor improvement regarding not re-performing requests in case of stored session.
  • Revised: Minor improvement in time-related techniques for checking the reliability of the used payload (in case of a false positive result).
  • Updated: Minor update in the list of the User-Agents (regarding the --random-agent option).
  • Added: New option --mobile that imitates a smartphone through the HTTP User-Agent header.
  • Added: New option --retries that retries request(s) when the connection times out.

Note: For more, check the detailed changeset.

v1.9-stable

02 May 04:01
  • Revised: Minor improvement in results-based techniques, for delaying the OS responses depending on the user-supplied time delay.
  • Revised: The time-related payloads (i.e. "time-based", "tempfile-based"), have been shortly revised.
  • Revised: Minor improvement in file-based technique, for delaying the OS responses depending on the user-supplied time delay.
  • Fixed: Minor improvement in file-based technique, regarding the directory path where the output file is saved.
  • Added: New option --ignore-redirects that ignores redirection attempts.
  • Added: New functionality for identifying and following URL redirections.
  • Fixed: Minor improvement for adding / at the end of the user provided root dir (in case it does not exist).
  • Revised: The file-based payload for deleting files with execution output, has been shortly revised.
  • Replaced: The --root-dir option has been replaced with --web-root option.
  • Added: New option --wizard that shows a simple wizard interface for beginner users.

Note: For more, check the detailed changeset.

v1.8-stable

15 Mar 05:09
  • Added: New feature for installing Unicorn tool (if not installed on host).
  • Removed: The pre-installed version of Unicorn tool has been removed.
  • Added: New feature for checking and updating current version of Unicorn tool.
  • Revised: The --delay option has been revised to delay between each HTTP request.
  • Replaced: The --delay option has been replaced with --time-sec option.
  • Fixed: Minor improvement regarding gnureadline module for better support on MacOS X hosts.
  • Added: New option --charset that forces character encoding used for data retrieval.
  • Added: New prefix ('%26) and suffix (%26') have been added.
  • Fixed: Removal of unnecessary command substitution in semiblind technique (i.e. "file-based").
  • Updated: The Unicorn tool has been updated to version 2.4.2.
  • Added: Support for the Regsvr32.exe Application Whitelisting Bypass technique.
  • Fixed: Minor improvement for checking for established TCP connections.
  • Fixed: Minor improvement for not reopening meterpreter sessions (in case of user abortion).

Note: For more, check the detailed changeset.

v1.7-stable

03 Feb 06:09
  • Fixed: Minor improvement regarding unverified SSL context(s).
  • Added: New values ("URIPATH", "SRVPORT") have been added to "Set" option.
  • Revised: Minor improvements regarding "reverse_tcp" and "bind_tcp" shell options.
  • Fixed: Minor improvement for checking missing mandatory option(s).
  • Fixed: Minor improvement regarding the file path of the null device.
  • Fixed: Minor improvement regarding automated scan level increasing.
  • Fixed: Improvement regarding skipping the testing of problematic URL(s) and proceeding with next ones (in case of scanning multiple targets).
  • Fixed: Improvement regarding printing current assessment state in case of user abortion.
  • Revised: Minor improvement for proceeding with semiblind technique (i.e. "file-based"), once the user provides the path of web server's root directory.
  • Fixed: Minor fix regarding the lack of http/s to the user-defined URL(s).
  • Added: New option --skip-empty for skipping the testing of the parameter(s) with empty value(s).
  • Fixed: Improvement regarding testing the parameter(s) with empty value(s).
  • Added: New CGI shellscript path /cgi-bin/cgiCmdNotify (vulnerable to shellshock) has been added.

Note: For more, check the detailed changeset.

v1.6-stable

28 Dec 09:36
  • Fixed: Improvement regarding JSON-formatted POST data, where whitespace before (and/or after) the ":" exists.
  • Fixed: Minor fix regarding empty value(s) in provided parameter(s).
  • Added: New option --batch that never asks for user input (using the default behaviour).
  • Added: New option -x for parsing target(s) from remote sitemap(.xml) file.
  • Added: New option --offline for working in offline mode.
  • Fixed: Improvement regarding the IP address grabbing (in case of internet inaccessibility).
  • Fixed: Improvement regarding HTTPS based websites, for which scanning fails.
  • Added: New option -r for loading HTTP request from a file.
  • Fixed: Improvement regarding the response time estimation, in which the target URL was requested without its POST data.
  • Added: New option -m for scanning multiple targets given in a textual file.
  • Fixed: Minor fix regarding the newline display in dynamic code evaluation (i.e. "eval-based") and semiblind technique (i.e. "file-based").
  • Revised: The dynamic code evaluation (i.e. "eval-based") payloads have been shortly revised.
  • Added: The executed command and the execution results output have been added to the log file.

Note: For more, check the detailed changeset.

v1.5-stable

17 Nov 05:01
  • Fixed: Minor improvement in the "ICMP exfiltration" module.
  • Fixed: Minor improvement for choosing default value when pressing enter.
  • Added: New tamper script "hexencode.py" that encodes the payload to Hex format.
  • Fixed: Minor improvements in executed commands history.
  • Added: New verbosity level (4) for printing the HTTP response page content.
  • Added: New option -t for logging all HTTP traffic into a textual file.
  • Added: New option --msf-path for specifying a path where metasploit is installed.
  • Added: New verbosity level (3) for printing the HTTP response headers.
  • Added: New verbosity level (2) for printing the performed HTTP requests headers.

Note: For more, check the detailed changeset.

v1.4-stable

17 Oct 06:08
  • Added: Support on crawler for checking target for the existence of 'sitemap.xml'.
  • Revised: The payload for Ruby reverse-shell has been shortly revised.
  • Added: Support for bind TCP shell (via "bind_tcp" option).
  • Added: New option --crawl (1,2) for crawling of a given website, starting from the target url.
  • Updated: The Unicorn tool has been updated to version 2.3.5.
  • Added: The project's official URL has been added in the menu banner.
  • Fixed: Minor improvements in tab completion.
  • Fixed: Minor improvement in the function that checks for updates on start up.
  • Fixed: Minor improvements in enumeration options (added failure messages).

Note: For more, check the detailed changeset.

v1.3-stable

14 Sep 06:56
  • Fixed: Minor improvements in "reverse_tcp" option.
  • Added: Support for the metasploit "web_delivery" script.
  • Added: Support for generating Python/PHP meterpreter reverse TCP payloads via metasploit.
  • Fixed: Minor improvements for enumeration options (if --url-reload is used).
  • Added: The ability for generating and injecting native x86 shellcode (Powershell).
  • Added: New option --skip-calc that skips the mathematic calculation during the detection phase.
  • Fixed: Minor improvement in Shellshock module for ignoring junk output on response.
  • Fixed: Minor improvement in Shellshock module for finding RCE results on page's response.

Note: For more, check the detailed changeset.

v1.2-stable

12 Aug 08:02
  • Added: The ability for setting custom (PHP / Python) working directory.
  • Fixed: License file minor inaccuracy issue has been fixed.
  • Revised: The Windows-based payloads for every supported technique have been shortly revised.
  • Revised: The dynamic code evaluation technique (i.e. "eval-based") has been shortly revised.
  • Added: New tamper script "space2tab.py" that replaces every space (%20) with horizontal tab (%09).
  • Added: The ability for generating powershell attack vectors via TrustedSec's Magic Unicorn.
  • Added: The ability for checking if there is a new version available.
  • Added: The ability for target application extension recognition (i.e. PHP, ASP etc).
  • Fixed: Minor improvement for finding the URL part (i.e. scheme:[//host[:port]][/]path).
  • Fixed: Minor fix for conflicted shells (i.e. regular, alternative) from session file.

Note: For more, check the detailed changeset.

v1.1-stable

14 Jul 06:03
  • Added: The ".gitignore" file has been added.
  • Added: Support for injections against ASP.NET applications.
  • Added: Support for warning detection regarding create_function() function.
  • Fixed: Minor improvement of the HTTP server for --file-upload option.
  • Fixed: Minor fix for conflicted executed commands from session file in HTTP Headers.
  • Added: The ability to store injection level into session files for current target.
  • Added: Support for automated enabling of an HTTP server for --file-upload option.
  • Fixed: Minor fix for "Python-urllib" User-Agent exposure.

Note: For more, check the detailed changeset.