Web App Security Scanner- Vex Scanner

Web application security tool is important in safeguarding websites and applications from cyber security threats and vulnerabilities. Vex is constantly updated in order to ensure reliability and functionality as a web application security tool. This Vex Latest Release and Updates page covers the improvements made by UBsecure on Vex including new features, enhancements, and other additional updates.

The details of the Vex latest release and updates are presented in the manner where the latest release is shown at the top of the post and then followed with the previous releases.

1. Vex/VexCloud Integration

The Vex/VexCloud Integration feature has been brushed up after the closed beta period and is now officially released. This feature enables integrated management of vulnerability scanning results from multiple projects by continuously storing Vex scanning results in VexCloud.

This feature is especially addresses problems in managing scanning target sites including

With this official release, Vex will not only find vulnerabilities, but also support overall activities to improve web application security as a tool that can manage post-scanning responses and scanning results.2

2. Multiple updates to improve efficiency, accuracy, and ease of use

Updated Scenario map and session ID functionality improves efficiency, accuracy, and ease of use.

– Enhanced the feature in Scenario map to make it less necessary to manually set up parameter handovers

Scenario map is one of the functions used to reproduce the normal behavior of a web application; Vex registers the normal behavior of a web application and compares it with the behavior of a request sent for scanning to find vulnerabilities.

In this version, the number of configuration items has been reduced by automating the process of recording normal behavior; the transitions can be reproduced simply by sequencing the responses of the web application on the Vex UI. This feature enables users to easily reproduce the behavior without requiring in-depth knowledge, instead relies on Vex’s Scenario map function for parameter passing settings and searching for the parameters.

– More accurate and efficient scanning for session IDs
Sessions are an important part of a web application’s operation. Therefore, there are many vulnerabilities caused by session IDs and their management.

In this version, cookie names to be scanned as session IDs can now be specified by users, allowing for accurate detection of vulnerabilities caused by session IDs and their management.

3. Other fixes include the search function for scanning results has been improved to enhance scanning efficiency.

Vex 11.0.0.0 (Release 2024-Feb-15)

This release brings the new version of Vex, Vex 11.0.0.0 which introduces Vex more than just scanning for vulnerabilities but as manages them. The key improvements in Vex 11.0.o.o include:

1. Vulnerabilities management

Vex vulnerability tests can find vulnerabilities with high accuracy, but there have been issues in subsequent response and management.

By continuously storing highly accurate Vex scanning results in VexCloud, both scanning accuracy and ease of management can be achieved.

VexCloud is provided as SaaS, allowing multiple users, such as administrators, diagnosticians, and developers, to share inspection results and manage correction status.

As a results, this feature enables users to generate a file for Vex scanning result data to be integrated with VexCloud addresses various vulnerabilities management issues such as:

UBsecure’s team had worked hard in improving Vex through consideration and reexamining the required tools and also supports overall activities to enhance web application security by offering specialized functions for management of inspection results, such as aggregation and analysis of inspection results over time.

2. Integration of “Vex scanning result data” to VexCloud

This version introduces Vex collaboration approach which is a concept and function that realizes integrated management of vulnerability inspection results of multiple projects by continuously accumulating Vex inspection results in VexCloud.

Steps to use the Inspection Result Linkage File are as follows:

(1) From the Project list page, output VexCloud Integration Files from the pull-down shown in the figure below for each project.

(2) Upload the output file to VexCloud.

(3) Check the vulnerability of the application on the VexCloud dashboard. *The image is from the development stage.

3. Other updates include adding a signature to detect Cross-Site Scripting using a Document Object Model.

Vex 10.6.0.0 (Release 2023-Nov-20)

Vex 10.6.0.0 Version introduces “message labels” as key update that gives flexibility to users in managing scanning progress.

1. Proxy logs classification with three-color message labels.

The labels displayed are as follows:

The “message labels” come in three colors: “transparent,” “orange,” and “blue. For instance,

This function enables customers who used to manage the scanning progress by recording it in Excel or other file to color-code and manage the status on Vex.

Moreover, logs classified by “message labels” can be filtered and displayed.

For example, filtering by the “orange” label on the Web plan page enables scanning scope logs narrowing down “Ready for scanning,” thereby improving overall scanning operations efficiency.

2. Other updates
— A signature has been added to detect that the GraphQL GUI client is externally accessible on the Web.
— Fixed an issue in the Crawling setting page for the auto crawler, where existing log-in settings could not be changed.

Vex 10.5.0.0 (Release 2023-Aug-24)

Vex 10.5.0.0 Version enhances the Vex as Web applications inspection tool through multiple updates which include

1. Ability to scan GraphQL applications

Vex 10.5.0.0 supports enhanced parsing capabilities for GraphQL requests and adds new signatures dedicated to GraphQL.

GraphQL comes in a variety of formats depending on the application. In this release, Vex supported GraphQL not only in JSON format, but as well other formats.

Enhancements to the request decomposition function in this version have expanded the scope of recognition of parameters in the GraphQL format.

In addition, a dedicated signature has been added to detect GraphQL-specific vulnerabilities that cannot be inspected with the existing regular signatures.

These updates expands the range of supported scanning and improves the accuracy of the scanning.

2. Other updates

Vex 10.5.0.0 improves automatic skipping of scanning parameters to support more efficient scanning time.
Additionally, the “Signature information list” is now added with file columns for guidelines that can be downloaded from the Check Server Settings scanning execution content page.

Vex 10.4.0.0 (Release 2023-Jun-8)

Vex 10.4.0.0 Version adds the ability to automatically filter similar messages when creating test scenarios, the ability to import and export custom signatures as well as changes in the signature groups additions or updates and many more.

1. Automatically hide duplicate recorded by proxies feature

Vex 10.4.0.0 version is now added with the function to automatically hide similar messages when creating test scenarios.

At sites where many similar messages are communicated, such as SPA (Single Page Application), there was a time consuming problem in selecting messages to be inspected. This feature enables efficient selection of messages to be inspected, significantly reducing the man-hours required.

Additionally Messages that are auto-filtered can also be displayed or hidden manually.

2. Import and Export functionality of Custom signatures

This latest version of Vex (Vex 10.4.0.0 Version) allows custom signatures to be exported and imported, reducing the man-hours required to migrate custom signatures to a different Vex servers.

3. Signature group additions/updates

In this latest Vex 10.4.0.0 Version release, the “Simple signature group” has been added and the composition of signatures included in the “Recommended signature group” has been changed.

The “Simple signature group” is a group of signatures for typical vulnerability categories with only the signatures of common scanning patterns selected. This group can be used when you want to reduce the scanning time.

In the “Simple signature group”, signatures for the following vulnerability categories have been added:

4. Other updates

Vex 10.4.0.0 Version also include improvement on the accuracy of cross-site request forgery scanning.

Vex 10.3.0.0 (Release 2023-Mar-13)

Vex 10.3.0.0 Version involved various updates including enhanced the custom signature and Scenario map, added a function of filtering the list of headers and parameters on the Log detail screen, and added a function to customize the display items of the Scanning results summary sheet report.

1. Enhanced custom signatures

Custom signatures that do not insert a payload into the request are now available.
This kind of signature is useful for detecting that a page contains a specific IP address or error statement in the response.

2. Enhanced Scenario map parameter handovers function

“Search and specify” feature is now available on the Pre processor settings screen for Scenario map Handlers to specify source values for parameter handovers.

In the “Search and specify” screen, you can obtain regular expression patterns that can capture matches with the specified string contained in messages within a transition.

When you want to find a source value parameter associated with a destination parameter, simply select the “Search and specify” option in the source value input field and select the regular expression pattern from the list to apply to the source value condition.

This features eliminates the need to search for a source value parameter and create regular expressions, which had been done manually in the past, reducing the setup load on scanning and improving operational efficiency when scanning complex applications.

3. Improved operational efficiency of the Log detail screen

This release allow you to filter the list of headers and parameters on the Log detail screen.
When you want to exclude parameters with a specific condition from the scan, the only need step involved is by clicking the checkbox in the skip settings column header of the filtered parameter list. In addition, items can now be sorted in lexicographic order by clicking on the column name.

4. Added display items to “Individual summary sheet”

The following items have been added to the Individual summary sheet of the Scanning results summary sheet report.

You can also now specify whether or not to include the contents of the scanning result note in the Notes column.
The above items can be included or excluded from the report on:

Report output settings > Individual settings > Scanning results summary sheet

Other improvements:

Vex 10.2.0.0 (Release 2022-Dec-15)

Vex 10.2.0.0 release is included with added a checklist output function based on the latest version (4.0) of “ASVS (Application Security Verification Standard)”, renewed Scheduled task settings (formerly Execute task setting) feature, and expanded scannable range due to improved analysis of the JSON parameters .

1. Checklist output function based on the latest version (4.0) of “ASVS (Application Security Verification Standard)”

This added checklist out function enable users to generate checklist based on the latest ASVS (Application Security Verification Standard) v4.0 provided by OWASP just putting one-click after scanning.

2. Renewed Scheduled task settings (formerly Execute task setting)

With this feature, users can schedule:

3. Expanded scannable range due to improved analysis of the JSON parameters

When a request parameter value is considered to be a JSON object or array, the parameter values are now split into JSON parameters and displayed on the Log detail page and the Scanning result page.

Payloads are now sent for parameters split from a parameter value in web scans. Following this change, new vulnerability can be detected on the website that has already been scanned previously.

Skip settings are also available for parameters split from a parameter on the Log detail page.

This feature applies to the followings;
— Parameter values contained in a query string in `key=value` format
— Parameter values contained in a request body in `key=value` format
— Form data in a multipart request

===== Example request =====
POST / HTTP/1.0

json={“k1″:”v1″,”k2″:”v2”}
===========================

For the above request message, in addition to the conventional inspection in (A),
inspections are also performed on the split parameter values as in (B) and ©.
(A) json={“k1″:”v1″,”k2″:”v2”}[Payload] (B) json={“k1″:”v1[Payload]”,”k2″:”v2″}
© json={“k1″:”v1″,”k2″:”v2[Payload]”}

Vex 10.1.0.0 (Release 2022-Sep-15)

Vex 10.1.0.0 release highlights these improvements; the ability of users to set scanning target for Session Fixation and Cross-Site Request Forgery.

Improved algorithm to determine recorded characteristics of messages when acquiring proxy logs

This release include improved algorithm to determine the following characteristics of messages that are recorded when acquiring proxy logs, the label classification function of Web scanning results, the “Report” update, and “Scenario Map” added from version 9.0.0.0.

Since the “characteristics” automatically set on the Vex side can now be checked from the Log detail page for each request, users can now check whether Vex’s automatic settings are correct. Checking when the log was acquired (before the scanning) increase the scanning accuracy using the automatic analysis.

Addition of label classification function for Web scanning results

This feature allows users to set 3-color labels for each Web scanning results. By setting the confirmation status of Web scanning results so that they can be seen at a glance, Web scanning results can be checked smoothly when checking projects. In addition, the classified results can be narrowed down by specifying the filter conditions, so user can check the results efficiently by checking the Web scanning results all at once.

Report update

Added a table describing the number of detected risks by category to the “Scanning Results Outline” chapter of the Scanning report (Web Application Vulnerability Scanning Report)It is now possible to easily check the number of detected vulnerabilities by vulnerability category and risk level. In addition, the display of the Report output setting has been renewed, and “Common settings” and “Individual settings” are now possible, making it possible to make settings more flexible than conventional report settings.

Improved Scenario Map

When a new messages are added on the “Scenario Map”,the added message is now in focus and surrounded by a thick orange line now so that thay are noticeable.
Since newly added messages can be checked immediately, work efficiency can be improved.
In addition, “Information panel” can now be moved by dragging with the mouse., improving operability.

Ability to create a report that exclude results with specified risk levels, except for the following formats:

The number of signatures displayed and selected is now indicated on the Create web scanning plan screen.

Added Server scanning signatures for the Apache HTTP Server Default files (s000270, s000271)

Vex 10.0.0.0 (Release 2022-Jun-23)

Vex 10.1.0.0 release involves improvement on usability. “Web plan page” has been renewed and “Scenario Map” that is added since version 9.0.0.0 has been further enhanced.

The new “Web plan page” include renewed “Applied signatures” pane on “Create web scanning plan” screen

The version at which the signature was introduced is now displayed for the signatures available from version 9.0 or later.

Also a filter to narrow down the displayed signatures by risk level, signature ID, etc. is now available, making it
easier for users to search for the desired signature or customize the signature.

Improvements in “Scenario Map” include a function that automatically resets the preprocessor’s handover parameters when a message is moved on the Scenario Map, and a function that display caution icon if there is an error in the handover settings.

New functions enable not only for beginners but expert to make scanning scenarios easily.

In addition, the parameter handover function for the extend processor and post processor has been strengthened, and parameters included in all screens that pass through can be disassembled individually, and individual settings can be made for each parameter.

Since more detailed scanning settings are possible than ever before, the range of applications that can be handled is expanded. Also, we have made minor UI changes and improved functions, so it will be possible to significantly reduce the man-hours required to prepare for scanning using Scenario Map.

Added Google Chrome to the supported browsers that can be used when accessing Vex.

The corresponding version of OWASP TOP 10 report has been changed from 2017 to 2021. Along with the change, the OWASP TOP 10 categories linked to Web scanning signatures and Server scanning signatures have also been changed.

Improved SQL injection signature to support SQLite and IBM DB2.

With this release, users can now change the sort number on the information panel of the scenario map.

Changed so that export files created with a newer version than the Vex users are using now cannot be imported.