17 Oct 2016
New Features Added the ability to configure the scanner to scan websites which are linked from the target website. Added the Common Vulnerability Scoring System (CVSS) in vulnerability reports. Added the OWASP Proactive Guide to classification list. New Web Security Checks Added security checks for Content Security Policy (CSP) web security standard. Added DOM based …
New Features
- Added the ability to configure the scanner to scan websites which are linked from the target website.
- Added the Common Vulnerability Scoring System (CVSS) in vulnerability reports.
- Added the OWASP Proactive Guide to classification list.
New Web Security Checks
- Added security checks for Content Security Policy (CSP) web security standard.
- Added DOM based open redirection security check.
Improvements
- Improved the Cross-site Scripting (XSS) vulnerability security checks coverage.
- Renamed “Permanent XSS” vulnerability to “Stored XSS”.
- Added type ahead search functionality for Scan Policy > Security Checks.
- Added HTTP methods to AJAX / XML HTTP Requests knowledge base section.
- Optimized the performance of SOAP web service parsing by skipping the WSDLs that are already parsed.
- Added Scan Policy > Crawling options to enable/disable parsing of SOAP and REST web services.
- Improved DOM simulation by simulating “contextmenu” events.
- Increased the default values for “Maximum Page Visit” and “Max. Number of Parameters to Attack on a Single Page” settings.
- Improved XML parsing during crawling by parsing empty XML elements as parameters too.
- Added the ability to attack parameter names.
- Added a note to vulnerability detail for non-exploitable frame injection.
- Added .jhtml and .jsp attacks to file upload engine.
- Improved CORS security checks.
- Improved Open Redirect engine to detect CNAME injection such as example.com.r87.com.
- Improved XSS confirmation for vulnerabilities found inside noscript tags.
- Added an attack pattern to the command injection engine to bypass whitespace filtering using $IFS environment variable.
Bug Fixes
- Fixed a form authentication issue where the last form authentication sequence requests were prematurely cancelled.
- Fixed an issue where incorrect PHP source code disclosures are reported for some binary responses.
- Fixed the broken External Reference link on Remote Code Evaluation (PHP) vulnerability.
- Fixed a file upload input DOM parsing issue which prevents some file upload attacks.
- Fixed a form authentication issue occurs on web sites that opens popups during form authentication sequence.
- Fixed a DOM simulation issue occurs when there is a form element with name “action” on target web page.
- Fixed duplicate “Email Address Disclosure” reporting issue.
- Fixed a NullReferenceException on occurs during CORS security checks.
- Fixed a CSRF exploit generation issue where the generated file is empty.
- Fixed an issue where XSS vulnerability is missed when multiple redirects occur.
- Fixed a text parsing issue where relative URLs were not supported as base href values.
- Fixed an issue where Missing X-Frame-Options Header vulnerability is reported even though ALLOW-FROM is included in the header.
- Fixed an XSS attacking issue where duplicate attacks are made for same payload.
- Fixed a Header Injection attack issue where first line of the HTTP request gets corrupted on full URL attacks.
- Fixed an issue where post exploitation does not work sometimes.
- Fixed a form authentication issue where any slash character in credentials cannot be used.
22 Sep 2016
New Features Completely revamped the Invicti Enterprise vulnerability tracking system. Improvements Improved the users’ permissions as explained in Understanding and configuring Invicti Enterprise users permissions. Added several tooltips in the UI. Bug Fixes Fixed wrong websites threat levels (they were just representing the last scan’s threat level). Fixed the security overview chart which was showing …
New Features
- Completely revamped the Invicti Enterprise vulnerability tracking system.
Improvements
- Improved the users’ permissions as explained in Understanding and configuring Invicti Enterprise users permissions.
- Added several tooltips in the UI.
Bug Fixes
- Fixed wrong websites threat levels (they were just representing the last scan’s threat level).
- Fixed the security overview chart which was showing only the last scan’s threat level for each website.
04 Jul 2016
NEW FEATURES Support and Scanning of RESTful web services. Auto Heuristic URL Rewrite Rules can be used with Custom URL Rewrite rules during a website security scan. New Reporting utility. Added the new option “Crawl & Attack at the Same Time” setting to new scan page. NEW SECURITY CHECKS Added Samesite cookie attribute check. Added …
NEW FEATURES
- Support and Scanning of RESTful web services.
- Auto Heuristic URL Rewrite Rules can be used with Custom URL Rewrite rules during a website security scan.
- New Reporting utility.
- Added the new option “Crawl & Attack at the Same Time” setting to new scan page.
NEW SECURITY CHECKS
- Added Samesite cookie attribute check.
- Added Reverse Tabnabbing check.
- Added Subresource Integrity (SRI) Not Implemented check.
- Added Subresource Integrity (SRI) Hash Invalid check.
IMPROVEMENTS
- Various memory usage improvements to better handle large websites.
- Improved vulnerability templates by adding product information when a 3rd party web application (WordPress, Drupal, Joomla, etc.) is discovered.
- Improved DOM simulation by supporting HTTP responses that is translated to HTML web pages using XSLT.
- Improved coverage of Local File Inclusion security check engine.
- Improved the automatic form authentication script to click the “button” HTML elements if no suitable button is found.
- Improved the “HTML Base Tag Hijacking” vulnerability template.
- Improved the long-term memory usage of the DOM simulation and cross-site scripting (XSS) scanning.
- DOM simulation smart filtering now prunes unnecessary DOM branches.
- Improved the detection of “Redirect Body Too Large” vulnerability.
BUG FIXES
- Fixed the “Cross-site Scripting via Remote File Inclusion” vulnerability, which was not being confirmed automatically.
- Fixed the incorrect form value issue when the #DEFAULT# form value is removed.
- Fixed an HTTP Archive Importer issue during which the POST method was parsed as GET when postData is empty.
- Fixed a bug in which a GWT parameter that contained a Base64 encoded value was not detected.
- Fixed a time span parsing bug in Knowledge base report templates.
- Fixed an issue in which some vulnerabilities are treated as fixed while retesting.
- Fixed an issue in which XSS proof URL was missing alert function call.
- Fixed the broken “Generate Debug Info” function of JavaScript simulation feature.
- Fixed a NullReferenceException that can be thrown by the Subresource integrity security checks.
- Fixed cURL login sample in API documentation.
05 May 2016
NEW SECURITY CHECKS Detection of a Remote Code Execution via File Upload in ImageMagick (aka ImageTragick)
NEW SECURITY CHECKS
- Detection of a Remote Code Execution via File Upload in ImageMagick (aka ImageTragick)
04 May 2016
New Features Ability to export the scanners’ findings as ModSecurity web application firewall rules. Scan Time Window that allows you to specify when the scanner can scan your website or not. NEW SECURITY CHECKS Detection of SQLite Database files. Detection of Microsoft Outlook Personal Folders File (.pst) files. Detection of DS_Store files. Detection of SVN …
New Features
- Ability to export the scanners’ findings as ModSecurity web application firewall rules.
- Scan Time Window that allows you to specify when the scanner can scan your website or not.
NEW SECURITY CHECKS
- Detection of SQLite Database files.
- Detection of Microsoft Outlook Personal Folders File (.pst) files.
- Detection of DS_Store files.
- Detection of SVN files, supporting the latest version of SVN.
IMPROVEMENTS
- Improved LFI “Long attack – boot.ini” attack.
- Added Internet Explorer 10, 11 and Microsoft Edge browser user agent values.
- Improved the performance of the scan session auto saves.
- Improved link importing to better handle relative URLs.
- Improved the “MIME Types” knowledge base list by ordering items alphabetically.
- Added “Extract static resources” option to JavaScript scan policy settings.
- Improved coverage of XML External Entity engine.
FIXES
- Fixed an attacking issue that occurs when retesting a vulnerability in an incremental scan.
- Fixed a link parsing issue in the text parser where links were incorrectly split.
- Fixed a form authentication “Override Target URL with authenticated page” issue which caused a wrong URL to be identified as the “Target URL”.
- Fixed a highlighting issue where the URL for “Insecure Frame (External)” vulnerability is partially highlighted.
- Fixed an incorrect “Source Code Disclosure” vulnerability report when the response contained an ASP.NET event validation code sample.
- Fixed a broken link in XSS vulnerability templates.
11 Apr 2016
New Features Added the functionality to pause and resume scans. Added support for automatic crawling and scanning of Parameter-Based Navigation websites. Added a new option in the Scan Policy to allow users to add new extensions for the crawler to text parse. Added support to allow users to select a scanning agent for a scan …
New Features
- Added the functionality to pause and resume scans.
- Added support for automatic crawling and scanning of Parameter-Based Navigation websites.
- Added a new option in the Scan Policy to allow users to add new extensions for the crawler to text parse.
- Added support to allow users to select a scanning agent for a scan in an on-premises installation.
New Security Checks
- Added Missing X-XSS-Protection Header vulnerability check.
- Added Video.js JavaScript library detection.
- Added Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability check.
Improvements
- Added the Smart DFS feature to the Dom Parser which uses a similarity heuristic technology for DOM elements to avoid multiple scanning of the same or similar parameters.
- Improved “Not Found Analyzer” to better handle binary responses and long strings.
- Added a link to the proof URL for XSS vulnerabilities.
- Added link generation to Text Parser for all select element options.
- Improved DOM parser to skip redirect responses.
- Improved the DOM parser to use the input value for auto-suggest simulation when input is not in a form.
- Added support for modifying asynchronous javascript executions in order to increase DOM Parser coverage.
- Improved relative link parsing on JavaScript files.
- Improved the coverage of file upload security checks.
- Improved the coverage of XSS security checks.
- Improved UI of the scan policy optimized wizard.
- API authentication method updated for backward compatibility.
Bug Fixes
- Fixed an issue where LFI attack patterns were being reported as internal path disclosure.
- Fixed the incorrect raw response representing SSL connections.
- Fixed an issue where forms containing ignored parameters were not reported as a CSRF vulnerability.
- Fixed a case where dynamically generated HTML option elements’ change event were not being triggered.
- Fixed cross-domain document access errors on DOM parser and XSS scanner.
- Fixed an issue where a JSON request’s method was incorrectly recognized as POST rather than GET.
- Fixed a retest issue where a vulnerability fix is reported by mistake.
- Fixed form values target setting to use Name as the default value when a Target is not selected.
- Fixed a file extension parsing issue related with File Extension List knowledgebase item.
- Fixed a hang issue that occurs while performing JavaScript library security checks.
- Fixed a custom form authentication API issue where “ns” namespace was conflicting with a global variable on target website – auth API has been moved to “netsparker” namespace preserving the “ns” backward compatibility.
- Fixed a DOM Parser and XSS scanner bug that incorrectly followed redirects.
- Fixed a form values issue – empty form values should not set any default values for parameters.
- Fixed an issue during which the setting of the Connection request header failed.
23 Mar 2016
Improvements Increased severity of the Insecure Transportation Security Protocol Supported (SSLv2) vulnerability to Important Added support for adding several more request HTTP headers including the “Host” header
Improvements
- Increased severity of the Insecure Transportation Security Protocol Supported (SSLv2) vulnerability to Important
- Added support for adding several more request HTTP headers including the “Host” header
15 Mar 2016
New Features Scan profiles can now be shared with all team members Scan profiles can be assigned as a primary scan profile for a website so whenever a new scan is being configured for a website, the default scan profile will be the primary one New Web Security Checks Added security check for the new …
New Features
- Scan profiles can now be shared with all team members
- Scan profiles can be assigned as a primary scan profile for a website so whenever a new scan is being configured for a website, the default scan profile will be the primary one
New Web Security Checks
- Added security check for the new DROWN SSL/TLS vulnerability
- Added “HSTS (HTTP Strict Transport Security) Not Enabled” security checks
- Added various checks being reported with “HTTP Strict Transport Security (HSTS) Errors and Warnings”
- Added version checks for OpenCart web application
Improvements
- Improved JavaScript/DOM simulation for better DOM XSS security checks
- Added “Form Values” support for JavaScript/DOM simulation and DOM XSS attacks
- Authentication settings moved from website to scan launch screen to be included in scan profile
- Scan scheduling operations seperated from scan launch screen
- Changed the “Configure a new scan” page to a more ergonomic interface
- Users with admin permission can no longer see team member’s API token
- Added endpoint type field to activity logs. (API or Web UI)
- Added a new scan policy setting section for JavaScript related settings
- Rewritten HSTS security checks
- Added evidence information to vulnerabilities list XML report
- Improved out-of-date reports for applications/libraries that have multiple active stable branches (i.e. jQuery 1.x and 2.x)
- Added the file name information for the local file inclusion evidence
- Added source code to vulnerability details for “Source Code Disclosure” vulnerabilities
- Improved Heuristic URL Rewrite implementation to detect more patterns and increase crawling efficiency
- Improved the performance of DOM simulation by aggressively caching external requests
- Improved the performance of DOM simulation by caching web page responses
- Improved the performance of DOM simulation by blocking requests to known ad networks
- Improved minlength and maxlength support for form inputs that sets a value with an appropriate length
- Added support for matching inputs by label and placeholder texts on form values
- Improved the vulnerability description on out-of-date cases where identified version is the latest version
- Added database version, name and user proof for SQL injection vulnerabilities
- Optimized the attacks with multiple parameters to reduce the number of attacks
- Added “Identified Source Code” section for “Source Code Disclosure” vulnerabilities
Bug Fixes
- Fixed an issue which fails reading cookies on form authentication verification for cases where Set-Cookie response header is empty
- Fixed an issue with client certificate authentication where the client certificate may be sent to external hosts while making HTTP requests
- Fixed cases where Invicti was making requests to addresses that are generated by its own attacks
- Fixed elapsed time stops when the current scan is exported
- Fixed an issue with JavaScript library version detection where wrong version is reported if the path to JavaScript file contains digits
- Fixed missing AJAX requests on knowledge base while doing manual crawling
- Fixed HSTS engine where an http:// request may cause to loose current session cookie
- Fixed an issue where extracted links by TextParser in a JavaScript file should be relative to the main document
- Fixed the issues of delegated events not simulated if added to the DOM after load time
- Fixed the issue where hidden resource requests made by Invicti are displayed on out of scope knowledgebase
- Fixed the issue with automatic SSL protocol fallback which attempts the fallback even if the current security protocol is same with the fallback value
- Fixed the issue of “Strict-Transport-Security” is being reported as “Interesting Header”
- Fixed the broken HIPAA classification link
29 Jan 2016
New Features Added “Fixed Vulnerabilities” chart to website and global dashboard Added vulnerability list to website dashboard Improvements Improved support for Single Page Applications (SPA) and dynamic web applications by rewriting the DOM parser Improved DOM Parser and DOM XSS performance Added trend report support for all scan groups Improved cookie validation on the new …
New Features
- Added “Fixed Vulnerabilities” chart to website and global dashboard
- Added vulnerability list to website dashboard
Improvements
- Improved support for Single Page Applications (SPA) and dynamic web applications by rewriting the DOM parser
- Improved DOM Parser and DOM XSS performance
- Added trend report support for all scan groups
- Improved cookie validation on the new scan page
- Removed web application fingerprint step from the Scan Policy Optimizer wizard
- Added tooltips for URL rewrite settings on the new scan page
- Added automatic exploitation for Boolean and Blind SQL Injection vulnerabilities
- Added proof of concept for the blind SQLi vulnerabilities
- Added “Proofs” knowledge base nodes
- Improved “Remember Me” functionality on the login page
- Removed out of scope links from URL rewrite report
- Added HTTP response status code 308 to list of redirect status codes
- Added Crawling and Scan Performance knowledge base nodes
- Eliminated web application fingerprinter’s meta tag requests by re-using crawled link response
- Improved performance of the email disclosure detection pattern significantly
- Added .svg to default set of ignored extensions on the policy settings
Bug Fixes
- Fixed documentation of conditionally required fields in API
- Fixed editing issues on collective editor of vulnerability tasks
- Disabled website verification for on-premises installations
- Fixed a bug which could occur while taking a screenshot during the scan
- Fixed a bug that occurs when a proof of concept is empty
- Fixed a FileNotFoundException occurs while caching DOM requests
- Fixed the explanation text for Entered Path and Below scope
- Fixed the SSL/TLS fall back code to cover more HTTPS web sites
- Fixed an out of date JavaScript library version issue where identified version was bigger than Invicti’s latest version
- Fixed the slow performance issue which occurs when “Automatically Detect Settings” proxy setting is enabled
- Fixed an out of date JavaScript library version issue where version value cannot be captured
- Fixed a not found detection issue where redirect analysis fails on redirect cases
21 Jan 2016
First Official Release
First Official Release
18 Jan 2016
FIXES Fixed a bug where vulnerability evidence was not persisted as expected
FIXES
- Fixed a bug where vulnerability evidence was not persisted as expected
18 Jan 2016
FEATURES Mobile friendly UI with a lot of design improvements Added support for sending notification email for canceled scans IMPROVEMENTS Improved resource finder checks for websites which have custom 404 pages Increased the default value of Maximum 404 Signature setting to be store more signatures Improved timeout calculation for vulnerability checks which require late confirmation …
FEATURES
- Mobile friendly UI with a lot of design improvements
- Added support for sending notification email for canceled scans
IMPROVEMENTS
- Improved resource finder checks for websites which have custom 404 pages
- Increased the default value of Maximum 404 Signature setting to be store more signatures
- Improved timeout calculation for vulnerability checks which require late confirmation
- Replaced scan finish dates with scan urls in global dashboard
- Permissions can be entered while inviting user
- Added icon for scheduled scan items
- Optimized instance launch times for AWS agents
- Improved API documentation for scan policy and website endpoints
- Improved website address validation rules
- Improved website selection on the new scan page
- Added tooltips to scan policy and new scan pages
- Added Enable Content Type Checks setting to scan policy scope section
- Improved validation for scan profile names
- Improved notification email templates
FIXES
- Scheduled scan’s target url’s scheme could not be changed
- Fixed tooltip text for completed scans
- Fixed a bug where entered URL rewrite rule was overridden on focusing to regex input
- Fixed an issue where Ignore These Content Types setting was not set correctly
- Fixed an issue where scan policy names were duplicated
- Fixed an issue where form authentication settings were not initialized correctly for group scans
- Fixed DOM simulation issue where all delegated events on an elements were not being called
- Fixed a Heartbleed security check issue where it was causing the crawling phase to be stalled