Apr 01, 2022

New

  • Scan for the Spring4Shell vulnerability with the updated Remote Code Execution (RCE) attack module. The Spring4Shell vulnerability (CVE-2022-22965) affects Spring MVC and Spring WebFlux applications running Java Development Kit (JDK) versions 9 and later. A new feature was introduced in JDK 9 that allows access to the ClassLoader from a class. This vulnerability can be exploited for RCE on Tomcat applications because of the features provided by the ClassLoader, but exploits for other ClassLoaders may be discovered.
  • Added ability to manage session tokens. We added the ability to manage session tokens when they are given as a URL parameter.
  • Added attack template and report. We added a new OWASP Top 10 attack template for 2021.

Improved

  • Improved Automated Login detection. We improved the Automated Login detection of CAPTCHA technologies.
  • Improved exceptions and parameters. We improved exception handling and parameter processing with the Microsoft Authentication Library feature.
  • Updated ChromeDriver version. The installed version of Selenium ChromeDriver is now 99.0.4844.51.
  • Improved Server Side Request Forgery module. We improved the SSRF module to reduce false positives.

Fixed

  • Automated Login is no longer prevented from logging into several customer sites.
  • An accumulation of cookies is no longer causing requests to be too long.
  • Remote bootstrap authenticated scans are no longer timing out upon re-authentication when a logout occurs during the scan.
  • An HTTP authentication header is no longer missing when running scans through the Scan Engine with traffic log enabled.
  • Scanning REST APIs no longer results in an HSTS false positive.