Tenable Web App Scanning Scanner 1.7.x Release Notes
The Tenable Web App Scanning Scanner automatically updates to new releases:
- Tenable Web App Scanning Cloud Scanner – Updated automatically by Tenable.
- Tenable Core + Tenable Web App Scanning Linked Scanner – Updated automatically by Tenable Core.
For information about the new features, improvements, and bug fixes included in each 1.7.x release, see:

Bug Fixes
Tenable Web App Scanning Scanner version 1.7.1 includes the following bug fixes.
| Bug Fixes | Defect ID |
|---|---|
| Selenium authentication fails when element to detect is not displayed | 01106323 |

New Features and Improvements
Tenable Web App Scanning Scanner version 1.7.0 includes the following new features and improvements.
- Server-Side Request Forgery Vulnerability Detection
Plugin 112439 (Server-Side Request Forgery) is now available to report whenever this vulnerability is identified on a target.
- Path Parameter Element Assessment
Tenable Web App Scanning scanner now supports the assessment of path parameters, commonly used by RESTful APIs. Path parameters are used in URL rewriting to identify the object of the action within the URL. For example, scanId is a path parameter in the URL below, where it identifies the scan whose results are displayed:
http://example.com/scan/scanId/results
- New Swagger UI Fingerprinter
Tenable Web App Scanning scanner is now able to detect Swagger UI components installed on a target and report them under plugin 98059 (Technologies Detected).
- XHR Detection Plugin Enhancements
Plugin 98772, renamed XHR Detected, now includes the number of XHR requests that do not include any Content-Type header.
- Fingerprinter Timeout Logic
New timeout logic helps the main fingerprinter component abort any fingerprinting tasks that are taking more than 10 minutes. This prevents scans from being stuck when any unexpected errors occur on an individual fingerprint.
- New Plugins
  - 98780 - Java Object Deserialization
  - 112439 - Server-Side Request Forgery
  - 112563 - SSL/TLS Certificate Lifetime Greater Than 398 Days
  - 112569 - OpenAPI Import Success
  - 112570 - OpenAPI Import Failed
  - 112600 - Email Subscribers & Newsletters Plugin for WordPress < 4.5.6 Email Forgery/Spoofing Vulnerability
  - 112601 - nginx < 1.17.7 Information Disclosure
- Other Improvements
  - Tenable Web App Scanning scanner now supports any non-alphanumerical character when setting up a proxy with the Tenable Core + Tenable Web App Scanning appliance.

Bug Fixes
Tenable Web App Scanning Scanner version 1.6.0 includes the following bug fixes.
| Bug Fixes | Defect ID |
|---|---|
| Plugin 98220 Detection Inconsistencies | 01099930, 01104770 |
| Authentication Failed plugin not included in scan results | 01102514 |
| Tenable Core + Tenable Web App Scanning Proxy does not support '#' characters in credentials | 01038393 |