Purplemet Cloud 1.24.0 New Features
Updates and new features
Purplemet Cloud 1.24.0 is now available. This version brings several updates and enhancements over the previous release, described below.
HTTP basic authentication
It is now possible to provide credentials for web applications protected by the HTTP Basic authentication scheme. Such applications are easily identified by the HTTP 401 response returned during analysis. Once authentication is configured at the web application level, every subsequent analysis uses these credentials to authenticate to the application and discover its technologies and issues.
A new Authentication column has been added to the list of web applications and their analyses to show which web applications and analyses have HTTP basic authentication configured.
When a web application returns an HTTP 401 code, the platform now displays the realm provided by the web application in the Latest Status widget.
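The two mechanics behind this feature, reading the realm out of a 401 challenge and answering it with a Basic credential, are shown below in Python. This is an added illustration, not Purplemet code; the 401 headers are constructed for the example, and the parsing follows RFC 7235 (auth-param syntax) and RFC 7617 (Basic scheme, including the optional charset parameter).

```python
import base64
import re
from typing import Dict, Optional, Tuple

# One auth-param (RFC 7235 section 2.1): token "=" ( token / quoted-string )
_AUTH_PARAM = re.compile(
    r"""([A-Za-z0-9!#$%&'*+.^_`|~-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s",]+))"""
)
# A Basic challenge: the scheme token, optionally followed by parameters.
_BASIC_CHALLENGE = re.compile(r"\s*basic(?:\s+(.*))?\s*$", re.IGNORECASE | re.DOTALL)


def parse_basic_challenge(www_authenticate: str) -> Optional[Dict[str, str]]:
    """Parse a WWW-Authenticate value. Returns the Basic challenge's parameters
    (realm, charset, ...) keyed by lower-cased name, or None when the challenge
    uses another scheme (Digest, Bearer, Negotiate, ...). A header carrying
    several comma-separated challenges is out of scope for this example."""
    m = _BASIC_CHALLENGE.match(www_authenticate)
    if m is None:
        return None
    params: Dict[str, str] = {}
    for name, quoted, token in _AUTH_PARAM.findall(m.group(1) or ""):
        # quoted-string: quotes already stripped by the regex, undo "\x" escapes
        value = re.sub(r"\\(.)", r"\1", quoted) if token == "" else token
        params[name.lower()] = value
    return params


def basic_authorization(username: str, password: str) -> str:
    """Build the Authorization header value for HTTP Basic (RFC 7617 section 2).
    The user-id must not contain ':' because the first ':' is what the server
    uses to split user-id from password after decoding."""
    if ":" in username:
        raise ValueError("user-id must not contain ':'")
    creds = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def decode_basic_authorization(header_value: str) -> Optional[Tuple[str, str]]:
    """Inverse of basic_authorization. It exists to make the caveat concrete:
    Basic credentials are only base64-encoded, not encrypted, so the scheme is
    acceptable only over TLS."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def authorization_for_401(response_headers: Dict[str, str],
                          username: str, password: str) -> Optional[str]:
    """What a scanner does with a 401: if the challenge is Basic, return the
    Authorization header to retry the request with; otherwise None, because
    the configured Basic credentials would not satisfy a different scheme."""
    challenge = next((v for k, v in response_headers.items()
                      if k.lower() == "www-authenticate"), None)
    if challenge is None or parse_basic_challenge(challenge) is None:
        return None
    return basic_authorization(username, password)


if __name__ == "__main__":
    # Constructed sample of the headers a Basic-protected application returns
    # before credentials are supplied (not captured from any real host).
    sample_401 = {
        "Content-Type": "text/html",
        "WWW-Authenticate": 'Basic realm="Admin Area", charset="UTF-8"',
    }
    params = parse_basic_challenge(sample_401["WWW-Authenticate"])
    print("realm shown to the user:", params["realm"])
    print("retry with:", authorization_for_401(sample_401, "scanner", "s3cr3t"))
```

The realm is purely informational: it labels the protection space so the right credentials can be matched to it, but it carries no security on its own, which is why the platform only displays it.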
ExploitDB & Metasploit integration
Exploit-DB is one of the largest public databases of exploits and proof-of-concept scripts used to confirm the presence of a vulnerability. It also indexes the modules of the Metasploit penetration testing framework, another major source of exploits and vulnerability verification modules.
As part of Purplemet's vision of giving customers the most relevant information to qualify their risks, Purplemet now integrates this database. For each reported issue it indicates whether an exploit exists in Exploit-DB and whether that exploit is a Metasploit module, and it links directly to the script so that it can be run, or loaded into Metasploit if the customer uses that tool internally.
Exploit maturity
Purplemet provides a new property, Exploit Maturity, which consolidates information from CISA KEV, Nuclei and Exploit-DB (including Metasploit modules) into a single level describing how mature the exploitation of an issue is. It takes one of three values:
- Attacked: the issue is listed in CISA KEV, i.e. it is confirmed to be exploited in the wild.
- Proof-of-Concept: no exploitation has been reported, but scripts that validate the presence of the vulnerability exist in Exploit-DB, Nuclei or Metasploit.
- Unreported: no exploitation has been reported and no validation scripts are known. This reflects public knowledge only; it does not mean the vulnerability cannot be exploited.
A new Exploit Maturity column is available in the list of issues, making it easy to check the exploit maturity of the issues reported for each web application.
OpenSSF Scorecard integration
In November 2020, the Open Source Security Foundation (OpenSSF) launched the Scorecard project, which analyses open source projects and assigns each a score against a set of checks measuring how securely the project is managed. The goal is to help developers choose which technologies to include in their own projects, so that their applications build on libraries that are maintained and follow good security practices.
Purplemet now provides the Scorecard score for each technology covered by this initiative. A new OpenSSF column is available in the list of technologies, allowing you to quickly check the score of each technology displayed.
The technology details page also provides a condensed view of the report, giving users direct access to the public scorecard.
Security rating by tag
Each tag is now assigned a security rating based on the average ratings of the web applications associated with the tag. Only web applications that have been analysed at least once are taken into account. A new Rating column is available in the tag list, allowing you to quickly check the level of each tag.
The tag details page shows the rating, if any, next to the tag name, and a new Web Application Ratings widget gives a quick overview of how the ratings of the web applications associated with the tag are distributed and how they lead to the tag's rating. Clicking a section of the chart takes the user directly to the list of corresponding web applications.
User experience improvements
Purplemet's user interface has been redesigned to make it clearer and more practical.
The following changes improve the experience when viewing data lists: tabs are easier to identify, the horizontal and vertical scrollbars are always visible, the navigation buttons have been repositioned and made more accessible, and the buttons for configuring, exporting and performing actions on the data in a list are more visible.
Thanks to the new Data List Settings section of their profile, each user can now choose how many results to display in all data lists. The number of results can still be overridden for an individual list by configuring that list and forcing the value to use. To reset all data lists to the default value, click the Reset Data List Settings button in the Data List Settings section.
Report improvements
The reports generated by the platform have been enhanced to include more information about the web applications, technologies and issues.
- The web application's IP address and certificate have been added to the summary section.
- The version detected for each technology has been added, together with the latest version available in the branch the component follows. Colour codes indicating whether the technology version is up to date are now also supported in reports.
- The summary section now shows the distribution of findings by severity and by type of finding.
- A new Exploited Issues section shows the list of issues that should be treated as a priority because they are known to be exploited on the Internet (i.e. their exploit maturity is set to Attacked).
- The Issues section now includes a new Exploit Maturity column, so the Exploit Maturity value of each returned issue is visible in the report.
- A new appendix is available to provide information on the CWEs associated with the issues included in the report.
Rejected issue
During the lifecycle of an issue, the official source may reject the entry, for example because it is a duplicate or has been replaced by another, more relevant or broader entry.
In that case, the next time the web application is analysed, Purplemet closes the issue as Rejected and it is no longer taken into account when calculating the rating of the web application. Whether an issue has been rejected is shown on the Issue Details page.
API updates
- Domains - New POST /domain/:domainId/analysis API method to launch an on-demand analysis of all web applications of the domain that are accessible to the user.
- Site - New redirection and redirectionInScope properties added to the site schema, carrying the site's redirection information.
- Issues - New exploitMaturity property added to the issue schema, carrying the Exploit Maturity value (Attacked, Proof-of-Concept or Unreported) described above.
- Issues - New exploitDbModules property added to the issue schema, listing the Exploit-DB modules known for the issue, if any.
- Issues - New nucleiTemplate property added to the issue schema, giving the Nuclei template known for the issue, if any.
- Issues - CVSS v4 information added to issue details.
- Technologies - New ossfScorecard property added to the technology schema, providing OpenSSF Scorecard data when available.
- Technologies - New repository property added to the technology schema, giving the URL of the corresponding project repository.
- Subscription - New GET /subscription API method to retrieve subscription details, license and usage.
- Subscription - New GET /subscription/analysis API method to retrieve the list of analyses triggered on the subscription.
- Subscription - New GET /subscription/discovery API method to retrieve the list of domain discoveries triggered on the subscription.
Additional updates
- The analysis logic now accounts for web applications that cannot be fully analysed.
- New action to analyse all web applications in a domain.
- The Launch Analysis action is now a main action on the web application details page.
- Currently licensed assets can be reviewed from the Subscription page.
- The list of IP addresses of Purplemet probes can now be downloaded from the Help menu.
- CVSS scores are now available for Unsafe Component issues.
- References added for Web Security and Unsafe issues.