7.5.011 (released August 20, 2024)
New Attack features and enhancements
- Added a new payload to the Information Disclosure module that searches for the default naming of the CSRF token in ASP.NET.
- Extended the JWT module to also look for JWTs in the Authorization header's Bearer token.
- Improved the description of X-Frame-Options best-practices findings to give clearer direction on how to mitigate the finding.
- Improved the FrontPage attack module: corrected response analysis and fixed an issue in vulnerability verification that caused false positives.
- Improved the JWT attack module to correctly recognize an HTTP 500 server response and not report it as a vulnerability.
- Improved the Resource Locator attack to fix validation scanning.
New Crawling/Scanning features and enhancements
- ALF traffic is now included in the traffic metadata log even if authentication fails. This should help when troubleshooting authentication errors.
- Improved how ALF maxRetry is handled within R7Crawler and added support for arrays of ALF hooks.
- Improved the browser process tidy-up to ensure memory is released once the R7Crawler process has successfully terminated.
Additional Fixes
- Enhanced localStorage and sessionStorage handling with ALF and bootstrap login.
- Optional JavaScript macro events are now executable.
- Template login macros are now executable for JavaScript event types.