WAS Scanner 1.7.x Release Notes
The Tenable.io Web Application Scanning (WAS) Scanner automatically updates to new releases:
- Tenable.io Web Application Scanning Cloud Scanner – Updated automatically by Tenable.
- Tenable Core + Tenable.io Web Application Scanning Linked Scanner – Updated automatically by Tenable Core.
For information about the new features, improvements, and bug fixes included in each 1.7.x release, see:
Web Application Scanning (WAS) Scanner version 1.7.1 includes the following bug fixes.
| Bug Fixes | Defect ID |
|---|---|
| Selenium authentication fails when element to detect is not displayed | 01106323 |
New Features and Improvements
Web Application Scanning (WAS) Scanner version 1.7.0 includes the following new features and improvements.
- Server-Side Request Forgery Vulnerability Detection
Plugin 112439 (Server-Side Request Forgery) is now available to report whenever this vulnerability is identified on a target.
- Path Parameter Element Assessment
WAS scanner now supports the assessment of path parameters, which are commonly used by RESTful APIs. Path parameters are used in URL rewriting to identify the object of the action within the URL. For example, scanId is a path parameter in the URL below, used to identify the scan whose results are displayed:
- New Swagger UI Fingerprinter
WAS scanner is now able to detect Swagger UI components installed on a target and reports them under plugin 98059 (Technologies Detected).
- XHR Detection Plugin Enhancements
Plugin 98772, renamed XHR Detected, now includes the number of XHR requests that do not include any Content-Type header.
- Fingerprinter Timeout Logic
New timeout logic helps the main fingerprinter component abort any fingerprinting tasks that are taking more than 10 minutes. This prevents scans from being stuck when any unexpected errors occur on an individual fingerprint.
- New Plugins
98780 - Java Object Deserialization
112439 - Server-Side Request Forgery
112563 - SSL/TLS Certificate Lifetime Greater Than 398 Days
112569 - OpenAPI Import Success
112570 - OpenAPI Import Failed
112600 - Email Subscribers & Newsletters Plugin for WordPress < 4.5.6 Email Forgery/Spoofing Vulnerability
112601 - nginx < 1.17.7 Information Disclosure
- Other Improvements
WAS scanner now supports any non-alphanumeric character when setting up a proxy with the Tenable Core WAS appliance.
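As an added illustration of what plugin 112563 (SSL/TLS Certificate Lifetime Greater Than 398 Days) reports on, the following Python check is not Tenable's code; it computes a certificate's validity period from the `notBefore`/`notAfter` strings in the dictionary format returned by Python's `ssl.SSLSocket.getpeercert()` and flags lifetimes over 398 days. The sample certificates are constructed inline; `get_peer_cert` is an optional helper for live use and is not exercised offline.

```python
import socket
import ssl

# Lifetime threshold used by the plugin described above (days).
MAX_LIFETIME_DAYS = 398


def cert_lifetime_days(cert: dict) -> float:
    """Return the validity period length in days for a getpeercert()-style dict.

    ssl.cert_time_to_seconds() parses the 'Jan  1 00:00:00 2024 GMT' format
    that getpeercert() returns for notBefore / notAfter.
    """
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - not_before) / 86400


def check_cert_lifetime(cert: dict, limit_days: int = MAX_LIFETIME_DAYS) -> dict:
    """Flag a certificate whose total validity period exceeds limit_days."""
    days = cert_lifetime_days(cert)
    return {
        "subject": cert.get("subject", ()),
        "lifetime_days": round(days, 2),
        "exceeds_limit": days > limit_days,
    }


def get_peer_cert(host: str, port: int = 443) -> dict:
    """Fetch the leaf certificate of a live TLS endpoint (needs network access)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates (not real issued certificates).
SAMPLE_ONE_YEAR = {
    "subject": ((("commonName", "app.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",  # 366 days (2024 is a leap year)
}
SAMPLE_TWO_YEAR = {
    "subject": ((("commonName", "legacy.example.test"),),),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",  # 731 days, over the limit
}

if __name__ == "__main__":
    for sample in (SAMPLE_ONE_YEAR, SAMPLE_TWO_YEAR):
        print(check_cert_lifetime(sample))
```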
Web Application Scanning (WAS) Scanner version 1.6.0 includes the following bug fixes.
| Bug Fixes | Defect ID |
|---|---|
| Plugin 98220 Detection Inconsistencies | 01099930, 01104770 |
| Authentication Failed plugin not included in scan results | 01102514 |
| Tenable Core WAS Proxy does not support '#' characters in credentials | 01038393 |