New
- More attacks for existing modules: We added new attacks to the following attack modules to improve attack coverage:
- Cross-site scripting (XSS) in the Document Object Model (DOM)
- Unvalidated redirects
- AppSpider scan engines now use the x64 processor architecture.
- The AppSpider installer can now consume installation configuration parameters from a configuration file as an alternative to having them supplied on the command line.
- We added a Swagger download feature to the AppSpider engine available through the REST API.
- We added support for the Selenium
.side
file format.
Improved
- We updated our login macro playback algorithm to fix a playback failure that could occur with some sites.
- We updated the FrontPage Server Extension vulnerability tests.
- We upgraded the installed Selenium ChromeDriver to version 87.0.4280.20.
- We now support error logging for JavaScript macro events.
- We improved the algorithm for our Brute Force Form Authentication attack module to resolve a false positive finding.
- We updated the analysis algorithm for the Session Strength attack module.
- We added token extraction and injection capabilities to our authentication method for the REST API.
- We expanded the Server Side Request Forgery (SSRF) attack module to include Azure cloud.
Fixed
- The following attack modules were updated to address false positive findings:
- NoSQLi Injection
- Blind SQL Injection
- File Inclusion
- SSRF
- We fixed an issue that prevented login macro files from executing if they used JavaScript.
- We relaxed the conditions of Session Loss Header Regex to prevent it from triggering unnecessarily.
- We fixed a scan crash condition caused by network errors.
- We fixed a login failure during login traffic playback.
- We fixed a condition that could cause scan engines to crash during engine tear-down.
- We fixed an excessive memory usage issue caused by the Brute Force Form Authentication attack module.
- We fixed a web service WSDL parsing error.
- We fixed an issue that prevented the last message from being added to the operation and user logs at the end of the scan.
- We fixed a login macro playback failure caused by the inclusion of truncated JavaScript code.