New
- New Crawler updates. New crawling technology, R7Crawler, is a new option over the existing crawler, ChromeHost.
- ChromeHost is still the default crawler.
- You can configure using the scan config settings to use the new crawler. Within the advanced options, a value of "Chromium" in ScanConfig.JavascriptEngine uses the new R7Crawler. “Chrome” remains the default value, enabling the ChromeHost crawler
- We added the ability for you to specify the R7Crawler event selector type (text-based, CSS and xPath). We also added the ability for you to specify whether the R7Crawler should respect screen responsiveness for height and width. In addition, we added JavaScript macro redaction in the R7Crawler.
- New Rest Service. The REST service has been reimplemented. You will see no difference between the new and previous REST services.
- The new implementation leverages the Kestrel server.
- The new service allows you to define your own SSL certificates.
- This improves REST service diagnostics.
- This improves stability.
- This maintains compatibility with the existing API.
- The IAS installer handles the new local API password requirements. No action is required by users.
- Swagger/Open API upgrade. The Swagger Parser has been replaced with Microsoft's OpenAPI implementation.
- API Behavior remains consistent.
- Existing swagger documents continue to be supported.
- Parsing performance has increased.
- This upgrade allows for handling of larger sized documents.
- The service defaults to the new implementation.
- You can switch to the old implementation using the scan config option by setting UseSwaggerV1 to 1. For users using the Swagger UI tool, an environmental variable needs to be set.
- Attack Modules.
- Swagger UI. We added two new attacks to detect exposed Swagger UI client secrets (Swagger UI XSS / Swagger UI Dom based).
- Injection attacks. We added JSON webtoken and JSON injection attacks.
- File Inclusion attacks. We added new File Inclusion attacks for URL encoded directory traversal.
- JSON Web Token attack module. We added a new JSON Web Token attack module to check for expired JWT tokens.
- Resource Finder attack. We added a new Resource Finder attack to look for ASP Elmah.axd files.
- Local File Include module. We added a new attack payload to the Local File Include module to search for vendor.js.
- x-content-type-options header. We added a new recommendation for HTTPHeadersCharset002 that omits the reference to the
x-content-type-options
header. - Session Upgrade module. We improved the Session Upgrade module to process
set-cookie
within 302 responses. - Browser Cache Directive attack module. We improved the Browser Cache Directive attack module by adding the ability to check if the server is responding to a preflight CORS options request.
- Clients Cross-Domain Policy attack module. We improved the logic of our Clients Cross-Domain Policy attack module.
- Attack modules documentation. We updated the documentation and recommendations for the HTTPHeaders, Information Leakage, and Session Strength attack modules.
- Blind SQL. An issue with Time-Based attacks in the Blind SQL Attack Module has been resolved.
- FrontPage Checks. This resolves an issue that was causing false positives.
Improved
- Selenium ChromeDriver. We upgraded Selenium ChromeDriver to version 123.0.6312.58.
- OpenAPI. The OpenAPI Library has been upgraded to version 1.6.13.
- JavaScript. We added the ability to extract browser cookies set via JavaScript.
- Swagger UI. The Swagger UI client secret is now partially redacted from showing in the reports.
- HTTPHeadersConfig. DoNotAttackUserAgent has been added as an option to the HTTPHeadersConfig advanced scan config section. This prevents the Out of Band Log4Shell attack from attacking custom user agents.
- BrowserDoNotDownloadExtensions. We extended BrowserDoNotDownloadExtensions to include .woff2, .webm, or .mov files.
- MSAL. We added an option to configure the MSAL authority URL.
- RedactLogFiles. We added a new config option, RedactLogFiles, so that you can enable the redaction of name and value parameters in URL data requests in HAR files.