What's new in HCL AppScan® Enterprise
Features and enhancements new to AppScan® Enterprise.
Important Notice
Support for IBM licenses in new releases of HCL AppScan Enterprise will end in Q3 (August/September) 2020. From then on, new versions will support HCL Licenses only. For instructions on obtaining and installing an HCL License refer to the product documentation. For more information contact your HCL representative or contact Support.
New in HCL AppScan® Enterprise 10.0.1
This section describes new product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.
Action-Based Explore
Improved accuracy and coverage for Automatic Action-Based Exploring.
- Improved error page detection for more accurate results.
- New variant for CVE-2018-7600: Remote Command Execution on Drupal: now uses the AppScan DNS capability.
- New test for CVE-2018-9206: Unrestricted FileUpload using Blueimp jQuery-File-Upload.
- New variant for SSRF: Dotless Hex IP.
- Directory Guessing: Added 50 new directory guessing rules.
- Multi-Step Operations: When configured, the validation of subsequent steps in a sequence while testing a specific step now covers SQL Injection, Command Injection, and Path Traversal (in addition to XSS). See Multi-Step Operations: Validation.
Issue consolidation
Consolidation of certain frequently occurring Issues, to produce a more compact set of results. For example, Issues that share a single source (such as a server configuration) but occur in multiple locations across the application are consolidated into one. Consolidation reduces the overall number of Issues without losing the details.
Compliance Reports
Supports the latest DISA Standard Report V4R10.
Application Tree
You can now see the application tree by clicking the View link in Scan Statistics > Pages Found.
Engine Version
DAST engine version is now shown in the AppScan Enterprise console. This replaces the security rules version.
Report generation enhancements
For XML reports generated using the REST API, the request-response traffic data is truncated by default. A new href attribute has been added to the <test-http-traffic> and <original-http-traffic> elements; it contains a link to the full request-response traffic data for the specific variant.
- API: GET jobs/search and GET /folders/{folderid}/folderitems now provide information on the availability of scan-related data such as logs and scan files.
- API: GET /services/variants/{variantid} has been added to return the request-response traffic data for a variant.
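The following script, an added example that is not part of the release notes or the product, shows how a report consumer would collect the href links from a truncated XML report before calling the variant traffic endpoint. Only the two element names and the href attribute come from the release notes; the <issue>/<variant id="..."> layout, the host name and the link URLs are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# The two element names and the href attribute come from the release notes; the
# surrounding <issue>/<variant id="..."> layout is an assumption for this example.
TRAFFIC_ELEMENTS = ("test-http-traffic", "original-http-traffic")
# Constructed sample report: variant 1001 is truncated and links to the server,
# 1002 has complete inline traffic and no link, 1003 links to some other host.
SAMPLE_REPORT = """<?xml version="1.0"?>
<report>
  <issue name="SQL Injection">
    <variant id="1001">
      <test-http-traffic href="https://ase.example.invalid/services/variants/1001">GET /a?id=1%27 ... (truncated)</test-http-traffic>
      <original-http-traffic href="https://ase.example.invalid/services/variants/1001">GET /a?id=1 ... (truncated)</original-http-traffic>
    </variant>
    <variant id="1002">
      <test-http-traffic>GET /b HTTP/1.1 (complete, no link)</test-http-traffic>
    </variant>
    <variant id="1003">
      <test-http-traffic href="https://elsewhere.example.invalid/x">...</test-http-traffic>
    </variant>
  </issue>
</report>
"""


def traffic_links(report_xml: str) -> dict:
    """Map variant id -> {traffic element name: href} for elements carrying a link."""
    root = ET.fromstring(report_xml)
    links = {}
    for variant in root.iter("variant"):
        vid = variant.get("id")
        if not vid:
            continue
        for elem in variant:  # direct children only
            href = elem.get("href")
            if elem.tag in TRAFFIC_ELEMENTS and href:
                links.setdefault(vid, {})[elem.tag] = href
    return links


def links_to_fetch(report_xml: str, ase_host: str) -> list:
    """Unique https hrefs on the expected AppScan host, so the API credential is never sent elsewhere."""
    wanted = set()
    for per_variant in traffic_links(report_xml).values():
        for href in per_variant.values():
            url = urlparse(href)
            if url.scheme == "https" and url.netloc == ase_host:
                wanted.add(href)
    return sorted(wanted)
```

Each returned link can then be retrieved with the same authenticated session used for the report download; links to any other host are deliberately dropped rather than followed.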
Will be removed in a future release
The following will be removed in a future release:
- Generic Service Client (GSC)
- X-Force categorization in Advisories and Issue Details
- HCL AppScan Enterprise server on 32-bit Windows OS
- HCL AppScan Enterprise plug-in for IE browser
- Manual Explorer