What's new

This section describes new product features and enhancements in this release, as well as deprecations and anticipated changes, where relevant.

A new AppScan experience is on the way!

We’ve prepared a Technology Preview Code version of the new AppScan Standard with greatly improved user experience and the same powerful DAST engine. This still-evolving version will be replacing the current UI in a future release.

You can take it for a trial run right now! Simply close this version, go to your AppScan installation folder (default path is C:\Program Files (x86)\HCL\AppScan Standard), and click on AppScanGui.exe.

Learn more...

New in HCL AppScan Standard version 10.0.6

  • Reports (XML, PDF, HTML and Word) now include the same general content and structure as the user interface.
  • Regulatory Compliance Reports now include a Summary section.
  • Security updates:
    • Detection of Request smuggling vulnerabilities
    • SSTI (Server-side Template Injection)
    • SSRF (Server-side Request Forgery)
    • JWT: Weak signature in JSON web tokens
    • OAuth: Cross-site Request Forgery
    • OAuth: Implicit grant type
    • CVE-2017-1000486: PrimeFaces RCE
    • CVE-2020-25213: WordPress RCE
    • CVE-2021-2109: Oracle WebLogic RCE
Added in fix
  • Fixed the Log4j vulnerability in AppScan - CVE-2021-44228 & CVE-2021-45046
  • Added a security update to test for Log4j vulnerability CVE-2021-44228

Fixes and security updates

  • Fixes and security updates are listed here.
    Note: After the original release on 15th November 2021, the Log4j vulnerability was announced. A fixed version of AppScan Standard 10.0.6 was therefore released on 17th December 2021. The fixed version, AppScan Standard - which is now the only version of 10.0.6 available for download in FNO - resolves the Log4j vulnerability in AppScan Standard, and also tests for it.

Upcoming changes

  • The following will be removed in a future release:
    • Scan Expert
    • The Web Services, The Vital Few, and Developer Essentials test policies will be removed, as similar results can now be achieved using other policies (see FAQ)