Mar 15, 2024

This is a round-up of all recent Scan Engine 7.5 releases and updates for AppSec users.

7.5.006 (released February 9, 2024)

New

  • Selenium ChromeDriver. We upgraded Selenium ChromeDriver to version 120.0.6099.109.

Improved

  • r7Crawler. We added the ability for users to specify the r7Crawler event selector type (text-based, CSS and xPath). We also added the ability for users to specify whether the r7Crawler should respect screen responsiveness for height and width. In addition, we added JavaScript macro redaction in the r7Crawler.

Fixed

  • An issue with Time-Based attacks in the Blind SQL Attack Module has been resolved.
  • We fixed a false negative against the Directory Traversal Attack Module.
  • Cookie expiry dates are now being set correctly within the r7Crawler.
  • We fixed an issue with logged-in checks within the r7Crawler.
  • The r7Crawler now correctly handles about:blank URLs for sequence macro playback.
  • Redaction no longer causes HTTP authentication to fail.
  • We fixed an issue with xPath selectors for SVG elements in the r7Crawler.
  • An issue with the accuracy of the CrawlDOMTask counters has been addressed.

7.5.007 (released February 13, 2024)

Fixed

  • We fixed an issue that prevented the Reverse Clickjacking module from returning findings.
  • Expired licenses no longer report a valid status.

7.5.008 (released March 14, 2024)

New

  • Selenium ChromeDriver. We upgraded Selenium ChromeDriver to version 122.0.6261.57.

Improved

  • r7Crawler. The r7Crawler now allows extra time for uncaught exceptions to be logged. We also improved the efficiency of web storage extraction and injection when loading pages in the browser via r7Crawler. In addition, we improved the r7Crawler ALF logging, the handling of navigations when loading ALF, and the retry logic for failed operations.
  • OpenAPI. The OpenAPI Library has been upgraded to version 1.6.13.
  • JSON. We resolved an issue causing JSON Injection false positives.
  • x-content-type-options header. We added a new recommendation for HTTPHeadersCharset002 that omits the reference to the x-content-type-options header.

Fixed

  • 401 messages are now correctly logged for attacks.
  • We fixed an issue where sitemaps defined in robots.txt were being parsed in a case-sensitive manner.
  • We fixed an issue in the XSS Reflected Attack Module to address a false negative.
  • Scans no longer fail in the OpenAPI Parser as the engine is now able to parse strings with a type of byte.
  • Incorrect values are no longer being reported when using the REST API for attacks attempted, attacks performed, and vulnerabilities found.