April
NG Production Release Update (April 02, 2025)
We’re excited to announce the latest updates in this release!
Authentication
Building on the Test Authentication feature to validate credentials before running a scan, we are now adding two key improvements:
- Enhanced Debugging with Request Headers and Body: We have now added this crucial information to help troubleshoot authentication issues more effectively.
- Customizable Authentication Endpoint Selection: Users can now replace the default system-selected endpoint with a preferred one, ensuring more accurate token validation.
Users can now manually add endpoints to an existing application, allowing them to:
- Test endpoints on the fly, even when API definitions are not yet ready.
- Have the platform generate an OAS specification dynamically from the added endpoint details, then reload the spec.
- Rely on Reload Spec to parse that information, detect the sensitivity of endpoints and parameters, and generate variables, payloads, and parameters.
Enhanced UX
- Enhanced the platform experience by integrating inline videos for better guidance and usability. Additionally, we have enriched our documentation, including comprehensive release notes, to ensure clarity and ease of access to important updates.
- We have added in-context learning videos. This will help users have a quick view of what a use case is about before they try it out.
- We are launching the documentation portal for our platform. From the left navigation, users can now access the self-help portal to read product documentation, release notes, FAQs, and other important information for product use.
NG Production Release Update (April 15, 2025)
We're excited to announce that several key enhancements have moved from Building to Done!
Certificate Support
- We've introduced support for certificate-based authentication during API testing. Customers can now securely upload client certificates to their Hosted Agent or its EFS-mounted volume within their environment. During scans, the Hosted Agent will automatically select and use the appropriate certificate based on the instance hostname, seamlessly working alongside token-based authentication configured in the APIsec platform.
Hosted Agents on the Windows platform
- We now support Hosted Agents on the Windows platform using Docker Desktop for Windows. This enables teams operating in Windows environments to deploy and run scans on private instances using the APIsec Hosted Agent for Docker on Windows.
Optimized Detections Data Skimming
- The detections endpoint now excludes unnecessary data when listing vulnerabilities, significantly reducing payload size. This enhancement improves load times and prevents the browser from becoming unresponsive, particularly for APIs with many endpoints or a long vulnerability history.
OpenAPI Specification 3.1.0 Support
- We're excited to announce that the APIsec platform supports OAS 3.1.0 and gracefully handles any inconsistencies in parameter data types and examples within the spec files.
Several key improvements and bug fixes to enhance the accuracy and reliability of parameter and payload handling within the platform
- Custom header values defined in Global and Endpoint-based Variables are now correctly substituted during dry-run and scan execution.
- Users can now delete a header or query parameter without encountering validation errors, even if its value is null.
- Boolean values are now displayed correctly in the parameters configuration view.
- The system now allows payloads to be added to endpoints without predefined request bodies.
- The generation of faker data has been disabled and replaced with default and example parameter values to increase the likelihood of receiving successful responses from endpoints.
We've made several key enhancements to the Reload Spec feature for better accuracy and user experience
- Postman Collection Handling: Previously, attempting to reload a spec using a Postman Collection would silently fail but still return a success message. We've now added appropriate error handling and clear messaging to inform users that Postman Collections are not supported for the Reload Spec operation.
- YAML Support: Reload Spec now supports API specifications with the YAML extension via file upload and URL input.
- Rollback on Failure: We've addressed an issue where failed reloads could result in missing endpoints and parameters due to partial updates. The system now reverts to the previous stable state in the event of a failure to prevent any data loss or inconsistencies.
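The rollback behaviour described above, as an added illustration that is not APIsec's own code: a spec reload that writes endpoints into a store incrementally (the situation in which a mid-way parse failure leaves a partial update) is wrapped in a snapshot-and-restore step, so a malformed spec leaves the previous endpoint set intact. The `SpecStore` class, the JSON-only parser and both sample specs are constructed for this example.

```python
import copy
import json
from typing import Dict, List

# "METHOD /path" -> {"params": [parameter names]}
Endpoints = Dict[str, Dict[str, List[str]]]


class SpecStore:
    """Stand-in for the per-application endpoint/parameter store (constructed for this example)."""

    def __init__(self, endpoints: Endpoints) -> None:
        self.endpoints: Endpoints = endpoints


def apply_spec(store: SpecStore, spec_text: str) -> None:
    """Parse an OAS JSON document and write its operations into the store one by one.

    Because it writes as it goes, a malformed operation part-way through would leave the
    store half-updated. reload_spec() below is what makes that safe.
    """
    spec = json.loads(spec_text)          # ValueError on malformed JSON
    paths = spec["paths"]                 # KeyError if the document has no paths object
    store.endpoints.clear()
    for path, operations in paths.items():
        for method, op in operations.items():
            # KeyError if a parameter object lacks "name"
            params = [p["name"] for p in op.get("parameters", [])]
            store.endpoints[f"{method.upper()} {path}"] = {"params": params}
    if not store.endpoints:
        raise ValueError("spec defines no operations")


def reload_spec(store: SpecStore, spec_text: str) -> bool:
    """Reload with rollback: snapshot first, restore the snapshot on any failure.

    Returns True when the new spec was applied, False when the previous state was restored.
    """
    snapshot = copy.deepcopy(store.endpoints)
    try:
        apply_spec(store, spec_text)
        return True
    except (ValueError, KeyError, TypeError, AttributeError):
        store.endpoints = snapshot
        return False


# Constructed sample specs.
GOOD_SPEC = json.dumps({
    "openapi": "3.1.0",
    "paths": {
        "/users": {
            "get": {"parameters": [{"name": "page", "in": "query"}]},
            "post": {"requestBody": {}},
        }
    },
})

# The second path has a parameter without a name, so parsing fails only after
# "GET /users" has already been written into the store.
BAD_SPEC = json.dumps({
    "openapi": "3.1.0",
    "paths": {
        "/users": {"get": {"parameters": [{"name": "page", "in": "query"}]}},
        "/orders": {"get": {"parameters": [{"in": "query"}]}},
    },
})


if __name__ == "__main__":
    store = SpecStore({"GET /legacy": {"params": []}})
    print("good spec applied:", reload_spec(store, GOOD_SPEC), sorted(store.endpoints))
    print("bad spec applied:", reload_spec(store, BAD_SPEC), sorted(store.endpoints))
```

Deep-copying the snapshot rather than keeping a reference matters because `apply_spec` mutates the live dictionary in place; a shallow reference would be emptied along with it.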
Several key improvements across security categories like CORS and Injection have been made to increase the accuracy and clarity of detections
- CORS Detection Enhancements: CORS issues are now reported as informational by default, and will only be escalated to a security detection if all of the following conditions are met:
  - The origin is explicitly allowed
  - Access-Control-Allow-Credentials is set to true
  - Authentication methods like cookies, Basic Auth, or Digest Auth are in use
  - The request method is GET or POST
- Injection Testing Fixes:
  - Fixed an issue where multiple test iterations reused the exact injection string, limiting test coverage. Unique payloads are now used across iterations.
  - Resolved a bug in SQL Injection testing where only a single character of the injection string was sent, due to incorrect attribute mapping. Full payloads are now correctly passed and evaluated.
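The four CORS escalation conditions listed above, expressed as classification logic over observed request/response pairs. This is an added example, not APIsec's detection code; the `Exchange` type, the sample exchanges and the interpretation of "explicitly allowed" as the response naming the requesting origin itself (a `*` wildcard is not honoured by browsers when credentials are allowed, so it stays informational) are assumptions made here.

```python
from dataclasses import dataclass
from typing import Dict, Optional

SECURITY = "security"
INFORMATIONAL = "informational"


@dataclass(frozen=True)
class Exchange:
    """One request/response pair observed during a scan (constructed type for this example)."""
    method: str
    origin: str                        # value of the request's Origin header
    request_headers: Dict[str, str]
    response_headers: Dict[str, str]


def header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def uses_ambient_credentials(request_headers: Dict[str, str]) -> bool:
    """True for cookies and Basic/Digest authorization.

    These are attached by the browser automatically, which is what makes a credentialed
    cross-origin read meaningful. Bearer tokens are not auto-attached, so they do not count.
    """
    if header(request_headers, "Cookie"):
        return True
    authz = header(request_headers, "Authorization") or ""
    scheme = authz.split(" ", 1)[0].lower()
    return scheme in {"basic", "digest"}


def classify_cors(ex: Exchange) -> Optional[str]:
    """Return None (nothing to report), INFORMATIONAL, or SECURITY per the four conditions."""
    acao = header(ex.response_headers, "Access-Control-Allow-Origin")
    if acao is None:
        return None  # no CORS header at all: not a CORS finding

    origin_allowed = acao.strip() == ex.origin  # explicit allow of the requesting origin
    creds_allowed = (header(ex.response_headers, "Access-Control-Allow-Credentials") or "") \
        .strip().lower() == "true"
    simple_method = ex.method.upper() in {"GET", "POST"}

    if origin_allowed and creds_allowed and uses_ambient_credentials(ex.request_headers) and simple_method:
        return SECURITY
    return INFORMATIONAL


# Constructed sample exchanges covering each condition.
SAMPLES = {
    "cookie_get_reflected": Exchange(
        "GET", "https://other.example",
        {"Cookie": "session=abc"},
        {"Access-Control-Allow-Origin": "https://other.example",
         "Access-Control-Allow-Credentials": "true"}),
    "bearer_get_reflected": Exchange(          # token is not ambient -> informational
        "GET", "https://other.example",
        {"Authorization": "Bearer eyJ..."},
        {"Access-Control-Allow-Origin": "https://other.example",
         "Access-Control-Allow-Credentials": "true"}),
    "wildcard_origin": Exchange(               # "*" is not an explicit allow -> informational
        "GET", "https://other.example",
        {"Cookie": "session=abc"},
        {"Access-Control-Allow-Origin": "*"}),
    "cookie_delete_reflected": Exchange(       # method outside GET/POST -> informational
        "DELETE", "https://other.example",
        {"Cookie": "session=abc"},
        {"access-control-allow-origin": "https://other.example",
         "access-control-allow-credentials": "true"}),
    "no_cors_headers": Exchange("GET", "https://other.example", {"Cookie": "session=abc"}, {}),
}


def classify_samples() -> Dict[str, Optional[str]]:
    return {name: classify_cors(ex) for name, ex in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:28} -> {verdict}")
```

The lowercase header names in the `DELETE` sample are deliberate: scanners see whatever case the server emits, so the lookup must be case-insensitive or a real finding gets missed.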
Several UI enhancements have been implemented to improve clarity and user experience
- Endpoint Risk Calculation: The risk is calculated only for High and Critical vulnerabilities, for a meaningful risk score.
- Accurate Last Scan Date: The Last Scan Date displayed on the application’s instance tile now accurately reflects the most recent scan.
- Tooltip Revamp: Tooltips across the platform have been revamped, making it easier to understand key elements at a glance.
Error Response Hardening:
- Improved security by ensuring error responses do not expose excessive information (such as internal messages, stack traces, or system details), aligning with best practices for minimizing information disclosure.
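To show what this hardening means in practice, here is an added example (not APIsec's code) of the 'before' and 'after' shapes of an error response, plus a small check a tester can run over response bodies to spot leaked internals. The handler wrapper, the marker list and the failing handler are constructed for this example and are not exhaustive.

```python
import json
import logging
import re
import traceback
import uuid
from typing import Callable, Dict

log = logging.getLogger("api.errors")

# Markers that commonly indicate an unsanitized error body (constructed list, not exhaustive).
LEAK_MARKERS = re.compile(
    r"Traceback \(most recent call last\)"
    r"|\bat [\w.$]+\([\w$]+\.java:\d+\)"
    r"|\bSQLSTATE\b|\bORA-\d{5}\b"
    r"|/(?:home|var|usr|opt)/[\w./-]+"
)


def leaky_error_response(exc: Exception) -> Dict:
    """'Before': echoes the exception text and stack trace to the client."""
    return {"status": 500, "body": {"error": str(exc), "trace": traceback.format_exc()}}


def hardened_error_response(exc: Exception) -> Dict:
    """'After': generic message plus a correlation id; the detail stays in server-side logs."""
    incident_id = uuid.uuid4().hex
    log.error("incident=%s %s", incident_id, traceback.format_exc())  # never sent to the client
    return {"status": 500, "body": {"error": "Internal server error", "incident_id": incident_id}}


def run_request(handler: Callable[[], Dict], hardened: bool = True) -> Dict:
    """Invoke a request handler and convert any failure into an error response."""
    try:
        return {"status": 200, "body": handler()}
    except Exception as exc:  # the except block is what makes format_exc() meaningful
        return hardened_error_response(exc) if hardened else leaky_error_response(exc)


def leaks_internal_details(body: Dict) -> bool:
    """Scan the body exactly as a client would receive it (serialized JSON) for leak markers."""
    return bool(LEAK_MARKERS.search(json.dumps(body)))


def failing_handler() -> Dict:
    # Constructed fault: an internal file lookup fails and the path ends up in the message.
    raise FileNotFoundError("/var/lib/example/specs/app-42.yaml: no such file")


if __name__ == "__main__":
    before = run_request(failing_handler, hardened=False)
    after = run_request(failing_handler, hardened=True)
    print("before leaks:", leaks_internal_details(before["body"]))
    print("after leaks: ", leaks_internal_details(after["body"]), after["body"])
```

The correlation id is what keeps the hardened response useful: a user can quote it in a support request and an operator can find the full trace in the logs, without the trace ever crossing the API boundary.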