May 12, 2022

7.4.041

New

  • Out-of-Band SQL Injection module. We added a new Out-of-Band SQL Injection module that checks the application for SQLi vulnerabilities that can be detected by monitoring external DNS and HTTP network interactions.
  • Config options. We added three new configuration options:
    • LimitToOneBrowser, to limit the engine to only use one browser instance during scans.
    • DenylistAllForms, to prevent the engine from populating or attacking any type of form on a site.
    • Max404FindingsPerModule, to enable customers to limit the number of vulnerabilities found against 404 pages.

Improved

  • Remote Code Execution module. We updated the Remote Code Execution module severity from medium to high.
  • Selenium ChromeDriver. The installed version of Selenium ChromeDriver is now 100.0.4896.60.
  • Reflected XSS attack module. We improved the Reflected Cross-site Scripting (XSS) simple attack module to catch a previously unreported vulnerability.
  • AppSpider report. AppSpider reports now show redacted versions of any known credit cards, telephone numbers, and all other sensitive information.
  • Expression Language Injection attack. We added a new Expression Language Injection attack.
  • X-Content-Type-Options attack. We updated the X-Content-Type-Options attack to only run against HTML, XML, and JSON types.
  • Attack description. We updated the attack description for the Content Security Policy.
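The X-Content-Type-Options change above narrows a passive header check to HTML, XML and JSON responses. The following is an added illustration of what such a scoped check looks like, written for this page and not taken from AppSpider; the media-type list, the `Response` type and the constructed sample responses are assumptions, since the release note names only the three broad content types.

```python
"""Scoped X-Content-Type-Options check (added example, not AppSpider code).

Flags a response that lacks 'X-Content-Type-Options: nosniff', but only when
its Content-Type is HTML, XML or JSON; other types (images, fonts, ...) are
skipped, which is the scoping described in the release note.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical media-type list: the note says "HTML, XML, and JSON" without
# naming exact MIME strings, so this set is an assumption.
RELEVANT_MEDIA_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "text/xml",
    "application/xml",
    "application/json",
}


@dataclass
class Response:
    """Minimal stand-in for a captured HTTP response (assumed shape)."""
    url: str
    headers: Dict[str, str]


def _header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def media_type(content_type: Optional[str]) -> str:
    """Strip parameters such as '; charset=utf-8' and normalise case."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def is_relevant(content_type: Optional[str]) -> bool:
    """True for HTML/XML/JSON, including structured-syntax suffixes (+json, +xml)."""
    mt = media_type(content_type)
    return mt in RELEVANT_MEDIA_TYPES or mt.endswith("+json") or mt.endswith("+xml")


def check_nosniff(resp: Response) -> Optional[str]:
    """Return a finding string, or None when compliant or out of scope."""
    ctype = _header(resp.headers, "Content-Type")
    if not is_relevant(ctype):
        return None  # out of scope: the check only runs on HTML/XML/JSON
    xcto = _header(resp.headers, "X-Content-Type-Options")
    if xcto is not None and xcto.strip().lower() == "nosniff":
        return None  # header present and correct
    return (f"{resp.url}: missing or invalid X-Content-Type-Options "
            f"(Content-Type: {media_type(ctype)})")


# Constructed sample responses; example.test is a reserved placeholder domain.
SAMPLE_RESPONSES = [
    Response("https://example.test/", {"Content-Type": "text/html; charset=utf-8"}),
    Response("https://example.test/api",
             {"content-type": "application/json", "x-content-type-options": "nosniff"}),
    Response("https://example.test/logo.png", {"Content-Type": "image/png"}),
    Response("https://example.test/feed",
             {"Content-Type": "application/atom+xml", "X-Content-Type-Options": "none"}),
]


def run(responses: List[Response] = SAMPLE_RESPONSES) -> List[str]:
    """Run the scoped check and return the list of findings."""
    findings = []
    for resp in responses:
        finding = check_nosniff(resp)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for line in run():
        print(line)
```

Against the constructed samples only the HTML page (header absent) and the Atom feed (header present but not `nosniff`) are reported; the PNG is skipped as out of scope and the JSON endpoint passes. The `+json`/`+xml` suffix handling is a small generalisation beyond the note's wording so that types such as `application/problem+json` are treated as JSON.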

Fixed

  • Proxy exceptions are now being honored.
  • Macro recordings can now be saved from the Pro UI.
  • The OpenAPI content type application/form is now handled correctly.
  • The engine now correctly parses Swagger documents and no longer submits null values.