Tenable Web App Scanning Scanner 1.8.x Release Notes

New Features and Improvements

Tenable Web App ScanningScanner version 1.8.3 includes the following new features and improvements.

• New Plugins

  • 112615 - Swagger File Detected

  • 112630 - Flash File Detected

Bug Fixes

Tenable Web App Scanning Scanner version 1.8.3 includes the following bug fixes.

Bug Fixes

Tenable Web App Scanning Scanner version 1.8.2 includes the following bug fixes.

Bug Fixes

Tenable Web App Scanning Scanner version 1.8.1 includes the following bug fixes.

New Features and Improvements

Tenable Web App Scanning Scanner version 1.8.0 includes the following new features and improvements.

• Server Side Template Injection Vulnerability Detection

  Plugin 112614 (Server-Side Template Injection) is now available to report whenever this vulnerability is identified on a target.

• New REST API Detection Plugins

  Plugins 112615 (Swagger File Detected) and 112616 (API Detected) are now available for REST API detection.
  These plugins allow users to be notified when REST APIs are used by their web applications, and allow users to assess these APIs using the new Tenable Web App Scanning API scan template.

• Expand Usage of Aborted Scan Status

  For all scans launched from the new UI, all scans stopped by the scanner due authentication failures are now marked as Aborted instead of Completed to distinguish which scans have been successfully completed. This allows customers to quickly identify scans that need to be reviewed and updated so the scan can be conducted successfully.

• New Login Form Authentication Logic

  New and enhanced logic for conducting Login Form authentication has been implemented, addressing potential failure cases where the submit() Javascript function does not actually trigger the form submission. The scanner now identifies any potential element (anchor, button, input, etc.) that could be used to submit the login form and interact with these elements before trying to directly submit the form. Plugin 98034 (Login Form Authentication Failed) now also includes additional information in debug mode to clarify the actions taken by the scanner during the form authentication.

• Improved Element Detection During Selenium Authentication

  The Selenium authentication process now tests all possible locators specified in the Selenium script to identify the element to interact with. Previously, only the main locator was being used by the Tenable Web App Scanning scanner, which could lead to some authentication failures when the main locator fails to find the element.

• New Fonts Support

  Added support for several new Asian fonts, ensuring the scanner is able to properly render web application pages and interact with elements.

• Chrome 85 Upgrade

  The Chrome browser used by Tenable Web App Scanning scanner has been upgraded to version 85, to keep the scanner up-to-date and benefit from all changes introduced by this version. This also prevents potential issues with targets preventing access from outdated browser versions. Note that with this upgrade the default User-Agent header used by the WAS scanner has been updated to match the browser version:

  Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4158.0 Safari/537.36

• New Plugins

  • 112617 - Loginizer Plugin for WordPress < 1.6.4 SQL Injection

  • 112619 - W3 Total Cache Plugin for WordPress < 0.9.5 Server-Side Request Forgery

  • 112620:112626 - Atlassian JIRA JRASERVER-69238 / JRASERVER-71536 / JRASERVER-67289 / JRASERVER-67290

  • 112618 - File Manager Plugin for WordPress < 6.5

  • 112627:112629 - Apache Tomcat 8.5.58 / 9.0.38 / 10.0.0-M8

  • 112616 - REST API Detected

  • 112615 - Swagger File Detected

  • 112614 - Server Side Template Injection

Bug Fixes

Tenable Web App ScanningScanner version 1.8.0 includes the following bug fixes.