Invicti Product Release Notes
Invicti Standard
IMPROVEMENTS
- Increased severity of "Insecure Transportation Security Protocol Supported (SSLv2)" vulnerability to "Important"
- Added support for adding several more request headers including the "Host" header
FIXES
- Fixed a bug in the VDB update process where a computer with no internet access might not receive newer VDB updates even after being updated with the offline installer
NEW SECURITY CHECKS
- New security check that detects insecure targets in Content Security Policy.
- Added checks for exposure of trace.axd in ASP.NET applications.
- New security check for Time Based Server-Side Request Forgery.
- Added Markdown Injection attack pattern to XSS engine.
- Added a Code Evaluation check for Apache Struts framework.
IMPROVEMENTS
- Improved Boolean SQL Injection detection.
- Updated the Local File Inclusion vulnerability classifications.
- Improved Trace/Track security checks.
- Improved coverage of XSS engine in redirects.
- Added policy optimization support for SSRF security checks.
- Added exploit generation support for "Cross-site Scripting via Remote File Inclusion" vulnerability.
- Added a specialized parser for JavaScript responses to reduce the number of incorrect links discovered.
- Improved form authentication logout detection by ignoring the responses of some attacks to prevent incorrect logout detections.
- Added type ahead search box for Security Check Groups on Scan Policy Editor.
- Added "Send to Request Builder" context menu item for activities on scan activity pane.
- Added input validation for placeholder patterns on Custom URL rewrite grid.
- Added scheduling support for Incremental Scan feature.
- Added the number of crawled links next to scanned host names on sitemap tree.
- Improved code generation for form authentication custom scripts.
- Improved proxy options UI. Now proxy address inputs can be pasted along with user credentials and port.
- Added VDB support to Blind & Boolean SQLi post exploitation.
- Added an info message to the Browser View tab stating that this view is a limited preview.
- Added file parameter type support to Request Builder.
- Added support for multiple report exporting to Scheduled Scans.
- Added the vulnerability counts by severity for the current scan to the status bar.
- Added Copy URL and Copy as cURL context menu items to Imported Links grid.
- Added pause scan button to interactive login dialog.
- Improved sqlmap command generation by adding database server type parameter.
- Made the Start New Scan dialog resizable.
- Added Search feature to Imported Links.
- Added Cancel button for Request Builder.
- Added support for checking Open Redirection vulnerability on Refresh response header.
- Added the XPath information of the element that causes the DOM XSS vulnerability.
- Added "Sub Path Max Dynamic Signatures" setting for Heuristic URL Rewrite detection.
- Added database specific queries for the selected SQLi vulnerability on exploitation panel.
- Added a JavaScript scan policy option to filter the events attached to "document" by name down to a fixed set (mousedown, keyup, etc.) to reduce the number of events triggered during the simulation.
- Added a JavaScript scan policy option to exclude HTML elements such as logout buttons from event simulation by CSS selectors.
- Added the capability to find vulnerabilities whose sink is window.name to the DOM XSS security checks.
- Improved coverage of the Local File Inclusion engine so that a vulnerability can be found in a full URL attack.
FIXES
- Fixed several issues related to DOM parsing and simulation.
- Fixed a NullReferenceException thrown by HTTP Methods checks.
- Fixed a StackOverflowException caused by JSON responses with too many nested elements.
- Fixed PoC generation during post exploitation for time based SQLi checks.
- Fixed incorrect bearer token log message on verify dialog even when bearer token detection is disabled.
- Fixed a NullReferenceException while confirming a Boolean SQLi vulnerability.
- Fixed several issues related to the splash screen to make sure it is hidden when the application is loaded.
- Fixed a NullReferenceException thrown by logout detection while trying to close the application.
- Fixed an issue where the scan was paused when an additional host was unreachable.
- Fixed an issue where the new link nodes added under an excluded branch on sitemap tree were not excluded.
- Fixed the misleading message shown when a manual crawling scan is started; the Form Authentication feature no longer requires installing a certificate on your computer.
- Fixed IndexOutOfRangeException thrown while trying to open Scan Policy Editor dialog if the UI language is set to Korean.
- Fixed keyboard tab order on Form Authentication settings.
- Fixed an issue where the injection HTTP response was displayed as an empty string because the deserialized file did not contain the HTML response of the attack.
- Fixed typos in CSP vulnerability templates.
- Fixed the broken impacts table on Executive Summary Report PDF when the table spans 2 pages.
- Fixed several issues related to report policy naming when the name is invalid or too long.
- Fixed generated blank pages on PDF reports.
- Fixed OperationCanceledException thrown during extra confirmation.
- Fixed UI glitches on form authentication Custom Script dialog caused when splitters are resized.
- Fixed several Request Builder issues.
- Fixed the Test Credentials button on basic authentication settings, which did not send the Authorization request header if the Do Not Expect Challenge check box was checked.
- Fixed an issue where ignored emails were still reported in the knowledge base.
- Fixed a bug where double encoded attacks were not exploitable in the browser when the proof URL was clicked.
- Fixed an issue where source code disclosure is reported in JS and CSS files.
- Fixed an SQL exploitation issue where executing a SQL query that expects an integer result was failing for PostgreSQL databases.
- Fixed a Text Parser issue where single quote characters were being captured as part of links.
- Fixed the incorrect path disclosure caused by the Shellshock attack.
- Fixed a TargetInvocationException thrown when loading a new license using the Help > Load New License menu item.
- Fixed missing SSRF proofs under Proofs knowledge base.
- Fixed an ArgumentException thrown by DOM XSS checks when the web site is crawled using manual crawling mode.
- Fixed incorrect encoded parameter names for multipart/form-data forms.
- Fixed the incorrect auto update notification even when you have a more up-to-date version of the application.
- Fixed the large right margin on Knowledge Base Report (PDF) summary page.
- Fixed the splash screen that is shown in front of the trial popup message.
- Fixed the performance issues of recrawling related to DOM XSS checks on web sites with lots of links.
- Fixed the incorrect CR LF encoding issues on proof URLs.
- Fixed a retest issue where all parameters of the link were being retested instead of only the vulnerable parameter.
- Fixed the visual glitch that occurred on the Imported Links section upon importing new links.
- Fixed DOM Parser clearInterval JavaScript function simulation.
- Fixed an issue where a stored XSS vulnerability was reported in an XHR response rather than in the page that makes the XHR request.
- Fixed an issue where a Boolean SQLi vulnerability was missed because of the crawled parameter value.
- Fixed an issue where a reflected XSS vulnerability was missed because the reflected payload was HTML encoded in an attribute.
- Fixed an issue where the Text Parser did not handle the same JavaScript being referenced from different files.
NEW FEATURES
- Scanning of RESTful web services.
- Report Policies to customize the scan results and reports
- "Heuristic Rule Detection" support while using custom URL rewrite rules.
- Added an option to disable logout detection for form authentication.
- Added ASP.NET Web Application project import support.
NEW SECURITY CHECKS
- Added SameSite cookie attribute check.
- Added Reverse Tabnabbing check.
- Added Subresource Integrity (SRI) Not Implemented check.
- Added Subresource Integrity (SRI) Hash Invalid check.
IMPROVEMENTS
- Various memory usage improvements to handle large web sites.
- Improved vulnerability templates by adding product information when a 3rd party web application (WordPress, Drupal, Joomla, etc.) is discovered.
- Improved DOM simulation by supporting HTTP responses that are translated to HTML web pages using XSLT.
- Improved coverage of LFI engine.
- Added name completion for profile save as dialog.
- Updated missing localized text for Korean translation.
FIXES
- Fixed an issue where form authentication remembered the cookies from the previous scan when the same Invicti instance was used for a new scan.
- Fixed the incorrect progress bar while performing a controlled scan.
- Fixed an issue where the enabled status of DOM Based XSS security checks was not being logged.
- Fixed an issue where the "Cross-site Scripting via Remote File Inclusion" vulnerability was not being confirmed.
- Fixed a JIRA Send To action issue where the port number of the JIRA service was being ignored.
- Fixed the synchronization issue on JavaScript Scan Policy section where UI elements are left enabled even though "Analyze JavaScript / AJAX" option is not checked.
- Fixed a NullReferenceException thrown when a scan was paused and resumed while form authentication was being performed.
- Fixed the incorrect form value issue when the #DEFAULT# form value is removed.
- Fixed the broken layout of input controls on basic authentication dialog shown during form authentication.
- Fixed the error reporting issue that occurred when log file collection and/or compression failed.
- Fixed the HTTP Archive Importer issue where POST method was parsed as GET when postData is empty.
- Fixed the ObjectDisposedException thrown on form authentication verification dialog.
- Fixed a bug where a GWT parameter containing a Base64 encoded value could not be detected.
- Fixed a time span parsing bug in Knowledge base report templates.
- Fixed an issue where some vulnerabilities are treated as fixed while retesting.
- Fixed an issue where XSS proof URL was missing alert function call.
- Fixed a typo on "Base Tag Hijacking" vulnerability template.
- Fixed the broken "Generate Debug Info" function of JavaScript simulation feature.
NEW FEATURES
- Added Invicti Enterprise Integration to the license activation dialog which enables the activation of a license using the Invicti Enterprise Information
- Added a WAF Identification feature that detects whether the target website is using a Web Application Firewall that blocks Invicti attacks, and warns the user about it
- Added a SANS Top 25 Scan Policy and report
- Added login confirmation to ensure that Invicti was able to acquire an authentication session after conducting the login sequence, in order to notify users in case of any failure due to changed credentials
- Added an Auto Export feature which enables the automatic export of all old session files not previously uploaded to Invicti Enterprise when connected to its servers
- Added FortiWeb WAF integration
- Added YouTrack Send To integration
- Added Freshservice Send To integration
NEW SECURITY CHECKS
- Added version disclosure and out-of-date checks for Telerik Web UI
- Added detection and out-of-date checks for Java and GlassFish
IMPROVEMENTS
- Improved the Postman importer to generate URL Rewrite rules automatically from the Postman file
- Added a new logout confirmation request to the Logout Detection process
- Updated the AttackUsage properties of mXSS patterns to increase scan performance
- Added a text field to the Report Policy Editor for displaying GUID values of custom vulnerabilities
- Added a Copy Rules button to the URL Rewrite tab in the Start a New Website or Web Service Scan dialog
- Added Region information to the new Invicti Enterprise Information section in the Invicti Enterprise tab
- Added search tags and a shortcut key to the Search tab on the ribbon
- Added the ability to sort the Name and Value grid view in the OAuth2 tab
- Added a warning about unsupported settings in the OTP column in the Form authentication tab
- Added a transparency feature to the Scan Search, accessed by pressing CTRL
- Added a URL to provide extra information to help distinguish similar results in the Raw Requests and Responses tabs
- Improved vulnerability summary suggestions to recommend that only confirmed vulnerabilities should be fixed immediately in the Executive Summary Report
- Improved the Report Policy using the CWE and SANS top 25 standards
- Added a new Max Response Headers Length option to the Advanced tab
FIXES
- Fixed an issue where the RedirectBodyTooLarge vulnerability was being falsely reported when the redirect location was triple encoded
- Fixed a NullReferenceException that was thrown in the ReflectedParameterAnalyzer component
- Fixed an issue where Invicti Assistant retains generated optimized Scan Policies even if it has been disabled
- Fixed the Pre-Request Script tab's Presets button's enabled state
- Fixed a visual text wrapping issue that occurred when all Resource Finder options were selected in the Scan Policy Optimizer dialog
- Fixed an issue where the Proxy Authentication fields in the Proxy tab of the Scan Policy Editor were not being disabled when the Use Current User's Windows Credentials checkbox was selected
- Fixed an issue that caused Invicti to freeze when the Scan Finished dialog was displayed while another dialog was open
- Fixed the signature of the nginx.conf pattern
- Fixed an issue that caused the Total Vulnerability Count not to be updated when a vulnerability was removed from the Issues panel
- Fixed an issue that caused the wrong information to be copied about the node when Ctrl+C was used in the Issue and Sitemap panels
- Fixed an issue that caused the Context button to overlay the Vulnerability Counts icons in the Local Scans files tab
- Fixed an issue where the Import From File dropdown in the Imported Links tab was not displaying the last opened folder
- Fixed an issue that showed the wrong exception message in the Test Credentials dialog for the authentication tabs, when the website was unreachable
- Fixed WAF button display names in the Vulnerability tab on the ribbon
- Fixed a validation problem that occurred in mandatory fields in the WAF settings tab
- Fixed an issue that caused the scrollbar color not to be applied in the request/response panel.
- Fixed an issue that showed the wrong tooltip in the Form Authentication tab's verified settings
- Fixed an issue that caused vulnerability counts to be calculated incorrectly when grouping the Issue panel by URL
- Fixed an issue that caused some 404 nodes to not be visible when a filter was applied using search text
- Fixed a problem that caused the generation of empty Comparison Reports
- Fixed an issue where version vulnerabilities could not be fetched from the database when application names contained space characters
- Fixed an issue that caused inconsistent sorting results for the Sitemap nodes.
- Fixed an issue that caused an ArgumentException in the CORS Checker
- Fixed an issue that caused the Exploit LFI panel to not display its content when the height was set too small
- Fixed the Extracted Version of Java Servlet Version Disclosure vulnerability so that it no longer includes a slash
- Fixed an issue where the WebLogic Server was occasionally being incorrectly reported as the Application server of the target website
- Fixed an issue where the XSS attack file had been overwritten, which caused the wrong injection request to be displayed when reporting Stored XSS vulnerabilities
- Changed the notifications icons, and removed unnecessary extra space from the unread Notifications button
- Fixed a NullReferenceException in the XSS Analyzer
- Fixed a scope issue in the Resource Finders and in the Drupal RCE Engine
- Fixed a subdomain problem in the Phishing by Navigating Tabs vulnerability
- Removed a context menu from the Send To Actions tab
- Fixed an issue that caused the template not to be applied in the Subscriptions context menu
- Fixed a grammatical error in an Invicti Assistant notification
- Fixed issues in the Blind SQL injection confirmation for redirects and timeouts
- Fixed an issue that caused OTP settings to be applied when Persona information was missing in the Form Authentication tab
- Fixed an issue that prevented the Local Scans' file's context buttons from being clicked when the scroll bar was displayed.
- Fixed the issue where Custom Field values were incorrectly displayed in older scans
- Fixed the signature patterns of the ASP.NET and Apache Module version disclosures so that they capture the version correctly
- Fixed the handling of null Responses in Requests made using the Pre-Request Script feature.
- Fixed a problem where a horizontal scrollbar was displayed in the search dialog
- Refactored the JSON Regex to eliminate excessive backtracking
- Fixed an issue where the Internal Proxy was updating headers that already had default values
- Fixed a problem in Report Templates where custom logos were incorrectly aligned
- Fixed a NullReferenceException error that was thrown when a Theme was not selected in the General tab of the Options dialog
- Fixed the Send To Action panel to display default names with normal font instead of bold
- Fixed an issue that caused a crash when an internal server error occurred during the export of a scan to Invicti Enterprise.
- Fixed the width of the grid view in the Report Policy Editor
- Fixed the focus back on the Sitemap and Issues panels after their search boxes are cleared
- Fixed a race condition in the parsing of the Finish Time calculation which caused an exception to be thrown
- Fixed a couple of localization problems in the Knowledge Base Report.
- Fixed URL alignment in reports
IMPROVEMENT
- Improved Source Code Disclosure (ColdFusion) attack pattern
FIXES
- Fixed multiple logout detection popups being unnecessarily shown
- Fixed an issue that was causing Scheduled Scans to run slower than regular scans
- Fixed an issue where redundant scan folders are created when scans are auto saved
- Fixed a performance issue in scans with an excessive number of captured links
- Fixed a NullReferenceException thrown by Expect CT security checks
- Fixed an ArgumentNullException thrown by Expect CT security checks
- Fixed a NullReferenceException thrown by Sitemap tree
- Fixed the broken padding in the RFI knowledge base proof representation of the tasklist command
NEW FEATURE
- Added JavaScript timeout settings for Open Redirect and XSS confirmation in Scan Policy.
IMPROVEMENT
- Improved the parsing of large JavaScript files.
FIXES
- Fixed the empty target URL text box on start new scan window on initial load.
- Fixed the hang issue caused by popup windows during form authentication.
- Fixed the exception that occurs when root directory node is excluded in sitemap.
- Fixed an exception thrown while shutting down the application.
- Fixed a NullReferenceException that occurred while trying to parse compressed sitemap files.
- Fixed a serialization exception that occurred while trying to load older scan files.
- Fixed the broken tooltip message on Custom Form Authentication Script dialog.
- Fixed the exception that occurred when importing a scan file whose path contains invalid characters.
- Fixed duplicate activities displayed while analyzing crawled pages.
NEW FEATURES
- Added Pivotal Tracker Send To integration
- Added test website (Target URL) configuration to enable the scanning of REST websites with selected XML and JSON mime type(s)
- Added ability to add, remove or edit request parameters, headers and edit the request body in pre-request scripts
- Added a Fragment Parsing checkbox to the Crawling tab of the Scan Policy Editor dialog
NEW SECURITY CHECKS
- Added a new vulnerability for Same Site Cookies that are set to None and not marked as secure
IMPROVEMENTS
- Improved the Webhook Send To Action to enable it to send data from the query string when the POST or PUT method is selected
- Improved the Jira Send To Action to include Epic Key and Epic Name fields
- Updated the default value for Allow Out-of-scope XHR requests from False to True, to improve the simulation process
- Improved Form Authentication to capture All Authorization Headers instead of just Bearer Authentication Tokens
- Improved the scan performance with memoization of Passive Security Checks
- Optimized Stored XSS checks to eliminate unnecessary DOM simulations in PermanentXssSignature
- Optimized signature detection to avoid executing unnecessary Regex checks
- Improved the attack payload of the Open - Integer (MySQL) pattern
FIXES
- Fixed the problem where the authentication header was parsing if an empty OAuth2 token type was provided
- Fixed a typo in the XSS vulnerability template
- Fixed a typo in Expect-CT engine error message
- The WAF Identified dialog is no longer displayed when Invicti is started from the command line in Silent Mode
- Fixed an issue that meant the Target URL was not crawled when the Override Target URL with authenticated page checkbox was enabled in the Form Authentication tab of the Start a New Website or Web Service Scan dialog
- Fixed the visibility of the scan search bar
- Fixed the Regex Pattern of the BREACH Engine's sensitive keywords
- Fixed an issue where the Possible OOB Command Injection Vulnerability was reported as confirmed
- Fixed the exception that was thrown if the script file name was empty when the Execute button was clicked in the Custom Scripts panel
- Fixed the problem where the XXE engine was reporting a false positive on possible XXEs
- Data Type Mismatch errors are now ignored while importing OpenAPI (Swagger) documents
- Fixed an issue where Authentication Verification was failing to complete in Silent Mode when the Target URL was unreachable
- Fixed an issue that caused the crawler to exit abnormally and stop the scan when Invicti Assistant changed the Scan Settings
- Fixed a NullReferenceException in the Custom Scripts panel
- Fixed an issue that caused a link to get stuck in the Crawling state, causing the scan to take too long
- Fixed a NullReferenceException that occurred when a Retest was performed on an imported scan
- Fixed an issue that occasionally caused scans to hang when the Target URL timed out on requests
- Removed an extra semicolon from the Actions to Take section of the Insecure Transportation Security Protocol Supported vulnerability templates
NEW FEATURES
- Manual Crawling (Proxy Mode) now supports protocols like TLS 1.1 and 1.2.
- Added scan policy settings for CSRF security checks.
- Added ability to use custom HTTP headers during scan.
- Added element exclusion support using CSS query selectors for DOM/JavaScript simulation.
- Added /generatereport CLI argument for report generation from scan session files.
- Added hex editor view for requests on request builder.
- Added attacking optimization option for recurring parameters on different pages.
- Added a new knowledge base item called Site Profile that lists information about the target web site, such as the web server operating system, database server, JavaScript libraries used, etc.
NEW SECURITY CHECKS
- Added Referrer Policy security checks.
- Added markdown injection XSS patterns.
- Added HostIP and IPv6 patterns to MySQL and SSH SSRF security checks.
- Added Database Name Disclosure security checks for MS SQL and MySQL.
- Added Out of Date security checks for several JavaScript libraries.
- Added Remote Code Evaluation (Node.js) security checks.
- Added SSRF detection with server-status.
- Added user controllable cookie detection.
- Added Context-Aware XSS detection by generating XSS payloads based on the reflected context without breaking it.
IMPROVEMENTS
- Updated the links to several external references.
- Added cancellation of ongoing attack activities when excluded from site map.
- Improved JavaScript and CSS resource parsing.
- Added exploitation for XXE vulnerabilities.
- Added DOM simulation options to scan policy optimizer wizard.
- Improved Mixed Content vulnerability reporting by separating them according to resource types.
- Improved the CSS query selector generation on form authentication custom script dialog.
- Improved boolean SQL injection detection for redirect responses.
- Improved WSDL parsing for files that contain optional extensions.
- Added current scan profile, scan policy and report policy names to status bar.
- Improved .sql file detection signature.
- Improved the highlighting of patterns on HTTP responses.
- Added extra confirmation for weak credentials detection.
- Added POST parameters to crawling activities on scan activity list.
- Added scan policy option to allow XHR requests during DOM simulation.
- Added response statistics to request builder.
- Added form value for password input types to default scan policy.
- Added status column to the request history in request builder.
- Increased the maximum response size limit for JavaScript resources.
- Improved the send to JIRA error message.
- Added maximum number of option elements per select element to simulate scan policy setting.
- Added a "filter colon events" scan policy option to filter out events whose names contain a colon character during DOM simulation.
- Improved error based SQLi exploitation by generating prefix/suffix dynamically.
- Improved command injection vulnerability detection by prepending original parameter value to attack payload.
- Improved LFI vulnerability detection by detecting HTML and URL encoded PHP source code.
FIXES
- Fixed the incorrect imported link count when search panel is active on the grid view.
- Fixed the "Open in Browser" context menu action, which was broken for root nodes on the site map.
- Fixed the undefined password value issue on the form authentication custom script dialog.
- Fixed an issue where error based SQLi confirmation was done based on the first seen database signature when multiple signatures appeared in the source code.
- Fixed the duplicate import link issue.
- Fixed request builder issues on parsing query string and encoding.
- Fixed a request builder issue where an error dialog was shown while switching tabs even though the raw request was empty.
- Fixed an issue where XSS was missed when the injected payload was not executed due to a syntax error.
- Fixed the broken custom cookie issue where the custom cookie was not sent for imported scan files.
- Fixed crawling of URLs on pages where base element points to some other URL.
- Fixed some missing vulnerabilities on site map.
- Fixed the slow performing certificate load operation on start new scan dialog.
- Fixed the incorrect vulnerability severity counts on bar chart and status bar.
- Fixed an issue where blacklisted Invicti attacks prevented further source code disclosures in the HTML response.
- Fixed the splash screen which stays open when Invicti is started from command line.
- Fixed the focus stealing issue when HTML response contains the autofocus attribute.
- Fixed an issue where mixed content vulnerabilities are missing because DOM simulation is skipped due to missing JavaScript in HTML source.
- Fixed missing response on request builder when the request is loaded from history list.
- Fixed issues where an empty POST parameter was imported and headers were added as disabled for Postman files.
- Fixed an issue where the signature failed to match the MS SQL username in error messages.
- Fixed an issue where a vulnerability was missed because an arbitrary value was not appended to the extra query string parameter name.
IMPROVEMENT
- Improved the list of resources discovered by the resource finder.
FIXES
- Fixed an issue that caused legacy trial license activation failure.
- Fixed a FormatException thrown when a scan was started using a trial license.
- Fixed an issue where it was not possible to locate the source code when frame vulnerabilities were detected via the DOM.
- Fixed an XPathException caused by an input node with special characters.
- Fixed an exception thrown by the report policy editor when an unbalanced parenthesis was entered into the vulnerability type search box.
- Fixed a NullReferenceException thrown by the DOM parser component.
- Fixed the problem where manually crawled pages were not updated in the Sitemap.
IMPROVEMENTS
- Improved the form authentication element click API by providing the mouse coordinates.
FIXES
- Fixed an object leak causing performance issues during scans.
- Fixed a backup file check where scan policy selections were not honoured.
- Fixed the broken Basic, NTLM/Kerberos "Test Credentials" button.
- Fixed the unencrypted credentials saved with profile files.
- Fixed the JavaScript parsing issue by checking the mime type of the script tags.
- Fixed the broken email disclosure detection which was not able to match multiple emails.
- Fixed incorrect link parsing on JavaScript source map files.