What's new in HCL AppScan® Enterprise
New in HCL AppScan® Enterprise 10.0.7
- Support for scanning target applications configured for TLS 1.3
- MFA: Support for TOTP and URL-generated OTP (see Configure OTP)
- New Industry Standard reports:
  - "CWE/SANS Top 25 Most Dangerous Errors" is replaced by "CWE Top 25 Most Dangerous Software Weaknesses 2021"
  - OWASP TOP 10 - 2021
- IAST improvements - Issue Information:
  - New "Additional Information" section
  - Exploit example included for many more issues
New in 10.0.7.28150
Added a security update to test for the zero-day Spring4Shell vulnerability CVE-2022-22965. Note that no version of AppScan was or is subject to this vulnerability.
Fixes and security updates
New security rules in this release include:
- attApacheHttpPathTraversalUnix - Path traversal vulnerability in Apache HTTP Server (CVE-2021-41773)
- attZencartRemoteCommandExecutionAdns - Authenticated RCE on ZenCart (CVE-2021-3291)
- attApacheHttpPathTraversalUnix - Apache HTTP Server path traversal and RCE (CVE-2021-42013)
- attAPIBrokenFunctionLevelAuthorization - API security rule for Broken Function Level Authorization (checks the original request with other HTTP methods)
- attConfluenceRemoteCommandExecutionAdns - Confluence Server Webwork OGNL injection (CVE-2021-26084) using ADNS
- attAPIMassAssignment - API security rule for Mass Assignment (request with admin parameters/objects to gain access)
- attAPILackResourcesRateLimit - API security rule for Lack of Resources and Rate Limiting (sets larger values for request parameters, which puts the server under stress)
- attCSRFinGraphQL - Detects CSRF vulnerabilities in GraphQL endpoints
- attCSPInjection - Detects whether the website is vulnerable to CSP policy injection
- attAPIImproperAssetsManagement - API security rule for Improper Assets Management (requests unexposed paths)
- attAPIImproperAssetsManagementDomain - API security rule for Improper Assets Management (requests unexposed domains)
- attbootstrapXSS - Detection of outdated Bootstrap versions
The complete list of fixes, updates, and RFEs in this release is available here.
Upcoming changes
The following will be removed in a future release:
- The Web Services, The Vital Few, and Developer Essentials test policies will be removed, as similar results can now be achieved using other policies. For information, see Predefined Test Policies.
- Internet Explorer (IE) browser support will be removed.