What's new in HCL AppScan® Enterprise

Features and enhancements new to AppScan® Enterprise.

Important Notice

Support for IBM licenses in new releases of HCL AppScan Enterprise will end in Q3 (August/September) 2020. From then on, new versions will support HCL Licenses only. For instructions on obtaining and installing an HCL License refer to the product documentation. For more information contact your HCL representative or contact Support.

New in HCL AppScan® Enterprise 10.0.1

This section describes new product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.

Action-Based Explore

Improved accuracy and coverage for Automatic Action-Based Exploring.

Testing enhancements
  • Improved error page detection for more accurate results.
  • New variant for CVE-2018-7600: Remote Command Execution on Drupal; now uses the AppScan DNS capability.
  • New test for CVE-2018-9206: Unrestricted File Upload using Blueimp jQuery-File-Upload.
  • New variant for SSRF: Dotless Hex IP.
  • Directory Guessing: Added 50 new directory guessing rules.
  • Multi-Step Operations: When configured, the validation of subsequent steps in the sequence, when testing a specific step, now includes SQL Injection, Command Injection, and Path Traversal (in addition to XSS). See Multi-Step Operations: Validation.

Issue consolidation

Consolidation of certain frequently occurring Issues, to produce a more compact set of results. For example, Issues that share a single source (such as a server configuration) that occur in multiple locations across the application. Consolidation reduces the overall number of Issues, but without losing the details.

Note: This may result in a new scan of an unchanged site showing fewer Issues than were found in an earlier scan (but it may list more variants of those Issues).

Compliance Reports

Supports the latest DISA Standard Report V4R10.

Application Tree

You can now see the application tree by clicking the View link in Scan Statistics > Pages Found.

Engine Version

DAST engine version is now shown in the AppScan Enterprise console. This replaces the security rules version.

Report generation enhancements

For XML reports generated using the REST API, the request-response traffic data is truncated by default. A new <href> attribute has been added under the <test-http-traffic> and <original-http-traffic> elements; it contains a link to the full request-response traffic data for the specific variant.

REST API enhancements
  • API: GET jobs/search and GET /folders/{folderid}/folderitems now provide information on the availability of scan-related data, such as logs and scan files.
  • API: GET /services/variants/{variantid} has been added; it returns the request-response traffic data for a variant.
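As an added example (not AppScan's own code), the following Python reads an XML report in which traffic is truncated, collects the href links from the <test-http-traffic> and <original-http-traffic> elements described above, and resolves them through a caller-supplied fetch function, such as an authenticated call to GET /services/variants/{variantid}. The enclosing <issue>/<variant> layout, the id attributes and the host names are assumptions; only the two element names, the href attribute and the variants endpoint come from these notes.

```python
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Optional
from urllib.parse import urlparse

# Element names and the href attribute are from the release notes; the
# <issue>/<variant> layout and id attributes are assumptions for this example.
TRAFFIC_ELEMENTS = ("original-http-traffic", "test-http-traffic")

# Constructed sample of a truncated report. The hrefs are assumed to point at
# the variant traffic endpoint; variant 5002 has no links (older-style report).
SAMPLE_REPORT = """<xml-report>
  <issue id="1001">
    <variant id="5001">
      <original-http-traffic href="https://ase.example.invalid/services/variants/5001">GET /account HTTP/1.1 ...</original-http-traffic>
      <test-http-traffic href="https://ase.example.invalid/services/variants/5001">GET /account?id=.. HTTP/1.1 ...</test-http-traffic>
    </variant>
  </issue>
  <issue id="1002">
    <variant id="5002">
      <original-http-traffic>GET /help HTTP/1.1 ...</original-http-traffic>
    </variant>
  </issue>
</xml-report>
"""

Links = Dict[str, Dict[str, Optional[str]]]


def collect_traffic_links(report_xml: str) -> Links:
    """Map each variant id to the href of its two traffic elements.
    A missing element or an element without href yields None."""
    root = ET.fromstring(report_xml)
    links: Links = {}
    for variant in root.iter("variant"):
        vid = variant.get("id")
        links[vid] = {}
        for tag in TRAFFIC_ELEMENTS:
            el = variant.find(tag)
            links[vid][tag] = None if el is None else el.get("href")
    return links


def fetch_full_traffic(links: Links, fetch: Callable[[str], str], console_host: str) -> Links:
    """Resolve each href via `fetch` (e.g. an authenticated HTTP GET). Links that
    are absent or not on the expected console host are left as None, so a
    tampered report cannot make the script fetch from an arbitrary host."""
    out: Links = {}
    for vid, per_tag in links.items():
        out[vid] = {}
        for tag, url in per_tag.items():
            if url is None or urlparse(url).hostname != console_host:
                out[vid][tag] = None
            else:
                out[vid][tag] = fetch(url)
    return out
```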

Will be removed in a future release

The following will be removed in a future release:

  • Generic Service Client (GSC)
  • X-Force categorization in Advisories and Issue Details
  • HCL AppScan Enterprise server on 32-bit Windows OS
  • HCL AppScan Enterprise plug-in for IE browser
  • Manual Explorer