Release Notes

Invicti Standard

RSS FEED

6.1

COPY LINK

NEW FEATURES

Added Authentication Profiles
Added the Overall Latest Version field to out-of-date vulnerabilities
Added multiple vulnerabilities reporting support to passive and singular custom scripts
Added Acunetix 360 integration

NEW SECURITY CHECKS

Implemented JSON Web Token (JWT) security check
Added the SSL Certificate is About to Expire security check
Added StackPath Web Application Firewall (WAF) detection.
Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Proxy Server.
Added Identified, Version Disclosure, and Out-of-date security checks for JavaServer Pages
Added Identified, Version Disclosure, and Out-of-date security checks for Kong Server
Added Identified, Version Disclosure, and Out-of-date security checks for Liferay Digital Experience Platform.
Added Identified, Version Disclosure, and Out-of-date security checks for Taleo Web Server
Added Version Disclosure and Out-of-date security checks for Sugar Customer Relationship Management (CRM)
Added Version Disclosure and Out-of-date security checks for Squid
Added Identified and Out-of-date security checks for Magento
Added Out-of-date security check for Daiquiri
Added Identified security check for Plesk (Windows)
Added Identified security check for Vegur
Added Identified security check for HupSpot
Added Identified security check for DataDome
Added Identified security check for Craft CMS
Added Identified security check for Windows Azure Web Apps
Added Identified security check for OpenVPN Access Server
Added Identified security check for Squarespace
Added Identified security check for Plesk (Linux)
Added Identified security check for Lighthouse
Added Identified security check for BitNinja Captcha Server
Added Identified security check for Pardot Server

IMPROVEMENTS

Added Scan Paused, Scan Resumed, Scan Canceled, and Scan Finished states to the log category.
Send to Request Builder option is now visible for Issue Group Nodes
Added page type field to vulnerability reports
Added Authentication Profile name to reports
Improved RAML Importer to import the ZIP files
Added application name and version information to a vulnerability report
Implemented Swagger path parameter default value
Fixed a Dom XSS scan stuck issue
Fixed Daiquiri Identified reporting redundant custom field issue.
Improved Common Weakness Enumeration (CWE) classifications for Out-of-Date Version vulnerabilities
Added a new Akamai Content Delivery Network (CDN) detection signature
Added a new Varnish Cache detection signature
Added missing Identified security checks for the existing technologies
Improved the summary section of the Version Disclosure template for SharePoint
Improved TRACE/TRACK Method Detected security check
Improved SVN Detected security check
Improved Version Disclosure security check and report template for Phusion Passenger
Improved Caddy Web Server Identified security check.
Improved WAF Identifier security check.
Added Blind SQL Injection security check with a new XOR payload for MySQL
Proxy credential passed to Chrome page authentication
Vulnerabilities ordered by severity in the Comparison Report

FIXES

Fixed Invicti license decrypt problem
HTTPS Requests are recorded as HTTP
Fixed the requested security protocol is not supported error
Fixed handling Protocol Buffers encoding type
Fixed miswritten product name
Fixed Phusion Passenger version disclosure template and added Out-of-Date mapping
Fixed analyzing headers even if the identification source is the crawler
Fixed an issue that may cause deadlock during adding items to Sitemap
Fixed an issue that caused out-of-scope URLs to be scanned when the override target URL option is enabled and the authentication is failed while scanning.
Fixed issue where headers in Postman collection were not replaced with variables
Fixed an issue that cause SSL validation callback returns invalid SSL certificates as out-of-scope links
Added disable-feature flag to the browser manager
Fixed a null reference exception while generating Knowledge Base report
Rare error when loading overlay window showed was ignored
Fixed out-of-scope imported links showing in Knowledge Base Rest API List
Fixed a detection issue with the Akamai CDN signature.
Fixed a detection issue with Tomcat Identified security check.
Fixed the signatures of phpMyAdmin Identified security check
Fixed big size upload error
The Exclude Authentication Page option will be checked if there is a selected authentication profile
Fixed DPI settings at Custom Script Dialog
Disabled GPU acceleration to prevent rendering errors and black bars
Fixed UI bugs at General Scan Profile Settings
Fixed issue max page visit was not received but showing in Knowledge Base because of max signature limit
Fixed Custom 404 Regex in Invicti Enterprise scan data is shown as Auto 404 at Invicti Standard
Fixed malformed VDB exception while getting the latest version of the application
Severity null control added to the Vulnerability Profile dialog
Fixed a non-recurring parameter while logging in with auto-authenticator
Fixed Scan Policy Report migration primary key error
Fixed saving Crawl & Attack option to the Scan Profile
Fixed Logout detection window shows first entered URL for every login simulation error
Fixed reporting false positive HSTS vulnerability

6.0.2.30446

COPY LINK

NEW FEATURES

Added TLS 1.3 support
Added the character limit setting for Blind SQL Injection proof generation and enabled proof generation by default
Added the Common Vulnerability Scoring System field to the known vulnerabilities
Added the Vulnerability Database version to the scan logs

IMPROVEMENTS

Improved IPv6 support to cover all SSL checks
Added an advanced setting option to turn on/off the "disable-web-security" command line option while launching chromium
Added the redirect navigation support for DOM Parser
Fixed Ghost Chromium problems and DOM simulation leaks
Added multiple ISO Classification support
Added alphabetical order to the Knowledge Base nodes
Updated Invicti Shark (IAST) licensing
Improved WAF Identification checks to prevent false positives
Added CVSS3.0 and CVSS3.1 scoring for HSTS Policy Not Enabled
Improved Open Redirection checks
Updated Capture Group for OpenResty Version Disclosure
Updated DS_Store File Found Report Template
Changed the Referrer-Policy Report Template names to be more accurate
Refined Possible Stored XSS Vulnerability template
Added missing external references to SSL Templates that are removed after the merge
Added IAST suffix to titles of vulnerability detected by Invicti Shark
Updated OpenSSL regex
Updated OpenSSL version disclosure regex
Updated SSTI patterns to use specific type to match code execution patterns

NEW SECURITY CHECKS

Added Short XSS Attack to bypass character limit checks
Added Revoked SSL Certificate check
Added SSL Certificate's Name and Hostname Mismatch security check
Added SSL Certificate is not signed by a trusted root certification authority security check
Added Daiquiri Identified security check
Added Expired SSL Certificate security check
Added ZSH History File Detected
Added DOM XSS pattern for the script SRC Injection

FIXES

Fixed an issue with simultaneous access to the same object while updating the sitemap during scanning
Fixed unexpected error when saving parse from URL in form values screen
Fixed the Chrome address bar displaying in different resolutions on the verify login form
Fixed the detected logout status when an unreachable link is given
Fixed the customization menu at the form authentication's custom script dialog
Fixed unsupported browser issue for Headless Chromium
Fixed weak ciphers not reported for additional websites issue
Fixed ignoring weak ciphers check because of the ROBOT attack
Fixed logging HTTPS requests as HTTP when LogHttpRequests option is enabled
Updated Invicti Updater icons
Fixed an issue where the Postman Importer ignores the authorization header that is defined in a request item
Updated requester not to send Accept-Language header if it is not enabled in a scan policy
Fixed an issue that occurred when exporting custom reports generated from Compliance, Detailed Scan, and Executive Summary report
Fixed a synchronization problem while creating puppeteer instances
Fixed an issue where external schema was not added when importing WSDL
Fixed the Write Lock Leak in LinkPool
Disabled mouse wheel on the Include/Exclude URLs with Regex radio group
Fixed the typo in the jQuery validation out-of-date vulnerability type
Fixed the issue Untrusted Root certificate was not reported on the self-signed certificates
Fixed the issue that the wrong version was reported in the web app fingerprinting
Fixed False Positive weak credentials vulnerability
Fixed the issue that logs were not correctly formatted in the Logs panel
Fixed the issue that SSL vulnerabilities found in additional sites might be reported in the wrong URL
Fixed the issue that authenticated link was not crawled
Fixed the issue that the proof URL was not added to XSS
Fixed word-wrapping in Tags label in the Azure DevOps Send to Action Configuration Wizard
Removed the logging for the replacing control characters in headers
Changed the log level of DOM simulation timeout from Error to Warning
Fixed the issue that another hash was appended to URLs with a fragment on DOM XSS attacks
Fixed the issue that SSL certificates were not analyzed for each website when there are additional websites
Fixed the issue that URI fragment was parsed incorrectly
Fixed OpenSSL version disclosure regex
Fixed WS_FTP Log check
Fixed F5 BIG-IP WAF detection
Fixed the typo in the jQuery Validation Out-of-date Vulnerability type
Fixed Extractor for Lodash in repository.json by adding a new function
Fixed WildFly regex for the WildFly Application Server Identified
Fixed Whoops Error Handling framework signature
Fixed the signature for Liferay Portal Identified
Fixed Version Disclosure for Artifactory by adding missing custom field tag
Fixed regex of Grafana Version Disclosure
Fixed OpenResty regex for Version Disclosure
Fixed the regex of Liferay Portal Version Disclosure pattern

6-Oct-2017

COPY LINK

NEW SECURITY CHECK

Added "Out of Band Code Evaluation (Apache Struts 2)" security check (CVE-2017-12611).

IMPROVEMENTS

Improved the stability of DOM and JavaScript simulation.
Improved report templates.

6-Nov-2020

COPY LINK

NEW SECURITY CHECKS

Added Oracle WebLogic Server Remote Code Execution (CVE-2020-14882)
Added Oracle WebLogic Server Authentication Bypass (CVE-2020-14883)

6-Feb-2020

COPY LINK

IMPROVEMENTS

Added a new field to the Out-of-date Vulnerabilities that specifies end of life date for abandoned branches
Added missing tooltips to the Enabled check box of Script Settings and Manual Authentication Settings panels
Added missing XML documentations to the Custom Scripting templates

FIXES

Updated Youtrack Send To action to render custom fields
Fixed an issue where dock panels were not properly initialized when a command line argument was provided and autopilot mod was off
Fixed an issue that caused a rendering problem in the login/logout detection and the custom script panels
Fixed duplicate listing of authentication types in OAuth2 settings panel
Fixed an issue where the Sitemap sorting method was not being applied when None method was selected

6-Apr-2017

COPY LINK

New Security Check

Added new vulnerability checks for Apache Struts framework vulnerabilities.

Improvements

Added JSON format option for "Crawled URL(s) List", "Scanned URL(s) List" and "Vulnerabilities List" report templates.
Improved Blind SQL Injection detection for MySQL databases.

Fixes

Fixed the incorrect weak signature algorithms reported for root certificates.
Fixed the broken editing capabilities on report policy editor.
Fixed the empty activity list issue during scans.
Fixed the missing custom cookie issue on imported scans.

6-Apr-2015

COPY LINK

BREAKING CHANGES

Invicti 4 requires .NET 4.5.2 to run. You must have Windows Vista or Windows Server 2008 or above to install .NET 4.5.2 and use Invicti 4.
Form authentication was redesigned and now it is much easier to configure and all automated. If you had login details configured using the previous wizard you need to reconfigure them.
The file format of profiles has changed from binary to XML. If you have custom profiles you have to recreate them.
The default profiles shipped with Invicti have been removed. Please use the default Scan Policies instead.
URL Rewrite settings have been moved from Scan Policy to profile settings. Therefore if you have Scan Policies with URL Rewrite configuration create a new custom Profile and configure the URL Rewrite settings in your custom profile.

Should you have any queries or encounter any problems do not hesitate to submit a ticket through our Help Center.

FEATURES

Redesigned the "Start a New Scan" dialog window - now it is even easier than before to configure new scans
New macro-less form authentication configuration (DOM Based Form Authentication that replaces HTTP Based Form Authentication)
Ability to automatically crawl and scan web applications built with Google Web Toolkit (GWT)
Added "Incremental Scanning" feature - perform an incremental scan over an existing scan that only attacks to new pages introduced since last scan
Added "Retest All" functionality to perform one-click retest on all vulnerabilities found
Added support for Remote File Inclusion (RFI) Exploitation
Added support for Remote Code Execution via LFI (PHP) Exploitation
Added new Executive Summary Report template
Added support for importing HTTP Archive (HAR) files

SECURITY CHECKS

Added new security checks in Invicti to identify the below vulnerabilities and security flaws:

Cross Frame Scripting vulnerability check
Missing Content-Type and X-Content-Type-Options header checks
Cross-Origin Resource Sharing check
Mixed Content check to detect if a mixed content is loaded over HTTP within an HTTPS page
XML External Entity (XXE) Engine
File Upload Engine
Detection of insecure JSONP endpoints susceptible to attacks like Rosetta Flash
Misconfigured Access-Control-Allow-Origin header
Credit Card Disclosure

IMPROVEMENTS

Improved DOM XSS attack patterns
Increased coverage for Open Redirection vulnerabilities
Improved Internal Path Disclosure detection patterns for Windows and *nix
Improved Connection String detection to cover more cases and run faster
Imported links are now displayed in a list on Start a New Scan Dialog and selected links can be removed
Internal Path Disclosure (*nix) checks have been improved by excluding paths found in JavaScript and CSS files
Improved sensitive keyword list for Comments Knowledge base item
Reporting cookie attributes like Secure, HttpOnly, etc. in Cookies Knowledge base item
Current user-agent string set in scan policy settings is now being used during DOM simulation and DOM XSS attacks
Improved attacking for URLs with multiple parameters by also attacking with empty parameter values
Improved wording for Auto Complete Enabled vulnerability template
Improved Open Redirect detection to include redirects performed by JavaScript code
Added an option to perform DOM simulation when necessary in Open Redirect engine
Reduced the number of requests made to detect Not Found pages
Included Static Resource Finder requests in activity pane
Improved CVS file detection pattern
Improved the error message displayed on start up to provide more details
Improved Retest feature to perform retests for singular engine vulnerabilities like ASP Debug Enabled, OpenSSL Heartbleed Vulnerability, etc.
Improved URL encoding to use %20 while encoding space character (Use UsePlusForSpaceEncoding to force encode spaces as plus signs)
Separated HTML5 engine checks in scan policy to provide granular selection chance
Improved Insecure Transportation Security Protocol Supported (SSLv3) vulnerability template wording
Added CWE classification values for SSLv2 and SSLv3 vulnerabilities
Added retest support for RoR RCE vulnerabilities
Added scan policy settings to ignore certain Content Type values
Improved Vulnerability List (XML) report template to include OWASP 2013 classifications for vulnerabilities
Improved user interface to display Browser View tab and hide Vulnerability tab when selected Sitemap node is not a vulnerability
Exposed Signature property for Vulnerability instances in Reporting API
Added classification information for Possible Reflected File Download vulnerability
Added timeout support for regex pattern execution to prevent hangs on exceptional responses (timeout value can be modified using SignatureRegexTimeout Advanced Setting)
Changed request timeout setting's unit from milliseconds to seconds in the policy setting UI
Improved SSN detection
Improved link parsing in Text Parser
Added HTTP method and attack parameter names to activity pane
Improved LFI confirmation using web.config file
Added extra GET requests for the ones having non-GET HTTP methods
Added referer checks for DOM XSS
Improved binary detection for font requests
Added Nginx configuration information for HSTS Not Enabled vulnerability template
Improved GIT detected vulnerability template
Auto save message is now displaying the time scan is saved
Revised Interesting Headers list to filter some well-known headers
Added form name and action as custom field in CSRF engine
Improved the error message text shown when a PDF report cannot be overwritten
Added Save button to save changes on current profile
Added attack pattern to find an SQL injection vulnerability in MySQL limit clause (version >= 5)
Added attack pattern to find an LFI vulnerability in Rails (CVE-2014-0130)
Improved how disk full cases are handled during a scan
Improved the order of how vulnerabilities are listed in reports
Improved phpMyAdmin detection
Improved Stack Trace Disclosure (Java) detection

FIXES

Fixed Content-Type header parsing where any quotes should be removed from charset attribute
Fixed an encoding issue with an RFI attack pattern affecting Full Query String and Referer attacks
Fixed a hang occurs while performing SSL analyze on sites with some cipher suites
Fixed parameter encoding issue in Reverse Shell feature
Fixed a space character encoding issue in exploit generation
Fixed the generated code in exploits to include calls to alert function instead of invicti function
Fixed an encoding bug in RFI attacks to a URL with URL rewrite configuration
Fixed an issue that crashes Invicti if a Standard edition license contains an invalid URL
Fixed a crash in URL rewrite pattern which occurs when invalid regex patterns are entered
Fixed DOM parser simulation to select non-default values in select elements
Fixed retest to detect vulnerabilities requiring late confirmation (Blind Command Injection, Blind SQL Injection, etc.)
Fixed an issue where WebDav engine could not perform a retest correctly
Fixed a bug in email disclosure vulnerability where duplicate emails were being displayed
Fixed the tooltip on Add New client certificate button by correcting the supported file extension
Fixed the decoding issue with UTF-16 responses where text response is recognized as binary
Fixed duplicate confirmation issue during retest
Fixed the performance issue with Custom Cookies text box to handle large values
Fixed an issue with Tab key when the focus is on a list and does not move away to next control
Fixed a bug related with Excluded/Included Links where the values are getting back to default when all values are deleted
Fixed the Start Scan button text when Pause Scan After Crawling is checked
Fixed the configuration sample in Tomcat Directory Listing vulnerability template
Fixed an issue with importers where the HTTP methods like PUT, DELETE, etc. of requests are not preserved
Fixed an issue with cookie parsing where a Version = 1 cookie with an explicit domain which doesn't start with a dot was being ignored
Fixed issues with Version = 1 cookies
Fixed an issue where confirmation is done with an incorrect signature in Expression Language Injection engine
Fixed a hang in Text Parser caused by a large base64 encoded image in page source code
Fixed a DOM XSS performance issue on pages using custom fonts
Fixed an issue of hanging requests in activity pane when a JSON/XML request fails for intrusive engines
Fixed trimmed activity duration in activity pane for large values
Fixed a StackOverflowException thrown by LFI exploitation
Fixed an issue with PDF report generation when the HTML report does not have a .htm file extension
Fixed a bug with Controlled Scan where the scan policy used during the scan should not prevent user to perform checks that are not in the policy
Fixed a bug in Detailed Scan Report where DOM XSS engine is not displayed as enabled
Fixed a bug occurs when Invicti tries to read the URL from clipboard and clipboard is open by another application
Fixed trimmed security test names in controlled scan
Fixed a bug where the max number of parameters to attack is not handled correctly
Fixed a bug in DOM simulation to provide correct target element when events are simulated
Fixed a bug in Scan Policy editor occurs by ignoring changes while clicking tabs on left
Fixed a cookie parsing bug occurs when port attribute value is not quoted
Fixed the refresh issue on Knowledgebase issues where the expand states are now preserved between refreshes
Fixed a cookie parsing bug where cookies were stopped being parsed in case of an empty Set-Cookie header
Fixed a scan file creation issue on systems where the Windows Documents folder is located on a network location
Fixed a log message issue reporting when Find Hidden Resources finishes
Fixed a high DPI text issue on Retest message dialog
Fixed a cookie parsing issue when Expires attribute contains a comma
Fixed a link parsing issue where parameters with empty names are added
Fixed a bug in Crawled URL List report where URLs discovered by Static Resource Finder are not listed
Fixed a bug in automated command line scans where interrupting and starting a new scan through UI asks for exit confirmation

6-Apr-2015

COPY LINK

IMPROVEMENTS

Improved coverage of DOM based XSS engine
Improved the search on raw response viewer
Improved form authentication API click functions to mark/unmark checkbox elements
Improved "Insecure transportation security protocol (SSLv3)" vulnerability template
Added the page URL and the number of the page as a log to verification dialog while executing custom scripts
Added the number of custom script pages to the hint on verification dialog and the hint now has a tooltip that displays the custom script code
Improved DOM parser to handle both on and off states of checkbox elements
Improved the message on cases where File > Import fails due to old scan file format
Added TextParserRegexTimeout advanced setting to modify the timeout value of pattern matching in Text Parser
Added the request URL as a log to tell which request has a response that matches current logout pattern of form authentication
Improved memory handling to prevent Out-of-memory issues during long scans
Improved the pattern match logs to be issued once to prevent the clutter

FIXED

Fixed a crash that occurs during application close while trying to log a message to UI
Fixed report templates to include correct lower-case versions of image file names to display them correctly on case-sensitive OS file systems
Fixed a crash in form authentication verification where missing persona causes issues during logout detection
Fixed custom script execution in form authentication to skip execution of auto login script on pages where script is deliberately left blank
Fixed a few crashes that occur when the custom script window is closed while the page was loading
Fixed an issue with logout detection where invalid URLs could be accepted as overridden login required URL
Fixed creation of redundant DocumentsNetsparkerCredential folder on new installations
Fixed random missing developer tools pane on custom script window
Fixed a crash that happens when the form authentication verification dialog is closed during logout keyword detection
Fixed several memory issues where redundant object instances were not reclaimed
Fixed a memory issue where long parameter values causing large memory allocations
Fixed signature generation for URL Rewrite links

5-Oct-2016

COPY LINK

FIXES

Fixed an issue which prevents resource files (report templates, etc.) updates.

5-May-2016

COPY LINK

NEW SECURITY CHECK

Remote Code Execution via File Upload in ImageMagick (aka ImageTragick)

4-Jun-2020

COPY LINK

IMPROVEMENTS

Added Request API to Form Authentication's Custom Script
Added ability to add, edit and remove HTTP parameters and headers from Custom Security Check requests
Improved the Jira Send To Action to include a new Components field
Improved the SSL security check implementation
Improved the design of default Report Templates

FIXES

Fixed a memory leak in the Attacking phase
Fixed a CSS Parser issue that caused infinite loops while parsing invalid css files
Fixed an Attacker issue that caused a memory leak
Fixed a Null Reference Exception that occurred during crawling
Fixed the parsing of duplicate content-type headers

31-Dec-2018

COPY LINK

FIXES

Fixed an InvalidOperationException thrown when application is forced to close during computer shutdown
Fixed the clipboard format of Knowledgebase URL Rewrite List item
Fixed a race condition that causes an ArgumentOutOfRangeException when rate limiting option is used