Oct 31, 2024 - 7.5.013

This is a round-up of all recent Scan Engine releases and updates for AppSpider users.

7.5.013 (released October 31, 2024)

New Attack features and enhancements

  • HTTP Headers Module enhancement - A best practice check was added to verify that the Referrer-Policy header is correctly set.
  • X-Powered-By HTTP Header and Server Configuration Module enhancements - Resolved an issue that prevented the Severity from changing from Information to Low.
  • Attacks Module enhancements - Added missing CWE IDs to the following attack modules: Apache Struts 2, Apache Struts Detection, Autocomplete Check, Front Page Checks, HTTP User Agent Checks, JavaScript Checks, JSON Injection, JSON Web Token, Personal Sensitive Information, Privacy Check, Profanity, Reflection, Request Method Modification, Reverse Clickjacking, Subdomain, Web DAV, Web Service Parameter Tampering.

New Crawling/Scanning features and enhancements

  • Automated Login Finder (ALF) Enhancements
    • Improved logged-in and login-fail detection.
    • Improved the handling of 401 status codes.
    • Improved dictionary handling in Chromium and aligned it with Chrome.
    • General enhancements to outputs.
  • Improved the DOMContentLoaded checks for Macro authentication playback.
  • Upgraded Selenium ChromeDriver to version 130.0.6723.69.
  • Improved Report PDF generation by using the R7Crawler Playwright Browser.

7.5.012 (released September 26, 2024)

New Attack features and enhancements

  • Information Disclosure Module enhancements - Improved a regex issue that was resulting in false negatives, and added a PIN code check attack to the ScriptCheck module.
  • Enhanced the XSS_DOM attacks - Resolved an issue with how the value is read from the scan config in the scan engine.
  • Passive Attacks - Improved support for Passive Attacks during validation scanning.
  • PCI - Improved PCI 4.0 report references.

New Crawling/Scanning features and enhancements

  • The maximum size for binary responses imposed by the network layer has been made configurable via NetworkSettingsConfig.
  • Extended NODE_OPTIONS passed to the R7Crawler to allow support for legacy certificate encryption methods.
  • Prevented onmouseover events from being added to the R7Crawler event list, as these are blocked by the Engine.
  • Improved the R7Crawler logging to ensure that captured errors are always returned, even if macro playback is not successful.
  • Improved cookie handling to handle some scenarios which previously caused an error.
  • Improved the remote bootstrap authentication flow, which was failing when JavaScriptEngine was set to Chromium due to overly strict validation of the configured logged-in regex and header regex.
  • Upgraded Selenium ChromeDriver to version 129.0.6668.58.
  • Updated the version of CEFSharp used by the UI integrated browser to v96 or higher.

7.5.011 (released August 20, 2024)

New Attack features and enhancements

  • Added a new payload to the Information Disclosure module searching for the default naming of a CSRF Token in ASP.NET.
  • Extended the JWT module to also look for JWTs in the Authorization Bearer token.
  • Improved description for X-Frame-Options best practices findings to give better directions on how to mitigate the finding.
  • Made improvements to FrontPage Attack Module to correct response analysis and fix an issue in vulnerability verification causing false positives.
  • Made improvements to JWT Attack Module to correctly recognize server response 500 and not report a vulnerability.
  • Made improvements to Resource Locator attack to fix validation scanning.

New Crawling/Scanning features and enhancements

  • ALF traffic is now included in the traffic metadata log even if authentication fails. This should help with troubleshooting authentication errors.
  • Improved how the R7Crawler handles ALF maxRetry and supports arrays of ALF hooks.
  • Improved browser process cleanup to ensure memory is released when the R7Crawler process has successfully terminated.

Additional Fixes

  • Enhanced localStorage and sessionStorage handling with ALF and bootstrap login.
  • Optional JavaScript macro events are now executable.
  • Template Login Macros are now executable for JavaScript event types.

7.5.010 (released June 10, 2024)

New Attack features and enhancements

  • Information Disclosure module payload. We added a new payload to the Information Disclosure module searching for the default naming of a CSRF token in ASP.NET.
  • Server type regex. We improved the regex for server type disclosures to reduce false positives.
  • Time-Based BSQL attacks. We improved Time-Based BSQL attacks to help reduce false positives.
  • Attack module severity. We reduced the severity of some of the Forced Browsing attack module findings.

New Crawling/Scanning features and enhancements

  • R7Crawler logic. We added retry logic for the R7Crawler if a health check failure is detected.
  • Selenium ChromeDriver. We upgraded our Selenium ChromeDriver to version 124.0.6367.91.
  • Automated Login credentials. We improved the redaction of Automated Login credentials where the credentials contain double quotes.
  • Proxy Client Improvements. We resolved an issue that led to an excessive number of "client ID not found" logs. This issue was caused by the Scan Engine cutting off requests before all messages could be sent successfully.
  • OpenAPI Parser Improvements. We fixed an issue that caused scans to fail due to the Scan Engine's inability to parse multipleStatementsExample.