Version 7.4.052 (May 17, 2023)

New

  • All API Modules attack template. We added a new All API Modules attack template.
  • HTTP Strict Transport Security attack. We added a new HTTP Strict Transport Security attack that checks whether the max-age directive of the Strict-Transport-Security header is set to zero. Setting max-age to zero disables HTTP Strict Transport Security and may lead to insecure access via HTTP.

Improved

  • File inclusion. We updated the File Inclusion attack module with a null byte injection attack.
  • Selenium ChromeDriver. We upgraded Selenium ChromeDriver to version 113.0.5672.63.
  • MaxDatabaseSize. We increased the default MaxDatabaseSize value from 1GB to 4GB.
  • SSL Strength. We updated the SSL Strength attack module so that specific severities are applied when SSL certs are about to expire or have already expired. We flag SSL certs that expire in 15 to 21 days as Informational, certs that expire in 1 to 14 days as Low, and expired certs as High.
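As an added example (not the product's own code), here are the two checks described above as a scanner might implement them: parsing the Strict-Transport-Security header and flagging max-age=0 (also reporting a missing or non-numeric max-age, which goes beyond the check the notes describe), and mapping certificate expiry to the severity bands listed. The NOW timestamp and the sample header values are constructed, and counting a partial remaining day as a full day is an assumption.

```python
import math
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# Constructed reference time for the examples (not a real scan).
NOW = datetime(2023, 5, 17, tzinfo=timezone.utc)

def parse_hsts(header_value: str) -> Dict[str, Optional[str]]:
    """Parse a Strict-Transport-Security value (RFC 6797) into a dict of
    lower-cased directive names; value-less directives map to None."""
    directives: Dict[str, Optional[str]] = {}
    for part in header_value.split(";"):
        name, has_value, value = part.strip().partition("=")
        if not name:
            continue
        # Directive names are case-insensitive; values may be quoted.
        directives[name.strip().lower()] = value.strip().strip('"') if has_value else None
    return directives

def hsts_finding(header_value: Optional[str]) -> Optional[str]:
    """Return a finding label, or None when HSTS is correctly enabled.
    'max-age-zero' is the check from the release notes; the other two
    labels are extra cases handled here."""
    if header_value is None:
        return "missing"
    max_age = parse_hsts(header_value).get("max-age")
    if max_age is None or not max_age.isdigit():
        return "invalid-max-age"
    if int(max_age) == 0:
        return "max-age-zero"  # max-age=0 tells browsers to drop the HSTS policy
    return None

def cert_expiry_severity(not_after: datetime, now: datetime = NOW) -> Optional[str]:
    """Severity bands from the release notes: expired -> High,
    1-14 days -> Low, 15-21 days -> Informational, otherwise None.
    Assumption: a partial remaining day counts as a full day (ceil)."""
    remaining = (not_after - now).total_seconds()
    if remaining <= 0:
        return "High"
    days = math.ceil(remaining / 86400)
    if days <= 14:
        return "Low"
    if days <= 21:
        return "Informational"
    return None

def severity_for_offset(days: float) -> Optional[str]:
    """Convenience: severity for a cert expiring `days` from NOW."""
    return cert_expiry_severity(NOW + timedelta(days=days))
```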

Fixed

  • We fixed an issue with parsing OpenAPI (Swagger) documents that contained multipart or form-data content types.
  • The scan engine now correctly parses the ASP.NET view state.
  • The scan engine no longer crashes as a result of a structured exception.
  • The AppSec Toolkit now successfully installs on Windows Server 2022.