AppSpider Pro Release Notes / Dec 02, 2020

Dec 02, 20207.4.019

New

  • More attacks for existing modules: We added new attacks to the following attack modules to improve attack coverage:
    • Cross-site scripting (XSS) in the Document Object Model (DOM)
    • Unvalidated redirects
  • AppSpider scan engines now use the x64 processor architecture.
  • The AppSpider installer can now consume installation configuration parameters from a configuration file as an alternative to having them supplied on the command line.
  • We added a Swagger download feature to the AppSpider engine available through the REST API.
  • We added support for the Selenium .side file format.

Improved

  • We updated our login macro playback algorithm to fix a playback failure that could occur with some sites.
  • We updated the FrontPage Server Extension vulnerability tests.
  • We upgraded the installed Selenium ChromeDriver to version 87.0.4280.20.
  • We now support error logging for JavaScript macro events.
  • We improved the algorithm for our Brute Force Form Authentication attack module to resolve a false positive finding.
  • We updated the analysis algorithm for the Session Strength attack module.
  • We added token extraction and injection capabilities to our authentication method for the REST API.
  • We expanded the Server Side Request Forgery (SSRF) attack module to include Azure cloud.

Fixed

  • The following attack modules were updated to address false positive findings:
    • NoSQLi Injection
    • Blind SQL Injection
    • File Inclusion
    • SSRF
  • We fixed an issue that prevented login macro files from executing if they used JavaScript.
  • We relaxed the conditions of Session Loss Header Regex to prevent it from triggering unnecessarily.
  • We fixed a scan crash condition caused by network errors.
  • We fixed a login failure during login traffic playback.
  • We fixed a condition that could cause scan engines to crash during engine tear-down.
  • We fixed an excessive memory usage issue caused by the Brute Force Form Authentication attack module.
  • We fixed a web service WSDL parsing error.
  • We fixed an issue that prevented the last message from being added to the operation and user logs at the end of the scan.
  • We fixed a login macro playback failure caused by the inclusion of truncated JavaScript code.