
Changelog

Tracking updates to the StackHawk platform and HawkScan since 2019

January 15th, 2026

HawkScan (5.2.0)

Improvement

Parameterized URL Alert Triage

Alerts for parameterized endpoints now use consistent fingerprinting across scans. URLs like /users/123 and /users/456 are recognized as the same endpoint pattern (/users/{id}), enabling accurate alert triage and trend tracking even when path parameter values change between scans.
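The fingerprinting described above can be shown in a few lines. The following is an added example, not HawkScan's own implementation: it assumes a hypothetical set of segment heuristics (numeric IDs, UUIDs, long hex strings) and a hypothetical alert shape of rule name, method and path, and then compares two constructed scans so that alerts on /users/123 and /users/456 are treated as the same endpoint pattern.

```python
import re

# Constructed heuristics (not HawkScan's actual rules): a path segment that
# looks like a generated value is replaced with a placeholder. Order matters:
# the UUID check runs before the all-digits check.
_PARAM_PATTERNS = [
    (re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I), "{uuid}"),
    (re.compile(r"^\d+$"), "{id}"),
    (re.compile(r"^[0-9a-f]{16,}$", re.I), "{hash}"),
]


def fingerprint_path(path: str) -> str:
    """Return the endpoint pattern for a concrete URL path.

    The query string and fragment are dropped, and each segment that matches a
    parameter heuristic is replaced with its placeholder. Static segments are kept.
    """
    path = path.split("?", 1)[0].split("#", 1)[0]
    stripped = path.strip("/")
    segments = stripped.split("/") if stripped else []
    out = []
    for seg in segments:
        for pattern, placeholder in _PARAM_PATTERNS:
            if pattern.match(seg):
                out.append(placeholder)
                break
        else:
            out.append(seg)
    return "/" + "/".join(out)


def alert_key(alert: dict) -> tuple:
    """Hypothetical triage key: the rule, the HTTP method and the path pattern."""
    return (alert["rule"], alert["method"].upper(), fingerprint_path(alert["path"]))


def triage(previous: list, current: list) -> dict:
    """Compare two scans' alert lists by fingerprint rather than by literal URL.

    Returns the keys that persisted between scans, appeared for the first time,
    or were resolved.
    """
    prev_keys = {alert_key(a) for a in previous}
    cur_keys = {alert_key(a) for a in current}
    return {
        "persisted": prev_keys & cur_keys,
        "new": cur_keys - prev_keys,
        "resolved": prev_keys - cur_keys,
    }


# Constructed sample data: the same finding on two different user IDs, one
# finding that went away, and one new finding on a UUID-keyed resource.
SCAN_1 = [
    {"rule": "sql-injection", "method": "GET", "path": "/users/123"},
    {"rule": "missing-csp", "method": "GET", "path": "/static/app.js"},
]
SCAN_2 = [
    {"rule": "sql-injection", "method": "GET", "path": "/users/456?verbose=1"},
    {"rule": "sql-injection", "method": "get", "path": "/orders/550e8400-e29b-41d4-a716-446655440000/items"},
]


if __name__ == "__main__":
    for bucket, keys in triage(SCAN_1, SCAN_2).items():
        print(bucket, sorted(keys))
```

Without the fingerprint, the SQL injection alert on /users/123 would show as resolved and the one on /users/456 as new on every scan that picks a different test value; with it, the alert persists under /users/{id} and only the order-items finding is genuinely new.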

Improvement

Global Parameter Priority

User-provided global parameters now correctly override crawl plan default values. Previously, faker expressions or context templates in the crawl plan could take precedence over explicitly configured global parameters.

Fixed

SQL Injection False Positives

Reduced false positives in boolean-based blind SQL injection detection. The scanner now correctly identifies when both true and false condition payloads return identical error pages, skipping alerts in these cases. Alert details now include both request/response pairs for easier validation.

Fixed

Crawl Plan URL Handling

Fixed an issue where URLs could be lost from the scan when using crawl plans with Data Driven Nodes (DDNs). The scanner now safely handles DDN conversion failures and preserves all discovered endpoints.

December 17th, 2025

HawkScan (5.1.0)

Added

React2Shell Vulnerability Detection

New active scan rule (40058) detects React2Shell remote code execution vulnerabilities (CVE-2025-55182, CVE-2025-66478) in Next.js and React Server Components. This critical vulnerability allows unauthenticated attackers to execute arbitrary commands through unsafe deserialization in the React Flight protocol.

Improvement

Smart Crawl Plan Active Scanning

Endpoints discovered by smart crawl plan are now properly fuzzed by the active scanner.

Fixed

Include/Exclude Paths with Smart Crawl Plan

Fixed an issue where includePaths and excludePaths configurations were not being applied to smart crawl plan operations. Path filtering now correctly filters operations before crawl plan execution begins.

December 13th, 2025

HawkScan (5.0.0)

Added

Business Logic Testing with Multi-Profile Scanning

HawkScan now supports multi-profile scanning for comprehensive business logic testing. Configure multiple authentication profiles to automatically test for:

  • BOLA (Broken Object Level Authorization) - cross-user resource access
  • BFLA (Broken Function Level Authorization) - privilege escalation

Read the docs to configure multi-profile testing.

Added

Smart Crawl Plan for OpenAPI

When an OpenAPI specification is configured, HawkScan automatically generates a smart crawl plan that understands your API's structure and data relationships, enabling more effective security testing.

Added

Evidence Chain for Authorization Alerts

BOLA and BFLA alerts now include evidence chains showing the cross-profile access attempts and responses.

Improvement

Pre-flight Authentication Check

Multi-profile scans now verify authentication for all profiles before starting the scan, failing fast if credentials are invalid.

Improvement

Multiple OpenAPI File Support

HawkScan can now merge multiple OpenAPI specification files into a unified API definition.

Improvement

gRPC Custom Variables

Added object notation and path filtering for custom variables in gRPC configurations.

Improvement

Native Trust Store

HawkScan can now use the native system trust store on multiple operating systems.

Added

Sensitive Data Detection Plugins

New passive scan plugins detect sensitive data exposure in HTTP responses:

  • Credit Card Numbers (100008)
  • Email Addresses (100009)
  • HTML Comments (100011)
  • IBAN Numbers (100012)

Fixed

Authentication Redaction

External command authentication parameters are now properly redacted in logs and output.

Fixed

SQL Injection False Positives

Reduced false positives in the SQL Injection scan rule for applications with input validation:

  • Improved response comparison by stripping all query/form parameter values (not just the tested parameter) to handle validation error messages with non-deterministic ordering
  • Added 4xx status code detection to skip alerts when both original and attack responses return the same 4xx status, indicating input validation rejection rather than SQL injection behavior
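The two false-positive reductions on this page (the January 2026 note, which skips an alert when the true and false condition payloads produce identical responses, and the two bullets just above, which strip every parameter value before comparing and skip when both original and attack responses share a 4xx status) can be shown together as one decision routine. The following is an added example, not HawkScan's own code: the `Response` type, the `<v>` placeholder, the verdict strings and the three constructed scenarios are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Response:
    """Constructed stand-in for an HTTP response: status code and body text."""
    status: int
    body: str


def normalize_body(body: str, params: dict) -> str:
    """Replace every submitted parameter value (not only the tested one) with a
    placeholder, so echoed input and validation messages that list the rejected
    values in a non-deterministic order compare equal. Longest values are
    replaced first so a short value never partially clobbers a longer one."""
    out = body
    for value in sorted((v for v in params.values() if v), key=len, reverse=True):
        out = out.replace(value, "<v>")
    return re.sub(r"\s+", " ", out).strip()


def boolean_blind_verdict(params, tested_param, true_payload, false_payload,
                          original, true_resp, false_resp):
    """Decide whether a boolean-based blind SQL injection probe should alert.

    Returns 'alert', or one of the skip reasons:
      skip:same-4xx          original and both attacks share one 4xx status (input validation)
      skip:true-equals-false true and false conditions behaved identically (no evidence)
      skip:inconclusive      responses differ but not in the expected true/false pattern
    """
    # Rule 1: a 4xx that the original request already gets, and that both
    # payloads get too, is input validation rejecting the value, not SQL behaviour.
    if 400 <= original.status < 500 and original.status == true_resp.status == false_resp.status:
        return "skip:same-4xx"

    true_params = {**params, tested_param: true_payload}
    false_params = {**params, tested_param: false_payload}
    base = (original.status, normalize_body(original.body, params))
    t = (true_resp.status, normalize_body(true_resp.body, true_params))
    f = (false_resp.status, normalize_body(false_resp.body, false_params))

    # Rule 2: if the true and false conditions return the same (normalized) page,
    # the injected condition was never evaluated by a database.
    if t == f:
        return "skip:true-equals-false"

    # Rule 3: the classic signal is true == baseline and false != baseline.
    if t == base and f != base:
        return "alert"
    return "skip:inconclusive"


def run_examples() -> dict:
    """Three constructed scenarios; returns the verdict for each."""
    params = {"id": "5", "sort": "asc"}
    t_payload, f_payload = "5 AND 1=1", "5 AND 1=2"

    # A genuinely injectable lookup: the true condition keeps the record, the false one drops it.
    injectable = boolean_blind_verdict(
        params, "id", t_payload, f_payload,
        Response(200, "User 5 found (sort=asc)"),
        Response(200, "User 5 AND 1=1 found (sort=asc)"),
        Response(200, "No user found (sort=asc)"),
    )
    # Input validation that echoes all rejected values in varying order: without
    # stripping 'asc' as well, the two bodies would differ and a false alert would fire.
    validated = boolean_blind_verdict(
        params, "id", t_payload, f_payload,
        Response(200, "User 5 found (sort=asc)"),
        Response(400, "Rejected input: asc, 5 AND 1=1"),
        Response(400, "Rejected input: 5 AND 1=2, asc"),
    )
    # The original request is already rejected with a 4xx, and so are both payloads.
    already_4xx = boolean_blind_verdict(
        {"id": "abc"}, "id", "abc AND 1=1", "abc AND 1=2",
        Response(422, "id must be numeric"),
        Response(422, "id must be numeric"),
        Response(422, "id must be numeric"),
    )
    return {"injectable": injectable, "validated": validated, "already_4xx": already_4xx}


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print(f"{name}: {verdict}")
```

The second scenario is the one the bullets above address: stripping only the tested parameter would leave `asc` in both bodies at different positions, so the responses would compare unequal and the scanner would have no way to tell that the application rejected both payloads for the same reason.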

November 13th, 2025

StackHawk Platform

Added

Test Coverage for OWASP LLM Top 10

StackHawk now tests for five critical LLM risks from the OWASP LLM Top 10:

  • LLM01: Prompt Injection
  • LLM02: Improper Output Handling
  • LLM04: Unbound Consumption
  • LLM06: Sensitive Data Disclosure
  • LLM09: System Prompt Leakage

Read the docs to enable test coverage.

October 23rd, 2025

StackHawk Platform

Added

Semgrep Integration

The official Semgrep integration is live, allowing joint users to correlate StackHawk DAST findings with Semgrep SAST results. When both tools identify the same vulnerability, findings are automatically linked to eliminate duplicates and provide unified remediation context.

September 29th, 2025

HawkScan (4.8.0)

Fixed

Scan Token Timeout

Fixed an issue where final results were not being uploaded to the platform for long running scans.

September 19th, 2025

HawkScan (4.7.0)

Improvement

HSTE Update

Beta Scan Rules:

  • Active: API Broken Authorization 40050
  • Active: API Broken Function Level Authorization 40051
  • Active: API Lack of Rate Limiting 40052
  • Active: API Broken Authentication 40053
  • Active: API Broken Object Property Level Authorization 40054
  • Active: API Enhanced Broken Object Level Authorization 40055
  • Active: API Active IDOR Validation 40056
  • Active: API Unrestricted Resource Consumption 40057
  • Active: API Server Side Request Forgery 40048
  • Active: LLM Injection 40049
  • Active: GraphQL Circular Reference 40099
  • Active: GraphQL Deep Recursion Query Attack 40100
  • Active: GraphQL Interface Exploit 40101
  • Active: GraphQL Batch Query 90052
  • Active: GraphQL Resource Intensive Query 90053
  • Active: GraphQL Introspection Exploit 90054
  • Active: GraphQL Field Suggestion Exploit 90055
  • Active: GraphQL Interface Protection Bypass 90056

Updated Rules:

  • Update: MongoDB Injection Timing Rules (improved accuracy, better timing analysis)
  • Update: MongoDB Injection Regular Rules (improved accuracy, fewer false positives)

Improvement

Hosted OpenAPI Support

Added openapi.usePlatform for directly fetching and using generated OpenAPI specifications from code repositories that are mapped, on the platform, to the scanned application.

Improvement

Application Scanning

The scanned application name is now included in the HawkScan terminal output banner.

Fixed

External Command Authentication Redaction

The configured app.redact setting now also applies to external command authentication parameters.

September 10, 2025

StackHawk Platform

Added

Hosted Scanner

Hosted Scanning enables users to run scans directly from the StackHawk infrastructure.

August 28, 2025

StackHawk Platform

Added

Model Context Protocol (MCP) Server

Embed StackHawk's DAST & API security testing directly in your MCP-enabled AI code assistants like Cursor, Claude Code, and Windsurf. With our MCP server, developers get real-time vulnerability detection and remediation using intuitive, natural language commands.

August 19, 2025

StackHawk Platform

Added

OpenAPI Spec Generation

StackHawk now automatically and continuously generates OpenAPI specifications from your source code using AI. Current support includes Java/Spring and JavaScript/Express.js applications.

July 2nd, 2025

HawkScan (4.6.0)

Improvement

HSTE Update

  • Update Proxy Disclosure Rule (improved accuracy)
  • Update MongoDB Injection Rules, Timing and Regular (improved accuracy, fewer false positives)
  • Additional GraphQL Tests in Beta:
    • Passive: Endpoint Detected 90051
    • Active: Batch Query 90052
    • Active: Resource Intensive Query 90053 (series 1-4)
    • Active: Introspection Exploit 90054
    • Active: Field Suggestion Exploit 90055
    • Active: Interface Protection Bypass 90056
    • Passive: Introspection Detected 90050
    • Active: Circular Reference 40099
    • Active: Deep Recursion Query Attack 40100
    • Active: Interface Exploit 40101

Improvement

waitForAppTarget Custom Header

Added support for sending a custom header when using waitForAppTarget.

Improvement

API Paths Sorting

Added deterministic sorting to API-path output for cleaner, predictable diffs.

Improvement

gRPC Reflection Support

Added gRPC v1 and v1alpha reflection handling to service handlers.

Improvement

Authentication Validation

Fixed authentication validation so that it no longer depends on starting the perch daemon.

Fixed

Rolling-Appender Log Order

Corrected rolling-appender logic so hawkscan.log entries stay in chronological order.

Improvement

Hosted OpenAPI Support

Support for fetching AI generated OpenAPI specs.

Improvement

Base-Image Upgrade to Ubuntu 22.04

Migrated build base image to Ubuntu 22.04.

June 9th, 2025

StackHawk Platform

Added

Sensitive Data

Connected repositories can now be scanned for Sensitive Data terms, like PII, PCI and PHI word patterns, that can be detected within repositories and reviewed in the API Discovery view.

April 28th, 2025

HawkScan (4.5.0)

Improvement

OSX signing and notarization

The HawkScan pkg install is now fully signed and notarized by Apple to avoid security warnings when installing.

Fixed

Large log files are fully sent to StackHawk platform

When HawkScan generated multiple large log files, not all of them were uploaded to the platform. This has been fixed, and the maximum log file limit is now configurable.

Added

OpenAPI helper tool merge command

The openapi-helper CLI tool now has a merge command to facilitate merging OAS files.

February 4th, 2024

StackHawk Platform

Improvement

Multiple Project Management tool support

Improvements to our Jira Cloud and Azure DevOps integrations now allow administrators to connect multiple workspaces to a single StackHawk organization.

Improvement

Project Management tool selection

Triaging findings with multiple workspace ticketing integrations connected will give the option to select the preferred ticketing tool.

January 29th, 2025

HawkScan (4.4.0)

Fixed

Failed Authentication Request/Response

Fixed an issue where HawkScan was not showing requests and responses for failed authentication.

Fixed

Passive Scan Stats

Fixed issue where scan stats were not showing up for all scans.

Improvement

Java Opts Command Line Options

Allows users to pass JVM arguments/options to HawkScan via the --hawk-jvm-opts command line option.

Improvement

Automatically Enable Scripts in Scan

Passive/active script scanning is now enabled automatically, without it having to be expressly set in the scan policy.

Improvement

Brew Installer

Installs the correct version of Java when installing from Homebrew.

Fixed

Java Version

Throws an exception and stops the scan if no compatible version of Java is found.

Improvement

Dependency Updates

Updated outdated dependencies.

Improvement

Remote OS Command Injection

Introduced a separate timing-based attack for detecting unauthorized execution of operating system commands.

December 11th, 2024

StackHawk Platform

Added

Product Update 🎄🎁

Explore all the features we've recently released in our new product update.

October 30th, 2024

HawkScan (4.3.0)

Improvement

WSDL File Base Path

When using a wsdl filePath, the SOAP parser will use the directory of the specified file as the base directory for resolving linked files.

Improvement

HTTP Request display

Updated the HTTP request display to accurately show what was sent over the network.

Fixed

Specifying Outbound Proxy in stackhawk.yml

Fixed issue where HawkScan was not resolving the hawk.outboundProxy configuration before trying to authenticate to the platform.

Fixed

Hawk Plugin Commands

Fixed null pointer exceptions when running hawk register plugin and hawk list plugin.

October 14th, 2024

HawkScan (4.2.0)

Improvement

Log Cleanup

Reduced noisy debug logs by moving them to the trace level.

Fixed

Http Log Redaction

Enhanced sensitive data protection by redacting specified headers from logs when using --log-http.

Added

External Command Timeout

Added a timeout for externalCommand authentication to exit problematic scripts sooner.

Fixed

Intermittent Hanging on Scans

Fixed an issue where HawkScan would sometimes hang while scanning.

Improvement

gRPC Auto Input Vectors

Added gRPC auto input vectors to speed up scanning.

Improvement

Ignore Unimplemented gRPC Methods

The scanner will now skip paths that are not implemented on the gRPC server.

Improvement

Allow small OpenAPI spec

Allow for OpenAPI specs where the only route is the testPath.

Added

Hosted Scan Configuration

HawkScan can now run with a configuration hosted on https://app.stackhawk.com/ by running hawk scan hawk://policy-name.

August 7th, 2024

StackHawk Platform

Added

Organization Scan Policy Management

Added a page in the organization settings for management of Organization Scan Policies and to review readonly StackHawk Scan Policies. Organization Scan Policies allow teams to choose which vulnerability checks are applicable to their StackHawk scans, improving scan performance and accuracy.

July 26th, 2024

HawkScan (4.1.0)

Added

Organization Level Scan Policy

Added support for scan policies defined at the organization level.

Added

Check for polyfill.io Vulnerability

Added a check to test for the polyfill.io CDN vulnerability.

Fixed

Progress Bar Display

Fixed an issue where the progress bar was displayed multiple times in the terminal output.

Fixed

Updating HawkScan from .pkg Installer

Fixed an issue where HawkScan was not available on the command line after upgrading.

Fixed

OpenAPI Parsing

Fixed issues where HawkScan could not parse some OpenAPI 3.1 specs.

Fixed

GraphQL Configuration Banner Display

Fixed an issue where the GraphQL configuration file was not shown in the console output.

Improvement

Scan Policy Display in Banner

The scan policy used for the HawkScan run is now shown in the console output.

Improvement

Updated Details in SARIF Output

Updated details with more information in the SARIF output.

Improvement

Updated OpenAPI Helper

Improved OpenAPI parsing for the HawkScan OpenAPI helper tool.

June 27th, 2024

HawkScan (4.0.0)

Added

Use HSTE (HawkScan Testing Engine) instead of ZAP

Switched the scanner to HSTE, a renamed fork of ZAP that the StackHawk team has been maintaining. To learn more about this change see the link to the blog post below. Please note that if you are using custom scripts, all references to org.zaproxy.zap should be renamed to com.stackhawk.hste.

Added

Multiple API spec support for OpenAPI and gRPC

The app.openApiConf and app.grpcConf settings now support .filePaths, allowing multiple specification files to be used in a single scan configuration. This is especially useful when an API is composed of multiple lambdas.

Added

PassiveScan script support

Passive scripts can now raise alerts in StackHawk by registering a custom plugin id, like active scripts. This is useful to create alerts for PII data, missing HTTP headers, and more.

Added

New details to SARIF output

Added links and more details about the alert to the SARIF output format's new markdown fields.

Improvement

Updated the scan throttle settings to increase scan speed

The default throttle settings have been tuned to facilitate faster scanning. Users with scanner resource constraints may need to adjust these settings back to their lower values to avoid crashes due to resource consumption.

Fixed

Custom data variables override example data in OpenApi spec

Custom data variables in the StackHawk configuration now override example variables in the OpenAPI spec at runtime.

Improvement

Docker user changed from zap to steve

The stackhawk/hawkscan Docker image's default non-privileged user is now named steve instead of zap. The home and default working directory have also been updated to reflect this change and are /home/steve and /steve respectively. For reference, the StackHawk mascot's name is Steven S. Hawk ;).

June 27th, 2024

StackHawk Platform

Added

Scan policy name in the scan details pane

The scan policy name is displayed in the scan details pane indicating which policy was chosen for the scan run.

May 30th, 2024

StackHawk Platform

Improvement

Official Support for Multiple GitHub Integrations

Connect multiple GitHub Accounts or Organizations to a single StackHawk Organization.

May 10th, 2024

HawkScan (3.9.0)

Fixed

GraphQL Misconfiguration Error

Fixed an issue where a validation error was thrown when the GraphQL configuration specified both file and filePath.

Improvement

StackHawk Config JSON Schema

Updated StackHawk JSON schema to the latest version.

Improvement

HawkScan Launcher Icons

Updated the HawkScan Launcher items for .msi and .pkg installs.

Fixed

Wait For App Target

Fixed a bug where the waitForAppTarget feature would exit after 64 attempts.

Improvement

HTTP Request/Response Logging

Captures more HTTP logs from earlier in the scan.

Improvement

gRPC Data Generation

Allow configuration of the recursion depth of gRPC data generation in the StackHawk.yml.

Added

Prompt For API Key

Added a feature that will prompt and create an API key when HawkScan detects no API key is installed.

May 7, 2024

StackHawk Platform

Improvement

Account Set Up

Simplified the sign-up form for new users.

Improvement

Getting Started Page

This update introduces new video resources to help new users run their first scan successfully and get started with StackHawk quickly.
