
Jul 13, 2022

This release includes improvements to our attack modules and various fixes.

Improved

  • OpenAPI. Authenticated scans can now retrieve an OpenAPI document that is served without credentials, instead of requiring the document itself to be behind the scan's authentication.
  • Server-Side Request Forgery attacks. We have enhanced our SSRF attacks to reduce the number of false positives being returned by the module.
  • Selenium ChromeDriver. The installed version of Selenium ChromeDriver is now 103.0.5060.53.
  • SSL Strength Module. We have improved our SSL strength module to show the weak cipher it detected. We have also updated the severities.
  • Content Security Policy Header Module. We have fixed a false positive in our CSP header module. We have removed the require-sri-for check, as that directive was dropped from the CSP specification and is ignored by browsers. The module now checks for the frame-ancestors directive rather than the X-Frame-Options header, which frame-ancestors supersedes.
  • Comment Check attack. We have fixed a hard-coded password false positive in our Comment Check attack.
  • Attack description. We have updated the CSP description and recommendation for policies that use unsafe-inline or unsafe-eval.
  • Out of Band Verification Monitor. We have enhanced the OOB Verification Monitor so that it is no longer reported as a long-running task.

Fixed

  • The issue where two WebService directories were created on the C: drive when installing the REST Service on another drive has been resolved.
  • We have fixed an issue that caused PDF report generation to fail.
  • Validation scans now correctly update vulnerability statuses.
  • HTTP/2 pseudo-headers are now handled correctly.
  • The CSP module now correctly matches and reports the quoted 'none' source value.
  • We have updated our NGINX config file to use the recommended SSL ciphers.
  • The tokenReplacementList no longer injects duplicate keys into the URL query parameters.
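As an added illustration of the CSP checks these notes refer to (frame-ancestors instead of X-Frame-Options, the dropped require-sri-for directive, unsafe-inline and unsafe-eval, and correct matching of the quoted 'none' value), here is a small Python check. It is example code written for this page, not the scanner's own module; the function names, finding strings and sample headers are constructed for illustration. It also handles two related edge cases the notes do not spell out: an unquoted `none`, which browsers treat as a host name rather than the keyword, and an `'unsafe-inline'` that sits next to a nonce or hash source, which CSP Level 2 and later browsers ignore.

```python
"""Minimal Content-Security-Policy header check (example code, not a product module)."""

DEPRECATED_DIRECTIVES = {"require-sri-for"}  # removed from the CSP specification
UNSAFE_SOURCES = {"'unsafe-inline'", "'unsafe-eval'"}
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [sources]}.

    Directive names are case-insensitive. If a directive is repeated, browsers
    keep the first occurrence and ignore the rest, so setdefault mirrors that.
    """
    policy: dict[str, list[str]] = {}
    for token in value.split(";"):
        parts = token.split()
        if not parts:
            continue
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def check_csp(headers: dict[str, str]) -> list[str]:
    """Return a list of finding strings for a response's headers."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    csp = hdrs.get("content-security-policy")
    if csp is None:
        findings.append("missing: no Content-Security-Policy header")
        return findings

    policy = parse_csp(csp)
    for directive, sources in policy.items():
        if directive in DEPRECATED_DIRECTIVES:
            findings.append(f"deprecated: {directive} is no longer part of CSP and is ignored by browsers")
            continue

        lowered = [s.lower() for s in sources]

        # The keyword must be quoted; a bare none is matched as a host called "none".
        if "none" in lowered:
            findings.append(f"misconfigured: {directive} lists unquoted none, which browsers treat as a host name")
        if "'none'" in lowered and len(lowered) > 1:
            findings.append(f"misconfigured: {directive} combines 'none' with other sources, so 'none' is ignored")
        if lowered == ["'none'"]:
            continue  # fully locked down, nothing else to report for this directive

        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered)
        for src in lowered:
            if src not in UNSAFE_SOURCES:
                continue
            if src == "'unsafe-inline'" and has_nonce_or_hash:
                # Backward-compatibility pattern: CSP2+ browsers drop 'unsafe-inline'
                # when a nonce or hash is present in the same directive.
                findings.append(f"info: {directive} has 'unsafe-inline' but a nonce/hash is present, so CSP2+ browsers ignore it")
            else:
                findings.append(f"high: {directive} allows {src}")

    # frame-ancestors supersedes X-Frame-Options; report its absence either way,
    # but say why when only the older header is present.
    if "frame-ancestors" not in policy:
        if "x-frame-options" in hdrs:
            findings.append("medium: frame-ancestors missing; X-Frame-Options is present but is superseded by CSP frame-ancestors")
        else:
            findings.append("medium: frame-ancestors missing; the page can be framed by any origin")
    return findings


# Constructed sample responses, not captured from any real site.
SAMPLE_WEAK = {
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
        "require-sri-for script; frame-ancestors 'none'"
    ),
}
SAMPLE_LEGACY = {
    "Content-Security-Policy": "default-src none; script-src 'nonce-abc123' 'unsafe-inline'",
    "X-Frame-Options": "DENY",
}
SAMPLE_GOOD = {"Content-Security-Policy": "default-src 'none'; frame-ancestors 'self'"}

if __name__ == "__main__":
    for name, hdrs in (("weak", SAMPLE_WEAK), ("legacy", SAMPLE_LEGACY), ("good", SAMPLE_GOOD)):
        print(name)
        for finding in check_csp(hdrs) or ["no findings"]:
            print("  ", finding)
```

The severity labels here are only illustrative; a real scanner would also need to treat report-only policies and multiple CSP headers (which browsers intersect) separately.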