TotalAppSec Release 2.5 | Web Application Scanning Release 1.25

January 05, 2026

TotalAppSec

Enhanced Security for OAuth2 Client Secret

We have enhanced OAuth2 authentication records to better protect sensitive credentials.

The Client Secret field is now masked when creating or editing an OAuth2 Authentication Record, ensuring the secure handling of confidential information.

This feature applies to both newly created records and updates to existing records.

Expanded API Discovery with RAML Support

The MuleSoft API connector now supports RESTful API Modeling Language (RAML) file formats, in addition to OpenAPI (OAS). This enhancement enables the discovery of APIs defined using RAML, expanding coverage for customers using MuleSoft-standard API specifications.

TotalAppSec and Web Application Scanning

Improved Header Injection Guidance

We have updated the text guidance for the Header Injection field in the Additional Configurations section during web application creation.

The updated guidance provides the correct header format and advises not to include sensitive headers. Headers that require masking in scan reports should be configured under Authentication Record > Headers.

Issues Addressed

| Application | Category/Component | Description |
|---|---|---|
| TAS and WAS | Scan Schedules | We fixed an issue where the search query scan.schedule.nextDate returned incorrect results and displayed inaccurate syntax help. |
| TAS and WAS | Web Application | We fixed an issue where users could not delete a web application, although the required permissions were assigned. |
| TAS and WAS | Web Applications | We fixed an issue where web applications were not sorted correctly when sorted alphabetically by name. |
| TAS and WAS | Scan schedules with tags | We fixed an issue where schedule scans created with tags in the Web Applications and APIs tabs were not displayed in the Application Details > Schedules section. |
| TAS and WAS | Web Application Sitemap | We fixed an issue where the URL status was displayed as NONE in the Web Application Sitemap. |
| TAS and WAS | Detections | An issue was observed when the user tried to download an additional information link from the Results section in the Detection Details page. The issue is fixed. |
| TAS and WAS | Scan Schedule | We fixed an issue where users were unable to select dates in the year 2026 while configuring scan schedules. |
| WAS | WAS Widget | We fixed an issue where WebApp widgets using a ratio combined with a static value failed to calculate and display the correct percentage or number. |
| TAS and WAS | Scan Schedule | We fixed an issue where scheduled scans failed to launch at their configured date and time. |
| TAS and WAS | Detection Details | We fixed an issue where the CWE information for certain QIDs did not appear in Detection Details, even though the data was displayed correctly in the Knowledge Base. |
| TAS and WAS | Detection Details | We fixed an issue where the Last Time Detected value did not display correctly in detections. The field now shows accurate detection timestamps. |
| TAS and WAS | ETM Module | We fixed an issue where third-party customers received an Unauthorized Access error in the ETM module when attempting to open any third-party asset. |
| TAS and WAS | Mandatory Distribution List | When creating a new scan schedule or report schedule, the user was required to create a distribution group, or an additional recipient was needed. You can now use either the Distribution List or the Additional Recipients field to enable notifications. |
| TAS and WAS | Edit API | When the user attempted to edit an API, the Basic Information, Scan Settings, Additional Configurations, and Review & Confirm pages appeared blank. This issue is fixed, and the user can now edit and update the API. |