Changelogs

Invicti Standard

22 Sep 2017

NEW SECURITY CHECK

  • Added “Out of Band Code Evaluation (Apache Struts 2)” security check (CVE-2017-9805).

18 Sep 2017

FIX

  • Fixed an out of memory issue.

13 Sep 2017

IMPROVEMENTS

  • Improved the form authentication element click API by providing the mouse coordinates.

FIXES

  • Fixed an object leak causing performance issues during scans.
  • Fixed a backup file check where scan policy selections were not honoured.
  • Fixed the broken Basic, NTLM/Kerberos “Test Credentials” button.
  • Fixed the unencrypted credentials saved with profile files.
  • Fixed the JavaScript parsing issue by checking the mime type of the script tags.
  • Fixed the broken email disclosure detection which was not able to match multiple emails.
  • Fixed the incorrect links parse on JavaScript source map files.

24 Aug 2017

NEW FEATURES

  • New Basic, NTLM, Digest and Kerberos authentication settings to support multiple credentials for different URL paths.

NEW SECURITY CHECKS

  • Checks for default pages of IIS 10.0, 8.5, 7.5, 7.0 web servers.
  • Checks for WordPress Setup Configuration File.
  • Remote Code Execution checks for Node.js on Windows.

IMPROVEMENTS

  • Improved Local File Inclusion (LFI) attack patterns.
  • Improved DOM XSS attack patterns.
  • Improved Blind Command Injection detection on Linux systems.
  • Added response compression and length information to HTTP Request Builder.
  • Displaying times in 24-hour format on scan reports.
  • Improved DOM/JavaScript simulation.
  • Improved the performance of email address disclosure detection.
  • Improved the performance of database connection string disclosure detection.
  • Improved the performance of JavaScript library detection.
  • Improved the performance of RoR database configuration detection.
  • Improved “Enter Links” dialog by adding format selection for all the supported import formats.
  • Added parameter type information to nodes on “Issues” panel.
  • Improved scan import performance significantly.
  • Added context menu item for sitemap root node to open the scan folder.
  • Improved resource finder to find more hidden resources.
  • Time zone information added to reports.
  • Improved support for simulating customized select elements.
  • Improved NTLM, Digest and Kerberos authentication support.
  • Improved DOM simulation stability and performance.
  • Added the list of URLs that do not match the rewrite rules on URL Rewrite knowledge base.
  • Added number of links that match to a URL Rewrite rule on URL Rewrite knowledge base.
  • Added out of scope links count information to the knowledge base.
  • Improved the default parameter name list for Parameter Based Navigation.
  • Added NTLM and Digest authentication support to the generated sqlmap and cURL commands.
  • Improved boolean and blind SQL injection checks for MySQL databases.
  • Improved blind SQL injection checks for PostgreSQL databases.
  • Added excluded URLs list to the detailed scan report.
  • Improved reflected and stored XSS detection.
  • HSTS checks now report missing preload directives.
  • Updated Korean translation.
  • Added XML report types for Crawled URLs List and Scanned URLs List reports.
  • Added toolbar to open and copy URLs for Browser View tab.
  • Improved JSON response parsing.
  • Improved DOM based XSS payloads by prepending a URL to the referer so that they work in practice in web browsers.
  • Improved email disclosure checks by checking host names against the public suffix list.

FIXES

  • Fixed the error caused by null bytes in attack patterns while sending vulnerabilities to JIRA.
  • Fixed an incorrect “Password Transmitted over HTTP” issue for relative URLs on pages redirected to HTTPS addresses.
  • Fixed the NullReferenceException thrown while importing certain HAR (HTTP Archive) files.
  • Fixed the missing activities while performing a controlled scan.
  • Fixed the missing DOM parsing activity when “Override Target URL with authenticated page” option is selected.
  • Fixed the incorrect total security check count while performing controlled scans on activity list.
  • Fixed incorrect “Interesting Header” report for Content-Security-Policy header.
  • Fixed the redundant extra headers added to requests while using request builder.
  • Fixed the disabled “Start Proxy” button when Invicti is opened after an application crash.
  • Fixed an issue where directory listing was not reported on some IIS versions.
  • Fixed page break issues on reports.
  • Fixed the issue where comments in CSS files are not parsed.
  • Fixed the incorrect URL found in CSS comments.
  • Fixed incorrect CSRF vulnerability reports by taking hidden token input into account.
  • Fixed an IndexOutOfRangeException caused by CSP checks.
  • Fixed the signature pattern which fails to match “Programming Error Message (PHP)” in multiple lines.
  • Fixed markdown XSS attack patterns causing incorrect findings.
  • Fixed the double quote encoding issue on generated sqlmap commands.
  • Fixed incorrect “Interesting Header” reports for some headers.
  • Fixed the incorrect http protocol displayed for SSL vulnerabilities.
  • Fixed the duplicate delete confirmation message while deleting the scan and report policies using a keyboard shortcut.
  • Fixed an issue where DOM simulation is performed for checking XSS once per XPath.
  • Fixed the incorrect progress report during controlled scans.
  • Fixed the encoding issue on reported DOM XSS stack traces.
  • Fixed the highlighting issue of multiple custom data reported on vulnerabilities.
  • Fixed the incorrect rows deleted issue when multiple rows are selected on imported links section.
  • Fixed the incorrect behaviour of move up/down controls on custom URL rewrite section.
  • Fixed the maximum crawled URL limit exceeded issue.
  • Fixed duplicate resource finder requests.
  • Fixed CSS escaping in CSS selector generation.
  • Fixed the failing error report when the unexpected exception title is too long.
  • Fixed the WADL import issue where the operation fails for responses with no status codes.
  • Fixed incorrect HttpOnly reports for XSRF-TOKEN cookies; by design these cookies must be readable from JavaScript code.
  • Fixed incorrect cURL and sqlmap commands when basic authentication is used.
  • Fixed the incorrect missing object-src report on CSP checks.
  • Fixed an issue where the default crawled value was double-encoded instead of single-encoded.
  • Fixed the problem where unique links were added twice while importing Postman files.
  • Fixed the “Property set method not found” error that occurs while using the FogBugz “Send To” action.
  • Fixed the missing content for Site Profile section of Knowledge Base report.
  • Fixed “The selected task no longer exists.” error when trying to run a scheduled scan on some Windows machines.

19 Jul 2017

IMPROVEMENTS

  • Enhanced and fixed several DOM simulations.
  • Removed redundant SSL logs caused by HSTS security checks.
  • Improved localization capabilities of Report Policy Editor.

14 Jun 2017

NEW FEATURES

  • Manual Crawling (Proxy Mode) now supports protocols like TLS 1.1 and 1.2.
  • Added scan policy settings for CSRF security checks.
  • Added ability to use custom HTTP headers during scan.
  • Added element exclusion support using CSS query selectors for DOM/JavaScript simulation.
  • Added /generatereport CLI argument for report generation from scan session files.
  • Added hex editor view for requests on request builder.
  • Added attacking optimization option for recurring parameters on different pages.
  • Added a new knowledge base item called Site Profile that lists information about the target website, such as the web server operating system, database server, JavaScript libraries used, etc.

NEW SECURITY CHECKS

  • Added Referrer Policy security checks.
  • Added markdown injection XSS patterns.
  • Added HostIP and IPv6 patterns to MySQL and SSH SSRF security checks.
  • Added Database Name Disclosure security checks for MS SQL and MySQL.
  • Added Out of Date security checks for several JavaScript libraries.
  • Added Remote Code Evaluation (Node.js) security checks.
  • Added SSRF detection with server-status.
  • Added user controllable cookie detection.
  • Added Context-Aware XSS detection by generating XSS payloads based on the reflected context without breaking it.

IMPROVEMENTS

  • Updated the links to several external references.
  • Added cancellation of ongoing attack activities when excluded from site map.
  • Improved JavaScript and CSS resource parsing.
  • Added exploitation for XXE vulnerabilities.
  • Added DOM simulation options to scan policy optimizer wizard.
  • Improved Mixed Content vulnerability reporting by separating them according to resource types.
  • Improved the CSS query selector generation on form authentication custom script dialog.
  • Improved boolean SQL injection detection for redirect responses.
  • Improved WSDL parsing for files that contain optional extensions.
  • Added current scan profile, scan policy and report policy names to status bar.
  • Improved .sql file detection signature.
  • Improved the highlighting of patterns on HTTP responses.
  • Added extra confirmation for weak credentials detection.
  • Added POST parameters to crawling activities on scan activity list.
  • Added scan policy option to allow XHR requests during DOM simulation.
  • Added response statistics to request builder.
  • Added form value for password input types to default scan policy.
  • Added status column to the request history in request builder.
  • Increased the maximum response size limit for JavaScript resources.
  • Improved the send to JIRA error message.
  • Added maximum number of option elements per select element to simulate scan policy setting.
  • Added a “filter colon events” scan policy option that filters out events whose name contains a colon character during DOM simulation.
  • Improved error based SQLi exploitation by generating prefix/suffix dynamically.
  • Improved command injection vulnerability detection by prepending original parameter value to attack payload.
  • Improved LFI vulnerability detection by detecting HTML and URL encoded PHP source codes.

FIXES

  • Fixed the incorrect imported link count when search panel is active on the grid view.
  • Fixed the “Open in Browser” context menu action broken for root nodes on site map.
  • Fixed the undefined password value issue on form authentication custom script dialog.
  • Fixed an issue where error based SQLi confirmation is done based on the first seen database signature when multiple signatures appear in source code.
  • Fixed the duplicate import link issue.
  • Fixed request builder issues on parsing query string and encoding.
  • Fixed a request builder issue where an error dialog was shown while switching tabs even though the raw request was empty.
  • Fixed an issue where XSS is missed when injected payload is not executed due to a syntax error.
  • Fixed the broken custom cookie issue where the custom cookie is not sent for imported scan files.
  • Fixed crawling of URLs on pages where base element points to some other URL.
  • Fixed some missing vulnerabilities on site map.
  • Fixed the slow performing certificate load operation on start new scan dialog.
  • Fixed the incorrect vulnerability severity counts on bar chart and status bar.
  • Fixed an issue where blacklisted Invicti attacks prevent further source code disclosures in HTML responses.
  • Fixed the splash screen which stays open when Invicti is started from command line.
  • Fixed the focus stealing issue when HTML response contains the autofocus attribute.
  • Fixed an issue where mixed content vulnerabilities are missing because DOM simulation is skipped due to missing JavaScript in HTML source.
  • Fixed missing response on request builder when the request is loaded from history list.
  • Fixed issues where empty POST parameter is imported and headers added as disabled for Postman files.
  • Fixed an issue where signature fails to match MS SQL username in error messages.
  • Fixed an issue where a vulnerability was missed because an arbitrary value was not appended to the extra query string parameter name.

06 Apr 2017

New Security Check

  • Added new vulnerability checks for Apache Struts framework vulnerabilities.

Improvements

  • Added JSON format option for “Crawled URL(s) List”, “Scanned URL(s) List” and “Vulnerabilities List” report templates.
  • Improved Blind SQL Injection detection for MySQL databases.

Fixes

  • Fixed the incorrect weak signature algorithms reported for root certificates.
  • Fixed the broken editing capabilities on report policy editor.
  • Fixed the empty activity list issue during scans.
  • Fixed the missing custom cookie issue on imported scans.

16 Mar 2017

New Security Checks

  • New security check that detects insecure targets in Content Security Policy.
  • Added checks for exposure of trace.axd in ASP.NET applications.
  • New security check for Time Based Server-Side Request Forgery.
  • Added Markdown Injection attack pattern to XSS engine.
  • Added a Code Evaluation check for Apache Struts framework.

Improvements

  • Improved Boolean SQL Injection detection.
  • Updated the Local File Inclusion vulnerability classifications.
  • Improved Trace/Track security checks.
  • Improved coverage of XSS engine in redirects.
  • Added policy optimization support for SSRF security checks.
  • Added exploit generation support for “Cross-site Scripting via Remote File Inclusion” vulnerability.
  • Added a specialized parser to parse JavaScript responses better to reduce discovering incorrect links.
  • Improved form authentication logout detection by ignoring the responses of some attacks to prevent incorrect logout detections.
  • Added type ahead search box for Security Check Groups on Scan Policy Editor.
  • Added “Send to Request Builder” context menu item for activities on scan activity pane.
  • Added input validation for placeholder patterns on Custom URL rewrite grid.
  • Added scheduling support for Incremental Scan feature.
  • Added the number of crawled links next to scanned host names on sitemap tree.
  • Improved code generation for form authentication custom scripts.
  • Improved proxy options UI. Now proxy address inputs can be pasted along with user credentials and port.
  • Added VDB support to Blind & Boolean SQLi post exploitation.
  • Added an info message to Browser View tab that tells this view is a limited preview.
  • Added file parameter type support to Request Builder.
  • Added support for multiple report exporting to Scheduled Scans.
  • Added the number of vulnerability severities of current scan to status bar.
  • Added Copy URL and Copy as cURL context menu items to Imported Links grid.
  • Added pause scan button to interactive login dialog.
  • Improved sqlmap command generation by adding database server type parameter.
  • Start New Scan dialog is made resizable.
  • Added Search feature to Imported Links.
  • Added Cancel button for Request Builder.
  • Added support for checking Open Redirection vulnerability on Refresh response header.
  • Added the XPath information of the element that causes the DOM XSS vulnerability.
  • Added “Sub Path Max Dynamic Signatures” setting for Heuristic URL Rewrite detection.
  • Added database specific queries for the selected SQLi vulnerability on exploitation panel.
  • Added a JavaScript scan policy option to filter events that are attached to “document” by name to a constant set of mousedown, keyup etc. to reduce triggered event count during the simulation.
  • Added a JavaScript scan policy option to exclude HTML elements such as logout buttons from event simulation by CSS selectors.
  • Added finding vulnerabilities which sink into window.name capability for DOM XSS security checks.
  • Improved coverage of the Local File Inclusion engine so that a vulnerability can be found in a full URL attack.

Bug Fixes

  • Fixed several issues related to DOM parsing and simulation.
  • Fixed a NullReferenceException thrown by HTTP Methods checks.
  • Fixed a StackOverflowException caused by JSON responses with too many nested elements.
  • Fixed PoC generation during post exploitation for time based SQLi checks.
  • Fixed incorrect bearer token log message on verify dialog even when bearer token detection is disabled.
  • Fixed a NullReferenceException while confirming a Boolean SQLi vulnerability.
  • Fixed several issues related with splash screen to make sure it is hidden when the application is loaded.
  • Fixed a NullReferenceException thrown by logout detection while trying to close the application.
  • Fixed an issue where scan is paused when an additional host is unreachable.
  • Fixed an issue where the new link nodes added under an excluded branch on sitemap tree were not excluded.
  • Fixed the misleading message that is shown when a manual crawling scan is started; the Form Authentication feature no longer requires installing a certificate on your computer.
  • Fixed IndexOutOfRangeException thrown while trying to open Scan Policy Editor dialog if the UI language is set to Korean.
  • Fixed keyboard tab order on Form Authentication settings.
  • Fixed an issue where injection HTTP response displays an empty string because deserialized file does not contain the HTML response of the attack.
  • Fixed typos in CSP vulnerability templates.
  • Fixed the broken impacts table on Executive Summary Report PDF when the table spans 2 pages.
  • Fixed several issues related with report policy naming when the name is invalid or too long.
  • Fixed generated blank pages on PDF reports.
  • Fixed OperationCanceledException thrown during extra confirmation.
  • Fixed UI glitches on form authentication Custom Script dialog caused when splitters are resized.
  • Fixed several Request Builder issues.
  • Fixed the Test Credentials button on basic authentication settings, which did not send the Authorization request header if the “Do Not Expect Challenge” check box was checked.
  • Fixed an issue where ignored email addresses were still reported in the knowledge base.
  • Fixed a bug where double encoded attacks are not exploitable in browser when proof URL is clicked.
  • Fixed an issue where source code disclosure is reported in JS and CSS files.
  • Fixed an SQL exploitation issue where executing a SQL query that expects an integer result failed on PostgreSQL databases.
  • Fixed a Text Parser issue where single quote characters were being captured as part of links.
  • Fixed the incorrect path disclosure caused by the Shellshock attack.
  • Fixed a TargetInvocationException thrown when loading a new license using the Help > Load New License menu item.
  • Fixed missing SSRF proofs under Proofs knowledge base.
  • Fixed an ArgumentException thrown by DOM XSS checks when the web site is crawled using manual crawling mode.
  • Fixed incorrect encoded parameter names for multipart/form-data forms.
  • Fixed the incorrect auto update notification even when you have a more up-to-date version of the application.
  • Fixed the large right margin on Knowledge Base Report (PDF) summary page.
  • Fixed the splash screen that is shown in front of the trial popup message.
  • Fixed the performance issues of recrawling related to DOM XSS checks on web sites with lots of links.
  • Fixed the incorrect CR LF encoding issues on proof URLs.
  • Fixed a retest issue where all parameters of the link were being retested whereas only the vulnerable parameter must be retested.
  • Fixed the visual glitch that occurs on the Imported Links section upon importing new links.
  • Fixed DOM Parser clearInterval JavaScript function simulation.
  • Fixed an issue where a stored XSS vulnerability was reported in an XHR response rather than in the page that makes the XHR request.
  • Fixed an issue where Boolean SQLi vulnerability is missed due to crawled parameter value.
  • Fixed an issue where reflected XSS vulnerability is missed because the reflected payload is HTML encoded in an attribute.
  • Fixed an issue where Text Parser does not handle the same referenced JavaScript in different files.

16 Feb 2017

FIXES

  • Fixed a Web App Fingerprinter issue causing degraded performance.

14 Feb 2017

FIXES

  • Fixed a form authentication issue where the URL in the Location response header was followed even if the status code was not a redirection status code.

08 Feb 2017

FIXES

  • Fixed an issue on the Custom Form Authentication script editor where an extra header was sent, causing some pages not to load.
  • Fixed a form authentication issue where cookies with the same names were not updated.
  • Fixed an issue where a vulnerability was not reported due to an XML Content-Type for which exploitation might not be possible.
  • Fixed a compatibility issue that occurs while trying to load an old scan session file.

08 Feb 2017

FIX

  • Fixed clipped Scan Policy Editor dialog issue on high DPI display settings.