Changes
- Upgrade browserker to version 0.0.103 (!648)
  - Add JSON value injection location for active attacks browserker!768
  - Upgrade vulnerability checks to version 1.0.45 browserker!784
    - Add 22.1 Improper limitation of a pathname to a restricted directory (Path traversal) dast-cwe-checks!175
  - Match response attacks severity depends on which matcher matched the attack response browserker!779
  - Add support for response_status matcher in vulnerability checks browserker!785
  - Bump go-csp-evaluator to version 1.0.2 browserker!790
  - Active timing check finding summaries include time waiting for response browserker!787
  - Active timing checks define the finding severity browserker!792
  - Active timing checks process injection templates in groups to find vulnerabilities browserker!791
  - Active check injections are generated in the same order as they are defined browserker!791
  - Log active check requests with the WEBGW log module browserker!789
  - Active check requests have a default timeout of 30 seconds browserker!800
- Upgrade browserker to version 0.0.104 (!648)
  - Add support for Array values to JSON value injection location for active attacks browserker!805
  - Upgrade vulnerability checks to version 1.0.47 browserker!813
    - Update 287.1 to match on Authorization header dast-cwe-checks!182
  - Upgrade vulnerability checks to version 1.0.46 browserker!813
    - Add 94.1 Server-side code injection (PHP) dast-cwe-checks!158
    - Add 94.2 Server-side code injection (Ruby) dast-cwe-checks!158
    - Add 94.3 Server-side code injection (Python) dast-cwe-checks!158
    - Add 94.4 Server-side code injection (NodeJS) dast-cwe-checks!158
    - Update the 16.8 description for clarity dast-cwe-checks!181
    - Add 384.1 Session fixation dast-cwe-checks!151
    - Add 79.1 Cross Site Scripting dast-cwe-checks!138
    - Add 79.2 Persistent Cross Site Scripting dast-cwe-checks!138
    - Add 89.1 SQL Injection dast-cwe-checks!122
    - Add 74.1 XSLT Injection dast-cwe-checks!149
    - Add 113.1 Improper Neutralization of CRLF Sequences in HTTP Headers dast-cwe-checks!140
    - Add 552.1 SQL database dump file is publicly accessible dast-cwe-checks!156
    - Add 552.2 SQL database dump file is publicly accessible dast-cwe-checks!156
    - Add 552.3 Backup archive file is publicly accessible dast-cwe-checks!156
    - Add 552.4 Lazy File Manager is publicly accessible dast-cwe-checks!156
    - Add 552.5 IntelliJ IDEA deployment configuration file is publicly accessible dast-cwe-checks!156
    - Add 552.6 Symfony database configuration file is publicly accessible dast-cwe-checks!156
    - Add 552.7 Ruby On Rails database configuration file is publicly accessible dast-cwe-checks!156
    - Add 552.8 Git metadata directory is publicly accessible dast-cwe-checks!156
    - Add 552.9 SVN metadata directory is publicly accessible dast-cwe-checks!156
    - Add 552.10 Apache status page is publicly accessible dast-cwe-checks!156
    - Add 552.11 Core dump file is publicly accessible dast-cwe-checks!156
    - Add 552.12 Sublime Text SFTP configuration file is publicly accessible dast-cwe-checks!156
    - Add 552.13 WS_FTP client configuration file is publicly accessible dast-cwe-checks!156
    - Add 552.14 FileZilla client configuration file is publicly accessible dast-cwe-checks!156
    - Add 552.15 WinSCP client configuration file is publicly accessible dast-cwe-checks!156
    - Add 552.16 MacOS DS_Store file is publicly accessible dast-cwe-checks!156
    - Add 552.17 PHP Coding Standards Fixer cache is publicly accessible dast-cwe-checks!156
    - Add 552.18 JOE Editor crash file is publicly accessible dast-cwe-checks!156
    - Add 552.19 Drupal Backup Migrate directory is publicly accessible dast-cwe-checks!156
    - Add 552.20 Magento configuration file is publicly accessible dast-cwe-checks!156
    - Add 552.21 Cryptographic private key is publicly accessible dast-cwe-checks!156
    - Add 552.22 vBulletin test script is publicly accessible dast-cwe-checks!156
    - Add 552.23 Drupal database file is publicly accessible dast-cwe-checks!156
    - Add 552.24 Composer manifest file is publicly accessible dast-cwe-checks!156
    - Add 552.25 JetBrains Vim plugin configuration file is publicly accessible dast-cwe-checks!156
    - Add 552.26 PHP Info page is publicly accessible dast-cwe-checks!156
    - Add 552.27 Apache Server Information page is publicly accessible dast-cwe-checks!156
- Upgrade browserker to version 0.0.105 (!648)
  - Timing attacks are run multiple times to be more resilient to false-positives browserker!805