Invicti Standard Release Notes
28-Jan-2021

NEW FEATURES

  • Added NIST SP 800-53 compliance classification and report template.
  • Added DISA STIG compliance classification and report template.
  • Added the OWASP ASVS 4.0 classification and report template.
  • Added header and footer section to customize reports.
  • Added an option to customize POST attacks for the Open Redirect engine.

NEW SECURITY CHECKS

  • Added PHP magic_quotes_gpc Is Disabled security check.
  • Added PHP register_globals Is Enabled security check.
  • Added PHP display_errors Is Enabled security check.
  • Added PHP allow_url_fopen Is Enabled security check.
  • Added PHP allow_url_include Is Enabled security check.
  • Added PHP session.use_trans_sid Is Enabled security check.
  • Added PHP open_basedir Is Not Configured security check.
  • Added PHP enable_dl Is Enabled security check.
  • Added ASP.NET Tracing Is Enabled security check.
  • Added ASP.NET Cookieless Session State Is Enabled security check.
  • Added ASP.NET Cookieless Authentication Is Enabled security check.
  • Added ASP.NET Failure To Require SSL For Authentication Cookies security check.
  • Added ASP.NET Login Credentials Stored In Plain Text security check.
  • Added ASP.NET ValidateRequest Is Globally Disabled security check.
  • Added ASP.NET ViewStateUserKey Is Not Set security check.
  • Added ASP.NET CustomErrors Is Disabled security check.
  • Added PHP session.use_only_cookies Is Disabled security check.
  • Added new Blind SQL Injection attack pattern.
  • Added Jinjava SSTI security check.
  • Added Whoops Framework Detected security check.
  • Added CrushFTP Server Detected security check.
  • Added database error message signature pattern for Hibernate.
  • Added Identified, Version Disclosure, and Out-of-date security checks for W3 Total Cache.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Next.JS React Framework.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Twisted Web HTTP Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Werkzeug Python WSGI Library.
  • Added Identified, Version Disclosure, and Out-of-date security checks for OpenResty.
  • Added Identified, Version Disclosure, and Out-of-date security checks for GlassFish.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Resin Application Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Plone CMS.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Trac Software Project Management Tool.
  • Added Identified, Version Disclosure, and Out-of-date security checks for IBM RTC.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Tornado Web Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Jetty Web Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Axway SecureTransport Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Artifactory.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Gunicorn Python WSGI HTTP Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for IBM Security Access Manager (WebSEAL).
  • Added Identified, Version Disclosure, and Out-of-date security checks for Nexus OSS.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Cowboy HTTP Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Python WSGIserver.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Restlet Framework.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Phusion Passenger.
  • Added Version Disclosure and Out-of-date security checks for Liferay Portal.
  • Added Version Disclosure and Out-of-date security checks for Tracy debugging tool.
  • Added detection for Varnish HTTP Cache Server.
  • Added detection for SonicWall VPN.
  • Added detection for Play Web Framework.
  • Added detection for Private Burp Collaborator Server.
  • Added detection for LiteSpeed Web Server.
  • Added detection for JBoss Enterprise Application Platform.
  • Added detection for JBoss Core Services.
  • Added detection for WildFly Application Server.
  • Added detection for Oracle HTTP Server.
  • Added Daiquiri Version Disclosure security check.
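One way to check the PHP directives behind the checks above from the server side, as an added example that is not Invicti's code: the release notes only name the checks (the scanner detects these settings from the outside), while this script reads the php.ini itself so the same findings can be fixed before a scan runs. The rule table, the minimal parser and the sample php.ini content are constructed for this example and are not the scanner's signatures.

```python
"""Audit a php.ini fragment for the risky directive values behind the PHP
security checks listed in the release notes above.

Added example, not Invicti code. The rule table, the minimal parser and the
sample ini text are this example's own constructions.
"""

# (directive, requirement, finding title as it appears in the release notes)
#   "off": risky when explicitly set to a true value
#   "on":  risky when explicitly set to a false value
#   "set": risky when absent or empty
PHP_RULES = [
    # magic_quotes_gpc was removed in PHP 5.4; this rule only matters on legacy installs
    ("magic_quotes_gpc", "on", "PHP magic_quotes_gpc Is Disabled"),
    ("register_globals", "off", "PHP register_globals Is Enabled"),
    ("display_errors", "off", "PHP display_errors Is Enabled"),
    ("allow_url_fopen", "off", "PHP allow_url_fopen Is Enabled"),
    ("allow_url_include", "off", "PHP allow_url_include Is Enabled"),
    ("session.use_trans_sid", "off", "PHP session.use_trans_sid Is Enabled"),
    ("open_basedir", "set", "PHP open_basedir Is Not Configured"),
    ("enable_dl", "off", "PHP enable_dl Is Enabled"),
    ("session.use_only_cookies", "on", "PHP session.use_only_cookies Is Disabled"),
]


def php_bool(value):
    """PHP's ini boolean rule: 1/On/True/Yes are true; anything else
    (0/Off/False/No/None/empty) is false."""
    return value.strip().lower() in {"1", "on", "true", "yes"}


def parse_php_ini(text):
    """Minimal php.ini reader: skips blank lines, comments (; or #) and
    [section] headers; handles 'key = value', double-quoted values and
    trailing ';' comments. Keys are lower-cased. ${ENV} references and
    constants are not expanded (a full parser would do that)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.split(";", 1)[0].strip().strip('"')
        settings[key.strip().lower()] = value
    return settings


def audit_php_ini(text):
    """Return one finding dict per rule that fails.

    A directive absent from the file is reported only for "set" rules
    (open_basedir): for the others PHP's built-in default applies and the
    file alone does not reveal the effective value, so nothing is claimed."""
    settings = parse_php_ini(text)
    findings = []
    for directive, requirement, title in PHP_RULES:
        value = settings.get(directive)
        if requirement == "set":
            failed = not value
        elif value is None:
            failed = False
        else:
            enabled = php_bool(value)
            failed = enabled if requirement == "off" else not enabled
        if failed:
            findings.append({"directive": directive, "value": value, "finding": title})
    return findings


# Constructed sample: a legacy-style php.ini carrying several weak settings.
WEAK_INI = """\
[PHP]
; errors go to the browser (fine on a dev box, not in production)
display_errors = On
allow_url_fopen = On
allow_url_include = "On"   ; quoted values are allowed in php.ini
enable_dl = 1
session.use_trans_sid = 1
session.use_only_cookies = 0
; open_basedir is not set at all
"""

# The same file with each finding corrected (errors still reach the log).
HARDENED_INI = """\
[PHP]
display_errors = Off
log_errors = On
allow_url_fopen = Off
allow_url_include = Off
enable_dl = Off
session.use_trans_sid = 0
session.use_only_cookies = 1
open_basedir = "/var/www/app:/tmp"
"""

if __name__ == "__main__":
    for f in audit_php_ini(WEAK_INI):
        print(f"{f['finding']}: {f['directive']} = {f['value']!r}")
    print("hardened findings:", audit_php_ini(HARDENED_INI))
```

Run as a script it prints seven findings for the weak sample and an empty list for the hardened one; the two samples read side by side show the corrected value for each directive. Absent directives are deliberately not flagged (except open_basedir) because the effective value then depends on the PHP build's default, which the file cannot tell you.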

IMPROVEMENTS

  • Added Wordlist Entries feature to the Resource Finder security check group.
  • Added CVSS3.0 and CVSS3.1 scoring for HSTS Policy Not Enabled.
  • Improved Open Redirect attack patterns.
  • Improved TLS 1.0 issue remediation reference.
  • Added WCF service support to WSDL importer.
  • Added a fix to reduce the possibility of an out-of-memory problem.
  • Added authentication support to the system proxy for PAC files.
  • The verification dialog now remembers previously used logout keywords.
  • Added scan profile information and URL to all reports.
  • Added bypass list for scan policy settings.
  • Added scan scope variables to the Pre-Request Scripts.
  • Added information label to the Pre-Request Script settings panel.
  • Added failure tolerance to the Puppeteer launch.
  • Improved Tomcat signature patterns.
  • Improved the authenticator so that it no longer stores the plaintext password in the request data.
  • Added HTTP Request Logger to authentication.
  • Added Canada region to the Invicti Enterprise settings.
  • Added tooltip to the Excluded Usage Trackers feature.
  • Removed X-Scanner header from default scan policies.
  • Added new sensitive comment patterns.
  • Revised the description of the Resource Finder checks option.
  • Removed the header and footer settings from the Save Report dialog for report types that do not have a header and footer.
  • Added Incremental Scan to Knowledge Base reports.
  • Updated Invicti Standard splash screen.

FIXES

  • Fixed Lodash Identified security check signature.
  • Fixed WebLogic Version Disclosure security check signature.
  • Fixed Whoops Error Handling Framework Identified security check signature.
  • Fixed Zope Web Server Version Disclosure security check signature.
  • Fixed Grafana Version Disclosure security check signature.
  • Fixed ASP.NET MVC Version Disclosure security check signature.
  • Fixed Telerik Version Disclosure vulnerability severity to be low.
  • Fixed IIS Version Disclosure vulnerability severity to be low.
  • Fixed the grammar issues at the CSP Not Implemented report template.
  • The scope tooltip is now hidden in the manual authentication panel.
  • Fixed the order of Out-of-Date vulnerabilities; they are now sorted by severity.
  • Fixed an issue where the "link stuck" error was repeated many times in the scan logs.
  • Fixed the typo in the Pre-Request Scripts Menu.
  • Fixed a few typos in the Impact descriptions.
  • Fixed validation of WAF settings before testing the WAF connection.
  • Fixed an issue where the Exclude Authentication Pages option could not be manually disabled when Form Authentication is enabled.
  • Fixed an issue where the Form Authentication verification dialog loses focus and disappears.
  • Fixed the usage of the directory modifiers limit.
  • Fixed an issue where the previous request's headers were sent while navigating to the latest Form Authentication response URL.
  • Fixed an issue where the custom script dialog failed to display the login page when requests were encoded with Brotli.
  • Fixed an issue that caused the Reflected Parameter analyzer to attack ignored parameters when the BREACH engine is disabled.
  • Fixed an issue that could cause a null reference exception while the Reflected Parameter analyzer was running.
  • Fixed an issue where the WASC ID was not sent properly in the Kenna Send To Action.
  • Fixed an issue where the HTTP request was not redirected to HTTPS when Strict Transport Security is enabled.
  • Fixed an issue that caused DOM simulation to fail because of null window and element objects.
  • Fixed an issue where NTLM, Kerberos, and Negotiate authentication credentials were sent with every request without a challenge.
  • Fixed an issue where Pre-Request Script requests were ignored when their HTTP method was disallowed in the Scope settings.
  • Fixed an issue where raw requests were created without cookies.
  • Added SSL, Attack Possibility, and JavaScript files to Knowledge Base.
  • Fixed the order of classification report ribbon menu.
  • Fixed handling the invalid characters of request headers set from the Pre-Request Scripts.
  • Fixed the tooltip of the Send To Tasks button in the ribbon.
  • Fixed an unwanted warning on the auto authenticator.
  • Fixed date and time zone problem on Swagger file.
  • Fixed null reference exception on excluded URL check.
  • Fixed multiple instance knowledge base render problem.
  • Fixed reporting style issues.
  • Fixed relativity of the charts in the Comparison Report.
  • Fixed grid showing on the logout detection screen.
  • Fixed scan resuming problem on unavailable host.
  • Fixed a pop-up problem in DOM simulation, improving performance.
  • Fixed the logo at the Knowledge Base render error page.
  • Fixed an issue that caused an unhandled exception when a link was clicked multiple times in the authentication verification dialog while interactive login is enabled.
  • Fixed an internet connection problem in the test site configuration dialog.
  • Added information label to the Azure Configuration wizard.
  • Fixed request and response results in out-of-band vulnerabilities.
  • Fixed Blind SQL Injection cache issue.
  • Fixed an incorrect cookie expiry time that occurred during DOM simulation.
  • Fixed the null reference exception while checking the source type.
  • Fixed the Basic Authentication header problem for Chromium requests.
  • Fixed the null reference exception while getting authorization tokens.
  • Fixed an issue where XSLT requests are not intercepted.
  • Fixed Netsparker Helper Service dll not found issue.
  • Fixed the client certificate selection issue while logging in to the target website.
  • Fixed session storage problem at DOM simulation.
  • Fixed upload request problem that creates false positive at LFI engine.
  • Fixed Chromium errors during authentication.
  • Fixed the unhandled multiple choices redirect status code at requester.
  • Fixed keyword-based logout detection getting stuck when a pop-up opened in Chromium browsers.
  • Fixed the Generate Exploit button label in the ribbon menu and vulnerability pop-up menu.
  • Fixed an issue where the form value parser was not working.
  • Fixed unauthorized request handling in the license view.
  • Fixed an issue that caused invalid parent issue selection if Check Inverse is used in Security Checks.
  • Fixed maximum logout detection issue.
  • Fixed an issue where email disclosure was reported without any identified email addresses.
  • Fixed an issue in the scan policy optimizer where the DOM preset was set wrong.
  • Removed URL signature field from the phpinfo detection pattern.
  • Fixed Perl version disclosure pattern.
  • Fixed an issue where Movable Type could not be detected because the application name contained whitespace.
  • Removed the Fiddler core dependency from Fiddler Importer that caused issues in Linux agents.
  • Fixed the custom script dialog title.
  • Fixed the signature of Python version disclosure pattern.
  • Fixed the issue that charset error was repeated many times in the logs.
  • Fixed an issue where the attack parameter name was not displayed on error-based SQL injection vulnerabilities.
  • Fixed an ArgumentNullException that was thrown when the proxy bypass list is null.
  • Fixed the request parsing error in TCP Requester.
  • Fixed the issue that header and footer were mixed up in the reports.
  • Fixed info icons position in the Knowledge Base reports.
  • Fixed an issue where the XSS payload was not highlighted correctly.
  • Fixed the typo in the base scan CLI argument.
  • Fixed the issue that the confirmation dialog was not displayed when the delete rows button in the context menu is used.
  • Fixed the inconsistencies in the summary page of Asana configuration wizard.
  • Fixed tooltip enabled/disabled states in Form Authentication, Client Certificate, and Smart Card Authentication settings.
  • Fixed the issue that search results were not highlighted correctly.
  • Fixed the issue that URL was not correctly encoded in Send To Action templates.
  • Fixed an issue where request.Headers was empty in the custom script API.
  • Fixed an issue where the Mithril version could not be detected.
  • Fixed the issue that SSTI could not be detected consistently because the code execution patterns were not loaded correctly.
  • Fixed an issue where version disclosure vulnerabilities were always marked as fixed in retests.
  • Fixed an issue that caused false-positive Open Redirection findings because of improper decoding of the Location header.
  • Fixed a Swagger parser issue that caused an object inside an array to be imported with a parent node.
28-Jan-2016

IMPROVEMENTS

  • Improved support for Single Page Applications (SPA) by rewriting the DOM parser
  • Improved DOM Parser and DOM XSS performance
  • Added icons to scan policy combo box to denote optimized platforms for policies
  • Improved Korean language support
  • Attached proof for the blind SQLi vulnerabilities
  • Added "Proofs" knowledge base nodes
  • Removed out of scope links from URL rewrite report
  • Added HTTP response status code 308 to list of redirect status codes
  • Added link to TFS API download page for Send To extension
  • Added Crawling and Scan Performance knowledge base nodes
  • Eliminated web application fingerprinter's meta tag requests by re-using crawled link response
  • Improved performance of the email disclosure detection pattern significantly
  • Added automatic exploitation for Boolean and Blind SQL Injection vulnerabilities
  • Added .svg to default set of ignored extensions
  • Removed DOM XSS security checks from default built-in policy
  • Added a new built-in scan policy that includes DOM XSS security checks
  • Added a new scan policy setting section for JavaScript related settings
  • Removed outdated PCI 2.0, PCI 3.0 and OWASP Top Ten 2010 classifications and report templates

FIXES

  • Fixed a NullReferenceException which could occur while editing a custom policy
  • Fixed a bug that occurred when a proof is empty
  • Fixed the horizontal scroll bar that is shown while adding a new URL rewrite parameter
  • Fixed an issue with comparison report where two reports were showing the same date even if the latter one has been retested
  • Fixed a FileNotFoundException that occurred while caching DOM requests
  • Fixed a ThreadInterruptedException thrown by DOM XSS scanner while trying to close application
  • Fixed an UnauthorizedAccessException that occurred while cleaning the scan temporary directory
  • Fixed the explanation text for Entered Path and Below scope
  • Fixed the SSL/TLS fall back code to cover more HTTPS web sites
  • Fixed a CannotUnloadAppDomainException that occurred while trying to close the form authentication verifier dialog
  • Fixed an out of date JavaScript library version issue where identified version was bigger than Invicti’s latest version
  • Fixed the slow performance issue which occurs when "Automatically Detect Settings" proxy setting is enabled
  • Fixed the broken proceed button on trial popup dialog
  • Fixed an out of date JavaScript library version issue where version value cannot be captured
  • Fixed an issue with OWASP reports where vulnerabilities in same category were not being grouped together
  • Fixed a not found detection issue where redirect analysis fails on redirect cases
  • Fixed a broken compatibility issue which occurs while loading scan files exported with previous versions
28-Dec-2017

FIXES

  • Fixed a per-host certificate generation issue which rendered manual crawling unusable.
  • Fixed an ArgumentNullException thrown from DOM simulation.
28-Dec-2015

FIXES

  • Fixed a NullReferenceException which could occur while editing a custom policy
  • Fixed a bug that occurred when a proof is empty
27-Jan-2017

FIXES

  • Fixed an InvalidOperationException which occurs on some specific setups.
  • Fixed several scan activity list issues and enhanced performance.
26-Jun-2015

IMPROVEMENTS

  • Increased the DomParserLoadUrlTimeout and DomParserSimulationTimeout values to handle unresponsive request cases
  • DomParserLoadUrlTimeout and DomParserSimulationTimeout are now modifiable through the scanner's advanced settings
  • Added the "Override Target URL with authenticated page" form authentication option to support web sites that require dynamic Target URLs generated post-authentication (the scanner authenticates before accessing the target URL)
  • Improved resource finder checks for websites which have custom 404 pages
  • Increased the default value of the Maximum 404 Signature setting to store more signatures
  • Improved timeout calculation for vulnerability checks which require late confirmation

FIXES

  • Fixed a DOM simulation issue where delegated events on an element were not all being called
  • Fixed a Heartbleed security check issue where it was causing the crawling phase to be stalled
26-Jul-2016

FIXES

  • Fixed an issue in which Invicti crashes when using the Korean interface and trying to start a scan or load a scan file.
26-Apr-2019

NEW FEATURES

  • Added "Do not differentiate HTTP and HTTPS protocols" option to scope settings
  • Added 3-Legged Token flow for OAuth2 authentication
  • Added an option to be able to use a fixed OAuth2 token type

NEW SECURITY CHECK

  • Added new XSS pattern that injects attack payload to HREF attribute

IMPROVEMENTS

  • Added reporter account id to JIRA Send To
  • Updated SSRF IPv6 pattern names
  • Improved the visibility of Resume button while performing a Manual Crawling
  • Improved the error message displayed while importing Swagger links

FIXES

  • Fixed retrying getting OAuth2 token
  • Fixed a NullReferenceException thrown when OAuth2 enabled scan is loaded
  • Fixed an UnhandledException thrown during DOM Simulation in some rare cases
  • Fixed pausing scan when OAuth2 authentication failed
  • Fixed logging OAuth2 error messages
  • Fixed showing context menu for activity viewer's group rows
  • Fixed a NullReferenceException thrown when mouse is moved over sitemap
  • Fixed the missing space character on Best Practice severity text on issues panel
  • Fixed the incorrect position of Force Pause button on high DPI screens
  • Fixed the white screen flashed on dark theme while navigating between KB screens
  • Fixed the tiny progress animation on license popup dialog
  • Fixed the dark theme issues on Advanced Settings screen
  • Fixed a KeyNotFoundException thrown when the scan has finished
  • Fixed the issue where ignoring first vulnerability variation ignores all variations
  • Fixed a NullReferenceException thrown while Security Checklist panel is being activated if Scan Policy Editor dialog is opened by Assistant
  • Fixed an issue where DOM simulation might conflict with some JS frameworks
  • Fixed the broken Ignore From this Scan context menu action on Sitemap panel
  • Fixed a NullReferenceException thrown from Invicti Assistant
  • Fixed the NullReferenceException thrown when a Manual Crawling scan is imported and then resumed
  • Fixed the issue where recently optimized scan policy is not selected when the Start a New Scan window is opened again
  • Fixed an issue where multiple persona could be selected on Form Authentication settings
  • Fixed the garbled configuration sample in Remedy section of HSTS Policy Not Enabled vulnerability
  • Fixed the incorrect behavior on Notifications panel when it is scrolled to the end
  • Fixed a NullReferenceException thrown while generating a report from a scan that contains a File Upload Vulnerability
  • Fixed an issue where an extra ampersand is appended to query string while generating URL of a Swagger imported link
  • Fixed an XmlException while trying to parse a sitemap.xml response that is not found
  • Fixed a GZip decoding issue while trying to decode a compressed sitemap.xml
  • Fixed an unhandled NullReferenceException thrown from Sitemap
  • Fixed parsing OAuth2 response regardless of the response content type
  • Fixed parsing of the JSON content type in the Swagger parser to handle unexpected content types instead of creating a request for them
  • Fixed performance issues caused by excessive logging when Activity Tracking is enabled
  • Fixed a stuck scan issue on web sites using React JavaScript framework
  • Fixed a Postman file importing issue where the response is not base64 encoded
  • Fixed a NullReferenceException thrown while checking mutations on DOM
  • Fixed an unhandled "InvalidOperationException: Object is currently in use elsewhere" error
  • Fixed an error where XML and JSON responses could not be rendered on response viewers
  • Fixed an unhandled NullReferenceException thrown from Assistant
  • Fixed several NullReferenceException errors thrown while viewing knowledgebase items
  • Fixed an issue where the current ongoing scan could be deleted from Local Scans section
  • Fixed an InvalidOperationException "Database is not open" error
25-Oct-2019

FIXES

  • Fixed an issue where the number of authentications was miscalculated in the Performance Report
  • Fixed an ObjectDisposedException that was occasionally thrown during passive analysis
  • Fixed an issue where passive analysis of XHR requests was causing a negative effect on scan times
  • Fixed an issue where the DOM Parser was occasionally making requests to excluded or out of scope URLs
  • Fixed an issue where relative links found during DOM simulation were sometimes not added to the link pool
  • Fixed a NullReferenceException that was occasionally thrown by the Request Builder
  • Fixed a design problem that was causing empty areas in PDF reports
  • Fixed an issue where a wrong update button image was shown when Invicti was run for the first time after an update
  • Fixed a NullReferenceException that was thrown during Bulk Export operations
  • Fixed an issue where the tooltips of Advanced Settings were not properly displayed
  • Fixed the date controls in the Schedule Scan Dialog for high DPI screens
  • Fixed an issue where the Known Vulnerabilities section in the Out-of-Date Version vulnerabilities was being duplicated
  • Fixed a NullReferenceException that was thrown when the Target URL and the Basic Authentication Authority were different
25-May-2018

FIXES

  • Fixed an issue where custom report policies could not be updated to the latest version of security check templates.
  • Fixed incorrect time and duration information of cloud scans.
  • Fixed empty request/response issue for scans exported to cloud.
  • Fixed an issue where the controlled scan would not start for selected links on the sitemap.
25-Mar-2020

FIXES

  • Fixed a case sensitivity issue in Imported Links which caused Content-Type headers to be sent without requests
  • Fixed an issue where the WAF Identification notification dialog was occasionally unclickable
  • Fixed issue links for the Azure Send To Action to match Azure's new link scheme
  • Fixed an issue that caused the computer to go into Sleep mode even when the advanced PreventSleepModeDuringScan setting was enabled
24-Sep-2018

IMPROVEMENT

  • Improved licensing diagnostics mode

FIXES

  • Fixed parsing issue in Swagger Importer that occurs while importing Swagger files in YAML format
  • Fixed an issue that caused Invicti to fail to add certain pages to the sitemap when using Manual Crawling