This Rapid7® AppSpider® 6.6 release includes:
- Added “comprehensiveness” setting to scan configuration – The fast scan option reduces scan time by minimizing duplicate scanning. Users can configure the setting separately for the crawler and attacker modules to tune scan speed.
- Added encoder/decoder to the UI – Allows encoding and decoding of items such as URLs to assist with testing. The tool is located in the "Tools" section of AppSpider.
New Attack Modules
- Persistent XSS (cross-site scripting) – Persistent (stored) XSS is an XSS variant in which the injected payload is stored by the vulnerable web application and served back to users in later responses. The underlying weakness is improper neutralization of input during web page generation (CWE-79).
- Custom passive module – Users can create a set of custom passive checks, using the sample attack shipped with this module as a template.
- Client cross-domain policy – Checks the cross-domain policy files used by Adobe Flash (crossdomain.xml) and Microsoft Silverlight (clientaccesspolicy.xml) clients for overly permissive rules, such as a wildcard domain grant.
- FrontPage check – Checks whether Microsoft FrontPage Server Extensions are configured with permissions that protect private information and administrative operations.
- HTTP headers – Reports responses whose Content-Type header lacks a charset parameter, which leaves the browser to guess the encoding.
- Privilege escalation module – Checks whether a user can reach resources or functionality beyond what their role normally allows.
- Request method modification – Tests for HTTP verb tampering, in which a request is re-sent with a different HTTP method (for example HEAD or an arbitrary verb instead of GET) to bypass authentication or authorization rules that are applied only to specific methods.
- X-Content-Type-Options – Reports responses where the X-Content-Type-Options header is missing or not set to nosniff, which allows the browser to MIME-sniff the response.
- Updated HTTP authentication brute-force module – Reduces false positives in this module.
- Updated proxy server component – Improves crawl coverage and, with it, overall scan quality.
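The following is an added example, not AppSpider code, showing what the passive checks described above (the client cross-domain policy, HTTP headers, and X-Content-Type-Options modules) amount to in practice: a function that inspects one captured response and returns finding tags. The sample responses are constructed for the demonstration and the hostnames and finding names are assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Non-text/* media types for which a missing charset still leaves the browser guessing.
TEXTUAL_TYPES = ("application/javascript", "application/json",
                 "application/xml", "application/xhtml+xml")


def check_flash_policy(body):
    """Flag permissive rules in an Adobe Flash crossdomain.xml document."""
    findings = []
    try:
        root = ET.fromstring(body)   # stdlib expat does not fetch external entities
    except ET.ParseError:
        return ["crossdomain-xml-unparseable"]
    for rule in root.iter("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append("crossdomain-allows-any-domain")
        elif domain.startswith("*."):
            findings.append("crossdomain-wildcard-subdomains:" + domain)
        if rule.get("secure", "true").lower() == "false":
            findings.append("crossdomain-secure-false")   # HTTPS policy usable from HTTP
    return findings


def check_silverlight_policy(body):
    """Flag a wildcard <domain uri="*"/> grant in a Silverlight clientaccesspolicy.xml."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return ["clientaccesspolicy-xml-unparseable"]
    return ["clientaccesspolicy-allows-any-domain"
            for d in root.iter("domain") if d.get("uri", "") == "*"]


def passive_checks(url, headers, body):
    """Run the passive checks over one captured response; returns a list of finding tags."""
    findings = []
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive

    # 1. Content-Type without a charset parameter (HTTP headers module).
    media, _, params = h.get("content-type", "").partition(";")
    media = media.strip().lower()
    if (media.startswith("text/") or media in TEXTUAL_TYPES) and "charset=" not in params.lower():
        findings.append("content-type-missing-charset")

    # 2. X-Content-Type-Options missing or not 'nosniff'.
    xcto = h.get("x-content-type-options", "").strip().lower()
    if not xcto:
        findings.append("x-content-type-options-missing")
    elif xcto != "nosniff":
        findings.append("x-content-type-options-misconfigured:" + xcto)

    # 3. Cross-domain policy files, recognised by path.
    path = urlsplit(url).path.lower()
    if path.endswith("/crossdomain.xml"):
        findings.extend(check_flash_policy(body))
    elif path.endswith("/clientaccesspolicy.xml"):
        findings.extend(check_silverlight_policy(body))
    return findings


# Constructed sample responses (not captured from any real site): one plain page with
# weak headers, one wide-open Flash policy, one correctly scoped Silverlight policy.
SAMPLES = [
    ("https://app.example.test/index.html",
     {"Content-Type": "text/html", "Server": "demo"},
     "<html><body>hello</body></html>"),
    ("https://app.example.test/crossdomain.xml",
     {"Content-Type": "text/x-cross-domain-policy; charset=utf-8",
      "X-Content-Type-Options": "nosniff"},
     '<cross-domain-policy><allow-access-from domain="*" secure="false"/></cross-domain-policy>'),
    ("https://app.example.test/clientaccesspolicy.xml",
     {"Content-Type": "application/xml; charset=utf-8",
      "X-Content-Type-Options": "nosniff"},
     '<access-policy><cross-domain-access><policy><allow-from>'
     '<domain uri="https://trusted.example.test"/></allow-from>'
     '<grant-to><resource path="/" include-subpaths="true"/></grant-to>'
     '</policy></cross-domain-access></access-policy>'),
]


def run_samples():
    """Map each sample URL to the findings raised against its response."""
    return {url: passive_checks(url, hdrs, body) for url, hdrs, body in SAMPLES}


if __name__ == "__main__":
    for url, findings in run_samples().items():
        print(url, "->", findings or "clean")
```

Each check is independent, so a scanner can run them over every response it proxies; the policy-file checks only fire on the well-known paths, which is also where a real scanner would request those files explicitly.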
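As an added example of the HTTP verb tampering test described under "Request method modification" (written for this page, not AppSpider's module): a constructed, deliberately misconfigured local server enforces Basic authentication on /admin only for GET, and the probe re-sends the request with other verbs and reports any that succeed where GET was denied. The handler, credentials and paths are all assumptions made for the demonstration.

```python
import base64
import http.server
import threading
import urllib.error
import urllib.request

# Constructed, deliberately misconfigured target (not AppSpider code): only GET
# enforces HTTP Basic auth on /admin, so the same resource is reachable via HEAD.
CREDS = base64.b64encode(b"admin:s3cret").decode()


class VerbSensitiveHandler(http.server.BaseHTTPRequestHandler):
    def log_message(self, *args):      # keep the demo quiet
        pass

    def _authorized(self):
        return self.headers.get("Authorization") == "Basic " + CREDS

    def _serve(self, send_body=True):
        body = b"admin panel" if self.path == "/admin" else b"public page"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if send_body:
            self.wfile.write(body)

    def do_GET(self):
        if self.path == "/admin" and not self._authorized():
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="admin"')
            self.end_headers()
            return
        self._serve()

    def do_HEAD(self):               # the bug: no authorization check on this verb
        self._serve(send_body=False)


def start_server():
    """Bind the vulnerable handler on an ephemeral localhost port; returns the server."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), VerbSensitiveHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_methods(base_url, path,
                  methods=("GET", "HEAD", "POST", "OPTIONS", "TRACE", "FOO")):
    """Re-send the same request with each verb and record the status code per verb."""
    results = {}
    for method in methods:
        req = urllib.request.Request(base_url + path, method=method)
        try:
            with urllib.request.urlopen(req, timeout=5) as resp:
                results[method] = resp.status
        except urllib.error.HTTPError as err:
            results[method] = err.code   # 401/403/405/501 are data here, not errors
    return results


def verb_tampering_findings(results):
    """Verbs that succeed (2xx) on a resource where GET is denied (401/403)."""
    if results.get("GET") not in (401, 403):
        return []
    return [m for m, status in results.items() if m != "GET" and 200 <= status < 300]


def demo(path="/admin"):
    """Start the target, probe one path, stop it; returns (status per verb, bypass verbs)."""
    srv = start_server()
    try:
        base = "http://127.0.0.1:%d" % srv.server_address[1]
        res = probe_methods(base, path)
        return res, verb_tampering_findings(res)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    statuses, bypass = demo()
    print(statuses)
    print("bypass via:", bypass)
```

A scanner applies the same comparison to every authenticated resource it has crawled; a 2xx on a verb the application did not intend to serve is the finding, and the fix is to apply the authorization check before method dispatch rather than per method.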