Invicti Standard

18-May-2015

Engines & Exploitation

  • Experimental Second Order SQL Injection support added. It does not yet support confirmation or exploitation.
  • Confirmation added to Permanent Cross-site Scripting Engine
  • SQL Injection Error based confirmation added for PostgreSQL, MySQL and Oracle.
  • The SQL Injection engine missed string-based SQL injection vulnerabilities in LIKE clauses when the crawler could not find the correct search string. This is fixed; detection now works regardless of the default search string that was found.
  • URI Based Cross-site Scripting Confirmation added
  • URI-based issues were reported more than once; this is fixed
  • LFI engine and exploitation work better now; several minor bugs addressed
  • Many Possible SQL Injection issues are no longer reported now that the engine can confirm they are not vulnerable
  • XSS Confirmation now bypasses more blacklists
  • Content-Type based XSS detection added and ratings changed
  • Email disclosure check improved
  • Minor bugs addressed in Unix and Windows Internal Path Disclosure issues. Windows Internal Path Disclosure improved.
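The two SQL injection items above (error-based confirmation for PostgreSQL, MySQL and Oracle, and string-based injection inside a LIKE clause that must work whether or not the crawler's default search string matches anything) are easier to see in code. The block below is an added example, not Invicti's engine: it uses an in-memory SQLite table with constructed rows as a stand-in for the target, a hypothetical vulnerable search handler beside a parameterised one, and a small set of well-known database error strings as the error-based signatures.

```python
import re
import sqlite3

# Constructed in-memory table standing in for the target's database (not from the page).
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE products (id INTEGER, name TEXT)")
_conn.executemany("INSERT INTO products VALUES (?, ?)",
                  [(1, "blue widget"), (2, "red widget"), (3, "green gadget")])
_conn.commit()


def vulnerable_search(term):
    """Hypothetical search handler: the term is concatenated into a LIKE pattern."""
    rows = _conn.execute(f"SELECT name FROM products WHERE name LIKE '%{term}%'")
    return [r[0] for r in rows]


def hardened_search(term):
    """Same feature with a bound parameter; quotes in the term are just data."""
    rows = _conn.execute("SELECT name FROM products WHERE name LIKE ?", (f"%{term}%",))
    return [r[0] for r in rows]


def confirm_like_injection(search, seed):
    """Boolean string-based check for a value that lands inside LIKE '%...%'.

    Each payload closes the pattern with %' and re-opens a second string literal
    ending in % so the application's trailing %' is absorbed, e.g.
        '%' + "blue%' AND 'a%'='a" + "%'"  ->  '%blue%' AND 'a%'='a%'
    It works whether or not the seed (the crawler's default search string)
    matches rows: with results an AND pair is compared against the baseline,
    without results an OR pair must still produce a difference.
    """
    baseline = search(seed)
    if baseline:
        and_true = search(f"{seed}%' AND 'a%'='a")
        and_false = search(f"{seed}%' AND 'a%'='b")
        return and_true == baseline and and_false == []
    or_true = search(f"{seed}%' OR 'a%'='a")
    or_false = search(f"{seed}%' OR 'a%'='b")
    return or_true != [] and or_false == []


# Error-based confirmation: database-specific messages that a broken quote provokes.
DB_ERROR_SIGNATURES = {
    "PostgreSQL": re.compile(r"unterminated quoted string at or near|syntax error at or near", re.I),
    "MySQL": re.compile(r"You have an error in your SQL syntax|"
                        r"corresponds to your (?:MySQL|MariaDB) server version", re.I),
    "Oracle": re.compile(r"\bORA-\d{5}\b|quoted string not properly terminated", re.I),
}


def classify_db_error(response_body):
    """Return the database engines whose error signature appears in the response."""
    return [name for name, rx in DB_ERROR_SIGNATURES.items() if rx.search(response_body)]
```

Against a real target the `search` callable would be an HTTP request whose result is the response body (or a row count extracted from it); the comparison logic stays the same. The error signatures deliberately key on the messages a broken quote produces rather than on generic words like "error", which is what keeps false positives down.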

Proxy

  • Proxy settings moved to global settings
  • Now you can see the active proxy settings in the status bar
  • Invicti now supports NTLM, Basic, Digest, Kerberos and Negotiate authentication for proxies

GUI

  • New Community menu added for easier access to Invicti Blog and Request a Feature
  • All message boxes use the correct theme now
  • Attack Possibility in the dashboard is now more accurate
  • Some typos and missing tooltips addressed

Form Authentication

  • Several minor bugs addressed and features improved
  • Now it's possible to use Form Authentication even when the website also requires NTLM, Basic, Digest, Kerberos or Negotiate authentication
  • Now it's possible to use Form Authentication even when server uses an invalid SSL certificate

Parsers

  • Text parser works better now

Installer

  • Installer simplified
  • Extra checks added for .NET Framework 3.5 SP1 detection and installation

Other Fixes & Improvements

  • Extra runtime checking and error handling added for .NET Framework 3.5 SP1 and SQL Server CE dependencies
  • Static and Backup tests were not working when Invicti was launched from the CLI in auto-pilot mode
  • LFI Panel crashes fixed
  • Full HTTP response added to XML reports
  • XML reports no longer show an attack parameter for vulnerabilities identified passively, such as Server Version Disclosure
  • Several other minor bug fixes and improvements

18-May-2015

NEW SECURITY CHECKS

  • Added RSA Private Key Detected vulnerability check

IMPROVEMENTS

  • Improved Credit Card Disclosure detection
  • The cookie name is now reported in the "Cookie values used in Anti-CSRF token" issue
  • Improved "Delegated event" simulation in DOM Parser
  • Improved comment order in knowledgebase by displaying comments having sensitive keywords first
  • Improved the wording at "ViewState is not Encrypted" vulnerability report template
  • Improved DOM Parser and DOM XSS by providing the received response headers to JavaScript context
  • Improved Exclude/Include patterns to match parameter names and values in addition to the URL
  • Improved resource finder to accept HTTP 401 and 500 status codes when a hidden resource is discovered
  • Improved logging of regex timeout issues with additional parameter name and URL information
  • Improved reporting API documentation by including more types
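The RSA Private Key Detected check and the Credit Card Disclosure improvement above are both passive content checks over response bodies, and the interesting part of each is what keeps them from firing on noise. The block below is an added example of that style of check, not Invicti's implementation: a PEM matcher that requires the BEGIN and END lines to name the same key type, and a card-number matcher that filters candidates by length, an assumed (deliberately short) issuer-prefix table and the Luhn checksum. The sample response is constructed; the card numbers in it are public test numbers.

```python
import re

# PEM private-key block: the footer must name the same key type as the header.
PEM_PRIVATE_KEY = re.compile(
    r"-----BEGIN ((?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY)-----"
    r"\s*([A-Za-z0-9+/=\s]+?)\s*-----END \1-----"
)

# 13 to 19 digits, optionally separated by single spaces or dashes, not glued to other digits.
CANDIDATE_PAN = re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])")

# Issuer prefixes accepted here (assumption for the example; a real check needs a fuller table).
ISSUER_PREFIX = re.compile(r"^(?:4|5[1-5]|3[47]|6(?:011|5))")


def luhn_valid(digits):
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_private_keys(body):
    """Key types of every well-formed PEM private-key block in the response."""
    return [m.group(1) for m in PEM_PRIVATE_KEY.finditer(body)]


def find_card_numbers(body):
    """Candidate numbers that survive length, issuer-prefix and Luhn filtering."""
    hits = []
    for m in CANDIDATE_PAN.finditer(body):
        pan = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(pan) <= 19 and ISSUER_PREFIX.match(pan) and luhn_valid(pan):
            hits.append(pan)
    return hits


# Constructed response body for the demo (not from the page).
SAMPLE_RESPONSE = """<pre>
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA0Z3VS5JJcds3xfn/ygWyF8PbnGy0AHiXhx6qm8R9F6E=
-----END RSA PRIVATE KEY-----
</pre>
<p>Card on file: 4111 1111 1111 1111 (order 1234567890123456), backup 378282246310005</p>
"""
```

The order number `1234567890123456` is the case the improvement is about: it has the right length but fails both the prefix and the Luhn test, so it is not reported, while the two real test numbers are.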

FIXES

  • Fixed "Options Method Enabled" vulnerability reporting by adding status code checks
  • Fixed a NullReferenceException that occurred when Invicti was started from the command line
  • Fixed an encoding issue for parameter names in multipart/form-data requests
  • Fixed an issue related to form authentication verification in which the Continue button is missing on the verification dialog if there is no configured persona
  • Fixed click simulation in custom form authentication scripting by preventing the extra click on elements
  • Fixed an SSL connection issue where the target web server accepts only the TLS 1.1 or TLS 1.2 protocols
  • Fixed custom data reporting in vulnerability templates by removing the extra space added to the values
  • Fixed custom data reporting in vulnerability templates to get rid of the bullet point if there is only a single custom data
  • Fixed an issue with "Out of Scope" links reported under knowledgebase where the links discovered in DOM Parser are not reported
  • Fixed a report template customization issue where modifying a report template while Invicti is running was causing it to fail during report generation
  • Fixed a multipart/form-data request issue where "filename" attribute was not submitted for file upload parameters
  • Fixed a dashboard issue where the progress bar is stuck on Crawl Only scans even though crawling finishes
  • Fixed a custom URL rewrite bug where rules with multiple numeric parameters were not being matched
  • Fixed the custom URL rewrite test interface, which previously tested only the visible rows

18-May-2015

NEW SECURITY TESTS

  • Form Hijacking Security Checks added
  • Base Tag Hijacking Security Checks added

IMPROVEMENTS

  • Added several new backup file checks to improve the coverage
  • Increased the number of combinations covered by Common Directory checks
  • Added support for using digits in custom URL rewrite parameter names
  • Added new XSS attack patterns to detect a full URL vulnerability and remote XSS attacks
  • Added HTTP POST method support for Open Redirection security tests
  • Improved resource finder behavior by falling back to GET requests when HEAD requests fail
  • Improved detection of XSS vulnerabilities in CSS blocks
  • Improved vulnerability template for Open Redirection vulnerabilities
  • Increased coverage by finding LFI vulnerabilities exposed to file:// protocol
  • Set default maximum vulnerability report limit to 1000 for active engines
  • Improved detection of Remote Code Execution and DoS in HTTP.sys vulnerability
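Form Hijacking and Base Tag Hijacking (the two new security tests above) are both consequences of unescaped HTML injection: an injected `<base href>` changes where every later relative URL on the page resolves, and an injected, unclosed `<form action>` captures the inputs of the legitimate form that follows it, because browsers ignore a `<form>` start tag while another form is open. The block below is an added example of how such a check can be confirmed from the response, not Invicti's own test: it reflects a payload into a constructed page, parses the result with the standard-library HTML parser, and reports which references or inputs now point at a canary host. The canary host `canary.invalid` and the page template are assumptions for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: a reserved-TLD host the scanner controls; a real scanner uses its own unique marker.
CANARY_HOST = "canary.invalid"
BASE_PAYLOAD = f'<base href="https://{CANARY_HOST}/">'
FORM_PAYLOAD = f'<form action="https://{CANARY_HOST}/collect" method="post">'

# Constructed sample page: the "q" parameter is reflected before the login form.
PAGE_TEMPLATE = (
    '<html><head><title>Search</title></head><body>'
    '<p>Results for: {q}</p>'
    '<form action="/login" method="post">'
    '<input name="user"><input name="pass" type="password"></form>'
    '<script src="/static/app.js"></script></body></html>'
)


def render(q, escape_output):
    """escape_output=False is the vulnerable page, True the fixed one."""
    return PAGE_TEMPLATE.format(q=html.escape(q) if escape_output else q)


def _host(url):
    return urlsplit(url).hostname


class _Auditor(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.base = page_url
        self.base_seen = False
        self.base_injected = False
        self.form_action = None        # action of the form the browser considers open
        self.refs_to_canary = []       # relative references that now resolve to the canary
        self.hijacked_inputs = []      # inputs that would be submitted to the canary

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "base" and "href" in a and not self.base_seen:
            self.base_seen = True      # only the first <base href> sets the document base URL
            self.base = urljoin(self.base, a["href"])
            self.base_injected = _host(self.base) == CANARY_HOST
            return
        if tag == "form":
            if self.form_action is None:   # a nested <form> start tag is ignored by browsers
                self.form_action = a.get("action", "")
                self._note_ref(self.form_action)
            return
        if tag in ("input", "select", "textarea", "button") and self.form_action is not None:
            if _host(self.form_action) == CANARY_HOST:
                self.hijacked_inputs.append(a.get("name", ""))
            return
        ref = a.get("src") or a.get("href")
        if ref:
            self._note_ref(ref)

    def _note_ref(self, ref):
        # Only relative references are affected by an injected base URL.
        if self.base_injected and not _host(ref) and _host(urljoin(self.base, ref)) == CANARY_HOST:
            self.refs_to_canary.append(ref)

    def handle_endtag(self, tag):
        if tag == "form":
            self.form_action = None


def audit(page_url, body):
    """Parse a response and report base-tag and form hijacking against the canary host."""
    p = _Auditor(page_url)
    p.feed(body)
    return {
        "base_tag_hijacking": p.base_injected and bool(p.refs_to_canary),
        "hijacked_refs": p.refs_to_canary,
        "form_hijacking": bool(p.hijacked_inputs),
        "hijacked_inputs": p.hijacked_inputs,
    }
```

Note that the base-tag case also reports the legitimate form's relative `/login` action, since the injected base rewrites where it submits; the form-hijacking case instead lists the input names that an attacker would receive. Escaping the reflected value fixes both.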

FIXES

  • Fixed a race condition issue which occurs while adding new links on DOM simulation
  • Fixed an InvalidOperationException issue which occurs while trying to apply token parameter values
  • Fixed incorrect parsing of multiple response headers with the same name in DOM simulation and DOM XSS attacks
  • Fixed a vulnerability template generation issue where temporary files were being kept on disk
  • Fixed installer to handle .NET framework versions released after 4.5.2
  • Fixed the incorrect description text for SQL Injection security test on scan policy editor dialog
  • Fixed the "Maximum 404 Pages to Attack" scan policy option, which previously limited the maximum to 10 pages regardless of the configured value

18-May-2015

NEW SECURITY CHECKS

  • Added Remote Code Execution and DoS in HTTP.sys (CVE-2015-1635) security check

IMPROVEMENTS

  • Improved Auto Complete Enabled vulnerability report by highlighting input name on response viewer
  • Improved Auto Complete Enabled vulnerability report by displaying all the matching input names
  • Improved PCI reporting by adding PCI 3.1 data to vulnerabilities

FIXES

  • Fixed the wrong highlighting of selected row on custom URL rewrite rule editor while testing rules

18-Mar-2015

BUG FIX

  • Fixed a SocketException that occurred during the Heartbleed check

18-Mar-2015

BUG FIXES

  • Fixed a bug where the application hung in the Heartbleed engine
  • Fixed SOAP WSDL parser to parse web services containing .NET System.Data references
  • Fixed SOAP WSDL parser to parse web services containing array parameters

18-Mar-2015

Read the blog post for more details about this version

NEW FEATURE

  • New option available to specify the type of parameter when configuring URL rewrite rules, e.g. numeric, date, alphanumeric

IMPROVEMENTS

  • Improved the performance of the DOM Parser
  • Improved the performance of the DOM cross-site scripting scanner
  • Optimized the DOM XSS scanner to avoid scanning pages with the same source code
  • Changed the default HTTP User-Agent string of built-in policies to a Chrome web browser User-Agent string
  • Improved simulation of option selection for HTML select elements
  • Added new patterns for Open Redirect engine

BUG FIXES

  • Fixed a bug in the WSDL parser that prevented web service detection if XML comments were present before the definitions tag
  • Fixed a bug in the WSDL parser that prevented web service detection if an external schema request got a 404 Not Found response
  • Fixed a bug where the request was not sent when custom URL rewrite rules did not match the URL containing the injected attack pattern
  • Fixed a form authentication configuration wizard problem where the web browser did not load the page if the target site uses client certificates
  • Fixed a crash in the form authentication configuration wizard that occurred when the HTML source contained an object element with a data: URL
  • Fixed a bug in DOM Parser where events are not simulated for elements inside frames
  • Fixed a cookie parsing bug where a malformed cookie was causing an empty HTTP response

18-Mar-2015

NEW WEB SECURITY TEST

  • Added Insecure Transportation Security Protocol Supported (SSLv3) vulnerability check (POODLE vulnerability)
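Checking for SSLv3 support (the POODLE test above) is awkward with modern TLS libraries, which no longer speak SSLv3 at all, so a scanner does it at the record level: offer a ClientHello whose only version is 3.0 and classify the first record that comes back. A ServerHello at 3.0 means the server will negotiate SSLv3 and is exposed to POODLE; an alert (typically `protocol_version` or `handshake_failure`) means it refuses. The block below is an added example of that exchange, not Invicti's check; the cipher-suite list offered is an assumption, and `build_server_hello` exists only so the classifier can be exercised offline against a constructed response.

```python
import os
import socket
import struct

VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
SSLV3 = (3, 0)
# Cipher suites commonly enabled on SSLv3-era servers; assumed list for the probe.
PROBE_SUITES = [0x0004, 0x0005, 0x000A, 0x002F, 0x0035, 0x0039]


def build_client_hello(version=SSLV3, suites=PROBE_SUITES):
    """Minimal ClientHello record offering only `version` (no extensions)."""
    major, minor = version
    body = bytes([major, minor]) + os.urandom(32) + b"\x00"            # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                                 # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def build_server_hello(version, suite):
    """Constructed ServerHello record (empty session id), used to test the classifier offline."""
    major, minor = version
    body = bytes([major, minor]) + os.urandom(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body           # handshake type 2 = ServerHello
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data):
    """Interpret the first TLS record a server returns to an SSLv3-only ClientHello."""
    if len(data) < 5:
        return ("unknown", "short response")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    frag = data[5:5 + length]
    if ctype == 0x15 and len(frag) >= 2:                                 # alert record
        names = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}
        return ("refused", names.get(frag[1], f"alert {frag[1]}"))
    if ctype == 0x16 and len(frag) >= 4 and frag[0] == 0x02:             # ServerHello
        body = frag[4:4 + int.from_bytes(frag[1:4], "big")]
        if len(body) < 35 or len(body) < 37 + body[34]:
            return ("unknown", "truncated ServerHello")
        negotiated = (body[0], body[1])
        sid_len = body[34]
        suite = int.from_bytes(body[35 + sid_len:37 + sid_len], "big")
        name = VERSION_NAMES.get(negotiated, f"{negotiated[0]}.{negotiated[1]}")
        if negotiated == SSLV3:
            return ("sslv3_supported", f"{name} with cipher suite 0x{suite:04x}")
        return ("negotiated", name)
    return ("unknown", f"record type {ctype}")


def probe(host, port=443, timeout=5.0):
    """Live check: send the SSLv3 ClientHello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        return classify_server_response(s.recv(4096))
```

Because the ClientHello advertises nothing above 3.0, a conforming server cannot answer with a higher version; a ServerHello at 3.0 is therefore a positive result on its own, with the negotiated cipher suite recorded for the report. A connection reset with no record at all is also a refusal and is left as "unknown" here so it can be retried rather than reported.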

BUG FIXES

  • Fixed a specific issue where generic email addresses were not being reported.
  • Fixed form authentication configuration wizard problem where it couldn't handle pages with popups.
  • Fixed an issue where Invicti was crashing when the application is closed during report generation.
  • Fixed a crash which occurs on systems where Trebuchet MS font is missing
  • Fixed two Heartbleed engine bugs.

18-Mar-2015

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

  • OpenSSL Heartbleed checks added

18-Mar-2015

FIXES

  • Fixed an InvalidCastException that occurred in the DOM Parser on some configurations
  • Fixed some incorrect UI control sizes and locations

18-Mar-2015

NEW WEB SECURITY TEST

  • Added Bash Command Injection Vulnerability (Shellshock Bug) check.

NEW FEATURE

  • Added exploitation support for Remote Code Evaluation and Command Injection engines.

FIX

  • Fixed a bug in WSDL parser that crashes application when a type is recursively referenced.
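Exploitation support for the Command Injection engine (the new feature above) rests on a confirmation that cannot be fooled by the payload being echoed back: inject an expression whose result only exists if a shell evaluated it, then look for that result in the response. The block below is an added example of that technique, not Invicti's payloads or engine. It pairs a deliberately vulnerable function that splices input into a shell command with the argv-based fix, and confirms injection with an arithmetic marker across several shell syntaxes. The `echo`-based "lookup" is a stand-in for whatever command the target really runs.

```python
import subprocess


def vulnerable_lookup(hostname):
    """Deliberately vulnerable: the hostname is spliced into a shell command line."""
    cmd = "echo resolving " + hostname
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_lookup(hostname):
    """Same feature without a shell: an argv list, so metacharacters stay data."""
    return subprocess.run(["echo", "resolving", hostname], capture_output=True, text=True).stdout


def marker_payloads(a=12345, b=7):
    """Arithmetic marker: the product only appears in output if a shell evaluated it."""
    expected = str(a * b)
    expr = f"$(({a}*{b}))"
    payloads = [
        f"x;echo {expr}",        # command separator
        f"x|echo {expr}",        # pipe
        f"x`echo {expr}`",       # backtick substitution
        f"x$(echo {expr})",      # $() substitution
    ]
    return expected, payloads


def confirm_command_injection(target):
    """Return the first payload whose marker comes back evaluated, or None."""
    expected, payloads = marker_payloads()
    for p in payloads:
        out = target(p)
        # A literal echo of the payload text (which contains "12345*7") must not count.
        if expected in out.replace(p, ""):
            return p
    return None
```

The marker is the important design choice: `86415` never appears in the request, so a page that merely reflects the input does not produce a false positive, and the product can be changed per scan so cached or pre-existing content cannot match either. For blind cases where output is not returned, the same structure works with a time-based marker (`sleep`) and a response-time comparison instead.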

18-Mar-2015

BUG FIX

  • Fixed an issue where an imported NSS file containing multiple version vulnerabilities was throwing exceptions during report generation