Dec 11, 2023

This is a round-up of all recent Scan Engine 7.5 releases and updates for AppSec users.

7.5.002 (released August 15, 2023)

New

  • Attack modules. We added two new attacks to detect exposed Swagger UI client secrets (Swagger UI XSS / Swagger UI DOM based).
  • Injection attacks. We added JSON Web Token and JSON injection attacks.

Fixed

  • We resolved an issue that was causing a SCAN_RESULT_UPLOAD_FAILURE error.
  • We resolved two issues causing scans to crash.

7.5.003 (released September 20, 2023)

New

  • JavaScript. Added the ability to extract browser cookies set via JavaScript.
  • RedactLogFiles. We added a new config option, RedactLogFiles, that lets users redact name and value parameters in URL data requests in HAR files.
  • File Inclusion attacks. We added new File Inclusion attacks for URL encoded directory traversal.
  • JSON Web Token attack module. We added a new JSON Web Token attack module to check for expired JWT tokens.
  • Resource Finder attack. We added a new Resource Finder attack to look for ASP Elmah.axd files.
  • Local File Include module. We added a new attack payload to the Local File Include module to search for vendor.js.

Improved

  • Selenium ChromeDriver. We upgraded Selenium ChromeDriver to version 117.0.5938.62.
  • Swagger UI. The Swagger UI client secret is now partially redacted in reports.
  • FrontPage Checks. We improved our 404 detection on FrontPage Checks to reduce false positives.
  • Browser Cache Directive attack module. We improved the Browser Cache Directive attack module by adding the ability to check if the server is responding to a preflight CORS options request.
  • Clients Cross-Domain Policy attack module. We improved the logic of our Clients Cross-Domain Policy attack module.
  • Attack modules. We updated the documentation and recommendations for the HTTPHeaders, Information Leakage, and Session Strength attack modules.

Fixed

  • We resolved an issue that was causing the engine to be unable to access remote Swagger files behind authentication.
  • We resolved an issue causing JSON injection false positives.
  • We resolved an engine crash that was causing some machines to run out of disk space.
  • Single quote comments no longer cause a GraphQL SDL parsing issue.
  • We resolved an issue causing a Secure Attribute Finding false positive.
  • Scans are no longer crashing due to a structured exception.
  • We fixed an issue that was causing the following error message: ‘Unable to set HTTP headers. Value: error code 87, The parameter is incorrect.’
  • We fixed an issue that was causing some validation scans to crash.
  • We fixed a Local File Inclusion false positive for package.json identification.
  • Input field names containing a space no longer cause an R7Crawler error.
  • We fixed a Browser Cache Directive false positive.

7.5.004 (released October 24, 2023)

New

  • RedactLogFiles. The RedactLogFiles config option has been disabled by default.
  • Swagger UI. We added new detection paths to Swagger UI (DOM Based) attack modules.

Improved

  • Selenium ChromeDriver. We upgraded Selenium ChromeDriver to version 118.0.5993.88.
  • Session Upgrade module. We improved the Session Upgrade module to process set-cookie within 302 responses.

Fixed

  • We fixed an issue that caused the Swagger UI (DOM Based) attack module to miss a finding.
  • We fixed an issue with the JSON Web Token attack module that was causing false positives.
  • We fixed typos in the JSON Web Token, Information Leakage, and HTTPHeader attack modules.
  • We fixed an issue that caused a Swagger UI (DOM based) false positive.
  • Cookie names and values that start/end with '[' / ']' (or '{' / '}') are now handled correctly by the R7Crawler.
  • The OpenAPI v3 parser now handles trailing slashes in the server field correctly.
  • Swagger files no longer cause the engine to run out of memory.
  • We fixed an issue that caused an HTTP Brute Force false positive.