AppSpider release announcements for August 2016

Document created by tdoan (Employee) on Aug 5, 2016. Last modified by Gary Sabala on Aug 25, 2016.
Version 6

Rapid7 releases coverage updates for AppSpider to help you protect your environment against ever-evolving security threats. This page contains detailed announcements for the most recent AppSpider coverage releases:

This Rapid7® AppSpider® 6.14.08 release includes:

 

Scanning enhancements | product

Better scan performance helps you to retrieve scan results more quickly with improved accuracy and more efficient use of resources:

  • Updated the AppSpider scan engine to stop processing DELETE verbs, which improves scan performance.

 

Application enhancements | product

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • Updated the list of supported Web Application Firewalls (WAFs) to ensure accuracy.
  • The VulnerabilitiesSummary file now correctly populates the MatchedString field of the Vuln element for parameter findings.
  • Improved handling of special characters in the macro recorder to make the feature easier to use.
  • A warning is now written to the user log about potential conflicts between cookie configuration settings and authentication settings.
  • Added additional encoding to SOAP API OAuth parameters so that customer data is protected in transit.
  • AppSpider reporting now includes an export of crawled and attacked data. The new file, AttackLocations.json, contains this data.
  • Resolved an issue in the AppSpider request builder that broke imports of Swagger API documents in certain cases.

 

Accuracy enhancements | product

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • Updated the Privilege Escalation module to use HTTP credentials during the attack (when provided).
  • The OWASP 2013 attack policy now includes the Apache Struts 2 Framework Checks module.
  • Updated the Cookie Attributes module to report one vulnerability per affected parameter instead of a single vulnerability with multiple variances.
  • Updated the Browser Cache Directive module to fix a false-positive finding reported by AppSpider users.

________________________________________________________________________________

This Rapid7® AppSpider Enterprise 3.8.044 release includes:

 

Application enhancements | product

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • Added a property to the configuration files so that the SQL timeout can be modified.
  • Fixed a non-SSL URL being used when sending issues to JIRA.
  • A new SOAP API method has been added that returns only critical errors.

________________________________________________________________________________

This Rapid7® AppSpider® 6.14.07 release includes:


Scanning enhancements | product

Better scan performance helps you to retrieve scan results more quickly with improved accuracy and more efficient use of resources:

  • We have addressed an issue that could cause the Scan Engine to crash in rare situations due to a race condition.
  • We have modified how the scan engine handles cookies. The scan engine now uses a single cookie set and no longer tries to crawl the site with different cookie values at the same time.
  • We have updated the execution of passive attacks to reduce memory consumption on large scans.
  • To reduce scan time and improve the quality of results, we have added a ResultsFeedback attack configuration option that prevents guessed subdomains from being fed back into the crawler.


Application enhancements | product

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • We have addressed an invalid macro format that was causing macro playback failures.
  • We have updated the saved traffic format to convert relative URLs to absolute URLs and store them in the traffic recorded by the built-in proxy.
  • The VulnerabilitiesSummary.xml file now contains the "OriginalValue" field for findings.
  • The VulnerabilitiesSummary.xml file now contains more details about session strength findings.
  • The DELETE method has been disabled for crawls and attacks by the Scan Engine.
  • Custom Authorization headers are now updated for imported traffic that has stale Authorization headers.

Accuracy enhancements | product

Better accuracy of scan results helps you to assess your security posture and prioritize remediation more effectively:

  • We have addressed Blind SQL injection false positives caused by response variations related to cookie values.
  • To reduce false positives in the CORS module, CORS issues on guessed links are no longer reported.

________________________________________________________________________________

This Rapid7® AppSpider Enterprise 3.8.030 release includes:


Scanning enhancements | product

Better scan performance helps you to retrieve scan results more quickly with improved accuracy and more efficient use of resources:

  • We have resolved an issue that caused scans to rerun in certain circumstances after a report regeneration request failed.


Application enhancements | product

Improvements to how the application integrates and presents scan data, and how it performs overall, help you to manage security issues more effectively in your environment:

  • We have resolved a code injection vulnerability in AppSpider Enterprise.
  • We have added the ability for proxy logs from AppSpider Pro, Burp, and other supported proxies to be used for authentication within AppSpider Enterprise.
  • We have added the ability to use a user's e-mail address during SAML authentication.
