AppSpider release announcements for May 2016

Document created by Rapid7 Learning Team Employee on May 2, 2016. Last modified by Rapid7 Learning Team Employee on Jun 7, 2016.

Rapid7 releases coverage updates for AppSpider to help you protect your environment against ever-evolving security threats. This page contains detailed announcements for the most recent AppSpider coverage releases:

 


This Rapid7® AppSpider® 6.12.005 release includes:

 

Accuracy enhancements | product

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • We have improved the accuracy of the Privilege Escalation attack module. This update stops false positives from the Privilege Escalation check from being reported.

Application enhancements | product

Improvements to how the application functions and presents scan data, and how it performs overall, helps you to manage security issues more effectively in your environment:

  • We have addressed an issue with the end of scan data cleanup that was causing scan engine failure.
  • We have updated the scan engine to improve session stability. This resolves a session loss issue where, under certain conditions, AppSpider would crawl links defined in the Logout Link Regex and thereby end its own authenticated session.
  • We resolved an issue with the Extra Header settings. The Authorization header will no longer be excluded from scans.
  • AppSpider now ensures that the referrer is encoded. This prevents requests from being dropped because of a malformed request.
  • We have addressed an issue in the VulnerabilitiesSummary.xml and now identify the attack types for findings that previously lacked a value.
  • We have updated the Executive Summary report to link to the PCI 3.1 report. Previous builds were linked to the PCI 3.0 report.
  • We have updated the uninstaller to remove the Nginx web server.

 


This Rapid7® AppSpider® 6.12.003 release includes:

 

Accuracy enhancements | product

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • We have improved the accuracy of the Privacy Disclosure attack module by no longer reporting duplicate findings.
  • We have improved the accuracy of the Nginx NULL byte injection module which reduces the number of false positives.
  • We have improved the detection quality of the CSRF attack module.
  • We have added new cross-site scripting attacks designed to bypass cross-site scripting filters.

 

Application enhancements | product

Improvements to how the application functions and presents scan data, and how it performs overall, helps you to manage security issues more effectively in your environment:

  • AppSpider now enables an end-to-end automated test of a REST API that is documented with OpenAPI (Swagger). Users can point AppSpider to the URL that hosts the Swagger definition (.json) file; AppSpider will automatically consume it and begin testing the documented API.
  • Improved accuracy and reusability for Swagger API testing. AppSpider now supports API parameter training so that users can ensure each scan uses expected data for each parameter (Last Name=Smith, Date=05/16/2016). Once the user trains AppSpider for a given Swagger API, AppSpider re-uses that sample data on subsequent scans.
  • A Google Chrome browser plugin is now available to validate findings in AppSpider's HTML reports. This functionality replaces the current Java-based applet which is no longer supported by Chrome.
  • We have addressed an issue with cookie handling by the browser during macro login execution in order to prevent login failure.
  • Improvements to the attack scheduler have been made to increase scan speed.
  • The ability to perform a scan using host name and IP address has been added as an advanced option for scan configurations.
  • We have enhanced a user's ability to reset the severity settings of findings at a group level.
  • Users now have the ability to add a top-level domain to the crawler restrictions.
  • We have addressed an issue with license verification that was causing a product key exception.
  • Description text has been updated in the All Links report to correctly identify the meaning of the bullseye icon, which indicates links with found vulnerabilities.
  • Rapid7 digital signatures are now required for installer updates attempted through the REST Web Service. An upgrade package that does not carry a Rapid7 digital signature will be rejected.
  • We have addressed an issue with the Browser Macro Recorder. This eliminates user interface failure during a login macro recording.
  • We have improved the accuracy of the parameter parser to resolve an issue with URL parsing.
  • We have updated the description text for the File Inclusion vulnerability check to clarify that it identifies LFI, RFI, and/or a PHP file.
  • We have updated the description and recommendations text in the Vulnerabilities Report for the SQL injection, Blind SQL injection, and Local File Inclusion attack modules.
  • The DISA STIG website link in the Best Practices and Compliance Reports has been updated.
  • We have updated the uninstaller to remove the Nginx web server.
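The Swagger consumption and parameter training described above, as an added example that is not AppSpider's code: it parses a constructed Swagger 2.0 definition, expands every documented path and method into a concrete request, and fills each parameter from a trained name-to-value map (falling back to a type-appropriate placeholder for untrained parameters). The definition, host name and the shape of the training map are assumptions for illustration; the page does not describe AppSpider's internal format for trained values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Constructed Swagger 2.0 document standing in for the .json definition a
// scanner would fetch from the target. It is not an AppSpider artifact.
const swaggerDoc = `{
  "swagger": "2.0",
  "host": "api.example.test",
  "basePath": "/v1",
  "schemes": ["https"],
  "paths": {
    "/customers/{id}": {
      "get": {
        "parameters": [
          {"name": "id", "in": "path", "required": true, "type": "integer"}
        ]
      }
    },
    "/customers": {
      "post": {
        "parameters": [
          {"name": "lastName", "in": "formData", "required": true, "type": "string"},
          {"name": "date", "in": "formData", "required": false, "type": "string"}
        ]
      }
    }
  }
}`

type param struct {
	Name     string `json:"name"`
	In       string `json:"in"`
	Required bool   `json:"required"`
	Type     string `json:"type"`
}

type operation struct {
	Parameters []param `json:"parameters"`
}

type swagger struct {
	Host     string                          `json:"host"`
	BasePath string                          `json:"basePath"`
	Schemes  []string                        `json:"schemes"`
	Paths    map[string]map[string]operation `json:"paths"`
}

// Request is one concrete request derived from the definition, ready to be
// crawled and attacked.
type Request struct {
	Method string
	URL    string
	Form   map[string]string
}

// defaultFor supplies a placeholder when no trained value exists for a parameter.
func defaultFor(p param) string {
	switch p.Type {
	case "integer", "number":
		return "1"
	case "boolean":
		return "true"
	default:
		return "test"
	}
}

// BuildRequests expands every path/method pair in the definition into a
// Request, taking parameter values from trained (parameter name -> value)
// and falling back to defaultFor. Results are sorted for stable output.
func BuildRequests(doc string, trained map[string]string) ([]Request, error) {
	var sw swagger
	if err := json.Unmarshal([]byte(doc), &sw); err != nil {
		return nil, err
	}
	scheme := "https"
	if len(sw.Schemes) > 0 {
		scheme = sw.Schemes[0]
	}
	var out []Request
	for path, methods := range sw.Paths {
		for method, op := range methods {
			req := Request{Method: strings.ToUpper(method), Form: map[string]string{}}
			q := url.Values{}
			p := path
			for _, prm := range op.Parameters {
				val, ok := trained[prm.Name]
				if !ok {
					val = defaultFor(prm)
				}
				switch prm.In {
				case "path":
					p = strings.ReplaceAll(p, "{"+prm.Name+"}", url.PathEscape(val))
				case "query":
					q.Set(prm.Name, val)
				case "formData":
					req.Form[prm.Name] = val
				}
			}
			u := url.URL{Scheme: scheme, Host: sw.Host, Path: sw.BasePath + p, RawQuery: q.Encode()}
			req.URL = u.String()
			out = append(out, req)
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].URL != out[j].URL {
			return out[i].URL < out[j].URL
		}
		return out[i].Method < out[j].Method
	})
	return out, nil
}

func main() {
	// Trained values mirror the page's example (Last Name=Smith, Date=05/16/2016).
	trained := map[string]string{"lastName": "Smith", "date": "05/16/2016", "id": "42"}
	reqs, err := BuildRequests(swaggerDoc, trained)
	if err != nil {
		panic(err)
	}
	for _, r := range reqs {
		fmt.Println(r.Method, r.URL, r.Form)
	}
}
```

Because the trained map is keyed by parameter name, the same values are reused on every subsequent scan of this definition; a parameter that was never trained gets a placeholder rather than an empty value, so a required field does not silently cause the request to be rejected before any attack is sent.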

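The signed-update rule from the 6.12.003 notes (an upgrade submitted through the REST Web Service is refused unless it carries a Rapid7 digital signature), as an added example that is not AppSpider's or Rapid7's code. The page does not state which signature scheme is used; this example assumes a detached Ed25519 signature over the installer bytes and generates a throwaway key pair in place of the vendor's pinned public key. It exercises the three cases worth testing: a genuine package, an unsigned package, and a package modified after signing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

var (
	ErrUnsigned     = errors.New("update rejected: no signature attached")
	ErrBadSignature = errors.New("update rejected: signature does not verify")
)

// UpdatePackage is what the update endpoint receives: the installer bytes and
// a detached signature over them (nil when the caller sent no signature).
type UpdatePackage struct {
	Installer []byte
	Signature []byte
}

// SignUpdate is the vendor-side step (assumed scheme): sign the installer
// bytes with the vendor's private key.
func SignUpdate(priv ed25519.PrivateKey, installer []byte) UpdatePackage {
	return UpdatePackage{Installer: installer, Signature: ed25519.Sign(priv, installer)}
}

// VerifyUpdate is the gate the update service runs before touching the
// installed product: a signature must be present and must verify under the
// pinned vendor public key. Any other outcome leaves the product untouched.
func VerifyUpdate(vendorPub ed25519.PublicKey, pkg UpdatePackage) error {
	if len(pkg.Signature) == 0 {
		return ErrUnsigned
	}
	// ed25519.Verify returns false (it does not panic) for a wrong-length
	// signature, so a truncated or garbage signature is also rejected here.
	if !ed25519.Verify(vendorPub, pkg.Installer, pkg.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Outcome runs the three cases against a freshly generated key pair and
// returns the verification result for each, in order: genuine, unsigned,
// tampered-after-signing.
func Outcome() (genuine, unsigned, tampered error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed installer payload; any bytes would do.
	installer := []byte("constructed installer bytes v6.12.005")

	good := SignUpdate(priv, installer)
	genuine = VerifyUpdate(pub, good)

	noSig := UpdatePackage{Installer: installer}
	unsigned = VerifyUpdate(pub, noSig)

	evil := good
	evil.Installer = append([]byte{}, installer...)
	evil.Installer[0] ^= 0xff // flip one bit after signing
	tampered = VerifyUpdate(pub, evil)
	return
}

func main() {
	genuine, unsigned, tampered := Outcome()
	fmt.Println("genuine:", genuine)   // <nil>
	fmt.Println("unsigned:", unsigned) // update rejected: no signature attached
	fmt.Println("tampered:", tampered) // update rejected: signature does not verify
}
```

In a real deployment the public key is compiled into the product or shipped with the original install, never fetched alongside the update, otherwise whoever controls the update channel also controls the key that vouches for it.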
 


This Rapid7® AppSpider® 6.10.209 release includes:

 

Application enhancements | product

Improvements to how the application functions and presents scan data, and how it performs overall, helps you to manage security issues more effectively in your environment:

  • We have resolved an issue affecting the LoggedInHeader regular expression. This setting lets users define an authentication condition based on an HTTP response header, so that the scanner can tell whether its session is still authenticated.
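The two session controls referenced in these notes, the Logout Link Regex (6.12.005, where crawling a matching link ended the session) and the LoggedInHeader regular expression (6.10.209), as one added example that is not AppSpider's code. The regex values, the `X-Auth-User` header and the sample links are constructed for illustration; the only thing taken from the page is the shape of the two controls: exclude logout links from the crawl queue, and check a response header pattern to decide whether the session is still authenticated and re-login when it is not.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
)

// logoutLinkRegex: discovered links matching it are never requested, because
// requesting them would end the authenticated session the scan relies on.
// The pattern is an assumed example, not an AppSpider default.
var logoutLinkRegex = regexp.MustCompile(`(?i)(logout|logoff|signout|sign-out|session/destroy)`)

// loggedInHeaderRegex: matched against each response header rendered as
// "Name: value"; a match means the session is still authenticated. The
// X-Auth-User header is an assumption about the target application.
var loggedInHeaderRegex = regexp.MustCompile(`(?i)^X-Auth-User:\s*\S+`)

// FilterCrawlQueue splits discovered links into those safe to request and
// those dropped because they match the logout regex.
func FilterCrawlQueue(links []string) (keep, dropped []string) {
	for _, l := range links {
		if logoutLinkRegex.MatchString(l) {
			dropped = append(dropped, l)
			continue
		}
		keep = append(keep, l)
	}
	return keep, dropped
}

// StillLoggedIn reports whether any header in the response satisfies the
// logged-in condition.
func StillLoggedIn(h http.Header) bool {
	for name, values := range h {
		for _, v := range values {
			if loggedInHeaderRegex.MatchString(name + ": " + v) {
				return true
			}
		}
	}
	return false
}

// RecoverSession returns the response headers unchanged while the session is
// authenticated; otherwise it re-runs the login routine (the macro, in
// AppSpider terms), counts the re-login, and returns the fresh headers.
func RecoverSession(resp http.Header, relogin func() http.Header, relogins *int) http.Header {
	if StillLoggedIn(resp) {
		return resp
	}
	*relogins++
	return relogin()
}

func main() {
	// Constructed links as a crawler might discover them.
	links := []string{
		"https://app.example.test/account",
		"https://app.example.test/account/logout",
		"https://app.example.test/reports?download=1",
		"https://app.example.test/Logoff.aspx",
	}
	keep, dropped := FilterCrawlQueue(links)
	fmt.Println("crawl:", keep)
	fmt.Println("skipped:", dropped)

	// Constructed responses: one authenticated, one after the session expired.
	authed := http.Header{}
	authed.Set("X-Auth-User", "alice")
	expired := http.Header{}
	expired.Set("Set-Cookie", "session=; Max-Age=0")

	relogins := 0
	hdr := RecoverSession(expired, func() http.Header { return authed }, &relogins)
	fmt.Println("logged in after recovery:", StillLoggedIn(hdr), "re-logins:", relogins)
}
```

Both checks are cheap, so a scanner can afford to run the header check on every response; the expensive part is the re-login, which the counter makes visible when a target's session keeps dropping.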

 


This Rapid7® AppSpider® 6.10.207 release includes:

 

Accuracy enhancements | product

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • Improvements to the Nginx NULL byte injection module have been made to reduce false positives.

 

Application enhancements | product

Improvements to how the application functions and presents scan data, and how it performs overall, helps you to manage security issues more effectively in your environment:

  • We have updated cookie handling by the browser during macro login execution in order to prevent login failure.
  • *We have improved the LDAP account updating mechanism to resolve issues with user account configuration.

*AppSpider Enterprise Only (Build 3.8.18)
