Invicti Enterprise On-Premises

New Features

• Completely revamped the Invicti Enterprise vulnerability tracking system.

Improvements

• Improved the users’ permissions as explained in Understanding and configuring Invicti Enterprise users permissions.
• Added several tooltips in the UI.

Bug Fixes

• Fixed wrong websites threat levels (they were just representing the last scan’s threat level).
• Fixed the security overview chart which was showing only the last scan’s threat level for each website.

NEW FEATURES

• Support and Scanning of RESTful web services.
• Auto Heuristic URL Rewrite Rules can be used with Custom URL Rewrite rules during a website security scan.
• New Reporting utility.
• Added the new option “Crawl & Attack at the Same Time” setting to new scan page.

NEW SECURITY CHECKS

• Added Samesite cookie attribute check.
• Added Reverse Tabnabbing check.
• Added Subresource Integrity (SRI) Not Implemented check.
• Added Subresource Integrity (SRI) Hash Invalid check.
  

IMPROVEMENTS

• Various memory usage improvements to better handle large websites.
• Improved vulnerability templates by adding product information when a 3rd party web application (WordPress, Drupal, Joomla, etc.) is discovered.
• Improved DOM simulation by supporting HTTP responses that is translated to HTML web pages using XSLT.
• Improved coverage of Local File Inclusion security check engine.
• Improved the automatic form authentication script to click the “button” HTML elements if no suitable button is found.
• Improved the “HTML Base Tag Hijacking” vulnerability template.
• Improved the long-term memory usage of the DOM simulation and cross-site scripting (XSS) scanning.
• DOM simulation smart filtering now prunes unnecessary DOM branches.
• Improved the detection of “Redirect Body Too Large” vulnerability.

BUG FIXES

• Fixed the “Cross-site Scripting via Remote File Inclusion” vulnerability, which was not being confirmed automatically.
• Fixed the incorrect form value issue when the #DEFAULT# form value is removed.
• Fixed an HTTP Archive Importer issue during which the POST method was parsed as GET when postData is empty.
• Fixed a bug in which a GWT parameter that contained a Base64 encoded value was not detected.
• Fixed a time span parsing bug in Knowledge base report templates.
• Fixed an issue in which some vulnerabilities are treated as fixed while retesting.
• Fixed an issue in which XSS proof URL was missing alert function call.
• Fixed the broken “Generate Debug Info” function of JavaScript simulation feature.
• Fixed a NullReferenceException that can be thrown by the Subresource integrity security checks.
• Fixed cURL login sample in API documentation.

NEW SECURITY CHECKS

• Detection of a Remote Code Execution via File Upload in ImageMagick (aka ImageTragick)

New Features

• Ability to export the scanners’ findings as ModSecurity web application firewall rules.
  
• Scan Time Window that allows you to specify when the scanner can scan your website or not.

NEW SECURITY CHECKS

• Detection of SQLite Database files.
• Detection of Microsoft Outlook Personal Folders File (.pst) files.
• Detection of DS_Store files.
• Detection of SVN files, supporting the latest version of SVN.

IMPROVEMENTS

• Improved LFI “Long attack – boot.ini” attack.
• Added Internet Explorer 10, 11 and Microsoft Edge browser user agent values.
• Improved the performance of the scan session auto saves.
• Improved link importing to better handle relative URLs.
• Improved the “MIME Types” knowledge base list by ordering items alphabetically.
• Added “Extract static resources” option to JavaScript scan policy settings.
• Improved coverage of XML External Entity engine.

FIXES

• Fixed an attacking issue that occurs when retesting a vulnerability in an incremental scan.
• Fixed a link parsing issue in the text parser where links were incorrectly split.
• Fixed a form authentication “Override Target URL with authenticated page” issue which caused a wrong URL to be identified as the “Target URL”.
• Fixed a highlighting issue where the URL for “Insecure Frame (External)” vulnerability is partially highlighted.
• Fixed an incorrect “Source Code Disclosure” vulnerability report when the response contained an ASP.NET event validation code sample.
• Fixed a broken link in XSS vulnerability templates.

New Features

• Added the functionality to pause and resume scans.
• Added support for automatic crawling and scanning of Parameter-Based Navigation websites.
• Added a new option in the Scan Policy to allow users to add new extensions for the crawler to text parse.
• Added support to allow users to select a scanning agent for a scan in an on-premises installation.
  

New Security Checks

• Added Missing X-XSS-Protection Header vulnerability check.
• Added Video.js JavaScript library detection.
• Added Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability check.

Improvements

• Added the Smart DFS feature to the Dom Parser which uses a similarity heuristic technology for DOM elements to avoid  multiple scanning of the same or similar parameters.
• Improved “Not Found Analyzer” to better handle binary responses and long strings.
• Added a link to the proof URL for XSS vulnerabilities.
• Added link generation to Text Parser for all select element options.
• Improved DOM parser to skip redirect responses.
• Improved the DOM parser to use the input value for auto-suggest simulation when input is not in a form.
• Added support for modifying asynchronous javascript executions in order to increase DOM Parser coverage.
• Improved relative link parsing on JavaScript files.
• Improved the coverage of file upload security checks.
• Improved the coverage of XSS security checks.
• Improved UI of the scan policy optimized wizard.
• API authentication method updated for backward compatibility.

Bug Fixes

• Fixed an issue where LFI attack patterns were being reported as internal path disclosure.
• Fixed the incorrect raw response representing SSL connections.
• Fixed an issue where forms containing ignored parameters were not reported as a CSRF vulnerability.
• Fixed a case where dynamically generated HTML option elements’ change event were not being triggered.
• Fixed cross-domain document access errors on DOM parser and XSS scanner.
• Fixed an issue where a JSON request’s method was incorrectly recognized as POST rather than GET.
• Fixed a retest issue where a vulnerability fix is reported by mistake.
• Fixed form values target setting to use Name as the default value when a Target is not selected.
• Fixed a file extension parsing issue related with File Extension List knowledgebase item.
• Fixed a hang issue that occurs while performing JavaScript library security checks.
• Fixed a custom form authentication API issue where “ns” namespace was conflicting with a global variable on target website – auth API has been moved to “netsparker” namespace preserving the “ns” backward compatibility.
• Fixed a DOM Parser and XSS scanner bug that incorrectly followed redirects.
• Fixed a form values issue – empty form values should not set any default values for parameters.
• Fixed an issue during which the setting of the Connection request header failed.

Improvements

• Increased severity of the Insecure Transportation Security Protocol Supported (SSLv2) vulnerability to Important
• Added support for adding several more request HTTP headers including the “Host” header

New Features

• Scan profiles can now be shared with all team members
• Scan profiles can be assigned as a primary scan profile for a website so whenever a new scan is being configured for a website, the default scan profile will be the primary one
  

New Web Security Checks

• Added security check for the new DROWN SSL/TLS vulnerability
• Added “HSTS (HTTP Strict Transport Security) Not Enabled” security checks
• Added various checks being reported with “HTTP Strict Transport Security (HSTS) Errors and Warnings”
• Added version checks for OpenCart web application

Improvements

• Improved JavaScript/DOM simulation for better DOM XSS security checks
  
• Added “Form Values” support for JavaScript/DOM simulation and DOM XSS attacks
• Authentication settings moved from website to scan launch screen to be included in scan profile
• Scan scheduling operations seperated from scan launch screen
• Changed the “Configure a new scan” page to a more ergonomic interface
  
• Users with admin permission can no longer see team member’s API token
• Added endpoint type field to activity logs. (API or Web UI)
• Added a new scan policy setting section for JavaScript related settings
• Rewritten HSTS security checks
• Added evidence information to vulnerabilities list XML report
• Improved out-of-date reports for applications/libraries that have multiple active stable branches (i.e. jQuery 1.x and 2.x)
• Added the file name information for the local file inclusion evidence
• Added source code to vulnerability details for “Source Code Disclosure” vulnerabilities
• Improved Heuristic URL Rewrite implementation to detect more patterns and increase crawling efficiency
• Improved the performance of DOM simulation by aggressively caching external requests
  
• Improved the performance of DOM simulation by caching web page responses
• Improved the performance of DOM simulation by blocking requests to known ad networks
• Improved minlength and maxlength support for form inputs that sets a value with an appropriate length
• Added support for matching inputs by label and placeholder texts on form values
• Improved the vulnerability description on out-of-date cases where identified version is the latest version
• Added database version, name and user proof for SQL injection vulnerabilities
• Optimized the attacks with multiple parameters to reduce the number of attacks
• Added “Identified Source Code” section for “Source Code Disclosure” vulnerabilities

Bug Fixes

• Fixed an issue which fails reading cookies on form authentication verification for cases where Set-Cookie response header is empty
• Fixed an issue with client certificate authentication where the client certificate may be sent to external hosts while making HTTP requests
• Fixed cases where Invicti was making requests to addresses that are generated by its own attacks
• Fixed elapsed time stops when the current scan is exported
• Fixed an issue with JavaScript library version detection where wrong version is reported if the path to JavaScript file contains digits
• Fixed missing AJAX requests on knowledge base while doing manual crawling
• Fixed HSTS engine where an http:// request may cause to loose current session cookie
• Fixed an issue where extracted links by TextParser in a JavaScript file should be relative to the main document
• Fixed the issues of delegated events not simulated if added to the DOM after load time
• Fixed the issue where hidden resource requests made by Invicti are displayed on out of scope knowledgebase
• Fixed the issue with automatic SSL protocol fallback which attempts the fallback even if the current security protocol is same with the fallback value
• Fixed the issue of “Strict-Transport-Security” is being reported as “Interesting Header”
• Fixed the broken HIPAA classification link

New Features

• Added “Fixed Vulnerabilities” chart to website and global dashboard
• Added vulnerability list to website dashboard

Improvements

• Improved support for Single Page Applications (SPA) and dynamic web applications by rewriting the DOM parser
• Improved DOM Parser and DOM XSS performance
• Added trend report support for all scan groups
• Improved cookie validation on the new scan page
• Removed web application fingerprint step from the Scan Policy Optimizer wizard
• Added tooltips for URL rewrite settings on the new scan page
• Added automatic exploitation for Boolean and Blind SQL Injection vulnerabilities
• Added proof of concept for the blind SQLi vulnerabilities
• Added “Proofs” knowledge base nodes
• Improved “Remember Me” functionality on the login page
• Removed out of scope links from URL rewrite report
• Added HTTP response status code 308 to list of redirect status codes
• Added Crawling and Scan Performance knowledge base nodes
• Eliminated web application fingerprinter’s meta tag requests by re-using crawled link response
• Improved performance of the email disclosure detection pattern significantly
• Added .svg to default set of ignored extensions on the policy settings

Bug Fixes

• Fixed documentation of conditionally required fields in API
• Fixed editing issues on collective editor of vulnerability tasks
• Disabled website verification for on-premises installations
• Fixed a bug which could occur while taking a screenshot during the scan
• Fixed a bug that occurs when a proof of concept is empty
• Fixed a FileNotFoundException occurs while caching DOM requests
• Fixed the explanation text for Entered Path and Below scope
• Fixed the SSL/TLS fall back code to cover more HTTPS web sites
• Fixed an out of date JavaScript library version issue where identified version was bigger than Invicti’s latest version
• Fixed the slow performance issue which occurs when “Automatically Detect Settings” proxy setting is enabled
• Fixed an out of date JavaScript library version issue where version value cannot be captured
• Fixed a not found detection issue where redirect analysis fails on redirect cases

First Official Release

FIXES

• Fixed a bug where vulnerability evidence was not persisted as expected

FEATURES

• Mobile friendly UI with a lot of design improvements
• Added support for sending notification email for canceled scans

IMPROVEMENTS 

• Improved resource finder checks for websites which have custom 404 pages
• Increased the default value of Maximum 404 Signature setting to be store more signatures
• Improved timeout calculation for vulnerability checks which require late confirmation
• Replaced scan finish dates with scan urls in global dashboard
  
• Permissions can be entered while inviting user
• Added icon for scheduled scan items
• Optimized instance launch times for AWS agents
• Improved API documentation for scan policy and website endpoints
• Improved website address validation rules
• Improved website selection on the new scan page
• Added tooltips to scan policy and new scan pages
• Added Enable Content Type Checks setting to scan policy scope section
• Improved validation for scan profile names
• Improved notification email templates

FIXES

• Scheduled scan’s target url’s scheme could not be changed
• Fixed tooltip text for completed scans
• Fixed a bug where entered URL rewrite rule was overridden on focusing to regex input
• Fixed an issue where Ignore These Content Types setting was not set correctly
• Fixed an issue where scan policy names were duplicated
• Fixed an issue where form authentication settings were not initialized correctly for group scans
• Fixed DOM simulation issue where all delegated events on an elements were not being called
• Fixed a Heartbleed security check issue where it was causing the crawling phase to be stalled

FEATURES

• Added automatic configuration of URL rewrite rules
• Added the Scan Policy Optimizer
• Added automated evidence collection to several confirmed vulnerabilities
• Added sessionStorage and localStorage support
• Added URL Rewrite knowledgebase node to list the URL patterns that have been discovered
• Added support for deleting a team member permanently
• Added support for detecting outdated versions of popular JavaScript client-side libraries
  
• Added vulnerability tasks’ todo list to dashboard
• Added “Do not expect challenge” option to basic authentication settings
• Added “Override Target URL with authenticated page” option to form authentication settings
• Added several new knowledge base nodes to report SSL and CSS issues, and one for slowest pages
• Added “Websites that have shortest fix time” and “Websites that have longest fix time” tables on global dashboard
• Added support for displaying relative dates in a friendly format
• Added import links support to new scan API endpoint

NEW SECURITY CHECKS

• Added Windows Short File Name security checks
• Added several new backup file checks
• Added web.config pattern for LFI checks
• Added boot.ini pattern for LFI checks
• Added a signature which checks against a passive backdoor affecting vBulletin 4.x and 5.x versions
• Added a signature which checks against an error message generated by regexp function at MySQL database
• Added DAws web backdoor check
• Added MOF Web Shell backdoor check
• Added RoR database configuration file detection
• Added RoR version disclosure detection
• Added RoR out-of-date version detection
• Added RoR Stack Trace Disclosure
• Added RubyGems version disclosure detection
• Added RubyGems out-of-date version detection
• Added Ruby out-of-date version detection
• Added Python out-of-date version detection
• Added Perl out-of-date version detection
• Added RoR Development Mode Enabled detection
• Added Django version disclosure detection
• Added Django out-of-date version detection
• Added Django Development Mode Enabled detection
• Added PHPLiteAdmin detection
• Added phpMoAdmin detection
• Added DbNinja detection
• Added WeakNet Post-Exploitation PHP Execution Shell (WPES) detection
• Added Adminer detection
• Added Microsoft IIS Log File detection
• Added Laravel Configuration File detection
• Added Laravel Debug Mode Enabled detection
• Added Laravel Stack Trace Disclosure
• Added S/FTP Config File detection

IMPROVEMENTS 

• Improved calculating algorithm of vulnerability fix times
• Manage team permission replaced with “Admin” permission
• Added support to see website dashboard without scan group filter
• Added scan type information to “Detailed Scan Report”
• Added paging support for scan policy list
• Improved new user email template
• Increased website verification failure limit
• Changed vulnerability chart’s colors on the dashboard page
• Added icons for displaying vulnerability status on the vulnerability task page
• Knowledgebase items are expanded by default if they contain a single item
• Added retestable information to vulnerability detail on the scan report page
• Users are redirected to scan group create page if no scan group is found on new scan
• Added a warning message if target path does not end with a trailing slash on the new scan
• Added first seen date information to vulnerabilities page
• Several scan performance improvements to reduce memory usage
• Improved credit card detection to eliminate false positives
• HTTP cookie handling code written from scratch to conform with the latest RFCs which modern browsers also follow
• SSL cipher support check code has been rewritten to support more cipher suites
• SSL checks are now made for target URLs even when protocol is HTTP
• Updated embedded chrome based browser engine to version 41
• Added more ignored parameters for ASP.NET web applications
• Improved scan policy versioning where new security checks are automatically included or excluded by default on existing scan policies
• Improved LFI pattern that matches win.ini files
• Improved XSS coverage by adding an attack pattern for email inputs which require an @ character
• Improved cookie vulnerability details to show all cookies that are not marked as Secure or HttpOnly
• Improved out-of-date vulnerability templates by including severity information of vulnerabilities for that version of software
• Improved out-of-date vulnerability reporting by increasing the severity of the vulnerability if that version of software has an important vulnerability
• Improved Ruby version disclosure detection
• Improved SQL injection vulnerability template by adding remedy information for more development environments
• Improved common directory checks by adding more known directory names
• Updated default user agent
• Improved the default Anti-CSRF token name list
• Improved database error messages vulnerability detection for Informix
• Added new XSS attack pattern for title tag in which JavaScript execution is not possible
• Improved XHTML attacks to check against XSS vulnerabilities
• Optimized confirmation of Boolean SQLi
• Added exploitation for Remote Code Evaluation via ASP vulnerability
• Revamped DOM based XSS vulnerability detail with a table showing XPath column
• Changed SQLi attack patterns specific to MSSQL database with shorter ones
• Improved SQLi attack pattern which causes a vulnerability in LIMIT clauses specific to MySQL database
• DOM simulation is turned off for hidden input types which causes a false-positive confirmed XSS vulnerability
• Improved the “Name” form value pattern to match more inputs
• Improved confirmation of Expression Language Injection vulnerability
• Improved Frame Injection vulnerability details
• Added .phtml extension to detect code execution via file upload
• Improved blind SQL injection detection on some INNER JOIN cases
• Improved external references section of “Remote Code Evaluation (PHP)” vulnerability
• Added retest support for several vulnerability types
• Improved Apache Tomcat detection patterns
• Increased the number of sensitive comments reported
• Improved text parser improvements
• Added separate checks in scan policy for each supported web app fingerprint application

FIXES

• Fixed an issue where imported relative links were not set correctly
• Fixed an issue where scheduled scan names were duplicated
• Fixed URL rewrite analysis to respect case sensitivity settings
• Fixed a form authentication issue which image submit elements were not clicked
• Fixed an issue occurs when the HTTP response body starts with unicode BOM
• Fixed Open Redirect security checks where it should not perform DOM based checks if DOM checks are turned off
• Fixed static resource finder where it was not following a redirect
• Fixed DOM simulation hangs if a rogue JavaScript call enters an endless loop
• Fixed slow XSS highlights on some responses
• Fixed a bug where Full-Url LFI attack which is specific to Ruby-on-Rails applications could not be confirmed
• Fixed a bug where XSS vulnerability could not be confirmed when injection occurs in the middle of a CSS style
• Fixed a bug where generated XSS exploit did not work due to incorrect encoding
• Fixed a bug where a false-positive file upload vulnerability was reported
• Fixed a bug where maximum amount of hard fails was preventing next scan making HTTP requests
• Fixed “”Missing Content-Type”” reporting issue where redirected responses should not be reported
• Fixed an issue where send failures were not being handled while making HTTP requests
• Fixed credit card reporting issue where the value specified in default form values section should not be reported
• Fixed the trimmed parameter name issue on controlled scan panel
• Fixed documentation for nginx vulnerability template that explains how to fix the issue
• Fixed HSTS support for form authentication HTTP requests
• Fixed a URI parsing issue where non-HTTP(S) protocols are ignored
• Fixed a bug where an attribute based attack could not be confirmed as XSS
• Fixed a bug where an injection with “”javascript:”” protocol for XSS attacks occurs after a new line
• Fixed a bug where exploitation goes into loop and causes an unresponsive UI for error based SQLi
• Fixed a bug where redirection happens relatively and reported as Open Redirect vulnerability
• Fixed an issue where a Groovy RCE is reported as Perl RCE
• Fixed a WSDL parsing issue where reference parameters were not handled correctly
• Fixed a WSDL parsing issue where XML types were not handled correctly
• Fixed an issue that occurs during form authentication with an HSTS site that performs redirects to an URL with http protocol
• Fixed a bug where the hash is reported incorrectly in a DOM based XSS vulnerability
• Fixed the misleading content in basic authentication over clear text vulnerability