EVM Web Scan Changelog

Sylwia
Sylwia Posts: 44 WithSecure Employee

Elements Vulnerability Management Web Scan feature changes will be published under this announcement thread.

Every time there is a change, an entry will be created under this announcement describing new functionalities, improvements or bug fixes.

📝 Click here to see the most recent change log and bookmark the discussion to be notified of any updates.

Comments

  • Sylwia
    Sylwia Posts: 44 WithSecure Employee

    Old change logs

    Publication time frame: January 2018 - April 2018


    Version 2.7.0, released January 10, 2018

    New features and improvements:

    • GetXss plugin was rewritten, some new XSS cases can be found.
    • Some plugins report the execution path in the 'Finding' field.
    • POST request in execution path contains body.
    • Form extraction was optimized.

    Fixed issues:

    • Fixed problem with stopping scan progress.
    • Invalid URLs in parsed HTML do not blow up the scan.
    • OpenRedirect plugin fixed.

    Version 2.7.1, released January 11, 2018

    Fixed issues:

    • Fixed NullReference issue in PostXss plugin.
    • Invalid URLs in parsed HTML do not stop the scan.

    Version 2.8.0, released January 12, 2018

    New features and improvements:

    • Some plugins report the execution path in the 'Finding' field.
    • Detection of vulnerabilities for GetXss and PostXss plugins improved.

    Fixed issues:

    • Fixed ESENT storage issue.

    Version 2.8.1, released January 15, 2018

    Fixed issues:

    • Technical change within the build process.

    Version 2.8.2, released January 23, 2018

    Fixed issues:

    • Fixed issue with too long string in 'issuedetails' field in raport.xml which precluded the RSC from loading it.

    Version 2.8.3, released January 24, 2018

    Fixed issues:

    • Fixed issue with overriding "Host" header by a parameter from configuration.

    Version 2.8.4, released January 26, 2018

    Fixed issues:

    • Fixed issue with invalid string in 'injection/value' field in report.xml.

    Version 2.9.0, released March 07, 2018

    New features and improvements:

    • Forceful browsing feature implemented:
      • Four plugins (that can report findings) responsible for various variants:
        • Common directories - looks for common directory names (only inside the root of the site)
        • Common files - looks for common file names (only inside the root of the site)
        • Backup directories - looks for some backups of directories, where directory names are generated dynamically from current crawling context (current resource)
        • Backup files - looks for some backups of files, where file names are generated dynamically from current crawling context (current resource)
      • The final report includes at most 20 findings from each forceful browser, but all findings are listed in the log file
      • Crawlable findings (that can be hit by crawling) of forceful browsing are not reported
      • Only confirmed findings are taken into account for further processing
    • Some other forceful browsing behavior was extracted from code and modeled explicitly as plugins (these cannot report findings, only generate new requests):
      • IntermediatePaths - generates requests for intermediate paths of the current request
      • GetWithoutParamsFromPost - generates a GET request without any parameters (neither post parameters nor query string parameters)
      • GetWithParamsFromPost - generates GET requests with query string parameters instead of post parameters
      • Every forceful browser plugin can be switched on and off independently (as every plugin)
    • All attacking plugins report the execution path inside the Finding field
    • Execution path items are cut carefully (if needed) to avoid discarding important information (e.g. the parameter that is just attacked)
    • Improved the handling of query string parameters:
      • Duplicate parameters are handled (injected) correctly
      • More reliable and natural API to ease the creation of new plugins
      • FormParamsExcludedFromAttacks - form (post) parameters that should not be attacked
      • CookiesExcludedFromAttacks - cookies that should not be attacked
      • HeadersAttacked - headers that should be attacked
    • Some hardcoded parameters were moved into configuration (not visible in the Radar GUI for now)
    • Refactoring that aims to clean up the scanner model and make further development easier

    Fixed issues:

    • Fixed generation of separate requests from every form select/radio value
    • Vulnerability checks are done with respect to response body only (without headers)
    • If auth validation request is not present in recordings, then it is not set to the login request

    Version 2.10.0, released April 24, 2018

    New features and improvements:

    • XSS detections rewritten from scratch with assumptions:
      • final stage of the attack should inject an "executable" payload
      • injected payload should contain some random part to be distinguishable from old, stored attacks
      • all WAVSEP's RXSS basic tests (except exploiting the unsupported VBScript) should pass
    • New StaticAnalyzer plugin - Unsafe characters in Location: header
    • Some string-ignore-case comparison optimizations

    Fixed issues:

    • Corrected verification step of time-based sql injection attacks
    • Fixed issue with generating too many parameters in requests originating from GET forms
    • Fixed "Out of sessions" ESENT issue

    Version 2.10.1, released April 25, 2018

    Fixed issues:

    • Findings per plugin limit decreased from 200 to 100

    Version 2.10.2, released April 26, 2018

    Fixed issues:

    • Fixed "System.ArgumentOutOfRangeException" issue related to plugin 44

    Version 2.10.3, released April 27, 2018

    Fixed issues:

    • Fixed "System.ArgumentOutOfRangeException" issue related to plugin 44 (v2.10.2 does not cover all cases)


  • Sylwia
    Sylwia Posts: 44 WithSecure Employee

    Old change logs

    Publication time frame: May 2018 - July 2018


    Version 2.11.0, released May 8, 2018

    New features and improvements:

    • As a part of the vulnerability report data, Web Scan engine saves the HTML body of the page on which the vulnerability was found. The whole page has been recorded. After applying a change, only the surroundings of the found fingerprint is recorded and sent back to Radar Security Center. This limits the report size and optimizes data processing.

    Fixed issues:

    • Fixed "System.ArgumentOutOfRangeException" issue related to plugin 44 (v2.10.2 does not cover all cases)
    • Removed duplication of payloads of the plugin 17

    Version 2.11.1, released May 14, 2018

    New features and improvements:

    • Changed the scan progress calculation to better reflect the scan state
    • Some optimizations in healthcheck mechanism

    Fixed issues:

    • Fixed issue with hanging scans
    • Added additional logging info in case of problems with parsing html forms

    Version 2.11.2, released May 16, 2018

    Fixed issues:

    • Fixed the "Invalid URI: The Uri string is too long" issue

    Version 2.11.3, released May 29, 2018

    Fixed issues:

    • Fixed the "Index and length must refer to a location within the string" issue in XSS checks

    Version 2.11.4, released June 1, 2018

    New features and improvements:

    • All hidden fields within authorization requests inside recordings are replaced by values from a fresh request (there is no need to remove them from the recording file)

    Fixed issues:

    • Checking request restrictions during authentication has been turned off (solves the issue when logout and login URLs are the same)
    • The Solution field in PostFileInclusion plugin has been supplemented

    Version 2.11.5, released June 5, 2018

    Fixed issues:

    • Pages that are problematic for the page clusterer are treated as unique (non-clustered) (RADAR-10206)

    Version 2.12.0, released June 8, 2018

    New features and improvements:

    • Finding's execution paths in the Finding field were changed to be more meaningful (RADAR-10591)
    • Changed the logic detection of the PrivateIpAddressDisclosure plugin (20) to minimize false positives (RADAR-10503)
    • Log events (messages, log levels) were reviewed and unified (RADAR-10382)
    • Added a second, JSON-structured log file for data processing and analysis (RADAR-10383)
    • Optimized the distribution of jobs related to processing requests and decreased the number of parallel processing threads (RADAR-10467)

    Fixed issues:

    • All timed out and response code 500 requests are rerun by the engine (some such requests were lost when the target site had some problems with processing requests) (RADAR-10668)

    Version 2.13.0, released June 19, 2018

    New features and improvements:

    • Authentication mechanism rewritten to handle non-trivial cases (RADAR-10689)

    Fixed issues:

    • Extracting forms mechanism ignores form tags inside HTML comments
    • Extracted form fields have properly encoded names

    Version 2.13.1, released June 21, 2018

    Fixed issues:

    • Scan terminates properly if the auth configuration is inconsistent (RADAR-10690)

    Version 2.14.0, released June 26, 2018

    New features and improvements:

    • New -i option for WSNG.exe that displays plugin information and vulnerability check statistics (RADAR-10662)
    • Memory usage optimizations (RADAR-10816)

    Version 2.15.0, released July 13, 2018

    New features and improvements:

    • Scan log file is UTF-8 encoded now (RADAR-10885)
    • XSS checker detects XSS reflected as html attribute name (RADAR-7131)
    • Crawling engine looks for links inside "windows.href=..." and "windows.open(...)" patterns
    • Some code refactoring to clean up the code base (restriction checking, recording handling) (RADAR-6976, RADAR-10943)

    Fixed issues:

    • Engine components are disposed properly (RADAR-9384)
      • Removed noisy warning/error messages at the end of the scan log file
    • Authentication flow skips all-hidden-fields forms when it looks for a login form

    Version 2.16.1, released July 27, 2018

    New features and improvements:

    • Improved load balancing and health check mechanisms (RADAR-10869)
    • Added information to logs about header/cookie injections
    • Limited the number of requests generated from http forms with radio button/checkbox input (RADAR-10976)
    • Plugin 41 (Cacheable HTTPS response) does not report findings for permanent redirections (RADAR-10990)
    • XSS in-attribute-name onerror-payload is injected only for pertinent html elements (RADAR-7131)
    • Refactored the request object representation to enable various kind of payloads (JSON, XML) (RADAR-10741)

    Fixed issues:

    • Form extractor properly parses inappropriately encoded form values (RADAR-10975)
    • Referrer header is handled properly within the authentication flow for redirect requests (related to RADAR-10868)
    • Fixed login authentication flow to better support cases where the active session cookie is added to the scan configuration


  • Sylwia
    Sylwia Posts: 44 WithSecure Employee

    Old change logs

    Publication time frame: August 2018 - December 2018


    Version 2.17.0 released August 14, 2018

    New features and improvements:

    • Connections management (RADAR-10978)
      • Engine switched to sending HTTP/1.1 requests by default
      • Support for the Connection: Keep-Alive http header
      • Dropping connections that cannot be reused for some reason
    • Detection of blocked symbols in query parameter values in URLs (turned off by default for now) (RADAR-11116)
    • Request rerun provides info about the rerun reason in the log file

    Version 2.17.1 released August 14, 2018

    Fixed issues:

    • Blocked attacks against URLs returning 30x when some fingerprint is then searched (RADAR-11114)
    • Fixed "This operation is not supported" issue on gzip-compressed responses

    Version 2.17.2 released August 16, 2018

    New features and improvements:

    • Requests other than GET or POST in recording are filtered out instead of the exception being thrown (RADAR-10868)

    Version 2.17.3 released August 22, 2018

    New features and improvements:

    • The IP of the scanned host is now clearly visible at the start of the scan log - keyword: "TargetIp" (RADAR-11183)

    Version 2.17.4 released August 25, 2018

    Fixed issues:

    • Fixed handling of forms that have empty method attributes (RADAR-11184)

    Version 2.18.0 released September 3, 2018

    New features and improvements:

    • Additional scan phase for rechecking time-based findings (RADAR-11134)
      • All findings of plugins 4, 7, 19, 29, and 32 are rechecked sequentially without any other traffic
      • Findings rechecked negatively are removed
      • Scan log contains information about what findings were rechecked and the result of the recheck

    Version 2.18.1 released September 11, 2018

    Fixed issues:

    • Fixed issue with proper scans finishing when the global timeout was reached (RADAR-11311)
    • The 99% scan progress indication is presented during the recheck phase

    Version 2.19.0 released September 26, 2018

    New features and improvements:

    • Technical changes that move the web scan functionality towards Linux compatibility (RADAR-6979)

    Version 2.20.0 released October 16, 2018

    New features and improvements:

    • Removed transformation of POST request into GET request (RADAR-11624)
    • "Duplicate" requests (the same query parameters but different values) found by the crawler are filtered out from attacks (RADAR-11638)
    • Many technical changes to improve the maintainability of the scanning engine (RADAR-11462, RADAR-11610)

    Version 2.21.0 released October 30, 2018

    New features and improvements:

    • Reduced the number of generated requests (RADAR-11626, RADAR-11627, RADAR-11742, RADAR-11625)
    • The fields in submitted forms are filled in with reasonable values if they are empty (RADAR-11688)
    • Crawler looks for links inside 'data-href' attributes (RADAR-11740)

    Version 2.21.1 released November 19, 2018

    Fixed issues:

    • Fixed issue with the wrong extraction of windows.location-type links inside HTML attributes (RADAR-11939)

    Version 2.22.1 released December 7, 2018

    New features and improvements:

    • Disk storage optimizations (RADAR-12133, RADAR-11793)

    Version 2.22.2 released December 11, 2018

    Fixed issues:

    • Handling improper values of the Content-Type header (RADAR-12120)


  • Sylwia
    Sylwia Posts: 44 WithSecure Employee

    Old change logs

    Publication time frame: January 2019 - July 2019


    Version 2.23.0 released January 2, 2019

    New features and improvements:

    • Better progress reporting
    • Centralized and unified logging of the internal state of various components (at DEBUG level)
    • Many technical changes to make the solution ready for a headless crawler component (RADAR-12146, RADAR-11617)

    Version 2.23.1 released January 7, 2019

    Fixed issues:

    • Response encoding is set to UTF-8 when it cannot be deduced from the Content-Type header (RADAR-12246)

    Version 2.23.2 released January 14, 2019

    Fixed issues:

    • XML report sent is now UTF-8 encoded (RADAR-12246)

    Version 2.23.3 released January 16, 2019

    Fixed issues:

    • Fixed stopping the scan when the global timeout is reached (RADAR-12425)

    Version 2.23.4 released February 15, 2019

    • Bumped version to avoid warnings about an engine not being updated in Radar Security Center (RADAR-12581)

    Version 2.24.0 released March 1, 2019

    Fixed issues:

    • [RADAR-12789] - Fixed problems with memory overuse
    • [RADAR-12719] - Fixed issue manifesting with "An item with the same key has already been added." error log
    • [RADAR-12861] - Fixed issue with inappropriate extraction of links from 'window.open' javascript code
    • [RADAR-12795] - The "~1" check in forceful browsing plugins was discarded as it leads to false positives
    • [RADAR-12796] - Login bypass type of the SQL injection check was discarded as it leads to false positives

    Version 2.24.1 released March 4, 2019

    Fixed issues:

    • [RADAR-12892] - Fixed issue with forms authentication where a parameter name of a login form had to be encoded.

    Version 2.25.0 released March 10, 2019

    New features and improvements:

    • [RADAR-12892] - Improvements related to memory overuse.

    Version 2.25.1 released March 11, 2019

    Fixed issues:

    • [RADAR-12948] - Fixed path encoding inside URLs.

    Version 2.25.2 released March 13, 2019

    Fixed issues:

    • [RADAR-12892] - Further improvements related to memory overuse.

    Improvements:

    • [RADAR-12976] - Improved logging of crawled pages
    • [RADAR-12972] - Multipart request should not decode the param values

    Version 3.0.0 released July 17, 2019

    New features and improvements:

    • [RADAR-11238] - Porting WebScan to .NET Core - can be run on Linux (also RADAR-6979)
    • [RADAR-10783] - Headless crawler in WebScan
      • a new Chromium-based crawler is added to support the existing one
      • the new crawler runs for a configurable time (now set to 3 minutes), looks for links, forms, and events in the rendered DOM, and captures AJAX requests
      • the approachability check (with authentication) phase is done by the new crawler
    • [RADAR-13757] - New building pipeline incorporating new requirements (.NET Core, downloading Chromium binaries, etc.)
    • [RADAR-10211] - Added static backup guesses (.zip, .tar.gz, .tgz) to BackupDirectories and BackupFiles forceful browsing plugins
    • [RADAR-11324] - Added a common folder (.idea, .vs, .vscode) to the CommonDirectories forceful browsing plugin
    • [RADAR-13843] - Cookies specified in scan config always override ones obtained during the scan
    • [RADAR-13869] - Clusterer's limit of checked samples in a cluster was decreased to 100
    • [RADAR-13880] - Added a new scope restriction that is based on URL path depth (number of path segments)
    • [RADAR-13919] - Added a new scope restriction that is based on the detection of recurring URL path segments (detection of looped paths)
    • [RADAR-10365] - XSS attacks that execute remote JS script uses now real resources (JS script) that actually exploit (and confirm) the vulnerability

    Fixed issues:

    • [RADAR-13797] - Form has the wrong URL when it has a relative URL in the 'action' attribute
    • [RADAR-11556] - Static analysis of external responses within checking approachability phase is forbidden
    • [RADAR-13869] - Forcing to stop scan when "max. URLs to crawl" limit was reached
    • [RADAR-13965] - Web Scan cuts too big request body (not only response body) for a report
    • [RADAR-14012] - Fixed an issue with incorrect URL in _Findings_ field shown by forceful browsing plugins

    Version 3.1.0 released July 22, 2019

    New features and improvements:

    • [RADAR-869] - Grouping plugins to mitigate duplicated findings (e.g. time-based SQLi are executed only if error-based attacks fail)
    • [RADAR-9992] - New static analyzer: Missing 'X-Frame-Options' header
    • [RADAR-13995] - Fixed problem with disk storage overuse due to the accumulation of unprocessed responses
    • [RADAR-14148] - Build artifacts includes the xlsx sheet containing known vulnerabilities of well known broken web applications generated from test cases

    Fixed issues:

    • [RADAR-14125] - Excluded range 127/8 from the False positive: internal IP address disclosure PrivateIpAddressDisclosure plugin
    • [RADAR-14268] - Fixed a bug within checking XSS fingerprint's procedure that produced false positives in some specific cases

    Version 3.2.0 released July 30, 2019

    New features and improvements:

    • [RADAR-12883] - Removing unwanted findings by forceful browsers
    • [RADAR-14399] - Headless crawler improved to minimize breaking connections because of moving on too fast
    • [RADAR-14388] - Memory usage optimizations

    Fixed issues:

    • [RADAR-14324] - Fixed issue related to missing some intermediate paths by the crawler
    • [RADAR-14367] - Fixed issue with reporting proper URL by static analyzers if they report only single finding
    • [RADAR-14371] - Fixed issue with wrong Content-Length header value for POST request mapped from headless crawler
    • [RADAR-14372] - Fixed issue with wrong Content-Length header value for some POST attack requests
    • [RADAR-869] - Fixed issue with breaking scans when a plugin's grouping mechanism received requests other than GET or POST
    • [RADAR-14388] - Fixed terminating the scan in case of MemoryException


  • Sylwia
    Sylwia Posts: 44 WithSecure Employee

    Old change logs

    Publication time frame: August 2019 - October 2019


    Version 3.2.1 released August 21, 2019

    Fixed issues:

    • [RADAR-14484] - Fixed an issue with authenticated scans of WordPress sites. Fixed the handling of the logout fingerprint, it is treated as a regular expression by default but some values cannot be parsed as a correct regular expression, in which case it is treated as simple text. Fixed the progress percent info showing NaN in some rare cases.

    Version 3.3.0 released August 23, 2019

    New features and improvements:

    • [RADAR-14280] - Attacking JSON payloads (error-based SQLi so far)
    • [RADAR-14445] - Replaying recorded DOM events by the headless crawler (feature not available for the user)

    Fixed issues:

    • [RADAR-14578] - Removed "faultstring" SQLi fingerprint that causes false-positive findings
    • [RADAR-14568] - Fixed the "login form's 'submit' button hasn't been found" issue - a form's button without the 'type' attribute is recognized as a 'submit' button (in accordance with HTML spec)
    • [RADAR-14388] - Another fix related to proper scan termination in case of an exception inside headless crawler

    Version 3.3.1 released August 28, 2019

    Fixed issues:

    • [RADAR-14602] - Fixed OverflowException during report generation

    Version 3.4.0 released September 9, 2019

    New features and improvements:

    • [RADAR-14280] - Attacking JSON payloads (all but XSS attack types)
    • [RADAR-1209] - New plugin (id 59) that looks for old, vulnerable javascript libraries
    • [RADAR-13319] - Added references to OWASP Top 10 categories in all plugins (not visible for the user so far)

    Version 3.4.1 released September 16, 2019

    Fixed issues:

    • [RADAR-14773] - WebSocket's 'upgrade' requests are blocked (they hang the crawler)

    Version 3.4.2 released September 19, 2019

    Fixed issues:

    • [RADAR-14773] - Another fix related to WebSocket's 'upgrade' mechanism

    Version 3.4.3 released September 20, 2019

    Fixed issues:

    • [RADAR-14804] - Fixed issue with visibility of HTTP requests on reports

    Version 3.4.4 released September 26, 2019

    Fixed issues:

    • [RADAR-14876] - Fixed issue with attacking external hosted js libs

    Version 4.0.0 released October 2, 2019

    New features and improvements:

    • Attacking model redesigned and reimplemented:
      • attackers are defined in a declarative way
      • logic of popular types of attacks is abstracted and centralized
      • attackers can reuse results of other attackers
      • identifiers of all plugins have changed
      • "GET parameter" affected element name renamed to "query parameter", and "POST parameter" renamed to "form parameter"

    Version 4.0.1 released October 2, 2019

    Fixed issues:

    • [RADAR-14914] - Fixed issue with not applying HTTP headers from config by Headless crawler

    Version 4.0.2 released October 4, 2019

    Fixed issues:

    • [RADAR-14941] - Increased the headless browser's timeout for the approachability checking phase

    Version 4.0.3 released October 7, 2019

    Fixed issues:

    • [RADAR-14953] - Fixed issue with conflicts in javascript events registration during the authentication phase

    Version 4.0.4 released October 9, 2019

    Fixed issues:

    • [RADAR-14941] - Fixed issue with reporting outer javascript links as discovered pages

    Version 4.0.5 released October 14, 2019

    Fixed issues:

    • [RADAR-15049] - Fixed issue with NullReferenceException when rechecking JSON findings

    Version 4.1.0 released October 16, 2019

    New features and improvements:

    • [RADAR-14987] - New attacker - difference-based SQL injection
    • [RADAR-15036] - Error-based SQL injection attacks XML element injection point
    • [RADAR-13319] - XML final report contains findings' OWASP references
    • [RADAR-14805] - Improvements in the logic of time-based attacks

    Fixed issues:

    • [RADAR-15059] - Fixed issue with false positives generated by BackupDirectories forceful browser
    • [RADAR-14909] - Fixed issue with hanging scans in case of OutOfMemoryException in starting phase

    Version 4.1.1 released October 17, 2019

    Fixed issues:

    • [RADAR-15090] - Fixed issue with finding the proper submit button within the authentication form

    Version 4.1.2 released October 17, 2019

    Fixed issues:

    • [RADAR-15097] - Fixed issue with scanning all URLs configured in "Add relative URLs for scanning"

    Version 4.1.4 released October 21, 2019

    Fixed issues:

    • [RADAR-14467] - Fixed issue with proper scan termination in case of exception of initial scan phase
    • [RADAR-15129] - Fixed issue with the termination of the scan by not handling requests with JSON-array payload

    Version 4.1.5 released October 24, 2019

    Fixed issues:

    • [RADAR-15159] - When authenticating, WebScan chooses the submit button if there are other non-button submit controls
    • [RADAR-15164] - WebScan returns a specific exit code when generating a report fails

    Version 4.1.6 released October 25, 2019

    Fixed issues:

    • [RADAR-15159] - Fixed issue with dialogs blocking authentication flow


  • Sylwia
    Sylwia Posts: 44 WithSecure Employee

    Old change logs

    Publication time frame: November 2019 - March 2020


    Version 4.1.10 released November 07, 2019

    Fixed issues:

    • [RADAR-15277] - Fixed issue with trying to use a non-visible DOM element during authentication

    Version 4.1.11 released November 12, 2019

    Fixed issues:

    • [RADAR-15303] - Fixed issue with an unhandled exception during the reporting phase

    Version 4.1.13 released November 21, 2019

    Fixed issues:

    • [RADAR-15381] - Added 'input[type=image]' to queried selectors when searching the submit button of the login form
    • Fixed issue with broken links extraction in the headless crawler

    Version 4.1.14 released December 10, 2019

    Fixed issues:

    • [RADAR-15493] - Applied a workaround for an issue relating to blocking the permanent connections (e.g. "polling")

    Version 4.1.15 released December 11, 2019

    Fixed issues:

    • [RADAR-15491] - Fixed issue with looking for the LoginFingerprint when a page wasn't fully loaded
    • [RADAR-15478] - Skipping duplicate (not visible) inputs when typing credentials in a login form

    Version 4.1.16 released December 13, 2019

    Fixed issues:

    • [RADAR-15602] - Fixed issue with proper decoding form parameters created from a request body
    • [RADAR-15544] - Fixed broken payload in BlindCMDi plugin
    • [RADAR-15493] - Fixed problem with timing out requests during approachability checking

    Version 4.2.0 released January 9, 2020

    New features and improvements:

    • [RADAR-14445] - Replaying new recording format (from new recorder Chrome plugin)
    • [RADAR-14185] - Improved some payloads of SQL injection attacks
    • [RADAR-14185] - Upgraded all acceptance tests to a new format, added many new tests
    • [RADAR-15741] - Optimized the headless crawler starting mechanism

    Fixed issues:

    • [RADAR-15679] - Fixed issue with missing forceful browsers' findings
    • [RADAR-14185] - Fixed issue with SOAP requests missed by the crawler
    • [RADAR-15602] - Reauthentication check skips looking for logout fingerprint in javascript files

    Version 4.2.1 released January 21, 2020

    Fixed issues:

    • [RADAR-15602] - Fixed issue with blocking initial request

    Version 4.2.2 released January 29, 2020

    Fixed issues:

    • [RADAR-15995] - Relaxed the conditions for a 'good' health testing response

    Version 4.2.3 released February 02, 2020

    Fixed issues:

    • [RADAR-15995] - Fixed "NullReferenceException" issue

    Version 4.2.4 released February 10, 2020

    Fixed issues:

    • [RADAR-16087] - Fixed issue with unnecessary scan termination on headless browser closing timeout

    Version 4.2.5 released February 13, 2020

    New features and improvements:

    • [RADAR-15995] - Some performance optimization of disk data storage (caching component)

    Fixed issues:

    • [RADAR-15995] - Fixed issue with XSS payload serialization, fixed issue with memory statistics not showing in the log file

    Version 4.2.6 released February 26, 2020

    New features and improvements:

    • [RADAR-15995] - Performance optimization - response body is cached/stored separately from exchange data
    • [RADAR-15995] - Performance optimization - handling the logic of the PrivateIpAddressDisclosure plugin
    • Other minor performance optimizations

    Fixed issues:

    • [RADAR-15995] - Fixed problem with memory leak caused by specific component registration in application container
    • [RADAR-15995] - Fixed problem with counting memory size of disk's cache structure

    Version 4.2.7 released March 13, 2020

    Fixed issues:

    • [RADAR-16396] - Fixed problem with negative index when generating finding info in the log file

    Version 4.3.0 released March 31, 2020

    New features and improvements:

    • [RADAR-16429] - Handling a new configuration format produced by improved WebScan's configuration wizard in the Radar
    • [RADAR-16435] - Crawled (and attacked) request can be filtered out by HTTP methods

    Fixed issues:

    • [RADAR-16517] - Fixed dates in WebScan's report
    • [RADAR-16516] - Fixed issue with NetworkInformationException


  • Sylwia
    Sylwia Posts: 44 WithSecure Employee

    Old change logs

    Publication time frame: April 2020 - October 2020


    Version 4.4.0 released April 3, 2020

    New features and improvements:

    • [RADAR-16593] - Handling mouse-over type of events in a recording

    Fixed issues:

    • [RADAR-16591] - Fixed issue with replaying a recording 'change' event when the input's selector had changed during typing

    Version 4.4.1 released April 9, 2020

    Fixed issues:

    • [RADAR-16706] - Fixed issue with broken basic authentication in classical crawler
    • [RADAR-16740] - Fixed issue with not executing some Forceful Browsers' checks when only this kind of checks are configured

    Version 4.4.2 released April 9, 2020

    Fixed issues:

    • [RADAR-16769] - Fixed issue with a timeout during the approachability check

    Version 4.4.3 released May 19, 2020

    New features and improvements:

    • [RADAR-16922] - Upgraded Chromium to rev. 722234 (ver. 80.0.3987.0)

    Version 4.4.4 released May 20, 2020

    New features and improvements:

    • [RADAR-17081] - Fixed issue with launching Chromium

    Version 4.4.5 released May 21, 2020

    New features and improvements:

    • [RADAR-17057] - Applied a workaround to enable finding the element with changing CSS selector when replaying authentication flow

    Version 4.5.0 released June 18, 2020

    New features and improvements:

    • [RADAR-16286] - Follow redirects option in engine (turned off by default)

    Fixed issues:

    • [RADAR-17029] - Fixed issue with Chromium orphans left after scan
    • [RADAR-17279] - Fixed issue with handling the first POST request after successful authentication
    • [RADAR-17306] - LoginFingerprint and LogoutFingerprint in WebScan config override recorded values
    • [RADAR-17165] - Fixed issue with false positives caused by prefixing payloads in forceful browsing checks

    Version 4.5.1 released June 23, 2020

    Fixed issues:

    • [RADAR-17279] - Fixed issue with starting URLs not being added to the blocklist
    • [RADAR-17368] - Fixed issue with not respecting HTTP method restrictions for a POST request to start crawling

    Version 4.5.2 released June 25, 2020

    Fixed issues:

    • [RADAR-17279] - Fixed issue with replaying events when starting request is POST

    Version 4.6.0 released July 1, 2020

    Fixed issues:

    • [RADAR-17460] - Fixed issue with hanging scan if the target responds with JSON content type
    • [RADAR-17450] - Fixed error in log entry informing about redirection

    Version 4.6.1 released July 2, 2020

    Fixed issues:

    • [RADAR-17279] - Fixed issue with improper starting URL for crawling
    • [RADAR-17506] - Fixed issue with hanging headless crawler on print dialog

    Version 4.6.2 released July 8, 2020

    Fixed issues:

    • [RADAR-17557] - Fixed issue with input field not being cleared before typing in the headless crawler
    • [RADAR-17558] - Fixed issue with handling navigation when replaying manual crawling

    Version 4.7.0 released July 29, 2020

    New features and improvements:

    • [RADAR-1054] - Handling HTML forms protected by one-time anti-CSRF token

    Version 4.7.1 released August 19, 2020

    Fixed issues:

    • [RADAR-17811] - Fixed issue with approachability phase failure

    Version 4.7.2 released August 20, 2020

    Fixed issues:

    • [RADAR-17826] - Fixed issue with starting request being restricted via HTTP method restriction

    Version 4.7.3 released August 20, 2020

    Fixed issues:

    • [RADAR-17851] - Fixed issue with proper selection of starting request

    Version 4.7.4 released August 26, 2020

    Fixed issues:

    • [RADAR-17866] - Fixed issue with improper handling of CRLF (end of line) in LoginFingerprint

    Version 4.7.5 released September 19, 2020

    Fixed issues:

    • [RADAR-18010] - Fixed issue with redirection made by JavaScript code in a browser
    • [RADAR-18102] - Fixed issue with race condition while reading the recording file

    Version 4.7.6 released October 16, 2020

    Fixed issues:

    • [RADAR-18379] - Fixed issue with basic authentication

    Version 4.8.0 released October 20, 2020

    New features and improvements:

    • [RADAR-18312] - Configuration settings and handling cleaned up
    • [RADAR-9211] - NTLM authentication implemented
    • [RADAR-18244] - Added HTTP header "Accept-Encoding: gzip, deflate" to default headers
    • [RADAR-17986] - Configurable query parameters that are distinguishable for the crawler
    • [RADAR-18004] - Build directory does not contain Chromium revision number
    • Some internal changes with no visible impact for end users


  • Sylwia
    Sylwia Posts: 44 WithSecure Employee
    edited November 2022

    Old change logs

    Publication time frame: November 2020 - March 2021


    Version 5.0.0 released November 24, 2020

    New features and improvements:

    • [RADAR-17349] - Clustering mechanism reimplemented
    • [RADAR-15138] - New checker for Cross-Site Request Forgery detection
    • [RADAR-18471] - Improved detection of vulnerable Bootstrap library
    • [RADAR-18371] - Solution reorganization and code cleanup (no visible impact for end users)
    • [RADAR-18290] - Improvements in Difference-based SQL injection checker

    Fixed issues:

    • [RADAR-18596] - Fixed issue with healthcare mechanism
    • [RADAR-18606] - Fixed issue with reading a recording containing illegal characters

    Version 5.0.1 released November 25, 2020

    Fixed issues:

    • [RADAR-18734] - Fixed issue with unlimited length of form's AffectedName field

    Version 5.0.2 released November 25, 2020

    Fixed issues:

    • [RADAR-18745] - Fixed issue with authentication from a recording

    Version 5.0.3 released November 25, 2020

    Fixed issues:

    • [RADAR-18758] - Fixed issue with scan getting terminated when manual crawling action can't be replayed

    Version 5.0.4 released November 30, 2020

    Fixed issues:

    • [RADAR-18763] - Fixed issue with omitted logic that marks some form parameters as not being attackable when the form comes from a headless crawler
    • [RADAR-18771] - Fixed issue with too long <issueDetails> elements in an XML report

    Version 5.0.5 released December 2, 2020

    Fixed issues:

    • [RADAR-18796] - Fixed issue with System.InvalidOperationException raised by some checkers

    Version 5.0.6 released December 3, 2020

    Fixed issues:

    • [RADAR-18795] - Fixed issue with false positive findings reported by cross-site request forgery plugin

    Version 5.1.0 released December 22, 2020

    New features and improvements:

    • [RADAR-18618] - Fixed a problem with finding formatted payload in difference-based SQLi plugin
    • [RADAR-18777] - Cleaned up the HTTP exchange API
    • Improvements in DNS resolver and recheck process

    Version 5.1.1 released December 22, 2020

    Fixed issues:

    • [RADAR-18939] - Fixed chaining sequence for SQLi plugins

    Version 5.2.0 released January 11, 2021

    New features and improvements:

    • [RADAR-18920] - Add crawling restrictions for JS src urls
    • [RADAR-18944] - Difference-based SQLi - ignore changing content in HTML comments
    • [RADAR-19061] - Difference-based SQLi - ignore similar differences
    • [RADAR-19062] - Difference-based SQLi - ignore broken responses

    Version 5.3.0 released January 21, 2021

    New features and improvements:

    • [RADAR-19107] - Make finding the description from the difference-based blind SQLi plugin more human friendly
    • [RADAR-19080] - Improve selectors generated by Recorder

    Version 5.4.0 released February 01, 2021

    New features and improvements:

    • [RADAR-19194] - Ignore mailchimp plugin form fields
    • [RADAR-19176] - Scanned page source code in the crawled URL fixed

    Version 5.5.0 released March 23, 2021

    New features and improvements:

    • [RADAR-19382] - Improved HTTP response reading and parsing

    Version 5.5.1 released March 29, 2021

    New features and improvements:

    • [RADAR-19657] - Fixed issue with duplicated request id in clustering


  • Sylwia
    Sylwia Posts: 44 WithSecure Employee

    Old change logs

    Publication time frame: April 2021 - February 2022


    Version 5.5.2 released April 07, 2021

    New features and improvements:

    • [RADAR-19705] - Added handling for cases where the content encoding header is set to identity

    Version 5.5.3 released April 26, 2021

    New features and improvements:

    • [RADAR-19841] - Added a failproof HTTP response parser to parse HTTP responses without reason phrases

    Version 5.6.0 released April 29, 2021

    New features and improvements:

    • [RADAR-19737] - Limited plugins access to URLs marked as a JS file
    • [RADAR-18639] - Changed the callback URL for XSS attack
    • [RADAR-18908] - Added an option to allow requests to a domain different from the target domain
    • [RADAR-19740] - Improved the CSRF token search in the case of a known token

    Version 5.7.0 released June 15, 2021

    New features and improvements:

    • [RADAR-19757] - Updated .NET framework version to .NET 5
    • [RADAR-19958] - Replaced insecure binary formatter
    • [RADAR-19959] - Replaced obsolete SSL configuration values
    • [RADAR-20005] - Updated Puppeteer and Chromium to the newest version
    • [RADAR-20023] - Improved difference-based SQLi plugin

    Version 5.7.1 released June 17, 2021

    Fixed issues:

    • [RADAR-20289] - Restored the previously used Chromium version (dependency problem on Linux)

    Version 5.8.0 released July 13, 2021

    New features and improvements:

    • [RADAR-20336] - Changed a NuGet source

    Version 5.9.0 released August 09, 2021

    New features and improvements:

    • [RADAR-19670] - Improved headless crawler
    • [RADAR-20007] - Fixed Web Scan Web Console
    • [RADAR-20495] - Improved difference-based SQLi algorithm
    • [RADAR-20587] - Allowed requests to ReCaptcha API

    Version 5.10.0 released August 30, 2021

    New features and improvements:

    • [RADAR-19465] - Improved Web Scan RAM usage

    Version 5.10.1 released September 13, 2021

    New features and improvements:

    • [RADAR-20831] - Fixed the issue with calling ToString on an empty page state

    Version 5.11.0 released September 18, 2021

    New features and improvements:

    • [RADAR-20793] - Added HTTP response splitting check
    • [RADAR-20797] - Improved difference-based SQLi check, ignored 429 response code, and changed the reporting conditions for a 5xx response code.

    Version 5.12.0 released September 30, 2021

    New features and improvements:

    • [RADAR-20387] - A customized OpenSSL library is used on Linux
    • [RADAR-20912] - Enabled changing the follow redirects option by configuration
    • [RADAR-20926] - Handling of a login fingerprint check on frame-based sites

    Version 5.13.0 released October 13, 2021

    New features and improvements:

    • [RADAR-20525] - Extended an SPA attack surface
    • [RADAR-20801] - Added additional health checks

    Version 5.14.0 released November 04, 2021

    New features and improvements:

    • [RADAR-21068] - Headless crawler improvements

    Version 5.15.0 released November 25, 2021

    New features and improvements:

    • [RADAR-21110] - Added additional field to a scan report

    Version 5.16.0 released January 11, 2022

    New features and improvements:

    • [RADAR-20461] - Scanner accepts and handles a scan configuration with checks selected by a user
    • [RADAR-21346] - Added new HTTP header checks (x-content-type, x-powered-by, missing SameSite cookie attribute)
    • [RADAR-21392] - Added a size limit for a scan report
    • [RADAR-21436] - Fixed issue with a null reference in some rare cases during scanner start

    Version 5.17.0 released February 01, 2022

    New features and improvements:

    • [RADAR-21637] - Limited number of analyzers to run on requests to external JS resources
    • [RADAR-21677] - Fixed issue with not persistent Run Attack option in the scan configurator

    Version 5.17.1 released February 15, 2022

    New features and improvements:

    • [RADAR-21907] - Fixed issue with a hostname resolved to IPv6 instead of an IPv4


  • Sylwia
    Sylwia Posts: 44 WithSecure Employee

    Old change logs

    Publication time frame: March 2022 - September 2022


    Version 5.18.0 released March 09, 2022

    New features and improvements:

    • [RADAR-21508] - Added Log4Shell vulnerability check
    • [RADAR-21654] - Fixed issue with a scan that takes more than 24 hours when the target has multiple pages with the same form
    • [RADAR-21794] - Fixed issue with a failed Web Scan recording replay in some cases
    • [RADAR-21829] - Fixed issue with enabled plugins defined in a template not inherited by a scan configuration

    Version 5.19.0 released March 31, 2022

    New features and improvements:

    • [RADAR-20855] - Changed an HTTP connection implementation. New implementation is based on HTTP Client.
    • [RADAR-22177] - Updated .NET framework version to .NET 6 (LTS)
    • [RADAR-22181] - Updated build definition to use a new build node

    Version 5.20.1 released May 16, 2022

    New features and improvements:

    • [RADAR-22051] - Fixed issue with a headless crawler throwing exception when a response contains compress content encoding
    • [RADAR-22403] - Fixed issue with a headless crawler blocked by a website allow notifications popup
    • [RADAR-22230] - Updated build definition to use a Linux build node

    Version 5.21.0 released June 28, 2022

    New features and improvements:

    • [RADAR-20980] - Improved authentication with redirections handling
      • Introduced an additional external URL access configuration option. This addresses the case of an SPA target with a complicated API (lots of different URLs) and external authentication provider (URLs with unique session/request query parameters).
      • Added Login Fingerprint URL to the recording. This will allow for redirection from the target URL specified in the scan configuration as a start URL to the fingerprint URL (URL where the target lands after an authentication process).
      • Changed the way how HTTP requests are intercepted by the headless crawler and replaced an HTTP request execution backend. Those changes extend our support of HTTP versions to any version supported by the .NET framework and the browser. HTTP 2 pages are fully supported now.
    • [RADAR-22693] - Improved headless crawler
      • Changed the finish conditions for the headless crawler
      • Improved the new page URL reporting. Crawler will report each new address bar URL (same document navigation)
    • [RADAR-22600] - Added a minor version update after hotfix/bugfix
    • [RADAR-22542] - Improved HTTP request and response model
      • Internal change: the internal HTTP model was refactored and prepared for the next improvements to the headless crawler.
    • [RADAR-18909] - Added an additional method for identifying elements in a recording
      • Added XPath as an additional ID for a recorded element (CSS selector is treated as a main ID).

    Version 5.21.1 released July 28, 2022

    New features and improvements:

    • [RADAR-23046] - Fixed issue with a headless crawler crashing when trying to open an external page in a new tab

    Version 5.22.4 released September 05, 2022

    New features and improvements:

    • [RADAR-23205] - Improved Time Based Blind SQLi implementation
      • Algorithm is more robust and conditions for accepting vulnerability are hardened
    • [RADAR-23088] - Fixed an issue in which the scanner automatically logged out in some cases
    • [RADAR-23318] - Changed timeout handling during authentication
      • Fixed an issue in which a scanned target took long to load or made a lot of requests during the authentication process and triggered timeout
    • [RADAR-18472] - Improved cookies handling
    • [RADAR-19124] - Updated dependencies
    • [RADAR-23375] - Changed the main identifier for web page elements in Headless Crawler to XPath
      • Fixed an issue in which the CSS identifier was changing or was not unique

    Version 5.23.0 released September 16, 2022

    New features and improvements:

    • [RADAR-23471] - Added recording of logout actions to the Web Scan Recorder plugin
      • In addition to blocking logout URLs, the scanner will block actions performed during the logout process

    Version 5.23.1 released September 22, 2022

    New features and improvements:

    • [RADAR-23562] - Fixed an issue with the Cookie manager throwing exceptions in some rare cases


  • Arasz
    Arasz Posts: 13 WithSecure Employee

    Old change logs

    Publication time frame: October 2022 - November 2022


    Version 5.24.0 released October 6, 2022

    New features and improvements:

    • [RADAR-23624] - Updated a User-Agent header used by the scanner
      • User-Agent header contains a current version of the scanner

    Version 5.25.0 released October 24, 2022

    New features and improvements:

    • [RADAR-23753] - Improved a login fingerprint search algorithm
    • [RADAR-23756] - Added a size limit to the HTTP response cache file
    • [RADAR-23704] - Improved a build result observability and fixed unstable unit tests

    Version 5.26.0 released November 03, 2022

    New features and improvements:

    • [RADAR-23828] - Fixed issue with an unhandled logout during a scan in rare cases
      • Improved logout detection and reauthentication algorithm in general
    • [RADAR-23781] - Added an experimental ARM64 build target


  • Arasz
    Arasz Posts: 13 WithSecure Employee

    Version 5.27.0 released January 18, 2023

    New features and improvements:

    • [RADAR-24395] - Fixed issue with a failing scan when recording didn't have any requests
    • [RADAR-23894] - Updated User-Agent header used by the scanner
    • [RADAR-24225] - Reduced vulnerability checking load on the target when crawling is active


  • Arasz
    Arasz Posts: 13 WithSecure Employee

    Version 5.28.0 released February 14, 2023

    New features and improvements:

    • [RADAR-24023] - Added 401 Unauthorized response code as a correct return code for the login page
    • [RADAR-24401] - Added support for the CVSSv3
    • [RADAR-24450] - Fixed unhandled exception in the headless crawler
    • [RADAR-24503] - Fixed issue with a disappearing recording state between page changes in the Web Scan Recorder Chrome extension (version 2.4.0)
    • [RADAR-24583] - Fixed issue with not intercepted responses headers during authorization
  • Arasz
    Arasz Posts: 13 WithSecure Employee

    Version 5.29.0 released March 01, 2023

    New features and improvements:

    • [RADAR-24788] - Fixed null reference exception in the headless browser HTTP request interceptor
    • [RADAR-24730] - Fixed an error "element.href.startsWith is not a function" in the headless browser interop code
    • [RADAR-24737] - Added logout monitoring to the regular crawler


  • Arasz
    Arasz Posts: 13 WithSecure Employee
    edited April 20

    Version 5.30.0 released April 20, 2023

    New features and improvements:

    • [RADAR-24832] - Fixed issue with the variable query parameters in the recorded login fingerprint URL
    • [RADAR-23881] - Improved consistency between scan executions by moving reported vulnerabilities selection at the end of the scan

  • Arasz
    Arasz Posts: 13 WithSecure Employee

    Version 5.31.0 released May 17, 2023

    New features and improvements:

    • [RADAR-25108] - Updated included Chromium to the newest revision
      • Improved update process

  • Arasz
    Arasz Posts: 13 WithSecure Employee
    edited June 7

    Version 5.31.1 released June 05, 2023

    New features and improvements:

    • [RADAR-25427] - Changed Chromium for Windows version to the last version with support for Windows server 2012 r2

  • Arasz
    Arasz Posts: 13 WithSecure Employee

    Version 5.32.0 released July 05, 2023

    New features and improvements:

    • [RADAR-25487] - Added Chromium dependencies for supported Linux distributions

  • Arasz
    Arasz Posts: 13 WithSecure Employee

    Version 5.33.0 released July 07, 2023

    New features and improvements:

    • [RADAR-25403] - Fixed issue with the incorrectly displayed discovered pages

  • Arasz
    Arasz Posts: 13 WithSecure Employee

    Version 5.34.0 released July 13, 2023

    New features and improvements:

    • [RADAR-25516] - Fixed issue with case sensitive HTTP headers
    • [RADAR-25587] - Fixed issue with a report size limit errors when limit was not reached

  • Arasz
    Arasz Posts: 13 WithSecure Employee
    edited July 14

    Version 5.34.1 released July 14, 2023

    New features and improvements:

    • [RADAR-25630] - Fixed issue with a null reference exception during report creation for some vulnerability checks

  • Arasz
    Arasz Posts: 13 WithSecure Employee
    edited August 2

    Version 5.35.0 released July 28, 2023

    New features and improvements:

    • [RADAR-25683] - Fixed issue with a CSRF check execution where CSRF check state counters were not managed properly and a scan never reached normal ending conditions
    • [RADAR-25683] - Improved a scan performance monitoring

  • Arasz
    Arasz Posts: 13 WithSecure Employee

    Version 5.36.0 released August 2, 2023

    New features and improvements:

    • [RADAR-25711] - Added 502 HTTP response code to ignored response codes in blind difference SQLi vulnerability check to reduce false positives
    • [RADAR-25711] - Improved vulnerability check execution in cases where async execution was necessary
    • [RADAR-25722] - Fixed issue with a CSRF check execution where for some cases execution finished response was not sent and a scan never reached normal ending conditions