New
- Scan for the Spring4Shell vulnerability with the updated Remote Code Execution (RCE) attack module. The Spring4Shell vulnerability (CVE-2022-22965) affects Spring MVC and Spring WebFlux applications running Java Development Kit (JDK) versions 9 and later. A new feature was introduced in JDK 9 that allows access to the ClassLoader from a class. This vulnerability can be exploited for RCE on Tomcat applications because of the features provided by the ClassLoader, but exploits for other ClassLoaders may be discovered.
- Added ability to manage session tokens. We added the ability to manage session tokens when given as a URL parameter.
- Added attack template and report. We added a new OWASP Top 10 attack template for 2021.
Improved
- Improved Automated Login detection. We improved the Automated Login detection of CAPTCHA technologies.
- Improved exceptions and parameters. We improved exception handling and parameter processing with the Microsoft Authentication Library feature.
- Updated ChromeDriver version. The installed version of Selenium ChromeDriver is now 99.0.4844.51.
- Improved Server Side Request Forgery module. We improved the SSRF module to reduce false positives.
Fixed
- Automated Login is no longer prevented from logging into several customer sites.
- An accumulation of cookies is no longer causing requests to be too long.
- Remote bootstrap authenticated scans are no longer timing out upon re-authentication when a logout occurs during the scan.
- An HTTP authentication header is no longer missing when running scans through the Scan Engine with traffic log enabled.
- Scanning REST APIs no longer results in an HSTS false positive.