This release includes new security checks, improvements, and fixes. We added a range of new security checks to help identify vulnerabilities. We improved the issues page to identify non-retestable issues, improved the PCI scan report export, business logic recorder, and more. We also fixed some bugs.
This update includes changes to the internal agents. The internal scan agent’s current version is 23.3.0. The internal authentication verifier agent’s current version is 23.3.0
New security checks
- Added package.json Configuration File attack pattern.
- Added new File Upload Injection pattern.
- Added SSRF (Equinix) vulnerability.
- Added Swagger user interface Out-of-Date vulnerability.
- Added a file upload injection pattern.
- Added StackPath CDN Identified vulnerability.
- Added Insecure Usage of Version 1 GUID vulnerability.
- Added JBoss Web Console JMX Invoker check.
- Added Windows Server check.
- Added Windows CE check.
- Added Cloudflare Identified, Cloudflare Bot Management, Cloudflare Browser Insights, and cdnjs checks.
- Added Varnish Version Disclosure vulnerability check.
- Added Stack Trace Disclosure (Apache Shiro) vulnerability check.
- Added Java Servlet Ouf-of-Date vulnerability check.
- Added AEM Detected vulnerability check.
- Added CDN Detected(JsDelivr) vulnerability check.
Improvements
Improvements in scans
- Improved the bulk update of those issues with the Fixed(Can’t Retest) status.
- Added a column on the Issues page to show users whether an issue is retestable.
- Improved the scan compression algorithm to lower the size of the scan data.
- Added a tooltip to show the full scan report name when it is too long.
- Added a progress indication while exporting a PCI scan report.
- Added an option to delete the stuck agents’ commands.
- Fixed the business logic recorder issue while using the Basic, NTLM/Kerberos Configurations.
Improvements in API
- Improved the descriptions for /api/1.0/issues/report endpoint and the integration parameter on the Allissues endpoint.
Improvements in security checks
- Improved WS_FTP Log vulnerability test pattern.
- Improved X-XSS-Protection Header Issue vulnerability template.
- Improved MySQL Database Error Message attack pattern.
- Improved XML External Entity Injection vulnerability test pattern.
- Improved Forced Browsing List.
- Added CWE classification for Insecure HTTP Usage.
- Added GraphQL Attack Usage to existing test patterns by default.
- Improved the internal agents on Windows to prevent possible Unquoted Service Path issues.
Fixes
- Fixed the internal agents naming issue.
- Fixed the update issue in the Proof node in the Knowledge Base panel.
- Fixed the API token reset issue for team members.
- Fixed the API documentation’s website that failed to show descriptions.
- Fixed the business logic recorder issue where the session is dropped because of a cookie.
- Fixed the default email address that appeared on the login page during the custom script window.
- Fixed the Out-of-Memory issue caused by the Text Parser when adding any extension to the parser.
- Fixed the Client Secret in raw text appearing in the scan report for OAuth2.
- Fixed the Hawk validation issue.
- Fixed the scan flow with different logic for incremental scans that are launched via CI/CD integrations and the user interface.
- Fixed the custom vulnerability deletion problem on the custom report policy.
- Fixed the vulnerability database issue that occurred because of a URL redirect problem.
- Fixed the internal server error on the Audit logs’ list endpoint.
- Fixed the issue of email notifications when a new scan is launched.
- Fixed the typo on the OAuth2 settings page.
- Fixed the issue updating timeout issue.
- Fixed the PCI scan icon issue that disappeared during the scan.