Release notes

Release notes 2022-10-03

New unified schedules overview

The new Schedules page gathers the schedules of all our asset types in one unified overview, so you can manage and maintain all your schedules in a single place. The page has been completely rebuilt on our new web framework with a new user experience, aligning it with our new design and adding a set of new features.

Tab views are now available across all your schedules, so you can create different views using the enhanced filtering. This helps you categorize schedules by properties such as schedule status, last run time or schedule ownership.

How to overview scan schedules

Major new detection capabilities for web app vulnerabilities

We continue strengthening our web application scan engine with several improvements and additional coverage for new vulnerabilities. Our Security Research team has worked hard together with our Engineering team to make sure the quality, accuracy, and coverage increase with every release. 

The following new security misconfiguration vulnerabilities are now automatically identified in all standard scan profiles when scanning web applications for vulnerabilities:

Insecure Usage of CSS Imports (Relative Path CSS Resources)

  • Severity: Info
  • Impact: A path-relative stylesheet reference resolves against whatever path the page is requested under, letting an attacker who controls that path inject arbitrary CSS into the victim's browser

Active Mixed Content over HTTPS

  • Severity: Medium
  • Impact: A man-in-the-middle attacker can intercept the request for the HTTP content and rewrite the response to include malicious code. Malicious active content can steal the user's credentials, acquire sensitive data about the user, or attempt to install malware on the user's system (for example by leveraging vulnerabilities in the browser or its plugins), so the HTTPS connection no longer protects the page.

Passive Mixed Content over HTTPS

  • Severity: Low
  • Impact: An attacker can replace an image sent over HTTP with obscene content or a message to the user.

Cross-Domain Referrer Policy

  • Severity: Info
  • Impact: Information disclosure via the Referer header, leaking the full URL including query strings in cross-domain requests

Subresource Integrity check

  • Severity: Info
  • Impact: If an attacker gains control of a CDN or another cross-domain host, they can inject malicious content into the files served from it (or replace the files completely) and thereby attack every site that loads those files without an integrity check.

Password Auto-Complete

  • Severity: Info
  • Impact: Browser-stored credentials can be chained with other client-side attacks such as XSS and CSRF to impersonate the user or steal client data.

Missing Expect-CT Header

  • Severity: Info
  • Impact: The Expect-CT header lets a site opt in to reporting and/or enforcing Certificate Transparency requirements, so that mis-issued certificates for the site do not go unnoticed. The flagged URL is reported as a specific example. Note that browsers have since deprecated Expect-CT in favour of enforcing CT for all publicly trusted certificates by default, which is why this is reported at Info severity.
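As an added illustration of how these seven checks can be run statically over a single HTTPS response (example code written for these notes, not the vendor's scan engine), the script below parses a constructed page and its headers and reports the same finding names and severities as the list above. The sample URL, headers and HTML are constructed; the SRI rule treats any cross-origin script or stylesheet without an `integrity` attribute as a finding; the referrer-policy rule accepts only policies that never send the full URL cross-origin; and the password rule accepts `autocomplete="off"` or `"new-password"` (note that modern browsers ignore `off` for password fields, which is one reason the finding is Info).

```python
# Added illustrative example: static checks for the client-side
# misconfigurations listed in these release notes. Not the vendor's engine.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that load active (executable or style) vs passive (media) content.
SUBRESOURCES = {
    ("script", "src"): "active", ("iframe", "src"): "active", ("link", "href"): "active",
    ("object", "data"): "active", ("embed", "src"): "active",
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
}
# Policies that never send the full URL (path + query) on a cross-origin request.
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "origin", "strict-origin",
                          "origin-when-cross-origin", "strict-origin-when-cross-origin"}


class _Collector(HTMLParser):
    """Walks the HTML once and records findings as (name, severity, detail)."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []
        self.meta_referrer = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # valueless attrs (async, defer) become ""
        if tag == "meta" and a.get("name", "").lower() == "referrer":
            self.meta_referrer = a.get("content", "").strip().lower()
        if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
            return  # only stylesheet <link>s load renderable content
        if tag == "input" and a.get("type", "").lower() == "password":
            if a.get("autocomplete", "").lower() not in ("off", "new-password"):
                self.findings.append(("Password Auto-Complete", "Info",
                                      f"password field '{a.get('name', '?')}' permits autocomplete"))
            return
        for (t, attr), kind in SUBRESOURCES.items():
            if tag == t and attr in a:
                self._check_url(tag, a, a[attr].strip(), kind)

    def _check_url(self, tag, a, url, kind):
        parts = urlsplit(url)
        if parts.scheme == "http":  # plain-HTTP subresource on an HTTPS page
            name, sev = (("Active Mixed Content over HTTPS", "Medium") if kind == "active"
                         else ("Passive Mixed Content over HTTPS", "Low"))
            self.findings.append((name, sev, f"<{tag}> loads {url}"))
        # A path-relative stylesheet resolves against the path the page was requested
        # under, which an attacker may be able to control.
        if tag == "link" and not parts.scheme and not parts.netloc and not url.startswith("/"):
            self.findings.append(("Insecure Usage of CSS Imports (Relative Path CSS Resources)",
                                  "Info", f"path-relative stylesheet {url}"))
        # Cross-origin script/stylesheet without an integrity hash: a compromised CDN can swap it.
        if tag in ("script", "link") and parts.netloc and parts.netloc != self.page_host \
                and "integrity" not in a:
            self.findings.append(("Subresource Integrity check", "Info",
                                  f"<{tag}> from {parts.netloc} has no integrity attribute"))


def check_page(page_url, headers, body):
    """Return the findings for one HTTPS page given its response headers and HTML body."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    collector = _Collector(urlsplit(page_url).netloc)
    collector.feed(body)
    findings = list(collector.findings)
    # The header wins over <meta name=referrer>; in a comma-separated list the last policy applies.
    policy = (hdrs.get("referrer-policy") or collector.meta_referrer or "").split(",")[-1].strip().lower()
    if policy not in SAFE_REFERRER_POLICIES:
        findings.append(("Cross-Domain Referrer Policy", "Info",
                         f"policy is {policy or 'unset'}: cross-domain requests may carry the full URL"))
    if "expect-ct" not in hdrs:
        findings.append(("Missing Expect-CT Header", "Info", "no Expect-CT header sent"))
    return findings


def finding_counts(page_url, headers, body):
    """Number of findings per finding name, for summaries and assertions."""
    counts = {}
    for name, _severity, _detail in check_page(page_url, headers, body):
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample response (hostnames and resources are made up for this example).
SAMPLE_URL = "https://shop.example/login?session=abc"
SAMPLE_HEADERS = {"Content-Type": "text/html", "Referrer-Policy": "no-referrer-when-downgrade"}
SAMPLE_BODY = """<html><head>
<link rel="stylesheet" href="css/site.css">
<link rel="stylesheet" href="https://cdn.example/lib.css">
<script src="https://cdn.example/lib.js"></script>
<script src="https://cdn.example/signed.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="http://analytics.example/track.js"></script>
</head><body>
<img src="http://images.example/logo.png">
<form><input type="password" name="pw"><input type="password" name="pw2" autocomplete="new-password"></form>
</body></html>"""

# Constructed hardened variant of the same page: no findings expected.
CLEAN_HEADERS = {"Referrer-Policy": "strict-origin-when-cross-origin", "Expect-CT": "max-age=86400"}
CLEAN_BODY = """<html><head><link rel="stylesheet" href="/static/site.css">
<script src="/static/app.js" defer></script></head>
<body><input type="password" name="pw" autocomplete="off"></body></html>"""

if __name__ == "__main__":
    for name, severity, detail in check_page(SAMPLE_URL, SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"[{severity}] {name}: {detail}")
```

On the sample page the script reports one active and one passive mixed-content finding, three cross-origin resources without SRI (including the plain-HTTP script, which is both mixed content and unhashed), the path-relative stylesheet, the password field without an autocomplete setting, the leaking referrer policy and the missing Expect-CT header; the hardened variant produces no findings.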

Advanced path traversal XSS

There is also a new scan profile option, Advanced path traversal XSS, which uses several additional methods to detect XSS vulnerabilities that are triggered through path traversal techniques.

Read more about path traversal vulnerability

Additional phishing simulation templates

Several new phishing templates are now available in English, to be used for phishing simulation:

  • Instagram – Password change
  • Netflix – Account suspension
  • Facebook – Login request
  • DHL – Track your package

Where do I find phishing templates?

General enhancements

  • The Asset Applications view has received performance improvements that reduce response times.
  • The Phishing & Awareness Training template editor now offers syntax highlighting, a wider editing area and a full-screen mode.
  • The Recipients page in Phishing & Awareness Training can now be filtered by severity.
  • Phishing & Awareness Training web training templates can now have a custom title.