AppSpider release announcements for November 2015

Document created by Kris Kaitanjian (Employee) on Jan 14, 2016. Last modified by Kris Kaitanjian (Employee) on Apr 20, 2016.
Version 6

This Rapid7® AppSpider® 6.6 release includes:

 

New Features

  • Added “comprehensiveness” setting to scan configuration – The fast scan option reduces scan time by minimizing duplicate scanning. Users can configure the setting separately for the crawler and attacker modules to optimize scan speed; a less comprehensive setting skips more near-duplicate requests, so choose it with coverage in mind.
  • Added encoder/decoder to the UI – Allows encoding and decoding of items such as URLs to assist with testing efforts. This tool is located in the "Tools" section of AppSpider.

 

New Attack Modules

  • Persistent XSS (cross-site scripting) – Persistent (stored) XSS is an XSS attack in which the injected payload is stored by the vulnerable web application and served to other users who later load the affected page. The root cause is improper neutralization of input during web page generation (CWE-79).
  • Custom passive module – Users can create a set of custom passive attacks, using the sample attack included with this module as a template.
  • Client cross-domain policy – Verifies the cross-domain policy files used by Adobe Flash (crossdomain.xml) and Silverlight (clientaccesspolicy.xml) applications, which expose the site to cross-origin requests when they are overly permissive.
  • FrontPage check – Checks whether Microsoft FrontPage Server Extensions are correctly configured, with permissions set to protect private information and operations.
  • HTTP headers – Reports a missing character set (charset) in the Content-Type response header.
  • Privilege escalation module – Checks pages to determine whether users can access more resources or functionality than they are normally allowed.
  • Request method modification – HTTP verb tampering modifies the HTTP method of a request (for example, sending HEAD or an arbitrary verb instead of GET) to bypass authentication or access-control checks that are applied only to specific methods.
  • X-Content-Type-Options – Reports a missing or improperly configured X-Content-Type-Options HTTP response header (the expected value is nosniff).
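The HTTP headers, X-Content-Type-Options and client cross-domain policy modules above are passive checks: they inspect what the server already sends. The following script, added here as an illustration and not AppSpider's own code, shows the shape of those checks over a constructed HTTP response and constructed crossdomain.xml / clientaccesspolicy.xml files. The media-type list, finding strings and sample inputs are assumptions made for the example.

```python
"""Passive checks in the spirit of the HTTP headers, X-Content-Type-Options and
client cross-domain policy modules. Added illustration written for this page;
it is not AppSpider code. The response and policy files below are constructed."""
import xml.etree.ElementTree as ET

# Media types browsers render as text; a missing charset here invites encoding
# sniffing and makes some XSS payloads easier to deliver (assumed list).
TEXT_MEDIA_TYPES = ("text/", "application/javascript", "application/xml",
                    "application/xhtml+xml")


def parse_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, headers, body).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def check_content_type_charset(headers):
    """HTTP headers module: text responses should declare a charset."""
    media, _, params = headers.get("content-type", "").partition(";")
    media = media.strip().lower()
    if not media.startswith(TEXT_MEDIA_TYPES):
        return None
    if "charset=" in params.lower():
        return None
    return f"Content-Type '{media}' does not declare a charset"


def check_x_content_type_options(headers):
    """X-Content-Type-Options module: header must be present and 'nosniff'."""
    value = headers.get("x-content-type-options")
    if value is None:
        return "X-Content-Type-Options header is missing"
    if value.strip().lower() != "nosniff":
        return f"X-Content-Type-Options is '{value}', expected 'nosniff'"
    return None


def check_cross_domain_policy(policy_xml: bytes):
    """Client cross-domain policy module: flag wildcard grants in a Flash
    crossdomain.xml or a Silverlight clientaccesspolicy.xml file."""
    findings = []
    root = ET.fromstring(policy_xml)
    for el in root.iter("allow-access-from"):            # crossdomain.xml
        if el.get("domain", "").strip() == "*":
            findings.append("crossdomain.xml grants access to any domain (*)")
        if el.get("secure", "true").strip().lower() == "false":
            findings.append('crossdomain.xml lets http origins read https content (secure="false")')
    for el in root.iter("domain"):                       # clientaccesspolicy.xml
        if el.get("uri", "").strip() == "*":
            findings.append("clientaccesspolicy.xml grants access to any domain (*)")
    return findings


def run_passive_checks(raw_response: bytes):
    """Run the header checks over one response and return the findings."""
    _, headers, _ = parse_response(raw_response)
    checks = (check_content_type_charset, check_x_content_type_options)
    return [f for f in (c(headers) for c in checks) if f]


# Constructed sample inputs (not captured from any real site).
WEAK_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Type: text/html\r\n"
                 b"X-Content-Type-Options: sniff\r\n"
                 b"\r\n<html><body>hi</body></html>")
HARDENED_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                     b"Content-Type: text/html; charset=utf-8\r\n"
                     b"X-Content-Type-Options: nosniff\r\n"
                     b"\r\n<html><body>hi</body></html>")
WEAK_CROSSDOMAIN = (b'<?xml version="1.0"?><cross-domain-policy>'
                    b'<allow-access-from domain="*" secure="false"/>'
                    b'</cross-domain-policy>')
WEAK_CLIENTACCESS = (b'<access-policy><cross-domain-access><policy>'
                     b'<allow-from http-request-headers="*"><domain uri="*"/></allow-from>'
                     b'<grant-to><resource path="/" include-subpaths="true"/></grant-to>'
                     b'</policy></cross-domain-access></access-policy>')

if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, run_passive_checks(resp))
    print(check_cross_domain_policy(WEAK_CROSSDOMAIN))
    print(check_cross_domain_policy(WEAK_CLIENTACCESS))
```

Only the literal `*` grant is flagged here; whether a subdomain wildcard such as `*.example.com` is acceptable is a per-site decision, and a real module would also fetch the policy files from their well-known root paths rather than take them as input.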
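The request method modification module above relies on access rules that name specific verbs. The following example, added for this page and not taken from AppSpider, models such a rule in a few lines of Python: a vulnerable handler that enforces login only for the verbs listed, a hardened handler, and the probe an attack module runs against each. The path, rule and probe verb list are constructed.

```python
"""HTTP verb tampering (request method modification), as an added illustration
written for this page rather than AppSpider code. The access rule, path and
probe verb list are constructed."""

# Constructed access rule in the style of a servlet security-constraint that
# lists <http-method> entries: only GET and POST to /admin require a login.
PROTECTED = {"/admin": {"GET", "POST"}}

# Methods the hardened handler is willing to serve at all.
ALLOWED_METHODS = {"GET", "HEAD", "POST"}


def handle_vulnerable(method, path, authenticated):
    """Authentication is enforced only for the verbs named in the rule, so
    HEAD, PUT or an invented verb reaches the handler unauthenticated. Many
    frameworks route HEAD to the GET handler, so the bypass leaks data."""
    rule = PROTECTED.get(path)
    if rule is not None and method in rule and not authenticated:
        return 401
    return 200


def handle_hardened(method, path, authenticated):
    """Reject unknown verbs outright and protect the path for every method."""
    if method not in ALLOWED_METHODS:
        return 405
    if path in PROTECTED and not authenticated:
        return 401
    return 200


def verb_tampering_probe(handler, path):
    """What the attack module does: confirm GET is refused without credentials,
    then try other verbs and report those that get through (HTTP 200)."""
    if handler("GET", path, authenticated=False) != 401:
        return []          # nothing to bypass, or the baseline is unclear
    probes = ("HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "FOO")
    return [m for m in probes if handler(m, path, authenticated=False) == 200]


if __name__ == "__main__":
    print("vulnerable:", verb_tampering_probe(handle_vulnerable, "/admin"))
    print("hardened:  ", verb_tampering_probe(handle_hardened, "/admin"))
```

The hardened handler applies the deny-by-default pattern: the protected path is checked for every method, and methods the application does not implement are refused with 405 before any access decision is made. Against a real server the probe compares response status and body length per verb, since a HEAD bypass returns no body.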

 

Improvements

  • Updated HTTP Auth brute-force module – Reduces potential false positives in this module.
  • Updated proxy server component – Improves overall scan quality through better crawl coverage.
