19 Sep 2018

19-Sep-2018

NEW FEATURES

Added support to save and re-use filters on the list pages (Recents Scans, Websites, Issues etc)
Added out of the box integration for Slack and ServiceNow
Introduced Report Policy Editor which allows to customize Scan Report results
Added Russian FSTEC BDU Vulnerability Database numbers to version vulnerabilities

NEW SECURITY CHECKS

Added Out of Band Server Side Template Injection security checks
Added signature detection check for Caddy web server
Added signature detection check for aah Go server
Added signature detection check for JBoss application server
Added CakePHP framework detection
Added CakePHP version disclosure detection
Added CakePHP out-of-date version detection
Added CakePHP Stack Trace Disclosure
Added CakePHP default page detection
Added Out of Date checks for CKEditor 5

IMPROVEMENTS

Configured scanner agent's service options to recover automatically if it stops
Improved display order of vulnerabilities in several reports
Improved the wording in OWASP and Trend Matrix reports
Updated the licensing model
Allowed team members to manage their IP restrictions (previously only account administrators were allowed)
Scheduled Scans will not be queued if a delayed one already exists in scan queue
Improved Agent List page to display unavailable agents
Improved the wording in Website and Global Dashboard pages
Improved '/websites/get' API endpoint to allow filtering by URL
Improved validation messages for SSO settings
Improved styling of Permission Matrix on New Team Member page
Fixed error where Scheduled Scans were disabled by the system on license expiry (they're now available again on license renewal)
Updated .NET Framework version requirement to 4.7.2
All authentication vulnerabilities (Basic, NTLM, Digest, etc. authorization required) are merged into a single vulnerability
Added Label field for JIRA Send To actions
Added Tags field for Manuscript (FogBugz) Send To actions
Improved SQL Injection proof data by stripping HTML tags
Improved CSRF token detection in cookie values

BUG FIXES

Fixed wrong PDF scaling issue which causes fonts to be rendered very small for Report templates
Fixed pagination problem on Scheduled Scans and Website Group pages
Fixed a bug where screenshots are displayed for Scans run by Internal Agents
Fixed the incorrect Content-Type header sent during Form Authentication requests
Fixed the WAF rule generated for TRACE/TRACK HTTP methods which were blocking the other HTTP methods too
Fixed the URL encoding issue for vulnerabilities that are send to Manuscript (formerly FogBugz)
Fixed the error where the ExpectCT header was reported as an interesting header
Fixed the Content-Type header parsing when there was an extra semicolon character at the end of the value
Fixed the incorrect response displayed for Server Side Request Forgery (SSRF) vulnerabilities when the request was redirected to another page
Fixed an incorrect external reference for the ViewState is not Encrypted vulnerability
Fixed an incorrect possible LFI vulnerability when the response was redirected
Fixed an incorrect Open Redirect vulnerability reported when a regular link was followed during DOM parsing
Fixed broken case sensitivity check for crawled links
Fixed FormatException that occurred while parsing cookies
Fixed a JsonReaderException that occured while trying to parse a Swagger document
Fixed parsing URLs with encoded chars
Fixed hanging Open Redirect checks caused by binary responses
Fixed the issue where a Swagger YAML file cannot be imported
Fixed the cookie jar which does not ignore the duplicated cookie based on first cookie's HttpOnly flag
Fixed the Weak Signature Algorithm that is not reported for a self-signed root certificate