What's new in HCL AppScan® Enterprise

New in HCL AppScan® Enterprise 10.0.7

This section describes new product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.
  • Support for scanning target applications configured for TLS 1.3
  • MFA: Support for TOTP and URL-generated OTP (see Configure OTP)
  • New Industry Standard reports:
    • "CWE/SANS Top 25 Most Dangerous Errors" is replaced by "CWE Top 25 Most Dangerous Software Weaknesses 2021"
    • OWASP TOP 10 - 2021
  • IAST improvements - Issue Information:
    • New "Additional Information" section
    • Exploit example included for many more issues

New in 10.0.7.28150

Added a security update to test for zero day Spring4Shell vulnerability CVE-2022-22965. Note that no version of AppScan was or is subject to this vulnerability.

Fixes and security updates

New security rules in this release include:
  • attApacheHttpPathTraversalUnix - Path traversal vulnerability in Apache HTTP Server (CVE-2021-41773)
  • attZencartRemoteCommandExecutionAdns - Authenticated RCE in ZenCart (CVE-2021-3291)
  • attApacheHttpPathTraversalUnix - Path traversal and RCE in Apache HTTP Server (CVE-2021-42013)
  • attAPIBrokenFunctionLevelAuthorization - API security rule for Broken Function Level Authorization (replays the original request with other HTTP methods)
  • attConfluenceRemoteCommandExecutionAdns - Confluence Server Webwork OGNL injection (CVE-2021-26084), detected using ADNS
  • attAPIMassAssignment - API security rule for Mass Assignment (sends requests with admin parameters/objects to gain access)
  • attAPILackResourcesRateLimit - API security rule for Lack of Resources and Rate Limiting (sets larger values for request parameters, which puts the server under stress)
  • attCSRFinGraphQL - Detects CSRF vulnerabilities in GraphQL endpoints
  • attCSPInjection - Detects whether a website is vulnerable to CSP policy injection
  • attAPIImproperAssetsManagement - API security rule for Improper Assets Management (requests unexposed paths)
  • attAPIImproperAssetsManagementDomain - API security rule for Improper Assets Management (requests unexposed domains)
  • attbootstrapXSS - Detects outdated Bootstrap versions

The complete list of fixes, updates, and RFEs in this release is listed here.

Upcoming changes

The following will be removed in a future release:

  • The Web Services, The Vital Few, and Developer Essentials test policies will be removed, as similar results can now be achieved using other policies. For information, see Predefined Test Policies.
  • Internet Explorer (IE) browser support will be removed.