In the latest release of AppSpider Pro version 7.0 you will find some great new features which will improve the crawling, attack and overall usability of the product. Below are a few of the key new enhancements you will find in the release.
With the introduction of the Chrome/WebKit browser, AppSpider Pro now supports both Chrome and Internet Explorer as default browsers. These integrated browsers facilitate AppSpider's crawling and attack functionality, so with the added support of the Chrome browser, AppSpider now has improved coverage for web applications that aren’t fully compatible with Internet Explorer.
Need a quick way to verify that a vulnerability has been remediated by your development team? AppSpider's new validation scan method allows users to target a scan against a previously scanned application and rescan only selected vulnerabilities rather than re-running a complete scan. Save time and get immediate visibility into remediation status.
Improved UI Updates
Looking for real-time, at-a-glance information about your scans? AppSpider Pro's main UI screen has been updated to give you visibility into scan status, the number of vulnerabilities found, the number of links crawled, the authentication used and the attack policy that was used. Having all of your scan information in one place makes it easier than ever to monitor scan progress.
Confidence level for findings
Based on the experience and research of Rapid7’s engineering teams, a confidence level for findings is now available in HTML and JSON reports to provide users with a visual indicator of how certain AppSpider is that a particular finding is valid.
New Attack Modules
The following attack modules have been added as a part of this release:
- ASP.NET Serialization: The ASP.NET Serialization security module checks for serialized binary objects. Serialized data can potentially be intercepted and read by malicious users. Furthermore, in some cases controls might use serialized data for internal processing, so malicious code may be processed on the web server.
- Cross-site scripting (XSS), (DOM based Reflected via Ajax Request): DOM Based XSS (or as it is called in some texts, "type-0 XSS") is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim's browser used by the original client-side script, so that the client-side code runs in an “unexpected” manner.
- HTTP Query Session Check: The HTTP Query Session Check inspects parameter values which can expose an application to various security risks.
- HTTP User Agent Check: The HTTP User-Agent Check determines whether the application performs user-agent sniffing.
- Session Upgrade: Reports a risk factor for exposing or binding the user session between states of anonymous users and authenticated users.
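The Session Upgrade module described above reports when an anonymous session is carried over into the authenticated state. The following is an added illustration of that check, not AppSpider's own code: it compares the session cookies issued before and after login over constructed Set-Cookie headers, and the cookie names it treats as session identifiers are an assumption.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie headers (not real scan data): the values an
# application returned before login, and two possible responses to the login
# request. In the weak case the pre-authentication session id is kept, so the
# anonymous session becomes bound to the authenticated user.
ANON_RESPONSE_HEADERS = ["JSESSIONID=abc123; Path=/; HttpOnly"]
LOGIN_RESPONSE_HEADERS_WEAK = ["remember=1; Path=/"]
LOGIN_RESPONSE_HEADERS_GOOD = ["JSESSIONID=zzz789; Path=/; HttpOnly; Secure"]

# Assumed list of cookie names that commonly carry a session identifier.
SESSION_COOKIE_NAMES = {"JSESSIONID", "PHPSESSID", "ASP.NET_SessionId", "sessionid"}


def session_ids(set_cookie_headers):
    """Return {cookie_name: value} for session-identifier cookies in the headers."""
    ids = {}
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if name in SESSION_COOKIE_NAMES:
                ids[name] = morsel.value
    return ids


def check_session_upgrade(anon_headers, login_headers):
    """Return the names of session cookies whose value was not changed by the
    authentication step, i.e. the anonymous id survived the session upgrade.

    A cookie that the login response does not re-issue at all keeps its old
    value in the browser, so it is reported as well.
    """
    before = session_ids(anon_headers)
    after = session_ids(login_headers)
    return [name for name, value in before.items() if after.get(name, value) == value]


if __name__ == "__main__":
    print("weak:", check_session_upgrade(ANON_RESPONSE_HEADERS, LOGIN_RESPONSE_HEADERS_WEAK))
    print("good:", check_session_upgrade(ANON_RESPONSE_HEADERS, LOGIN_RESPONSE_HEADERS_GOOD))
```

The remediation the check points at is to issue a fresh session identifier on every privilege change, so the value observed before authentication is never accepted afterwards.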
For additional details on these features, please review the AppSpider Pro 7.0 User Guide (PDF).