Introducing Dynamic API Scanning
Application environments are more complex than ever, with APIs forming the critical connective tissue. But this proliferation has created a vast, often invisible, attack surface. …
State of your attack surface, improved user permissions, and many new tests
Victor Arellano
TL/DR: We’ve launched a new filter to simplify how you assess the state of your attack surface and made a few other updates to our products.
Easily assess the state of your attack surface
The attack surface is inevitably going to grow. That’s why we believe it’s crucial for customers to not only know what assets they are exposing online, but knowing to what extent assets are exposed on their attack surface.
Previously, it wasn’t possible to filter the attack surface view by state (you can read more about state here). This limitation made it difficult to assess some Internet-facing assets, such as those that were resolving DNS records with no reachable IPs. Now Surface Monitoring users can filter their attack surface by surface state.
Improvements to Surface Monitoring and Application Scanning:
- Permission settings for Application Scanning users. Previously, admins could do all, and editors could start/stop scans but not schedule, edit, delete, create scans. Now admins and editors can do all these things.
- Tweaking filters on the vulnerabilities view. Users are now presented with the “severity” and “root asset” filters upon visiting the vulnerabilities view. All other filters will be accessible by selecting the “Show more filters” icon.
Recently added crowdsourced vulnerabilities
Here is a list of all new medium, high, and critical severity modules added in the recent days from our community of ethical hackers. You can find a complete list of new vulnerabilities added to Surface Monitoring and Application Scanning by viewing the “What’s New?” section in-tool.
- CVE-2021-23394: elFinder Potential RCE
- CVE-2021-2400: Oracle EBS XXE
- CVE-2021-31805: Apache Struts2 RCE
- CVE-2021-40822: Geoserver SSRF
- CVE-2022-24288: Apache Airflow RCE
- CVE-2022-25568: MotionEye Configuration File Leakage
- CVE-2022-26134: Atlassian Confluence RCE via OGNL Template Injection
- CVE-2022-26960: elFinder Path Traversal
- Guacamole Default Credential
Login to get an overview of what is exposed on your attack surface.
Join our team
We’re hiring engineers, product managers, sales, & more! Learn more.
Check out more content
Redefining AppSec Testing with Intelligent Scan Recommendations and Asset Classification
The average organization is missing testing 9 out of 10 of their complex web apps that are attacker-attractive targets. To address this, we’re launching new …
