Changelogs

Invicti Enterprise On-Premises

06 Mar 2018

NEW FEATURES

  • New plugin for integration with TeamCity.
  • New plugin for integration with Jenkins.
  • Added IP Address Restrictions.

IMPROVEMENTS

  • Improved XML and date samples displayed in API documentation.
  • Improved input validation in the reporting page.
  • Improved on-premises installation document for customers using load balancer.
  • Renamed FogBugz integration to Manuscript.
  • Improved validation of custom cookies.
  • New scans launched outside the scan window will be automatically queued.
  • Increased character limit for website name.
  • Added more details to scanner agent’s startup log.
  • Improved installation error message of internal scanner agent.
  • Improved vulnerability request/response data page performance.
  • Improved the navigation of issues and scans. 
  • Improved validation of custom 404 settings in the Scan Policy.
  • Added a “Copy to Clipboard” button for cURL samples in API documentation.
  • Improved API documentation to show request details.
  • Changed date/time format from 24-hour clock to 12-hour clock.

BUG FIXES

  • Fixed HTTP response data that was not displayed correctly for stored XSS vulnerability.
  • Fixed the Github integration which was not working due to a TLS 1.2 connectivity problem.
  • Fixed an issue where the loading icon did not render correctly in IE11.
  • Fixed a font size problem in the PCI DSS reports.
  • Fixed the info messages that were not fitting in the screen on small resolutions.
  • Fixed an issue in which scan profiles could be created with the same name.
  • Fixed a bug with website verification emails which were not being sent.
  • Fixed a bug with vulnerability counts in HIPAA and PCI DSS compliance reports.

31 Jan 2018

NEW FEATURES

  • Added agent grouping support, which allows scans to be launched in a specified agent group. This feature is only available for on-premises standard agents.
  • New API endpoints for getting website and website group details.

IMPROVEMENTS

  • Changed Netsparker Enterprise application’s loading icon.
  • Added an icon to indicate external links.

BUG FIXES

  • Fixed an issue where scans were not launched on on-premises AWS scanner agents.
  • Fixed an issue where realtime scan results were not displayed correctly in IE11.
  • Fixed an issue where proofs were not displayed correctly in the vulnerability details section.

14 Dec 2017

NEW FEATURES

  • Realtime scan results.
  • Added out-of-the-box integration support for FogBugz, Github and TFS issue tracking systems.
  • Grouping of notifications so a single email or SMS alert is sent with a list of all alerts rather than multiple individual alerts.
  • New API endpoint for launching group scans.
  • Scheduling for incremental scans both from the web UI and API.
  • New API endpoint for generating custom scan reports.
  • New scan policy setting to define Web (Session and Local) Storage.
  • New Header Authentication settings to manually add request headers with authentication information.
  • Added support to import links from CSV files.
  • Added support for parsing of gzipped sitemaps.

NEW SECURITY CHECKS

  • Check for reflected Code Evaluation in Apache Struts 2 (CVE-2017-12611).
  • Check for Remote Code Execution in Apache Struts (CVE-2017-5638).

IMPROVEMENTS

  • Scan Time Window setting is now available to new group scans page.
  • Improved scan stability and performance.
  • Improved default Form Values settings.
  • Updated external references for several vulnerabilities.
  • Updated default User-Agent HTTP request header string.
  • Changed API endpoints to return 201-Created response status code for new resources.
  • Added several UI improvements for WCAG guidelines compliance.
  • Improved the email template that reports issues.
  • Added “Attack Parameters” information to Scanned URLs report.
  • Renamed the “Important” vulnerability severity to “High”.
  • Added Form Authentication performance data to Scan Performance knowledge base node.
  • Improved Active Mixed Content vulnerability description.
  • Improved DOM simulation for events attached to document object.
  • Added parsing of “Alternates”, “Content-Location” and “Refresh” response headers.
  • Improved CSP engine performance by checking CSP Nonce value per directory.
  • Changed sqlmap payloads to start with sqlmap.py, including the .py extension.
  • Added --batch argument to sqlmap payloads.
  • Removed Markdown Injection XSS attack payloads.
  • Added ALL parameter type option to the Ignored Parameters settings.
  • Added gtm.js (Google Tag Manager JS library) to the default excluded scope patterns.
  • Updated the Accept HTTP header value for default scan policy.
  • CSS exclusion selectors now support frames and iframes.
  • Added embedded space parsing for JavaScript code in HTML attribute values.
  • Added parsing source information to Scanned URLs List and Crawled URLs List (JSON) reports.
  • Email disclosure will not be reported for email addresses used in form authentication credentials.
  • Added focus and blur event simulation for form authentication set value API calls.
  • Added more information about HTML forms and input for vulnerabilities found in HTML forms.
  • Added a JavaScript option to specify JavaScript cookies to persist across authentication and DOM simulation.
  • Added Parameter Value column to the Vulnerabilities List report in CSV format.
  • Added match by HTML element id for form values.
  • Added “Ignore document events” to JavaScript settings to ignore triggering events attached to document object.
  • Improved Windows Short Filename vulnerability details Remedy section.
  • URL Rewrite parameters are now represented as asterisks in sqlmap payloads.

BUG FIXES

  • Fixed an issue where the AutoSave filename was missing when resuming a scan.
  • Fixed an issue where “Test” button of authentication settings does not work as expected.
  • Fixed an issue where model binding does not work as expected for scan profile API endpoints.
  • Fixed CSRF vulnerability reporting on change password forms.
  • Fixed case sensitivity checks while matching ignored parameters; matching is now case-sensitive.
  • Fixed the incorrect disabled external references section in WordPress Setup Configuration File template.
  • Fixed various source code disclosure issues.
  • Fixed an escaping issue with CSS exclusion selectors.
  • Fixed the issue where the basic authentication credentials were not being sent on logout detection phase.
  • Fixed a random DOM simulation exception that occurred when the site created popup windows.
  • Fixed a RemotingException that occurred in the Form Authentication Verifier.
  • Fixed a possible NullReferenceException on Form Authentication.
  • Fixed the broken form authentication custom script when the last line of the script is a single line comment.
  • Fixed excessive memory usage when deserializing huge parameter values.
  • Fixed incorrect URLs being added that consisted only of extension values.
  • Fixed a NullReferenceException which may be thrown while importing a swagger file.
  • Fixed form authentication not triggered on retest.
  • Fixed StackOverflowException in swagger parser thrown while parsing objects containing circular references.
  • Fixed a swagger file parsing issue: the target URL is now used when the host field is missing.
  • Fixed swagger importer by ignoring any metadata properties.
  • Fixed a NullReferenceException that occurred during DOM simulation.
  • Fixed the incorrect URLs parsed on attack responses.
  • Fixed the redundant duplicate HTTP requests issued by Web App Fingerprinter.
  • Fixed ignore parameter issue for parameters containing special characters.
  • Fixed a NullReferenceException that occurs for select elements missing option elements on multipart requests.
  • Fixed missing vulnerabilities requiring late confirmation for incremental scans.
  • Fixed a NullReferenceException that could occur in iframe security checks.

26 Sep 2017

NEW SECURITY CHECK

  • Added “Out of Band Code Evaluation (Apache Struts 2)” security check (CVE-2017-9805).

19 Sep 2017

NEW FEATURES

  • Added scan policy settings for CSRF security checks.
  • Added ability to use custom HTTP headers during scan.
  • Added attacking optimization option for recurring parameters on different pages.
  • Added a new knowledge base item called Site Profile that lists information about the target website, such as the web server operating system, database server, and JavaScript libraries used.
  • Redesigned the Basic, NTLM, Digest and Kerberos authentication settings, which now support multiple credentials for different URL paths.

NEW SECURITY CHECKS

  • Added Referrer Policy security checks.
  • Added markdown injection XSS patterns.
  • Added HostIP and IPv6 patterns to MySQL and SSH SSRF security checks.
  • Added Database Name Disclosure security checks for MS SQL and MySQL.
  • Added Out of Date security checks for several JavaScript libraries.
  • Added Remote Code Evaluation (Node.js) security checks.
  • Added SSRF detection with server-status.
  • Added user controllable cookie detection.
  • Added Context-Aware XSS detection by generating XSS payloads based on the reflected context without breaking it.
  • Added Default Page checks for IIS 7.0, 7.5, 8.5 and 10.0.
  • Added IIS 10.0 Version Disclosure checks.
  • Added WordPress Setup Configuration File checks.

IMPROVEMENTS

  • Improved design of the group scan email template.
  • Improved accessibility of several pages to follow WCAG guidelines.
  • Optimized compression time while archiving the raw scan files.
  • Added support for launching scheduled scans manually.
  • Disabled scheduled scans if the license is expired.
  • Updated the links to several external references.
  • Improved JavaScript and CSS resource parsing.
  • Added DOM simulation options to scan policy optimizer wizard.
  • Improved Mixed Content vulnerability reporting by separating them according to resource types.
  • Improved boolean SQL injection detection for redirect responses.
  • Improved WSDL parsing for files that contain optional extensions.
  • Improved .sql file detection signature.
  • Added extra confirmation for weak credentials detection.
  • Added scan policy option to allow XHR requests during DOM simulation.
  • Added form value for password input types to default scan policy.
  • Increased the maximum response size limit for JavaScript resources.
  • Improved the send to JIRA error message.
  • Added maximum number of option elements per select element to simulate scan policy setting.
  • Added a “Filter colon events” scan policy option to skip events whose name contains a colon character during DOM simulation.
  • Improved error based SQLi exploitation by generating prefix/suffix dynamically.
  • Improved command injection vulnerability detection by prepending original parameter value to attack payload.
  • Improved LFI vulnerability detection by detecting HTML and URL encoded PHP source codes.
  • Improved LFI attack patterns.
  • Improved DOM XSS attack patterns.
  • Improved DOM/JavaScript simulation.
  • Improved the performance of email address disclosure detection.
  • Improved the performance of database connection string disclosure detection.
  • Improved the performance of JavaScript library detection.
  • Improved the performance of RoR database configuration detection.
  • Improved Blind Command Injection detection on Linux systems.
  • Improved resource finder to find more hidden resources.
  • Improved support for simulating customized select elements.
  • Improved NTLM, Digest and Kerberos authentication support.
  • Improved DOM simulation stability and performance.
  • Improved the default parameter name list for Parameter Based Navigation.
  • Added NTLM and Digest authentication support to the generated sqlmap and cURL commands.
  • Improved boolean and blind SQL injection checks for MySQL databases.
  • Improved blind SQL injection checks for PostgreSQL databases.
  • Improved reflected and stored XSS detection.
  • HSTS checks now report missing preload directives.
  • Updated Korean translation.
  • Improved JSON response parsing.
  • Improved DOM based XSS payloads by prepending a URL to the referer so that they work in real web browsers.
  • Improved email disclosure checks by checking host names against the public suffix list.

BUG FIXES

  • Fixed a NullReferenceException which may have been thrown while editing the settings of a user.
  • Fixed an issue where email notifications were not sent for unconfirmed phone numbers.
  • Fixed an error which may have been thrown while deleting an account.
  • Fixed an issue where error based SQLi confirmation is done based on the first seen database signature when multiple signatures appear in source code.
  • Fixed the duplicate import link issue.
  • Fixed an issue where XSS is missed when injected payload is not executed due to a syntax error.
  • Fixed crawling of URLs on pages where base element points to some other URL.
  • Fixed an issue where blacklisted Invicti attacks prevented further source code disclosures in the HTML response.
  • Fixed an issue where mixed content vulnerabilities are missing because DOM simulation is skipped due to missing JavaScript in HTML source.
  • Fixed issues where empty POST parameter is imported and headers added as disabled for Postman files.
  • Fixed an issue where signature fails to match MS SQL username in error messages.
  • Fixed an issue where a vulnerability was missed because an arbitrary value was not appended to the extra query string parameter name.
  • Fixed the error caused by null bytes in attack patterns while sending vulnerabilities to JIRA.
  • Fixed an incorrect “Password Transmitted over HTTP” issue for relative URLs on pages redirected to HTTPS addresses.
  • Fixed the NullReferenceException thrown while importing certain HAR (HTTP Archive) files.
  • Fixed incorrect “Interesting Header” report for Content-Security-Policy header.
  • Fixed an issue where directory listings were not reported on some IIS versions.
  • Fixed the issue where comments in CSS files are not parsed.
  • Fixed the incorrect URL found in CSS comments.
  • Fixed incorrect CSRF vulnerability reports by taking hidden token input into account.
  • Fixed an IndexOutOfRangeException caused by CSP checks.
  • Fixed the signature pattern which fails to match “Programming Error Message (PHP)” in multiple lines.
  • Fixed markdown XSS attack patterns causing incorrect findings.
  • Fixed incorrect “Interesting Header” reports for some headers.
  • Fixed the incorrect http protocol displayed for SSL vulnerabilities.
  • Fixed an issue where DOM simulation is performed for checking XSS once per XPath.
  • Fixed the maximum crawled URL limit exceeded issue.
  • Fixed duplicate resource finder requests.
  • Fixed the WADL import issue where the operation fails for responses with no status codes.
  • Fixed incorrect HttpOnly reports for XSRF-TOKEN cookies; by design these cookies must be readable from JavaScript code.
  • Fixed the incorrect missing object-src report on CSP checks.
  • Fixed an issue where default crawled value is double-encoded instead of single.
  • Fixed the missing content for Site Profile section of Knowledge Base report.

21 Jul 2017

NEW FEATURES

  • Added support for integrating Invicti Enterprise with JIRA issue tracking system. (BETA)
  • Added support for scanning internal websites in Invicti Enterprise.
  • Added proxy support for on-premises scanner agents.

IMPROVEMENTS

  • Decreased scan results’ registration time by optimizing database queries.
  • Added several improvements for running Invicti Enterprise on-premises on AWS.
  • Added more information (such as Total Requests and Average Speed) to the detailed scan report.
  • Improved code samples used in API documentation.
  • Improved help text and messages. 
  • Added delete button to website edit page.
  • Improved scanner agent’s startup script to ensure agent is started properly.
  • Improved sign-in/logout flow to make user sessions more secure.
  • Reviewed and fixed duplicate IDs in HTML elements.
  • Improved design of the email templates.
  • Updated AWS SDK to the latest version.
  • Added Korean support to scan report API endpoint. 
  • Added support for setting preferred agent name via API.
  • Added status information to preferred agent section on the new scan page.

FIXES

  • Fixed an issue with the archiving of raw scan files.
  • Fixed the total website count which was incorrect on manage website groups page.
  • Fixed the user’s date format that was not used while selecting dates on account settings page.
  • Fixed the account settings page which was not displayed properly in high-DPI screens.
  • Fixed a bug where issue counts were not displayed correctly on website dashboard page.
  • “JavaScript – Elements To Skip” setting is now set properly in the new scan policy page.
  • Expired license error is now returned properly in API endpoints.
  • Fixed issues with the order of the websites in the “Websites That Have Shortest Fix Time” widget.
  • Fixed an error which was being thrown when adding a website via API in Invicti Enterprise on-premises.
  • Fixed CVE links in scan report page.
  • Fixed a bug in website verification API endpoint.
  • Fixed a NullReferenceException which was being thrown while exporting CSV reports.
  • Fixed a bug where the CSV comma separator was not remembered on Export to CSV pages.
  • Fixed an error which was being thrown while deleting a scan profile.

07 Apr 2017

New Features

  • A wizard to assist first time users add a new website and setup a web security scan.
  • Late confirmation of vulnerabilities (vulnerabilities can be confirmed after the scan has finished with Invicti Hawk).

New Security Checks

  • New security check that detects insecure targets in Content Security Policy.
  • Added checks for exposure of trace.axd in …

Improvements

  • Improved Boolean SQL Injection detection.
  • Updated the Local File Inclusion vulnerability classifications.
  • Improved Trace/Track security checks.
  • Improved coverage of XSS engine in redirects.
  • Added policy optimization support for SSRF security checks.
  • Added exploit generation support for “Cross-site Scripting via Remote File Inclusion” vulnerability.
  • Added a specialized parser to parse JavaScript responses better to reduce discovering incorrect links.
  • Improved form authentication logout detection by ignoring the responses of some attacks to prevent incorrect logout detections.
  • Added VDB support to Blind & Boolean SQLi post exploitation.
  • Added support for checking Open Redirection vulnerability on Refresh response header.
  • Added the XPath information of the element that causes the DOM XSS vulnerability.
  • Added “Sub Path Max Dynamic Signatures” setting for Heuristic URL Rewrite detection.
  • Added a JavaScript scan policy option to reduce triggered event count during the simulation.
  • Added a JavaScript scan policy option to exclude HTML elements such as logout buttons from event simulation by CSS selectors.
  • Added checks for vulnerabilities which sink into window.name capability for DOM XSS security checks.
  • Improved the coverage of the Local File Inclusion engine so the vulnerability can be found in a full URL attack.
  • Changed severity numbers’ style on scan result pages.
  • Added support for editing scan time window settings for running scans.
  • Highlighted special fields of vulnerability notes on the scan report page.
  • Settings of completed scans are automatically applied to new scans when a user launches a new scan from the recent scans page or scan report page.
  • Improved notifications email templates.
  • Improved help text by adding netsparker.com article links to relevant sections.
  • Improved input validation for request rate limit settings on the scan policy page.
  • Added support for remembering previously entered filters on list pages.
  • Added support for selecting the CSV separator when exporting scan reports.
  • Added support to allow users to re-verify logout settings on the form authentication verification dialog.

Bug Fixes

  • Fixed several issues related to DOM parsing and simulation.
  • Fixed a NullReferenceException thrown by HTTP Methods checks.
  • Fixed a StackOverflowException caused by JSON responses with too many nested elements.
  • Fixed Proof of Concept generation during post exploitation for time based SQLi checks.
  • Fixed a NullReferenceException while confirming a Boolean SQLi vulnerability.
  • Fixed an issue where scan is paused when an additional host is unreachable.
  • Fixed typos in CSP vulnerability templates.
  • Fixed an issue where ignored emails are still reported as knowledge base issue.
  • Fixed an issue where source code disclosure is reported in JS and CSS files.
  • Fixed an SQL exploitation issue where executing a SQL query that expected an integer result failed for PostgreSQL databases.
  • Fixed a Text Parser issue where single quote characters were being captured as part of links.
  • Fixed the incorrect path disclosure caused by the Shellshock attack.
  • Fixed missing SSRF proofs under Proofs knowledge base.
  • Fixed incorrect encoded parameter names for multipart/form-data forms.
  • Fixed the performance of recrawling for DOM XSS checks on websites with many links.
  • Fixed the incorrect CR LF encoding issues on proof URLs.
  • Fixed DOM Parser clearInterval JavaScript function simulation.
  • Fixed an issue where a stored XSS vulnerability was reported in an XHR response rather than in the page that makes the XHR request.
  • Fixed an issue where Boolean SQL Injection vulnerability is missed due to crawled parameter value.
  • Fixed an issue where reflected XSS vulnerability is missed because the reflected payload is HTML encoded in an attribute.
  • Fixed an issue where Text Parser does not handle the same referenced JavaScript in different files.
  • Fixed an issue where timezone is not being set correctly when a validation error occurs on the signup page.
  • Fixed a filtering issue on the Manage Team page.

26 Jan 2017

New Features

  • Authentication & session verification for form based authentication.
  • Credentials test for Basic and NTLM/Kerberos authentication mechanisms.
  • Support for the Invicti Hawk infrastructure, used for detecting SSRF and out-of-band vulnerabilities.
  • Added HTTP request rate limiting options to Scan Policy.
  • Added “Ignored Email Addresses” section in Scan Policy.
  • Added accept and reject options for untrusted SSL certificates.
  • Added an option to disable automatic detection of 404 error pages.
  • Support for importing Postman files.

New Security Checks

Improvements

  • Improved the performance of several link importers.
  • Added “Bearer Token” support for form authentication.
  • Added confirmation for Frame Injection vulnerabilities.
  • Added http: and https: checks for CSP vulnerability detection.
  • Improved link importers – redundant CONNECT requests are now excluded.
  • Optimized attacker performance for links containing single parameter.
  • Optimized crawling parser by skipping DOM simulation on pages with static content.
  • Improved coverage of CORS security check with extra attacks.
  • Removed GWT attacks from file upload security checks.
  • Improved DOM simulation performance.
  • Improved CSS parsing which now follows CSS import directives.
  • Improved coverage of open redirect security checks by adding/updating attacks patterns.
  • Improved logout detection by skipping JavaScript responses.
  • Added support for “HTTP 410 Gone” and “HTTP 451 Unavailable For Legal Reasons” response status codes.
  • Added CVSS information to more vulnerabilities.
  • Updated vulnerability database.
  • Added URL Rewrite mode to Detailed Scan Report.
  • Added support for configuring websites on manage groups page.
  • Improved the UI & UX of several pages.

Bug Fixes

  • Fixed an issue where a “multiple cookies” issue was reported when it should not have been.
  • Fixed a JSON parsing issue with text parser.
  • Fixed an HTTP response issue where the response could not be read because only BOM bytes are sent on first read attempt.
  • Fixed an issue where a false positive file upload vulnerability might be reported.
  • Fixed several DOM simulation issues on pages that have many iframe elements.
  • Fixed a NullReferenceException while performing an internal MD5 encoding operation.
  • Fixed an encoding issue on a proof URL of an XSS vulnerability.
  • Fixed an issue where “Shell Script Identified” vulnerability is not found when retested.
  • Fixed URL parsing on pages where the URLs were containing whitespace characters like carriage return and line feeds.
  • Fixed a text parsing issue where absolute URLs were converted to invalid relative URLs.
  • Fixed incorrect protocol detection for protocol-relative URLs.
  • Fixed an issue which occurred while importing websites with Unix line endings.
  • Fixed a retest issue which occurs if vulnerable URL contains a dash character.
  • Fixed an issue where SSL details were not shown properly on knowledge base report.

29 Nov 2016

New Feature

  • Email and SMS notifications allowing you to be instantly alerted about scan progress, results and identified vulnerabilities.

Improvements

  • Descriptions in Scan Status have been improved to give a better overview.
  • Added a new crawling option Find and Follow New Links. Previously it was hidden and always enabled.
  • Improved the names of the exported reports by adding the report type as prefix in filename.

Bug Fixes

  • Fixed an issue where the target website screenshot was not being captured.
  • Fixed the CSS styles in some knowledge base items in the scan report page.
  • Fixed an issue where the Upload client certificate button was not working.

17 Nov 2016

Fixes

  • Fixed a licensing bug in a third-party library.

03 Nov 2016

New Technical Check

  • Added “Cookie Header Contains Multiple Cookies” check.

Improvements

  • Improved the Content Security Policy (CSP) and “Misconfigured Access-Control-Allow-Origin Header” vulnerability templates.
  • Improved CSP vulnerability detection by only reporting vulnerabilities on HTML resources.
  • Improved the coverage of the boolean SQL injection vulnerability engine.

Fixes

  • Fixed an issue which was preventing the deletion of multiple websites.
  • Fixed the External CSS, Script and Frame Knowledge Base items which were not considering the port during checks.
  • Fixed an issue in the Open Redirect detection where incorrect URLs may also be reported.
  • Fixed an issue related to the form authentication which prevents logout detection during attacking phase.
  • Fixed a Local File Inclusion (LFI) vulnerability detection issue when attacked with a FullUrl payload.
  • Fixed an incorrect retest result which occurs when the target website is not reachable.
  • Fixed a CSP vulnerability issue for deprecated CSP header name on meta tags.

17 Oct 2016

New Features

  • Added the ability to configure the scanner to scan websites which are linked from the target website.
  • Added the Common Vulnerability Scoring System (CVSS) in vulnerability reports.
  • Added the OWASP Proactive Guide to classification list.

New Web Security Checks

  • Added security checks for Content Security Policy (CSP) web security standard.
  • Added DOM based …

Improvements

  • Improved the Cross-site Scripting (XSS) vulnerability security checks coverage.
  • Renamed “Permanent XSS” vulnerability to “Stored XSS”.
  • Added type ahead search functionality for Scan Policy > Security Checks.
  • Added HTTP methods to AJAX / XML HTTP Requests knowledge base section.
  • Optimized the performance of SOAP web service parsing by skipping the WSDLs that are already parsed.
  • Added Scan Policy > Crawling options to enable/disable parsing of SOAP and REST web services.
  • Improved DOM simulation by simulating “contextmenu” events.
  • Increased the default values for “Maximum Page Visit” and “Max. Number of Parameters to Attack on a Single Page” settings.
  • Improved XML parsing during crawling by parsing empty XML elements as parameters too.
  • Added the ability to attack parameter names.
  • Added a note to vulnerability detail for non-exploitable frame injection.
  • Added .jhtml and .jsp attacks to file upload engine.
  • Improved CORS security checks.
  • Improved Open Redirect engine to detect CNAME injection such as example.com.r87.com.
  • Improved XSS confirmation for vulnerabilities found inside noscript tags.
  • Added an attack pattern to the command injection engine to bypass whitespace filtering using $IFS environment variable.

Bug Fixes

  • Fixed a form authentication issue where the last form authentication sequence requests were prematurely cancelled.
  • Fixed an issue where incorrect PHP source code disclosures are reported for some binary responses.
  • Fixed the broken External Reference link on Remote Code Evaluation (PHP) vulnerability.
  • Fixed a file upload input DOM parsing issue which prevents some file upload attacks.
  • Fixed a form authentication issue that occurred on websites that open popups during the form authentication sequence.
  • Fixed a DOM simulation issue that occurred when there was a form element with name “action” on the target web page.
  • Fixed duplicate “Email Address Disclosure” reporting issue.
  • Fixed a NullReferenceException that occurred during CORS security checks.
  • Fixed a CSRF exploit generation issue where the generated file is empty.
  • Fixed an issue where XSS vulnerability is missed when multiple redirects occur.
  • Fixed a text parsing issue where relative URLs were not supported as base href values.
  • Fixed an issue where Missing X-Frame-Options Header vulnerability is reported even though ALLOW-FROM is included in the header.
  • Fixed an XSS attacking issue where duplicate attacks are made for same payload.
  • Fixed a Header Injection attack issue where first line of the HTTP request gets corrupted on full URL attacks.
  • Fixed an issue where post exploitation does not work sometimes.
  • Fixed a form authentication issue where any slash character in credentials cannot be used.