New
- YAML Swagger/OpenAPI. You can now upload Swagger/OpenAPI files in YAML format.
- SSL Strength module. We added a check to the SSL Strength module that checks the key length used for HTTPS.
- GraphQL. You can now scan and attack GraphQL.
Improved
- Anonymous Access module. We refreshed the Anonymous Access module to reduce false positives.
- Search fields. We improved the way the engine interacts with search fields to reduce false positives returned.
- OpenAPI. We added the ability to access OpenAPI documents without credentials.
- NoSQLi. We improved the NoSQLi attack module logic to help reduce false positives.
- Privacy Policy module. We reduced the severity of the Privacy Policy module from Low to Informational.
- X-XSS-Protection module. We updated the X-XSS-Protection module to flag responses where the header is missing or set to any value other than 0. The module also no longer flags 3xx (redirect) responses.
- X-Content-Type-Options module. We updated the X-Content-Type-Options module to no longer flag vulnerabilities against 3xx response codes.
- Swagger/OpenAPI. We improved Swagger/OpenAPI support to follow HTTP redirects when retrieving documents.
- Selenium ChromeDriver. The installed version of Selenium ChromeDriver is now 104.0.5112.79.
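The X-XSS-Protection and X-Content-Type-Options changes above describe a response-header check with two rules: skip 3xx responses, and otherwise flag a missing or wrongly valued header. The following is an added example written for this page, not the scanner's own module code; it models those rules over constructed sample responses. The check for X-Content-Type-Options assumes the module expects the value `nosniff` (the release notes do not state the expected value), and the function name `check_security_headers` is a name chosen here.

```python
"""Model of the X-XSS-Protection / X-Content-Type-Options header checks as
described in the release notes. Added example; not the scanner's own code."""


def _header(headers, name):
    """Case-insensitive header lookup; returns the stripped value or None."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None


def check_security_headers(status, headers):
    """Return a list of finding strings for one HTTP response.

    status  -- integer HTTP status code
    headers -- dict of response header name -> value
    """
    findings = []

    # Both modules no longer flag 3xx responses: a redirect body is never
    # rendered, so header hardening is judged on the final response instead.
    if 300 <= status < 400:
        return findings

    # X-XSS-Protection: flag when missing or set to anything other than 0.
    # Only the first token is compared, so "0; report=..." still counts as 0.
    xss = _header(headers, "X-XSS-Protection")
    if xss is None:
        findings.append("X-XSS-Protection header not found")
    elif xss.split(";")[0].strip() != "0":
        findings.append("X-XSS-Protection set to %r; expected 0" % xss)

    # X-Content-Type-Options: assumed to expect 'nosniff' (assumption; the
    # release notes only say the module skips 3xx responses).
    xcto = _header(headers, "X-Content-Type-Options")
    if xcto is None:
        findings.append("X-Content-Type-Options header not found")
    elif xcto.lower() != "nosniff":
        findings.append(
            "X-Content-Type-Options set to %r; expected nosniff" % xcto)

    return findings


# Constructed sample responses (not captured traffic).
SAMPLE_RESPONSES = {
    "redirect": (302, {"Location": "/login", "X-XSS-Protection": "1"}),
    "hardened": (200, {"X-XSS-Protection": "0",
                       "X-Content-Type-Options": "nosniff"}),
    "legacy_auditor": (200, {"x-xss-protection": "1; mode=block"}),
    "bad_value": (200, {"X-XSS-Protection": "0; report=/r",
                        "X-Content-Type-Options": "sniff"}),
}


def run_samples():
    """Evaluate every sample and return {name: [findings]}."""
    return {name: check_security_headers(status, hdrs)
            for name, (status, hdrs) in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(name, "->", findings or "no findings")
```

The redirect sample carries a non-zero X-XSS-Protection value but produces no finding, which is exactly the behaviour change the two notes describe; the same headers on a 200 response would be flagged.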
Fixed
- The engine webhook now returns the correct CrawlResultReference ID.
- Specific scan config chosen by the user is now being correctly used during report regeneration.
- Fixed an issue in automated login that prevented it from clicking an element on a customer site.
- The engine is now correctly substituting the @File placeholder in the File Inclusion module.
- The VectorString in VulnerabilitiesSummary.json is no longer empty.
- The OOB SQL attack CVSS scores are now populating.