Every shipped version. No hidden updates.

Web Iron Shield releases openly. Auto-updates are SHA-256 signed. Here's what changed, when, and why.

LATEST 2026-04-17

v2.8 — Anomaly Hunter & History Restore

🎯 New: 0-Day Anomaly Hunter

New Phase 4 of every scan with 10 independent hunters catching what rule-based checks miss:

  • Stack traces & debug output across PHP, Python, Java, Ruby, .NET, Node
  • Filesystem path disclosure (/var/www/..., cPanel paths, Windows paths)
  • Suspicious response headers (version leaks, debug/staging markers)
  • Dangerous HTTP methods accepted (PUT, DELETE, TRACE, PATCH)
  • Default installation pages (Apache/Nginx/IIS welcome, Tomcat, Plesk)
  • Debug & admin endpoint probing (40+ paths including /actuator/env, /.git/HEAD, /.env, /heapdump)
  • HTTP parameter pollution behaviour
  • Content-Type mismatches (JSON as text/html → XSS vector)
  • Login timing oracles (user enumeration)
  • Parameter reflection surfaces (XSS precursors)

📜 New: History Click-to-Restore

Double-click any row in the History tab to restore full findings into the Issues tab. Every feature (detail popup, Verify Now, Copy Commands) works on restored findings exactly as on fresh scans.


2026-04-17

v2.7 — Code Review & Verification Upgrade

🔬 Advanced Exploit Verification Engine

Replaced "No auto-verification" fallback with 9 category-specific verifiers. Each produces verdict + confidence + HTTP log + evidence + attacker walkthrough + copy-paste remediation code.

  • Command Injection: canary + time-based blind (Unix & Windows)
  • SQL Injection: error signatures (14 DB types) + boolean diff + time-blind
  • Reflected XSS: 5 context-aware payloads with canary detection
  • Path Traversal / LFI: 5 bypass payloads + content-signature matching
  • Open Redirect, CORS, Security Headers, Exposed Files, Cookie Flags

🔴 Security

  • Moved license signing secret from client to server (webironshield.com/api/)
  • Auto-updater now verifies SHA-256 signature of downloaded ZIPs
  • Added Zip-Slip path-traversal protection to update installer
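
How the last two items above fit together in an update installer, as an added Python example that is not Web Iron Shield's own code. All function names are hypothetical, and it assumes the expected digest arrives over an authenticated channel; a bare SHA-256 comparison detects tampering with the ZIP only if the digest itself can be trusted.

```python
import hashlib, hmac, os, tempfile, zipfile

class UpdateRejected(Exception):
    """An update archive failed a pre-install check."""

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def checked_members(zf, dest_dir):
    """Zip-Slip check: every entry must resolve inside dest_dir."""
    root = os.path.realpath(dest_dir)
    for info in zf.infolist():
        name = info.filename.replace("\\", "/")
        target = os.path.realpath(os.path.join(root, name))
        if not (target + os.sep).startswith(root + os.sep):
            raise UpdateRejected(f"entry escapes install dir: {info.filename!r}")
    return zf.infolist()

def install_update(zip_path, expected_sha256, dest_dir):
    """Check the digest, validate every entry, and only then write files."""
    if not hmac.compare_digest(sha256_file(zip_path), expected_sha256.lower()):
        raise UpdateRejected("SHA-256 mismatch")
    with zipfile.ZipFile(zip_path) as zf:
        # zipfile itself silently strips ".." on extract; here the whole update is refused
        members = checked_members(zf, dest_dir)
        zf.extractall(dest_dir, members)
    return [m.filename for m in members]

def make_zip(path, entries):  # constructed sample archive from {name: bytes}
    with zipfile.ZipFile(path, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return path

if __name__ == "__main__":
    work = tempfile.mkdtemp()
    dest = os.path.join(work, "install")
    os.mkdir(dest)
    bad = make_zip(os.path.join(work, "update.zip"), {"ok.txt": b"ok", "../evil.txt": b"x"})
    try:
        install_update(bad, sha256_file(bad), dest)
    except UpdateRejected as err:
        print("rejected:", err)
```

Validating every entry before extracting any of them keeps a rejected update from leaving a half-written install directory.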

🟡 Bug Fixes

  • Fixed "Total issues: 0" when clicking findings during active scan
  • Fixed Windows taskbar minimize/restore bug
  • JWT weak-algorithm finding now includes weakness field in description
  • Port scanner: removed dead StringVar never bound to any widget
  • Replaced bare except: clauses so Ctrl+C works during scans

🎨 UI

  • Custom shield icon on main window, tool popups, and installer
  • New icon appears in taskbar, Start Menu, Desktop shortcut

🔧 Build System

  • BUILD.bat now uses python -m PyInstaller (PATH-independent) — fixes the "pyinstaller not recognized" error
  • Pip errors no longer hidden by 2>nul
  • Python presence verified up front with clear error

🟢 Code Quality

  • Removed 74 redundant f-string prefixes
  • Removed ~20 unused imports and dead local variables

Earlier releases

v2.6 — Authorization & Active Pentest

  • Mandatory legal authorization with dual-checkbox confirmation and owner email verification
  • Added 3 new active penetration tests: XXE injection, JWT weakness detection, IDOR testing
  • Audit logging to scan_audit.log with timestamp, target, owner email

v2.5 — AI Integration

  • Optional Claude-powered AI scanning for business logic vulnerabilities
  • AI bounty hunter mode with estimated payout ranges

v2.4 — Real-Time Progress

  • Live scan progress display (watch payloads fire in real time)
  • Expanded CVE database to 70+ known vulnerabilities
  • Sensitive file bruteforce (120+ paths)