This document contains important information regarding F-Secure Radar Web Scan. We strongly recommend that you read this entire document to check for changes that may affect your service.
Product updates
This section lists the changes implemented for Radar Web Scan.
Version 5.13.0 released October 13, 2021
New features and improvements:
- [RADAR-20525] – Extended the SPA attack surface
- [RADAR-20801] – Added additional health checks
Version 5.12.0 released September 30, 2021
New features and improvements:
- [RADAR-20387] – A customized OpenSSL library is used on Linux
- [RADAR-20912] – Enabled changing the follow redirects option by configuration
- [RADAR-20926] – Handling of a login fingerprint check on frame-based sites
Version 5.11.0 released September 18, 2021
New features and improvements:
- [RADAR-20793] – Added HTTP response splitting check
- [RADAR-20797] – Improved the difference-based SQLi check: the 429 response code is ignored, and the reporting conditions for 5xx response codes were changed.
Version 5.10.1 released September 13, 2021
New features and improvements:
- [RADAR-20831] – Fixed the issue with calling ToString on an empty page state
Version 5.10.0 released August 30, 2021
New features and improvements:
- [RADAR-19465] – Improved Web Scan RAM usage
Version 5.9.0 released August 09, 2021
New features and improvements:
- [RADAR-19670] – Improved headless crawler
- [RADAR-20007] – Fixed Web Scan Web Console
- [RADAR-20495] – Improved difference-based SQLi algorithm
- [RADAR-20587] – Allowed requests to ReCaptcha API
Version 5.8.0 released July 13, 2021
New features and improvements:
- [RADAR-20336] – Changed a NuGet source
Version 5.7.1 released June 17, 2021
Fixed issues:
- [RADAR-20289] – Restored the previously used Chromium version (dependency problem on Linux)
Version 5.7.0 released June 15, 2021
New features and improvements:
- [RADAR-19757] – Updated .NET framework version to .NET 5
- [RADAR-19958] – Replaced insecure binary formatter
- [RADAR-19959] – Replaced obsolete SSL configuration values
- [RADAR-20005] – Updated Puppeteer and Chromium to the newest version
- [RADAR-20023] – Improved difference-based SQLi plugin
Version 5.6.0 released April 29, 2021
New features and improvements:
- [RADAR-19737] – Limited plugins’ access to URLs marked as a JS file
- [RADAR-18639] – Changed the callback URL for XSS attack
- [RADAR-18908] – Added an option to allow requests to a domain different from the target domain
- [RADAR-19740] – Improved the CSRF token search in the case of a known token
Version 5.5.3 released April 26, 2021
New features and improvements:
- [RADAR-19841] – Added a failproof HTTP response parser to parse HTTP responses without reason phrases
Version 5.5.2 released April 07, 2021
New features and improvements:
- [RADAR-19705] – Added handling for cases where the content encoding header is set to identity
Version 5.5.1 released March 29, 2021
New features and improvements:
- [RADAR-19657] – Fixed issue with duplicated request id in clustering
Version 5.5.0 released March 23, 2021
New features and improvements:
- [RADAR-19382] – Improved HTTP response reading and parsing
Version 5.4.0 released February 01, 2021
New features and improvements:
- [RADAR-19194] – Ignore Mailchimp plugin form fields
- [RADAR-19176] – Scanned page source code in the crawled URL fixed
Version 5.3.0 released January 21, 2021
New features and improvements:
- [RADAR-19107] – Made the finding description from the difference-based blind SQLi plugin more human-friendly
- [RADAR-19080] – Improved the selectors generated by the Recorder
Version 5.2.0 released January 11, 2021
New features and improvements:
- [RADAR-18920] – Added crawling restrictions for JS src URLs
- [RADAR-18944] – Difference-based SQLi – ignore changing content in HTML comments
- [RADAR-19061] – Difference-based SQLi – ignore similar differences
- [RADAR-19062] – Difference-based SQLi – ignore broken responses
Version 5.1.1 released December 22, 2020
Fixed issues:
- [RADAR-18939] – Fixed chaining sequence for SQLi plugins
Version 5.1.0 released December 22, 2020
New features and improvements:
- [RADAR-18618] – Fixed a problem with finding formatted payload in difference-based SQLi plugin
- [RADAR-18777] – Cleaned up the HTTP exchange API
- Improvements in DNS resolver and recheck process
Version 5.0.6 released December 3, 2020
Fixed issues:
- [RADAR-18795] – Fixed issue with false positive findings reported by cross-site request forgery plugin
Version 5.0.5 released December 2, 2020
Fixed issues:
- [RADAR-18796] – Fixed issue with System.InvalidOperationException raised by some checkers
Version 5.0.4 released November 30, 2020
Fixed issues:
- [RADAR-18763] – Fixed issue with omitted logic that marks some form parameters as not being attackable when the form comes from a headless crawler
- [RADAR-18771] – Fixed issue with too long <issueDetails> elements in an XML report
Version 5.0.3 released November 25, 2020
Fixed issues:
- [RADAR-18758] – Fixed issue with scan getting terminated when manual crawling action can’t be replayed
Version 5.0.2 released November 25, 2020
Fixed issues:
- [RADAR-18745] – Fixed issue with authentication from a recording
Version 5.0.1 released November 25, 2020
Fixed issues:
- [RADAR-18734] – Fixed issue with unlimited length of form’s AffectedName field
Version 5.0.0 released November 24, 2020
New features and improvements:
- [RADAR-17349] – Clustering mechanism reimplemented
- [RADAR-15138] – New checker for Cross-Site Request Forgery detection
- [RADAR-18471] – Improved detection of vulnerable Bootstrap library
- [RADAR-18371] – Solution reorganization and code cleanup (no visible impact for end users)
- [RADAR-18290] – Improvements in Difference-based SQL injection checker
Fixed issues:
- [RADAR-18596] – Fixed issue with the health check mechanism
- [RADAR-18606] – Fixed issue with reading a recording containing illegal characters
Version 4.8.0 released October 20, 2020
New features and improvements:
- [RADAR-18312] – Configuration settings and handling cleaned up
- [RADAR-9211] – NTLM authentication implemented
- [RADAR-18244] – Added HTTP header “Accept-Encoding: gzip, deflate” to default headers
- [RADAR-17986] – Configurable query parameters that are distinguishable for the crawler
- [RADAR-18004] – Build directory does not contain Chromium revision number
- Some internal changes with no visible impact for end users
Version 4.7.6 released October 16, 2020
Fixed issues:
- [RADAR-18379] – Fixed issue with basic authentication
Version 4.7.5 released September 19, 2020
Fixed issues:
- [RADAR-18010] – Fixed issue with redirection made by JavaScript code in a browser
- [RADAR-18102] – Fixed issue with race condition while reading the recording file
Version 4.7.4 released August 26, 2020
Fixed issues:
- [RADAR-17866] – Fixed issue with improper handling of CRLF (end of line) in LoginFingerprint
Version 4.7.3 released August 20, 2020
Fixed issues:
- [RADAR-17851] – Fixed issue with proper selection of starting request
Version 4.7.2 released August 20, 2020
Fixed issues:
- [RADAR-17826] – Fixed issue with starting request being restricted via HTTP method restriction
Version 4.7.1 released August 19, 2020
Fixed issues:
- [RADAR-17811] – Fixed issue with approachability phase failure
Version 4.7.0 released July 29, 2020
New features and improvements:
- [RADAR-1054] – Handling HTML forms protected by one-time anti-CSRF token
Version 4.6.2 released July 8, 2020
Fixed issues:
- [RADAR-17557] – Fixed issue with input field not being cleared before typing in the headless crawler
- [RADAR-17558] – Fixed issue with handling navigation when replaying manual crawling
Version 4.6.1 released July 2, 2020
Fixed issues:
- [RADAR-17279] – Fixed issue with improper starting URL for crawling
- [RADAR-17506] – Fixed issue with hanging headless crawler on print dialog
Version 4.6.0 released July 1, 2020
Fixed issues:
- [RADAR-17460] – Fixed issue with hanging scan if the target responds with JSON content type
- [RADAR-17450] – Fixed error in log entry informing about redirection
Version 4.5.2 released June 25, 2020
Fixed issues:
- [RADAR-17279] – Fixed issue with replaying events when starting request is POST
Version 4.5.1 released June 23, 2020
Fixed issues:
- [RADAR-17279] – Fixed issue with starting URLs not being added to the blocklist
- [RADAR-17368] – Fixed issue with not respecting HTTP method restrictions for a POST request to start crawling
Version 4.5.0 released June 18, 2020
New features and improvements:
- [RADAR-16286] – Follow redirects option in engine (turned off by default)
Fixed issues:
- [RADAR-17029] – Fixed issue with Chromium orphans left after scan
- [RADAR-17279] – Fixed issue with handling the first POST request after successful authentication
- [RADAR-17306] – LoginFingerprint and LogoutFingerprint in WebScan config override recorded values
- [RADAR-17165] – Fixed issue with false positives caused by prefixing payloads in forceful browsing checks
Version 4.4.5 released May 21, 2020
New features and improvements:
- [RADAR-17057] – Applied a workaround to enable finding the element with changing CSS selector when replaying authentication flow
Version 4.4.4 released May 20, 2020
New features and improvements:
- [RADAR-17081] – Fixed issue with launching Chromium
Version 4.4.3 released May 19, 2020
New features and improvements:
- [RADAR-16922] – Upgraded Chromium to rev. 722234 (ver. 80.0.3987.0)
Version 4.4.2 released April 9, 2020
Fixed issues:
- [RADAR-16769] – Fixed issue with a timeout during the approachability check
Version 4.4.1 released April 9, 2020
Fixed issues:
- [RADAR-16706] – Fixed issue with broken basic authentication in classical crawler
- [RADAR-16740] – Fixed issue with some Forceful Browsers’ checks not being executed when only this kind of check is configured
Version 4.4.0 released April 3, 2020
New features and improvements:
- [RADAR-16593] – Handling mouse-over type of events in a recording
Fixed issues:
- [RADAR-16591] – Fixed issue with replaying a recording ‘change’ event when the input’s selector had changed during typing
Version 4.3.0 released March 31, 2020
New features and improvements:
- [RADAR-16429] – Handling a new configuration format produced by improved WebScan’s configuration wizard in the Radar
- [RADAR-16435] – Crawled (and attacked) request can be filtered out by HTTP methods
Fixed issues:
- [RADAR-16517] – Fixed dates in WebScan’s report
- [RADAR-16516] – Fixed issue with NetworkInformationException
Version 4.2.7 released March 13, 2020
Fixed issues:
- [RADAR-16396] – Fixed problem with negative index when generating finding info in the log file
Version 4.2.6 released February 26, 2020
New features and improvements:
- [RADAR-15995] – Performance optimization – response body is cached/stored separately from exchange data
- [RADAR-15995] – Performance optimization – handling the logic of the PrivateIpAddressDisclosure plugin
- Other minor performance optimizations
Fixed issues:
- [RADAR-15995] – Fixed problem with memory leak caused by specific component registration in application container
- [RADAR-15995] – Fixed problem with counting memory size of disk’s cache structure
Version 4.2.5 released February 13, 2020
New features and improvements:
- [RADAR-15995] – Some performance optimization of disk data storage (caching component)
Fixed issues:
- [RADAR-15995] – Fixed issue with XSS payload serialization, fixed issue with memory statistics not showing in the log file
Version 4.2.4 released February 10, 2020
Fixed issues:
- [RADAR-16087] – Fixed issue with unnecessary scan termination on headless browser closing timeout
Version 4.2.3 released February 02, 2020
Fixed issues:
- [RADAR-15995] – Fixed “NullReferenceException” issue
Version 4.2.2 released January 29, 2020
Fixed issues:
- [RADAR-15995] – Relaxed the conditions for a ‘good’ health testing response
Version 4.2.1 released January 21, 2020
Fixed issues:
- [RADAR-15602] – Fixed issue with blocking initial request
Version 4.2.0 released January 9, 2020
New features and improvements:
- [RADAR-14445] – Replaying new recording format (from new recorder Chrome plugin)
- [RADAR-14185] – Improved some payloads of SQL injection attacks
- [RADAR-14185] – Upgraded all acceptance tests to a new format, added many new tests
- [RADAR-15741] – Optimized the headless crawler starting mechanism
Fixed issues:
- [RADAR-15679] – Fixed issue with missing forceful browsers’ findings
- [RADAR-14185] – Fixed issue with SOAP requests missed by the crawler
- [RADAR-15602] – Reauthentication check skips looking for the logout fingerprint in JavaScript files
Version 4.1.16 released December 13, 2019
Fixed issues:
- [RADAR-15602] – Fixed issue with proper decoding form parameters created from a request body
- [RADAR-15544] – Fixed broken payload in BlindCMDi plugin
- [RADAR-15493] – Fixed problem with timing out requests during approachability checking
Version 4.1.15 released December 11, 2019
Fixed issues:
- [RADAR-15491] – Fixed issue with looking for the LoginFingerprint when a page wasn’t fully loaded
- [RADAR-15478] – Skipping duplicate (not visible) inputs when typing credentials in a login form
Version 4.1.14 released December 10, 2019
Fixed issues:
- [RADAR-15493] – Applied a workaround for an issue relating to blocking the permanent connections (e.g. “polling”)
Version 4.1.13 released November 21, 2019
Fixed issues:
- [RADAR-15381] – Added ‘input[type=image]’ to queried selectors when searching the submit button of the login form
- Fixed issue with broken links extraction in the headless crawler
Version 4.1.11 released November 12, 2019
Fixed issues:
- [RADAR-15303] – Fixed issue with an unhandled exception during the reporting phase
Version 4.1.10 released November 07, 2019
Fixed issues:
- [RADAR-15277] – Fixed issue with trying to use a non-visible DOM element during authentication
Version 4.1.6 released October 25, 2019
Fixed issues:
- [RADAR-15159] – Fixed issue with dialogs blocking authentication flow
Version 4.1.5 released October 24, 2019
Fixed issues:
- [RADAR-15159] – When authenticating, WebScan chooses the submit button if there are other non-button submit controls
- [RADAR-15164] – WebScan returns a specific exit code when generating a report fails
Version 4.1.4 released October 21, 2019
Fixed issues:
- [RADAR-14467] – Fixed issue with proper scan termination in case of exception of initial scan phase
- [RADAR-15129] – Fixed issue with the termination of the scan by not handling requests with JSON-array payload
Version 4.1.2 released October 17, 2019
Fixed issues:
- [RADAR-15097] – Fixed issue with scanning all URLs configured in “Add relative URLs for scanning”
Version 4.1.1 released October 17, 2019
Fixed issues:
- [RADAR-15090] – Fixed issue with finding the proper submit button within the authentication form
Version 4.1.0 released October 16, 2019
New features and improvements:
- [RADAR-14987] – New attacker – difference-based SQL injection
- [RADAR-15036] – Error-based SQL injection attacks XML element injection point
- [RADAR-13319] – XML final report contains findings’ OWASP references
- [RADAR-14805] – Improvements in the logic of time-based attacks
Fixed issues:
- [RADAR-15059] – Fixed issue with false positives generated by BackupDirectories forceful browser
- [RADAR-14909] – Fixed issue with hanging scans in case of OutOfMemoryException in starting phase
Version 4.0.5 released October 14, 2019
Fixed issues:
- [RADAR-15049] – Fixed issue with NullReferenceException when rechecking JSON findings
Version 4.0.4 released October 9, 2019
Fixed issues:
- [RADAR-14941] – Fixed issue with reporting external JavaScript links as discovered pages
Version 4.0.3 released October 7, 2019
Fixed issues:
- [RADAR-14953] – Fixed issue with conflicts in JavaScript event registration during the authentication phase
Version 4.0.2 released October 4, 2019
Fixed issues:
- [RADAR-14941] – Increased the headless browser’s timeout for the approachability checking phase
Version 4.0.1 released October 2, 2019
Fixed issues:
- [RADAR-14914] – Fixed issue with not applying HTTP headers from config by Headless crawler
Version 4.0.0 released October 2, 2019
New features and improvements:
- Attacking model redesigned and reimplemented:
- attackers are defined in a declarative way
- logic of popular types of attacks is abstracted and centralized
- attackers can reuse results of other attackers
- identifiers of all plugins have changed
- “GET parameter” affected element name renamed to “query parameter”, and “POST parameter” renamed to “form parameter”
Version 3.4.4 released September 26, 2019
Fixed issues:
- [RADAR-14876] – Fixed issue with attacking externally hosted JS libraries
Version 3.4.3 released September 20, 2019
Fixed issues:
- [RADAR-14804] – Fixed issue with visibility of HTTP requests on reports
Version 3.4.2 released September 19, 2019
Fixed issues:
- [RADAR-14773] – Another fix related to WebSocket’s ‘upgrade’ mechanism
Version 3.4.1 released September 16, 2019
Fixed issues:
- [RADAR-14773] – WebSocket’s ‘upgrade’ requests are blocked (they hang the crawler)
Version 3.4.0 released September 9, 2019
New features and improvements:
- [RADAR-14280] – Attacking JSON payloads (all but XSS attack types)
- [RADAR-1209] – New plugin (id 59) that looks for old, vulnerable JavaScript libraries
- [RADAR-13319] – Added references to OWASP Top 10 categories in all plugins (not visible for the user so far)
Version 3.3.1 released August 28, 2019
Fixed issues:
- [RADAR-14602] – Fixed OverflowException during report generation
Version 3.3.0 released August 23, 2019
New features and improvements:
- [RADAR-14280] – Attacking JSON payloads (error-based SQLi so far)
- [RADAR-14445] – Replaying recorded DOM events by the headless crawler (feature not available for the user)
Fixed issues:
- [RADAR-14578] – Removed “faultstring” SQLi fingerprint that causes false-positive findings
- [RADAR-14568] – Fixed the “login form’s ‘submit’ button hasn’t been found” issue – a form’s button without the ‘type’ attribute is recognized as a ‘submit’ button (in accordance with HTML spec)
- [RADAR-14388] – Another fix related to proper scan termination in case of an exception inside headless crawler
Version 3.2.1 released August 21, 2019
Fixed issues:
- [RADAR-14484] – Fixed an issue with authenticated scans of WordPress sites. Fixed the handling of the logout fingerprint: it is treated as a regular expression by default, but some values cannot be parsed as a valid regular expression, in which case the value is treated as plain text. Fixed the progress percent info showing NaN in some rare cases.
Version 3.2.0 released July 30, 2019
New features and improvements:
- [RADAR-12883] – Removing unwanted findings by forceful browsers
- [RADAR-14399] – Headless crawler improved to minimize breaking connections because of moving on too fast
- [RADAR-14388] – Memory usage optimizations
Fixed issues:
- [RADAR-14324] – Fixed issue related to the crawler missing some intermediate paths
- [RADAR-14367] – Fixed issue with static analyzers reporting the proper URL when they report only a single finding
- [RADAR-14371] – Fixed issue with wrong Content-Length header value for POST request mapped from headless crawler
- [RADAR-14372] – Fixed issue with wrong Content-Length header value for some POST attack requests
- [RADAR-869] – Fixed issue with breaking scans when a plugin’s grouping mechanism received requests other than GET or POST
- [RADAR-14388] – Fixed terminating the scan in case of MemoryException
Version 3.1.0 released July 22, 2019
New features and improvements:
- [RADAR-869] – Grouping plugins to mitigate duplicated findings (e.g. time-based SQLi are executed only if error-based attacks fail)
- [RADAR-9992] – New static analyzer: Missing ‘X-Frame-Options’ header
- [RADAR-13995] – Fixed problem with disk storage overuse due to the accumulation of unprocessed responses
- [RADAR-14148] – Build artifacts include an xlsx sheet, generated from the test cases, listing the known vulnerabilities of well-known broken web applications
Fixed issues:
- [RADAR-14125] – Excluded the 127/8 range from the PrivateIpAddressDisclosure plugin (false positive: internal IP address disclosure)
- [RADAR-14268] – Fixed a bug within checking XSS fingerprint’s procedure that produced false positives in some specific cases
Version 3.0.0 released July 17, 2019
New features and improvements:
- [RADAR-11238] – Porting WebScan to .NET Core – can be run on Linux (also RADAR-6979)
- [RADAR-10783] – Headless crawler in WebScan
- a new Chromium-based crawler is added to support the existing one
- the new crawler runs for a configurable time (now set to 3 minutes), looks for links, forms, and events in the rendered DOM, and captures AJAX requests
- the approachability check (with authentication) phase is done by the new crawler
- [RADAR-13757] – New building pipeline incorporating new requirements (.NET Core, downloading Chromium binaries, etc.)
- [RADAR-10211] – Added static backup guesses (.zip, .tar.gz, .tgz) to BackupDirectories and BackupFiles forceful browsing plugins
- [RADAR-11324] – Added common folders (.idea, .vs, .vscode) to the CommonDirectories forceful browsing plugin
- [RADAR-13843] – Cookies specified in scan config always override ones obtained during the scan
- [RADAR-13869] – Clusterer’s limit of checked samples in a cluster was decreased to 100
- [RADAR-13880] – Added a new scope restriction that is based on URL path depth (number of path segments)
- [RADAR-13919] – Added a new scope restriction that is based on the detection of recurring URL path segments (detection of looped paths)
- [RADAR-10365] – XSS attacks that execute a remote JS script now use real resources (a JS script) that actually exploit (and confirm) the vulnerability
Fixed issues:
- [RADAR-13797] – Form has the wrong URL when it has a relative URL in the ‘action’ attribute
- [RADAR-11556] – Static analysis of external responses within checking approachability phase is forbidden
- [RADAR-13869] – The scan is forced to stop when the “max. URLs to crawl” limit is reached
- [RADAR-13965] – Web Scan truncates too-big request bodies (not only response bodies) for the report
- [RADAR-14012] – Fixed an issue with incorrect URL in _Findings_ field shown by forceful browsing plugins
Version 2.25.2 released March 13, 2019
Fixed issues:
- [RADAR-12892] – Further improvements related to memory overuse.
Improvements:
- [RADAR-12976] – Improved logging of crawled pages
- [RADAR-12972] – Multipart requests no longer decode the parameter values
Version 2.25.1 released March 11, 2019
Fixed issues:
- [RADAR-12948] – Fixed path encoding inside URLs.
Version 2.25.0 released March 10, 2019
New features and improvements:
- [RADAR-12892] – Improvements related to memory overuse.
Version 2.24.1 released March 4, 2019
Fixed issues:
- [RADAR-12892] – Fixed issue with forms authentication where a parameter name of a login form had to be encoded.
Version 2.24.0 released March 1, 2019
Fixed issues:
- [RADAR-12789] – Fixed problems with memory overuse
- [RADAR-12719] – Fixed issue manifesting with “An item with the same key has already been added.” error log
- [RADAR-12861] – Fixed issue with inappropriate extraction of links from ‘window.open’ JavaScript code
- [RADAR-12795] – The “~1” check in forceful browsing plugins was discarded as it leads to false positives
- [RADAR-12796] – Login bypass type of the SQL injection check was discarded as it leads to false positives
Version 2.23.4 released February 15, 2019
- Bumped version to avoid warnings about an engine not being updated in Radar Security Center (RADAR-12581)
Version 2.23.3 released January 16, 2019
Fixed issues:
- Fixed stopping the scan when the global timeout is reached (RADAR-12425)
Version 2.23.2 released January 14, 2019
Fixed issues:
- XML report sent is now UTF-8 encoded (RADAR-12246)
Version 2.23.1 released January 7, 2019
Fixed issues:
- Response encoding is set to UTF-8 when it cannot be deduced from the Content-Type header (RADAR-12246)
Version 2.23.0 released January 2, 2019
New features and improvements:
- Better progress reporting
- Centralized and unified logging of the internal state of various components (at DEBUG level)
- Many technical changes to make the solution ready for a headless crawler component (RADAR-12146, RADAR-11617)
Version 2.22.2 released December 11, 2018
Fixed issues:
- Handling improper values of the Content-Type header (RADAR-12120)
Version 2.22.1 released December 7, 2018
New features and improvements:
- Disk storage optimizations (RADAR-12133, RADAR-11793)
Version 2.21.1 released November 19, 2018
Fixed issues:
- Fixed issue with the wrong extraction of window.location-type links inside HTML attributes (RADAR-11939)
Version 2.21.0 released October 30, 2018
New features and improvements:
- Reduced the number of generated requests (RADAR-11626, RADAR-11627, RADAR-11742, RADAR-11625)
- The fields in submitted forms are filled in with reasonable values if they are empty (RADAR-11688)
- Crawler looks for links inside ‘data-href’ attributes (RADAR-11740)
Version 2.20.0 released October 16, 2018
New features and improvements:
- Removed transformation of POST request into GET request (RADAR-11624)
- “Duplicate” requests (the same query parameters but different values) found by the crawler are filtered out from attacks (RADAR-11638)
- Many technical changes to improve the maintainability of the scanning engine (RADAR-11462, RADAR-11610)
Version 2.19.0 released September 26, 2018
New features and improvements:
- Technical changes that move the web scan functionality towards Linux compatibility (RADAR-6979)
Version 2.18.1 released September 11, 2018
Fixed issues:
- Fixed issue with proper scans finishing when the global timeout was reached (RADAR-11311)
- The 99% scan progress indication is presented during the recheck phase
Version 2.18.0 released September 3, 2018
New features and improvements:
- Additional scan phase for rechecking time-based findings (RADAR-11134)
- All findings of plugins 4, 7, 19, 29, and 32 are rechecked sequentially without any other traffic
- Findings rechecked negatively are removed
- Scan log contains information about what findings were rechecked and the result of the recheck
Version 2.17.4 released August 25, 2018
Fixed issues:
- Fixed handling of forms that have empty method attributes (RADAR-11184)
Version 2.17.3 released August 22, 2018
New features and improvements:
- The IP of the scanned host is now clearly visible at the start of the scan log – keyword: “TargetIp” (RADAR-11183)
Version 2.17.2 released August 16, 2018
New features and improvements:
- Requests other than GET or POST in recording are filtered out instead of the exception being thrown (RADAR-10868)
Version 2.17.1 released August 14, 2018
Fixed issues:
- Blocked attacks against URLs returning 30x when some fingerprint is then searched (RADAR-11114)
- Fixed “This operation is not supported” issue on gzip-compressed responses
Version 2.17.0 released August 14, 2018
New features and improvements:
- Connections management (RADAR-10978)
- Engine switched to sending HTTP/1.1 requests by default
- Support for the Connection: Keep-Alive HTTP header
- Dropping connections that cannot be reused for some reason
- Detection of blocked symbols in query parameter values in URLs (turned off by default for now) (RADAR-11116)
- Request rerun provides info about the rerun reason in the log file
Version 2.16.2 released August 6, 2018
New features and improvements:
- Handling the domain cookie’s attribute (RADAR-11053)
Version 2.16.1, released July 27, 2018
New features and improvements:
- Improved load balancing and health check mechanisms (RADAR-10869)
- Added information to logs about header/cookie injections
- Limited the number of requests generated from HTML forms with radio button/checkbox inputs (RADAR-10976)
- Plugin 41 (Cacheable HTTPS response) does not report findings for permanent redirections (RADAR-10990)
- XSS in-attribute-name onerror payload is injected only for pertinent HTML elements (RADAR-7131)
- Refactored the request object representation to enable various kinds of payloads (JSON, XML) (RADAR-10741)
Fixed issues:
- Form extractor properly parses inappropriately encoded form values (RADAR-10975)
- Referrer header is handled properly within the authentication flow for redirect requests (related to RADAR-10868)
- Fixed login authentication flow to better support cases where the active session cookie is added to the scan configuration
Version 2.15.0, released July 13, 2018
New features and improvements:
- Scan log file is UTF-8 encoded now (RADAR-10885)
- XSS checker detects XSS reflected as an HTML attribute name (RADAR-7131)
- Crawling engine looks for links inside “windows.href=…” and “windows.open(…)” patterns
- Some code refactoring to clean up the code base (restriction checking, recording handling) (RADAR-6976, RADAR-10943)
Fixed issues:
- Engine components are disposed properly (RADAR-9384)
- Removed noisy warning/error messages at the end of the scan log file
- Authentication flow skips all-hidden-fields forms when it looks for a login form
Version 2.14.0, released June 26, 2018
New features and improvements:
- New -i option for WSNG.exe that displays plugin information and vulnerability check statistics (RADAR-10662)
- Memory usage optimizations (RADAR-10816)
Version 2.13.1, released June 21, 2018
Fixed issues:
- Scan terminates properly if the auth configuration is inconsistent (RADAR-10690)
Version 2.13.0, released June 19, 2018
New features and improvements:
- Authentication mechanism rewritten to handle non-trivial cases (RADAR-10689)
Fixed issues:
- Extracting forms mechanism ignores form tags inside HTML comments
- Extracted form fields have properly encoded names
Version 2.12.0, released June 8, 2018
New features and improvements:
- The finding’s execution paths in the Finding field were changed to be more meaningful (RADAR-10591)
- Changed the detection logic of the PrivateIpAddressDisclosure plugin (20) to minimize false positives (RADAR-10503)
- Log events (messages, log levels) were reviewed and unified (RADAR-10382)
- Added a second, JSON-structured log file for data processing and analysis (RADAR-10383)
- Optimized the distribution of jobs related to processing requests and decreased the number of parallel processing threads (RADAR-10467)
Fixed issues:
- All timed out and response code 500 requests are rerun by the engine (some such requests were lost when the target site had some problems with processing requests) (RADAR-10668)
Version 2.11.5, released June 5, 2018
Fixed issues:
- Pages that are problematic for the page clusterer are treated as unique (non-clustered) (RADAR-10206)
Version 2.11.4, released June 1, 2018
New features and improvements:
- All hidden fields within authorization requests inside recordings are replaced by values from a fresh request (there is no need to remove them from the recording file)
Fixed issues:
- Checking request restrictions during authentication has been turned off (solves the issue when logout and login URLs are the same)
- The Solution field in PostFileInclusion plugin has been supplemented
Version 2.11.3, released May 29, 2018
Fixed issues:
- Fixed the “Index and length must refer to a location within the string” issue in XSS checks
Version 2.11.2, released May 16, 2018
Fixed issues:
- Fixed the “Invalid URI: The Uri string is too long” issue
Version 2.11.1, released May 14, 2018
New features and improvements:
- Changed the scan progress calculation to better reflect the scan state
- Some optimizations in healthcheck mechanism
Fixed issues:
- Fixed issue with hanging scans
- Added additional logging info in case of problems with parsing html forms
Version 2.11.0, released May 8, 2018
New features and improvements:
- As part of the vulnerability report data, the Web Scan engine saves the HTML body of the page on which the vulnerability was found. Previously the whole page was recorded; after this change, only the surroundings of the found fingerprint are recorded and sent back to Radar Security Center. This limits the report size and optimizes data processing.
Fixed issues:
- Fixed “System.ArgumentOutOfRangeException” issue related to plugin 44 (v2.10.2 does not cover all cases)
- Removed duplicated payloads in plugin 17
Version 2.10.3, released April 27, 2018
Fixed issues:
- Fixed “System.ArgumentOutOfRangeException” issue related to plugin 44 (v2.10.2 does not cover all cases)
Version 2.10.2, released April 26, 2018
Fixed issues:
- Fixed “System.ArgumentOutOfRangeException” issue related to plugin 44
Version 2.10.1, released April 25, 2018
Fixed issues:
- Findings per plugin limit decreased from 200 to 100
Version 2.10.0, released April 24, 2018
New features and improvements:
- XSS detections rewritten from scratch with the following assumptions:
  - the final stage of the attack should inject an “executable” payload
  - the injected payload should contain a random part so that it is distinguishable from old, stored attacks
  - all WAVSEP RXSS basic tests (except those exploiting the unsupported VBScript) should pass
- New StaticAnalyzer plugin – Unsafe characters in Location: header
- Some string-ignore-case comparison optimizations
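The two assumptions behind the rewritten XSS checks (a fresh random marker per probe, and a finding only when the marker comes back in an executable position) can be illustrated with a small verifier. This is an added example, not Radar Web Scan's code; the `rxs` tag name, the `render` callback standing in for the HTTP round trip, and the three stand-in target pages are constructed for the demonstration.

```python
import re
import secrets
from html import escape

# Added example, not Radar Web Scan's own code. Every probe carries a fresh random marker so
# that a reflection left behind by an earlier (stored) attack is never attributed to this
# run's injection, and a finding is reported only when the marker is reflected as a live,
# unescaped HTML tag rather than as inert text.

TAG_PREFIX = "rxs"  # constructed tag name for the probe; hypothetical, not an exploit string


def make_probe():
    """Return (marker, probe). The marker is regenerated for every injection."""
    marker = secrets.token_hex(6)
    return marker, f"<{TAG_PREFIX}{marker}>"


def is_executable_reflection(body, marker):
    """True only if the probe came back as a real tag, i.e. its '<' survived unescaped."""
    return re.search(rf"<{TAG_PREFIX}{marker}\b", body, re.IGNORECASE) is not None


def check_parameter(render, name):
    """Inject a probe into one parameter and verify the reflection in the response body.

    `render(params)` stands in for sending the request and returns the response body.
    """
    marker, probe = make_probe()
    body = render({name: probe})
    return {"parameter": name, "marker": marker,
            "vulnerable": is_executable_reflection(body, marker)}


# Constructed stand-in targets so the check can be exercised offline.
STALE_MARKER = "deadbeefcafe"  # marker supposedly left behind by an earlier scan


def page_escaping(params):
    # Correct output encoding: the probe is emitted as text and cannot execute.
    return f"<p>Hello {escape(params['q'])}</p>"


def page_raw(params):
    # No output encoding: the probe is emitted as a real element.
    return f"<p>Hello {params['q']}</p>"


def page_stored_only(params):
    # Escapes the current input but still carries an old stored reflection; without the
    # per-request marker this stale tag would be misreported as a hit on parameter q.
    return f"<p>Hello {escape(params['q'])}</p><{TAG_PREFIX}{STALE_MARKER}>"
```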
Fixed issues:
- Corrected the verification step of time-based SQL injection attacks
- Fixed issue with generating too many parameters in requests originating from GET forms
- Fixed “Out of sessions” ESENT issue
Version 2.9.0, released March 07, 2018
New features and improvements:
- Forceful browsing feature implemented:
  - Four plugins (that can report findings) responsible for various variants:
    - Common directories – looks for common directory names (only inside the root of the site)
    - Common files – looks for common file names (only inside the root of the site)
    - Backup directories – looks for backups of directories, where directory names are generated dynamically from the current crawling context (current resource)
    - Backup files – looks for backups of files, where file names are generated dynamically from the current crawling context (current resource)
  - The final report includes at most 20 findings from each forceful browser, but all findings are listed in the log file
  - Crawlable findings (those that can be reached by crawling) of forceful browsing are not reported
  - Only confirmed findings are taken into account for further processing
  - Some other forceful browsing behavior was extracted from code and modeled explicitly as plugins (these cannot report findings, only generate new requests):
    - IntermediatePaths – generates requests for intermediate paths of the current request
    - GetWithoutParamsFromPost – generates a GET request without any parameters (neither post parameters nor query string parameters)
    - GetWithParamsFromPost – generates GET requests with query string parameters instead of post parameters
  - Every forceful browser plugin can be switched on and off independently (as every plugin)
- All attacking plugins report the execution path inside the Finding field
  - Execution path items are cut carefully (if needed) to avoid discarding important information (e.g. the parameter that is currently being attacked)
- Improved the handling of query string parameters:
  - Duplicate parameters are handled (injected) correctly
- More reliable and natural API to ease the creation of new plugins
- Some hardcoded parameters were moved into configuration (not visible in the Radar GUI for now):
  - FormParamsExcludedFromAttacks – form (post) parameters that should not be attacked
  - CookiesExcludedFromAttacks – cookies that should not be attacked
  - HeadersAttacked – headers that should be attacked
- Refactoring that aims to clean up the scanner model and make further development easier
Fixed issues:
- Fixed generation of separate requests from every form select/radio value
- Vulnerability checks are done with respect to response body only (without headers)
- If the auth validation request is not present in the recordings, it is not set to the login request
Version 2.8.4, released January 26, 2018
Fixed issues:
- Fixed issue with invalid string in ‘injection/value’ field in report.xml.
Version 2.8.3, released January 24, 2018
Fixed issues:
- Fixed issue with overriding “Host” header by a parameter from configuration.
Version 2.8.2, released January 23, 2018
Fixed issues:
- Fixed issue with a too long string in the ‘issuedetails’ field in report.xml, which prevented the RSC from loading it.
Version 2.8.1, released January 15, 2018
Fixed issues:
- Technical change within the build process.
Version 2.8.0, released January 12, 2018
New features and improvements:
- Some plugins report the execution path in the ‘Finding’ field.
- Detection of vulnerabilities for GetXss and PostXss plugins improved.
Fixed issues:
- Fixed ESENT storage issue.
Version 2.7.1, released January 11, 2018
Fixed issues:
- Fixed NullReference issue in PostXss plugin.
- Invalid URLs in parsed HTML do not stop the scan.
Version 2.7.0, released January 10, 2018
New features and improvements:
- GetXss plugin was rewritten, some new XSS cases can be found.
- Some plugins report the execution path in the ‘Finding’ field.
- POST request in execution path contains body.
- Form extraction was optimized.
Fixed issues:
- Fixed problem with stopping scan progress.
- Invalid URLs in parsed HTML do not crash the scan.
- OpenRedirect plugin fixed.