AppSpider release announcements for April 2016

Document created by Rapid7 Learning Team Employee on Apr 20, 2016. Last modified by Rapid7 Learning Team Employee on Apr 28, 2016. Version 7.

Rapid7 releases coverage updates for AppSpider to help you protect your environment against ever-evolving security threats. This page contains detailed announcements for the most recent AppSpider coverage releases:

 


This Rapid7® AppSpider® 6.10.205 release includes:


Accuracy enhancements | product

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • We have improved the detection quality of the CSRF attack module.


Application enhancements | product

Improvements to how the application functions, how it presents scan data, and how it performs overall help you to manage security issues more effectively in your environment:

  • We have updated the document compatibility mode to Internet Explorer 11. This fixes a problem with Browser Macro login sequences.
  • Installer updates initiated through the REST Web Service now require a valid Rapid7 digital signature. An update package that is unsigned, or signed by anyone other than Rapid7, will not be installed.
  • The Internet Explorer temporary folder is now cleaned up at the end of any scan that runs longer than one hour. This addresses the IE temp folder growing large enough to cause disk space issues on long scans.
  • We have updated the default user-agent in the HTTP Headers settings to the Internet Explorer 11 user-agent.
  • Scan configurations can now blacklist HTTP verbs. The verb match is case-sensitive, so PUT and put are distinct entries and each spelling you want excluded needs its own constraint. To add a constraint, edit the .scfg file of the scan configuration using the following as a guideline:

    <ScopeConstraint>
        <URL>http://www.webscantest.com/*</URL>
        <Method>PUT</Method>
        <MatchCriteria>Wildcard</MatchCriteria>
        <Exclusion>Exclude</Exclusion>
    </ScopeConstraint>

Note: Path to the .scfg file: C:\Users\Documents\AppSpider\Scans\NameOfYourScanConfiguration\NameOfYourScanConfiguration.scfg
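The following is an added example, not AppSpider's own code, that shows how the verb blacklist above behaves when applied to requests and how the case-sensitivity caveat bites: it parses ScopeConstraint entries from a constructed .scfg-style fragment, decides whether a given (method, URL) pair is excluded, and appends a second constraint for a lower-case spelling of the verb. The enclosing ScopeConstraints element name, the reading of Wildcard as shell-style * and ? matching, exact equality for any other MatchCriteria value, and the treatment of a missing Method as "all verbs" are assumptions of this example, not documented AppSpider behaviour.

```python
"""Added example (not AppSpider code): evaluate ScopeConstraint verb/URL
exclusions from an .scfg-style XML fragment against candidate requests.

Assumptions not stated on the release page: the enclosing <ScopeConstraints>
element, Wildcard meaning shell-style '*'/'?' matching, any other
MatchCriteria value meaning exact string equality, and an empty <Method>
meaning the constraint applies to every verb. The only thing the page does
state is that the verb match is case-sensitive, which is what is_excluded
reproduces."""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the release note's guideline (two entries).
SAMPLE_SCFG = """<ScopeConstraints>
  <ScopeConstraint>
    <URL>http://www.webscantest.com/*</URL>
    <Method>PUT</Method>
    <MatchCriteria>Wildcard</MatchCriteria>
    <Exclusion>Exclude</Exclusion>
  </ScopeConstraint>
  <ScopeConstraint>
    <URL>http://www.webscantest.com/admin/*</URL>
    <Method>DELETE</Method>
    <MatchCriteria>Wildcard</MatchCriteria>
    <Exclusion>Exclude</Exclusion>
  </ScopeConstraint>
</ScopeConstraints>"""


def parse_constraints(xml_text):
    """Return every ScopeConstraint as a dict of url/method/criteria/exclusion."""
    root = ET.fromstring(xml_text)
    constraints = []
    for node in root.iter("ScopeConstraint"):
        constraints.append({
            "url": node.findtext("URL", "").strip(),
            "method": node.findtext("Method", "").strip(),
            "criteria": node.findtext("MatchCriteria", "Wildcard").strip(),
            "exclusion": node.findtext("Exclusion", "").strip(),
        })
    return constraints


def url_matches(pattern, url, criteria):
    """Wildcard -> case-sensitive glob; anything else -> exact match (assumed)."""
    if criteria == "Wildcard":
        return fnmatch.fnmatchcase(url, pattern)
    return url == pattern


def is_excluded(constraints, method, url):
    """True when an Exclude constraint covers this request.

    The verb comparison is a plain string compare, so a 'PUT' entry does not
    block 'put'; a verb-case variant slips past unless it has its own entry."""
    for c in constraints:
        if c["exclusion"] != "Exclude":
            continue
        if c["method"] and c["method"] != method:   # case-sensitive, per the page
            continue
        if url_matches(c["url"], url, c["criteria"]):
            return True
    return False


def add_method_exclusion(xml_text, url_pattern, method):
    """Append a ScopeConstraint excluding `method` for `url_pattern`; returns new XML."""
    root = ET.fromstring(xml_text)
    node = ET.SubElement(root, "ScopeConstraint")
    for tag, text in (("URL", url_pattern), ("Method", method),
                      ("MatchCriteria", "Wildcard"), ("Exclusion", "Exclude")):
        ET.SubElement(node, tag).text = text
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    cs = parse_constraints(SAMPLE_SCFG)
    for verb in ("PUT", "put"):
        print(verb, "excluded:", is_excluded(cs, verb, "http://www.webscantest.com/api/item/1"))
    # Cover the lower-case spelling with a second entry.
    patched = add_method_exclusion(SAMPLE_SCFG, "http://www.webscantest.com/*", "put")
    print("put excluded after patch:",
          is_excluded(parse_constraints(patched), "put", "http://www.webscantest.com/api/item/1"))
```

Run it once against the constraint set you intend to ship and check the verb spellings the target actually accepts; a server that treats verbs case-insensitively will happily accept a lower-case PUT that the blacklist ignored.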


This Rapid7® AppSpider® 6.10 release includes:


Accuracy enhancements | product

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • We have improved the accuracy of the SQL Injection Auth Bypass and Reflected XSS attack modules.


Application enhancements | product

Improvements to how the application functions, how it presents scan data, and how it performs overall help you to manage security issues more effectively in your environment:

  • Simple form authentication now supports web applications that implement JavaScript login forms.
  • We have improved logging capabilities by creating a log entry every time AppSpider discards a duplicate vulnerability.
  • Regeneration of proxy certificates will now occur prior to each scan. This improvement benefits scans that require access to HTTPS sites through the use of an internal proxy.
  • We have addressed an issue with the Fiddler proxy logs that was attempting to create a temp folder under Program Files. Imported Fiddler proxy logs are temporarily stored in /AppSpider/Scratchpad.
  • The Vulnerabilities Summary report is now also produced as a JSON file alongside the XML. Once a report is generated, the JSON, which is easier to consume than the XML, can be imported into third-party applications.
  • We have added a new Windows service so that AppSpider itself no longer needs to run with administrative privileges.
  • We have addressed an issue with importing multiple .trec files to the Recorded Traffic page, where only one of several selected files was included during a bulk import. All selected .trec files are now added after a bulk import.
  • The installer code signing certificate now uses SHA-2 to comply with Windows' signature verification policy: Windows 7 and higher and Windows Server will no longer trust new code that is signed with SHA-1.
  • We removed the custom attack module requirement to provide DisplayName as a custom AttackType value. This fixes missing data in the VulnerabilitiesSummary file.
  • A shortcut to regenerate reports for previous scans has been added to each scan configuration in the Main settings window. Expand the details for a scan configuration and then right-click on the results to regenerate a report. See image below.
[Image: 6.10-RegenerateReport.png]
