Invicti Standard 11 May 2018

FEATURES

  • Netsparker Enterprise integration: ability to import and export scans between the scanners.
  • New user interface with new skin and improved usability.
  • Smart Card authentication support.
  • Attack Radar panel that shows detailed attacking progress of security checks.
  • Added the OWASP 2017 Top Ten classifications report template.
  • Added Server-Side Template Injection (SSTI) vulnerability checks.

SECURITY CHECKS

  • Expect-CT security checks.
  • Added various new web applications in the application version database.
  • Added out of date checks for Hammer.JS, Phaser, Chart.js, Ramda, reveal.js, Fabric.js, Semantic UI, Leaflet, Foundation, three.js, PDF.js, Polymer.

IMPROVEMENTS

  • Crawler can now parse multiple sitemaps in a robots.txt file.
  • Improved the representation of POST, JSON and XML parameters on sitemap.
  • Added support for opening links in all web browsers installed on the computer.
  • Improved high DPI support.
  • Improved sorting on Issues panel.
  • New Extensions scan policy settings to specify which extensions should be crawled and attacked.
  • Added activity status text for XSS and Open Redirect confirmation phases.
  • Added target link address to status bar on vulnerability descriptions.
  • Added “Import from Scan Session” option to populate form values based on an existing scan.
  • Added support for parsing swagger documents in yaml format.
  • Added Open Redirect and XSS confirmation timeout settings.
  • Added support for parsing relative meta refresh URLs.
  • Moved Knowledge base items to own panel.
  • Improved the vulnerability summary section of Detailed Scan Report.
  • Added “Copy to Clipboard” link to unmatched URL rewrite rules table within URL Rewrite knowledge base.
  • Improved the usability of User Agent scan policy settings.
  • Favicon of the target website shown to sitemap tree.
  • Search capability in the Knowledge base details.
  • Improved parsing of websites using React framework.
  • Content-Security-Policy-Report-Only header is not reported as an interesting header.
  • Added support for sending text to Encoder panel from other panels in the application.
  • Added save report button to Knowledge base.
  • Added “Ignore Authentication” option to Request builder.
  • Added a hotkey to “Ignore from This Scan” menu.
  • Added “Force User Agent” setting to force the selected User Agent value on scan policy.
  • Added support for Postman v2.1 version.
  • Scan logs in Logs panel are now saved along with scan file.
  • Added an extra consistency check to ROBOT attacks.
  • Added scan policy settings to include/exclude certain cookie names from Cookie security checks.
  • Improved the “Interesting Header” list support.
  • Added anti-CSRF token support for Blind SQL Injection exploitation.
  • Removed BOM from JSON and XML report templates.
  • Improved the numbers reported on dashboard.
  • Added summary table to several reports.
  • Variations are retested before starting an incremental scan.
  • Improved JavaScript content check performance while detecting out of date checks.
  • Added multi-thread support to Controlled Scan.
  • Added anti-CSRF token support for tokens in request headers, meta tags, manual crawling and imported links.
  • Added command line auto update option.
  • Renamed FogBugz send to action to its new name Manuscript.
  • Testing Send To actions now creates issues on target systems.
  • GitHub Send to action now works with organization accounts and private repositories.
  • Scan Policy and Report Policy editor dialogs remember their locations and sizes.
  • Added support for handling HTTP 307 redirects.
  • DS_STORE files are discovered and parsed.
  • Improved MySQL double encoded string attacks.

FIXES

  • Fixed scheduled scans to prevent incorrect settings to be saved.
  • Fixed the overflow issue of “Maximum 404 Signatures” scan policy setting.
  • Fixed the unsaved Disallowed HTTP Methods issue for scan profiles.
  • Fixed some possible vulnerabilities missing [Possible] indicator in title.
  • Fixed the exception that occurs when importing scan file because the path has invalid chars.
  • Fixed an ArgumentOutOfRangeException occurs when the back button clicked on the Scan Policy Optimizer.
  • Fixed the incorrect “Exclude Branch” icon.
  • Fixed the missing Host header issue on Request Builder.
  • Fixed the issue where header enabled and disabled states are not preserved in Postman v2 files.
  • Fixed the issue where the selected vulnerability is not being recognized while performing a retest.
  • Fixed the issue where all variations are removed from Issues panel if a parent vulnerability is removed.
  • Fixed the issue where parent vulnerability is striked out in sitemap when a variation is fixed after retest.
  • Fixed the issue where some vulnerabilities that are not fixed comes up as fixed after retest.
  • Fixed highlighting problem for “Password Transmitted over HTTP” vulnerability.
  • Fixed the incorrect Possible LFI caused by the persisted OOB RCE pattern on the page response.
  • Fixed incorrect “[Possible] WS_FTP Log File Detected” vulnerability.
  • Fixed the issue where a variation node is not added to the Issues panel.
  • Fixed incorrect average speed calculation on Detailed Scan Report.
  • Fixed some issues in Incremental Scan and Controlled Scan where some vulnerabilities are reported as fixed while they still exist.
  • Fixed the issue where same post parameters appears twice in the request builder form.
  • Fixed Hawk validation error by not following redirects.
  • Fixed the issue where a vulnerability is not reported when the cookie contains a CSRF token.
  • Fixed the issue where static detection vulnerabilities are treated as fixed after a retest even though they are not.
  • Fixed the issue where CSRF token in the cookie is not reported when token is in the form action.
  • Fixed the issue on GitHub send to action where the test passed but vulnerability issue cannot be created.
  • Fixed the SSL check hang on HTTP only hosts.
  • Fixed LFI engine by not analyzing source code disclosure on binary responses.
  • Fixed a validation issue for some Swagger documents.
  • Fixed the issue where CSP keywords are not reported when used without single quotes.
  • Fixed mailto: and javascript: links which were incorrectly reported as mixed content.
  • Fixed the issue where cookie header in raw request not added to the sqlmap command.
  • Fixed the issue where crawler keeps trying to crawl target URL when clicked Retry if there is a connection failure.
  • Fixed incorrect source code disclosures reported in binary responses.
  • Fixed incorrect UNC Server And Share Disclosure vulnerability reports.
  • Fixed out of date version reporting behavior when no ordinal is found in version database.
  • Fixed Lighttpd version disclosure detection signatures.
  • Fixed a Swagger parsing issue.
  • Fixed broken proxy chaining in manual crawl mode.