AppSpider release announcements for July 2016

Document created by Gary Sabala (Employee) on Jul 14, 2016. Last modified by Gary Sabala (Employee) on Aug 8, 2016.

Rapid7 releases coverage updates for AppSpider to help you protect your environment against ever-evolving security threats. This page contains detailed announcements for the most recent AppSpider coverage releases:


This Rapid7® AppSpider® 6.14.06 release includes:


Scanning enhancements | product

Better scan performance helps you to retrieve scan results more quickly with improved accuracy and more efficient use of resources:

  • Redundant server type disclosure findings have been reduced for less repetitive information within a single scan and better tracking between scans.


Application enhancements | product

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • We have addressed an issue with an incorrect default value in IEHost timeouts affecting AppSpider Enterprise scan configurations.

This Rapid7® AppSpider® 6.14 release includes:


Coverage enhancements | content

New coverage expands your visibility into assets and threats in your environment:

  • The crawler engine within AppSpider has been enhanced to improve scanning capability of single page applications that have been created using ReactJS.
  • New attack modules have been added to AppSpider to detect Out of Band Cross Site Scripting (XSS) vulnerabilities.
  • New attack modules have been added to AppSpider in order to bypass conflicting cross-site scripting filters.


Scanning enhancements | product

Better scan performance helps you to retrieve scan results more quickly with improved accuracy and more efficient use of resources:

  • We have improved typical scan speeds by optimizing persistent reflection analysis.


Application enhancements | product

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • The Request Builder now supports sending requests through proxies.
  • The Simple Form Authentication now handles logon forms with a custom button or image button HTML element, in addition to the existing handling of Submit buttons.
  • The Defend functionality, which generates WAF rules to protect against detected vulnerabilities, has been added to AppSpider Pro.
  • AppSpider Pro has been updated to reduce CPU consumption when running large scans.
  • We have updated the Swagger Utility parser to better align to the functionality supported in common Swagger REST API validation tools.
  • We have updated the default Content-Type header value of the REST API in order to enable specification of output encoding.
  • We have updated the default Accept-Charset header value in order to address an issue with logons.
  • The SOAP and REST APIs no longer use Windows Services for upgrade processing.
  • The SOAP and REST options are mutually exclusive for new installations. New messaging has been added to the installer with details about the options.
  • We have resolved an issue with the Swagger Utility crashing with the use of certain types of JSON REST API files.
  • The REST API no longer uses base 64 encoding on the method that returns information about modules, in order to improve the formatting of the output.
  • Accuracy has been improved for the disk space properties returned by the REST API method that returns information about the system.
  • AppSpider now correctly loads recorded traffic that was saved as a Paros traffic file (.txt).
  • Passwords that contain special characters are now properly obscured in the traffic log.
  • The Traffic Recorder has been updated so that if it is opened from the top menu or from the Request Builder it will open starting with a blank page rather than with webscantest.com.
  • We have updated the version of ProxyServer.dll in order to address an issue with the Traffic Recorder.
  • We have addressed an inconsistency with how rules were generated in AppSpider Defend.
  • We have addressed an issue where the user interface could become unresponsive when running scans with large numbers of requests.
  • We have resolved an issue that could cause the AppSpider Scan Engine to crash when adding a vulnerability in certain instances.
  • We have resolved an issue that could cause the Web Services Description Language (WSDL) parser to encounter an error for certain WSDLs.
  • We have resolved an issue that could cause the user interface to display findings incorrectly when the results of a completed scan were reloaded.
  • We have resolved an issue where the interface could continue to display "initializing" after a failed scan in certain circumstances.
  • We have resolved an issue with AppSpider product keys not working with AppSpider Enterprise installations.
  • We have updated cookie value detection in order to improve cookie attacks. This update should also address the "Unable to set HTTP headers: The parameter is incorrect." error.


Accuracy enhancements | product

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • We have improved scan coverage by addressing an issue where the scanner could skip requests that scan the same URL again with a different HTTP method (GET, POST, etc.).
  • We have improved the Parameter Tampering module to address false positives caused by misclassified vulnerabilities.
  • We have improved the restrictions in the crawler and attack functionality to address crawling and attacks on out of scope targets in certain scenarios.
  • HTML reports now use actual variance rather than characteristic variance, in order to improve the accuracy of the original traffic information.
  • Passive finding variances that differ only by method will now be retained rather than regarded as duplicate variances.

This Rapid7® AppSpider® 6.12.13 release includes:


Application enhancements | product

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • We have updated cookie handling to ensure proper handling of expired cookies.
  • We have addressed the Unquoted Service Path Privilege Escalation vulnerability within the optional REST service. Thanks to Gjoko Krstic of Zero Science Lab for identifying this issue to Rapid7.

Accuracy enhancements | product

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • We have improved the Parameter Tampering module to address false positives caused by misclassified vulnerabilities.

This Rapid7® AppSpider® 6.12.12 release includes:

Accuracy enhancements | product

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • We have updated cookie value detection in order to improve cookie attacks. This update should also address the "Unable to set HTTP headers: The parameter is incorrect." error.
  • The HTTP Headers module now alerts on non-UTF-8 charsets.
  • REST request origination has been added to the default attack policies to improve the performance of the REST Swagger API scanning capabilities.

Application enhancements | product

Improvements to how the application functions and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • Resolved an issue to ensure that all description and recommendation text is passed as raw, readable text to the AppSpider Enterprise and OnDemand web sites.
  • Fixed a problem in the UI Request Builder that caused it to error out while sending network requests.
