Invicti Standard 30 Sep 2019
NEW FEATURES
- Added the ability to create custom Security Checks via a Scripting feature
- Added a new authentication, Manual Authentication, which allows you to import and replay your pre-recorded requests
- Added custom Vulnerability creation support to the Report Policy Editor
- Added a new 3-Legged Token flow type for OAuth2 authentication
- Added Microsoft Teams Send To integration
- Added Webhook Send To Integration
- Added Clubhouse Send To Integration
- Added Trello Send To Integration and configuration wizard
- Added Asana Send To Integration and configuration wizard
- Added a configuration wizard to the Jira Send To Action
- Added a Configuration Wizard to the Redmine Send To Action
- Added an option to the Save Report dialog for including and excluding Unconfirmed vulnerabilities
- Added an option to configure the file upload folder that the File Upload Engine attacks to find uploaded files
- Added information about SSL implementation in the Target Website to the Site Profile node in the Knowledge Base
- Added support for importing authentication settings from Postman files
- Added support for importing pre-request scripts from Postman files
- Added an ‘Enable or Disable logging recurring parameter detection’ option to the Advanced tab in the Options dialog
- Added a Delete button to the ‘Start a New Website or Web Service Scan’ dialog to enable the deletion of the current profile
- Added support for importing multiple IO/docs files from a zip file
NEW SECURITY CHECKS
- Added Web Cache Deception engine to the list of Security Checks
- Added a new XXE pattern for detecting the Axway SecureTransport 5.x XXE vulnerability
- Added new attack patterns for DOM based XSS
- Added new attack patterns for Remote Code Execution in Ruby
- Added new attack patterns for Out-of-band Remote Code Execution in Ruby
- Added new attack patterns for Remote Code Execution in Python
- Added new attack patterns for Open Redirect security check
- Added an email validation bypass payload for XSS
- Added a header injection XSS pattern
- Added a security check to determine whether an http website has implemented SSL/TLS
- Added a security check for File Content Disclosure in Ruby on Rails via exploiting Accept header
- Added mutation XSS patterns
- Fixed the SSRF confirmation problem
- Added Apple’s App-Site Association file detection
- Added exploitation support for File Content Disclosure in Ruby On Rails, CVE-2019-5418
- Added new LFI attack patterns for the access.log file
- Added support for exploiting JSONP endpoints with the format parameter in Ruby On Rails
- Added support for detecting Python remote code execution
- Added RFC compatible SSRF IPv6 patterns
- Improved the Apache Struts (CVE-2013-2251) attack pattern
- Added PHP Injection fixed one time Referrer attack
- Updated the attack value of the PHP Injection fixed one time attack pattern to use short notation instead of the print function
- Improved the regex pattern of the WebLogic version disclosure pattern
- Added a PoC pattern for Apache Struts (CVE-2013-2251)
- Added out-of-date checks for the Slick JavaScript library
- Added out-of-date checks for the ScrollReveal JavaScript library
- Added out-of-date checks for the MathJax JavaScript library.
- Added out-of-date checks for the Rickshaw JavaScript library
- Added out-of-date checks for the Highcharts JavaScript library
- Added out-of-date checks for the Snap.svg JavaScript library
- Added out-of-date checks for the Flickity JavaScript library
- Added out-of-date checks for the D3.js JavaScript library
- Added out-of-date checks for the Google Charts JavaScript library
- Added out-of-date checks for the Hiawatha and Cherokee server
- Added out-of-date checks for the Oracle WebLogic server
- Added out-of-date check for IIS
- Added version disclosure detection for the Hiawatha Server
- Added version disclosure detection for the Cherokee Server
- Added source code disclosure checks for Java Servlets
- Added source code disclosure checks for Java Server Pages
- Added new source code disclosure patterns for Java
- Added detection for .htaccess file Identified
- Added detection for Opensearch.xml files
- Added detection for SQLite error messages
- Added detection for security.txt files
- Added detection for swagger.json files
- Added detection for OpenSearch files
IMPROVEMENTS
- Redesigned all HTML reports
- Updated browser engine to Chromium v70
- Added support for array parameters in GET and POST requests
- Security Check Groups are now arranged into sub-groups in the Scan Policy Editor dialog
- Moved the vulnerability severity level, Best Practice, so that it takes precedence over the Information level
- Implemented scrolling to the bottom of the page after each DOM simulation completes
- Added support for generating HTML element code from select elements in the Form Authentication Custom Script Editor dialog
- Added the ability to search for Invicti Enterprise scans using the Target URL
- Changed the Password field to Token in the Jira Send To Actions integration
- Added scrollbar annotations to the Sitemap to indicate vulnerability locations
- Added Vulnerability Export Options to the Schedule Scan dialog
- Improved the accuracy of the scan progress calculation displayed in the Progress panel
- Added Postman variable support to the Postman Importer
- Added an option to the Advanced tab of the Options dialog to configure the maximum number of variations that will be reported
- Improved the Site Profile node in the Knowledge Base to display Database name and username information
- Improved the Site Profile node in the Knowledge Base to information about whether the exploited Database user has admin privileges
- Moved the Accept header’s related options to the Custom Headers panel
- Improved the error message displayed when an invalid Swagger file is imported
- Added an improvement to the application’s ‘remember last opened folders’ feature
- Optimized the size of late confirmation files to improve disk space consumption
- Added a new Invicti Assistant check to handle an excessive amount of application logs
- Added an application level notification to remind the user to restart the scan after profile or policy switch operations
- Updated the Ruby on Rails File Content Disclosure (CVE-2019-5418) vulnerability template
- Added generated proof data to the RoR File Content Disclosure report
- Improved the Proof list in the Knowledge Base to display multiple proofs with different values for the same website
- Improved the MimeType list to display request mime types
- Improved the display format of the redirect URL in the Open Redirect (DOM based) vulnerability
- Improved the Weak Ciphers Enabled vulnerability description
- Added zone.js support to the DOM simulation
- Removed Jira (Legacy) Send To Actions integration
- Changed the Unfuddle Send To Action’s create issue method’s request body data format from XML to JSON
- Updated the progress message displayed when multiple vulnerabilities are being sent via the Send To Action
- Improved TFS and Azure Send To Action to send issue details according to the Work Item type, and the Repro Steps field is set for bugs, while the Description field is set for issues or features
- Added a code block view to the Report Template viewer
- Added an information message to be displayed when closing Invicti if a Send To Action task is still executing
- Added custom field support to the ServiceNow Send To Action
- Added a message to be displayed if the Send To Actions settings have been configured incorrectly
- Updated the Remedy section of the Insecure Transportation Security Protocol Supported (SSLv2) vulnerability template
- Added a RAML option to the Enter Links/HTTP Requests dialog
- Optimized attack patterns environments to enable the Scan Policy Optimizer to produce more optimized policies
- Added a log to display when a vulnerability is discarded due to the Vulnerability Families feature
- Added an update to the progress warning on application closing
- Improved the calculation of attack possibilities of DNS-based SSRF attacks to prevent unnecessary attacks
- Included Ruby and Python RCE vulnerabilities in the vulnerability family
- Added a web server field to the access.log patterns for optimization
- Included SSRF vulnerabilities in the vulnerability family
- Improved the XSS vulnerability report to be more explicit about the data shown
- Added ‘Do not expect challenge (Basic Authentication)’ option to Form Authentication logout detection
- Updated the Impact sections of all Cross-site Scripting vulnerability templates
- Added ISO27001 information to the Vulnerabilities List (Detailed) XML report
- Added an injection prefix to the attack parameter and value name in the vulnerability templates when the vulnerability has an injection request and response
- Moved Code Execution via SSTI vulnerabilities to the Code Evaluation family
- Added highlighting to Stored XSS
- Improved User Agent settings in the Scan Policy editor
- Added missing environment information for attack patterns
- Increased the Start New Scan dialog’s default height to prevent showing the inner scroll bars
- Added logs for URL Rewrite settings
- Added logs for Form Authentication settings
- Added a warning message to be displayed a used Scan Policy is deleted
- Added the attack pattern name to the debug header information
- Updated the Remedy sections of all Cross-site Scripting vulnerability templates
- Added command search capability to the application’s main menu
- Improved the Update Available dialog
- Improved the X-Frame-Options header check to report misconfiguration when two different settings are used at the same time
- Improved parsing in nested JSON OAuth2 token responses
- Added missing HIPAA classifications to Out-of-Date vulnerability templates.
- Added an explanation to the Controlled Scan Summary popup about vulnerability families
- Improved the Swagger parser to read multipart/form-data mime types
- Improved system registry related Remedy sections in the vulnerability templates
- Added drag and drop capability to URL Rewrite settings
- Added verification to Authentication settings
- Added an additional External Reference to the IIS Out of Date vulnerability template
- Added a default initial directory to Imported Links and the scan Import dialog box
- Updated the Save Report dialog UI
- Updated broken reference links in the Report Policy
- Added validation that checks empty Header Authentication settings
- Set the default folder of the Open File dialog to Invicti Scans during the importing of a scan
FIXES
- Fixed an ObjectDisposedException that was thrown when activities were cancelled in the Activity Panel
- Fixed the capitalization of server-side applications in the Site Profile
- Fixed an issue where all Proofs were not listed in the Knowledge Base node
- Fixed an exception that occurred when updating the Proof data in the Site Profile
- Fixed an issue in the exploitation of the Code Evaluation vulnerability where a wrong proof was generated.
- Fixed an issue where the Proof Of Exploit title was displayed on the vulnerability template when there was no proof
- Fixed a double encoding issue in the Generate Exploit template for XSS
- Fixed an encoding issue in the confirmation phase of PHP wrapper-based LFI attacks
- Fixed incorrect behavior in the Internal Proxy
- Fixed VDB update requests that don’t use the upstream proxy issue
- Fixed a Code Evaluation pattern that attacks URL Rewrite parameters
- Fixed an issue where similar kinds of SQL Injection vulnerabilities were being reported in the same URL Rewrite parameter
- Fixed an issue where the value of the Accept-Language header of the Imported Links were overwritten during a scan
- Fixed an issue where the Cache-Control header was added by default to Imported Links
- Fixed an issue causing Report Policy Editor to fail while saving new template references.
- Fixed duplicate template references in the Default Report Policy
- Fixed the problem of the Progress dialog not displaying while importing links from CSV files
- Fixed an issue that occured when the re-crawling phase was skipped
- Fixed the Suggested Action for the Best Practice severity in the report templates
- Fixed the problem of the progress not being updated in the Link Importer
- Fixed the problem of the progress not being displayed correctly while importing links from an Invicti session file
- Fixed the Remedy and External References links in the Vulnerability Viewer so that they open in the default browser
- Fixed a problem where the value of the User-Agent header was overwritten for imported link requests
- Fixed an issue where Invicti was attacking the HTTP endpoint of a URL instead of attacking the HTTPS protocol
- Fixed various typos in the vulnerability templates
- Fixed several Cookie related issues by updating Cookie parsing and storage according to the latest RFC 6265
- Fixed an issue in the Sitemap where it was displaying 404 pages
- Fixed the attack payload of the Function – End Comment – Double Quote – Encoded pattern
- Fixed the issue where the header values of the Imported Links were not prioritized over header policy settings
- Fixed an issue where the Base64 payload was not being encoded properly during the confirmation of PHP wrapper-based attacks
- Fixed a CVSS scores rendering issue in the Vulnerability panel
- Fixed the issue where the plus character was not encoded in PHP cookie attacks
- Fixed the Double Encoding problem in the Static Resource Finder attacks
- Fixed the URL Encode problem in the Static Resource Finder attacks
- Fixed an issue where variations were not shown in the report when a vulnerability was ignored
- Prevented the attacker from attacking the Sitemap.xml file
- Fixed an issue where Resource Finder requests were not carried out when the server returned a 403 Forbidden error
- Fixed a NullReferenceException that was thrown during the execution of the late confirmation phase
- Fixed the Double Encoding problem in PHP Wrapper Confirmation attacks
- Fixed the problem where the request was loaded to the request builder following injection and identification requests
- Fixed a problem in the filtered Issues panel that prevented vulnerabilities from being ignored
- Fixed an issue where the Force Pause button icon and label were overlying each other
- Fixed the custom field names in the Version Disclosure templates
- Fixed the problem where an AppDomainUnloadedException was sometimes thrown when the Custom dialog was closing
- Fixed an ObjectDisposedException that was sometimes thrown when Invicti was closing
- Fixed the escaping of forward slashes in custom scripts
- Fixed the Not operand issue in the Sitemap filter function
- Fixed an issue where the favicon of the scanned website was not updated in the Sitemap
- Fixed the problem where the attack payload was not properly encoded during the Code Execution check
- Fixed an issue where a vulnerability that was found in a different parameter on the same link was discarded due to Vulnerability Families
- Fixed an issue that caused vulnerabilities that came from static resources to be added to the wrong parent in the Sitemap
- Fixed the Proof generation for the Ruby Remote Code Execution vulnerability
- Fixed a bug in the XSS vulnerability confirmation
- Fixed the empty message displayed in the Sitemap where the filtered view did not display any data on loading
- Fixed the localization issue on scans that occured when the application language was modified
- Fixed inconsistent reporting of DNS-based SSRF
- Fixed the format of the confirmation attack payload in XSS to be hex-based
- Fixed the XSS exploitation template to handle injection request
- Fixed the CSS selector generation inside iframes in the Custom Script dialog
- Fixed the XSS confirmation that failing with a Base64 payload
- Fixed an exception that was thrown by displaying a warning message when a read-only Scan Policy file is used
- Fixed the issue where the responses of Full URL attacks were not parsed for links
- Fixed an issue where the Too Many Logouts error messages were displayed even when Form Authentication was disabled
- Fixed the problem where invalid Send To Action settings were removed from the Options dialog
- Fixed the problem where the Hawk test results were cleared during Scan Policy optimization
- Fixed an issue where Invicti was mistakenly making requests to Excluded URLs even when they were JS or CSS files
- Fixed an issue where Ignored Parameters were not ignored while analyzing recurring parameters
- Fixed the incorrect Sitemap root node size for high DPI screens
- Fixed a bug in the XSS vulnerability confirmation where the name of the triggered JS function was incorrect
- Fixed an issue with code generation in the Custom Script dialog while the IDs of input elements contained username or password literals
- Fixed a NullReferenceException that was thrown from the Internal Proxy
- Fixed the problem of light toolbars displayed when the Dark Theme was configured
- Fixed the argument exception in the File menu
- Fixed the grammar error in the Trial License error message
- Fixed auto start problem that occurred following installation
- Fixed the inconsistent state of the Start a New Website or Web Service Scan dialog where an unauthorized Scan Policy file exists
- Removed the ‘ps aux’ command from exploitation process
- Fixed an issue where the Invicti UI tabs were occasionally throwing exceptions
- Fixed a NullReferenceException that was caused during the handling of XHR requests in DOM simulation
- Fixed a comparison error that occured when the Sitemap panel attempted to order its nodes
- Fixed an issue that occurred with the Exclude This Branch From Attack option that caused missing operations during authenticated scans
- Fixed the problem where previous session data was cleared during Form Authentication
- Fixed the problem of an empty file name in the LFI proof data
- Fixed the issue where the cloud settings dialog was displayed repeatedly on the Scan Import screen
- Fixed the Sitemap and Issues panel’s button paddings
- Fixed an issue where the error logs in the Swagger importer were displayed twice
- Fixed an issue in the Request Builder where the request method changed to POST while a PATH request was being edited
- Fixed an issue where cookies that were set in a JavaScript context were not being captured properly
- Fixed an issue where Invicti was occasionally conducting requests with stale cookie values
- Fixed the resetting of the Activity Viewer’s column sizes layout reset
- Fixed a persistence issue in the Invicti Assistant notifications
- Fixed the customization menu displayed in the Auto Send to Settings panel.
- Fixed an issue where the attack payload was not carried out for some URL Rewrite attacks
- Fixed an Insecure HTTP use reported on a redirected response
- Fixed the activation of the Progress Panel displayed after the resumption of a scan
- Fixed an issue where the Authorization header was duplicated when it was provided via Imported Links
- Fixed the column sizes in the Request Builder
- Fixed a bug that occurred while parsing the favicon image source of the Target Website.
- Fixed the issue where the default Content-Type was treated as text/html when no Content-Type was specified
- Fixed an issue that caused the Exclude by CSS Selector field to be cleared in the JavaScript section of the Scan Policy Editor dialog when loading preset values
- Fixed the grouped node’s count in the Sitemap panel
- Fix the attack value that was not implemented correctly in RFI confirmation attacks
- Fixed the issue where the request identifier could not be detected due to invalid characters in the JSON value
- Fixed the GET icon that was displayed for POST requests in the Issues panel
- Fixed an issue where a confirmed vulnerability was removed because of Vulnerability Family checks
- Fixed an issue where an eval block was treated as a non-executable block in XSS confirmation
- Fixed an issue where some links were treated as the same when parameter-based navigation was configured
- Made the Progress panel’s percentage label more precise
- Fixed some character encoding problems in the Request Builder
- Fixed an exception that occurred when updating the Site Profile node in the Knowledge Base panel
- Updated the Send To Action template files in order to render vulnerability fields properly
- Fixed the grouped node filter issue in the Sitemap panel
- Fixed several stability issues with the browser engine
- Fixed a NullReferenceException in the Content Security Policy engine
- Fixed some Korean text
- Fixed the problem where the JavaScript settings tab scrollbar was not displaying properly in the Scan Policy Editor
- Fixed an issue where the Content-Type header was not always set properly for POST requests
- Fixed the Knowledge Base Viewer search issue where adding a space and clearing caused a loss of styles in the report
- Fixed a validation error in the Swagger Importer
- Fixed the bug where the XXE engine made a confirmation attack using the same payload
- Fixed an issue that caused a NullReferenceException to be thrown when a filter was applied on the Sitemap
- Fixed the problem where an obsolete column was deleted during migration of an old Report policy
- Fixed a typo in the WASC classification link
- Fixed the issue where the database username was being added incompletely to the Site Profile node of the Knowledge Base
- Fixed an issue where obsolete vulnerability types were listed in the Report Policy Editor
- Fixed setting OAuth2 label to unmodified state while using the default Scan Profile
- Fixed the problem where the user-agent was not set for requests when the user agent was forced in the Scan Policy Editor
- Fixed the issue where Request Builder columns were not resized correctly in high DPI environments
- Fixed the default height of the Browser View panel which caused inconsistent scrollbar behaviour
- Fixed the digit color in the HTTP Request/Response panel
- Fixed an issue that caused a NullReferenceException to be thrown when accessing the Identification node in the sSitemap
- Fixed an issue that prevented the Cookie Analyzer Engine settings from being reset
- Fixed a JavaScript exception from being thrown during the simulation of React websites
- Fixed an issue that caused the Target URL to also be scanned when a scan was configured for Imported Links only
- Fixed an issue that allowed duplicate headers in the Scan Policy Editor
- Fixed an issue where removed vulnerability types were still listed in the Vulnerability ProfileEditor dialog
- Fixed the precedence values of Possible SSRF vulnerabilities
- Fixed the signature pattern of the IIS Version Disclosure template
- Fixed the culture-specific date format used in the Vulnerability List Report templates
- Fixed the custom report’s duplicate name extension problem
- Fixed an issue that caused vulnerabilities to be reported on 404 pages
- Fixed an issue that allowed invalid characters to be entered in the Target Website or Web Service URL field
- Fixed a KeyNotFoundException that was sometimes thrown when a request’s Content-Type was not set
- Fixed an issue concerning the auto-complete behaviour of the SQL Injection panel
- Fixed the issue where proof generation did not work correctly for redirected URLs in Boolean SQL Injection engine
- Fixed an issue where the SSL Checker engine stopped working when. the user unchecked the ‘Do not differentiate HTTP and HTTPS protocols’ option in the Scope settings
- Fixed the problem where the SQL injection exploitation continued indefinitely
- Fixed the padding of dialogs where users are using the application within high DPI screens
- Fixed the default width of the Activity Viewer’s columns
- Fixed an issue where some engines were not working in Controlled Scan because some attacks are skipped due to Vulnerability Families
- Fixed an issue that prevented the Custom 404 Analyzer from detecting 404 pages
- Fixed an issue where the Invicti Assistant-generated Scan Policy file name was exceeding the length limit
- Fixed an Internal Proxy error caused by the PATCH method
- Fixed a NullReferenceException that was causing the Controlled Scan to continue indefinitely
- Fixed a confirmation bug in the SQL engine
- Fixed the problem caused when users were importing links with the authentication header by overriding the existing OAuth2 token
- Fixed an issue that caused an update error when multiple Invicti Standard instances were opened
- Fixed an issue where the selected policy showed Default Security Checks after restarting the scan via the Invicti Assistant
- Fixed an issue in the CSRF engine where non-hidden inputs could be treated as anti CSRF tokens
- Fixed a duplicate link creation issue in the Report Policy editor when you update and save the remedy section
- Fixed the problem that occured while sending hidden vulnerabilities via the Auto Send To feature
- Fixed the failure of the Auto Send To feature that occured when the Send To Action values had been changed
- Fixed the width of Activity Viewer columns for high DPI screens
- Fixed the setting of the OAuth2 token name while using a fixed token type
- Fixed the setting of the OAuth2 token to override empty authentication headers while importing links
- Fixed an issue where empty headers were added to requests imported from Postman
- Fixed the problem of the hanging progress bar that occurred during scanning
- Fixed an issue where a request with an empty body was treated as a JSON request
- Fixed an issue where an XSS vulnerability was reported inside of non-executable HTML tags
- Fixed an issue where the scan folder was deleted after deleting a scan from the Local Scans folder
- Fixed a NullReferenceException that was thrown when running a Controlled Scan after importing a scan file
- Fixed a bug where a Link not Selected error was shown, even though it was selected in the Controlled Scan panel
- Fixed an issue where Invicti was missing passive vulnerability checks for endpoints that occured as XmlHttpRequests
- Fixed a bug where Controlled Scans could not be started for the selected nodes
- Fixed an issue that caused an ArgumentException to be thrown when activating a license
- Fixed the button height in the Controlled Scan panel to remove an empty area
- Fixed the problem where the OAuth2 refresh token timer stopped after a scan was finished
- Fixed an issue that caused the PathTooLongException when checking effective scope at start new scan dialog.
- Fixed the newline in the Regex Pattern of SVN disclosures
- Fixed an issue where the URL Rewrite settings panel was not highlighted when a setting had been changed
- Fixed the issue where the Controlled Scan was stuck when the scan state had been paused
- Fixed the status of the taskbar icon following the end of a Retest scan
- Resource Finder activities will now be stopped faster when the scan is paused
- Fixed a bug that occurred during the parsing of the refresh token of Implicit OAuth2 flow’s response
- Fixed the problem where it was impossible to get a new OAuth2 token if refresh token was not set
- Fixed the problem that occurred when navigating the Sitemap and Knowledge Base nodes with the keyboard
- Disabled the Save option in the Default profile in the Start New Website or Web Service Scan dialog
- Fixed a bug that occurred when setting the Scan Profile before testing OAuth2 credentials
- Fixed an issue where no warnings were displayed when Basic/NTLM authentication settings were left empty
- Fixed the Vulnerability Severity Level order in the Report Policy Editor’s context menu
- Fixed the Best Practice severity level’s caption in the Report Policy Editor’s context menu
- Fixed the Vulnerability Severity Level’s order in the profile list in the Report Policy Editor dialog
- Fixed an ArgumentNullException that was thrown when the F9 key was pressed
- Fixed an issue that caused an invalid file name error in the ave Report dialog
- Fixed the issue where a Base64 value could not be decoded due to an invalid length in the Encoder panel
- Fixed the proxy authentication problem in manual crawling when a custom proxy is configured
- Fixed an issue to prevent the ampersand character from being encoded in an XML attack
- Fixed the Azure DevOps Send To Action to enable it to send vulnerabilities to the TFS
- Fixed an issue where the attack parameter was not shown for some vulnerabilities in the Detailed Scan Report
- Fixed an issue where redundant logs were written for enforced Basic Authentication setting
- Fixed the issue where auto-complete enabled was not reported when there was only one password input
- Fixed the issue where auto-complete was treated as enabled when the attribute value was ‘new-password’
- Fixed the problem where multiple OAuth2 refresh token requests were sent while refreshing tokens
- Fixed the stale activities still remaining on the list at the end of the scan
- Fixed the broken order function of External References in the Report Policy Editor
- Fixed an unhandled UnauthorizedAccessException that was occasionally thrown while closing the Form Authentication Custom Script dialog
- Fixed the issue where some special XML chars were encoded when the parameter was already encoded