Changelogs

Invicti Standard

22 Jun 2016

IMPROVEMENTS

  • Improved the automatic form authentication script to click “button” HTML elements if no suitable button is found.

FIXES

  • Fixed the clipped dialog buttons on “Report Policy Editor”.
  • Fixed the incompatibility issues of “Report Policy Editor” on some Windows 8/8.1 systems with Internet Explorer 10.
  • Fixed a Report Policy issue where a vulnerability hidden from a scan was still not being displayed when a report is generated using the Default Report Policy.
  • Fixed scope related bugs in SRI checks.

16 Jun 2016

NEW FEATURES

  • Scanning of RESTful web services.
  • Report Policies to customize the scan results and reports.
  • “Heuristic Rule Detection” support while using custom URL rewrite rules.
  • Added an option to disable logout detection for form authentication.
  • Added ASP.NET Web Application project import support.

NEW SECURITY CHECKS

  • Added Samesite cookie attribute check.
  • Added Reverse Tabnabbing check.
  • Added Subresource Integrity (SRI) Not Implemented check.
  • Added Subresource Integrity (SRI) Hash Invalid check.

IMPROVEMENTS

  • Various memory usage improvements to handle large web sites.
  • Improved vulnerability templates by adding product information when a 3rd party web application (WordPress, Drupal, Joomla, etc.) is discovered.
  • Improved DOM simulation by supporting HTTP responses that are translated to HTML web pages using XSLT.
  • Improved coverage of LFI engine.
  • Added name completion for profile save as dialog.
  • Updated missing localized text for Korean translation.

FIXES

  • Fixed the issue where form authentication remembered the cookies from the previous scan when the same Invicti instance was used for a new scan.
  • Fixed the incorrect progress bar while performing a controlled scan.
  • Fixed the issue where the enabled status of DOM Based XSS security checks was not being logged.
  • Fixed the issue where the “Cross-site Scripting via Remote File Inclusion” vulnerability was not being confirmed.
  • Fixed JIRA Send To action issue where the port number of the JIRA service was being ignored.
  • Fixed the synchronization issue on JavaScript Scan Policy section where UI elements are left enabled even though “Analyze JavaScript / AJAX” option is not checked.
  • Fixed the NullReferenceException thrown when a scan is paused and resumed while performing form authentication.
  • Fixed the incorrect form value issue when the #DEFAULT# form value is removed.
  • Fixed the broken layout of input controls on basic authentication dialog shown during form authentication.
  • Fixed the error reporting issue that occurs when log file collection and/or compression fails.
  • Fixed the HTTP Archive Importer issue where POST method was parsed as GET when postData is empty.
  • Fixed the ObjectDisposedException thrown on form authentication verification dialog.
  • Fixed a bug where a GWT parameter that contains a Base64 encoded value could not be detected.
  • Fixed a time span parsing bug in Knowledge base report templates.
  • Fixed an issue where some vulnerabilities are treated as fixed while retesting.
  • Fixed an issue where XSS proof URL was missing alert function call.
  • Fixed a typo on “Base Tag Hijacking” vulnerability template.
  • Fixed the broken “Generate Debug Info” function of JavaScript simulation feature.

11 May 2016

IMPROVEMENTS

  • Added PCI DSS 3.2 vulnerability ratings
  • Updated the PCI Compliance report template with the details of PCI DSS version 3.2

05 May 2016

NEW SECURITY CHECK

  • Remote Code Execution via File Upload in ImageMagick (aka ImageTragick)

03 May 2016

NEW FEATURES

  • Added ModSecurity WAF rule generation feature.

NEW SECURITY CHECKS

  • Detection of SQLite Database files.
  • Detection of Microsoft Outlook Personal Folders File (.pst) files.
  • Detection of DS_Store files.
  • Detection of SVN files, supporting the latest version of SVN.

IMPROVEMENTS

  • Improved LFI “Long attack – boot.ini” attack.
  • Added Internet Explorer 10, 11 and Microsoft Edge browser user agent values.
  • Improved the performance of the scan session auto saves.
  • Improved link importing to better handle relative URLs.
  • Improved the “MIME Types” knowledge base list by ordering items alphabetically.
  • Added “Extract static resources” option to JavaScript scan policy settings.
  • Improved coverage of XML External Entity engine.

FIXES

  • Fixed an attacking issue that occurs when retesting a vulnerability in an incremental scan.
  • Fixed a link parsing issue in the text parser where links were incorrectly split.
  • Fixed a form authentication “Override Target URL with authenticated page” issue which caused a wrong URL to be identified as the “Target URL”.
  • Fixed a highlighting issue where the URL for “Insecure Frame (External)” vulnerability is partially highlighted.
  • Fixed an incorrect “Source Code Disclosure” vulnerability report when the response contained an ASP.NET event validation code sample.
  • Fixed an ObjectDisposedException which occurred while trying to close the Authentication Verification dialog.
  • Fixed a broken link in XSS vulnerability templates.

11 Apr 2016

FIXES

  • Fixed an exception that happens when reordering form values.
  • Fixed the hidden URL text box on custom URL rewrite settings.
  • Fixed the clipped automatic update notification label.

08 Apr 2016

NEW FEATURES

  • Added Proof of Concept generation for the CSRF vulnerability.
  • Added Parameter-Based Navigation settings to better crawl and attack parameters that are used for website navigation.
  • Added a new crawling option in the Scan Policy that allows users to add new extensions for the crawler to parse.

NEW SECURITY TESTS

  • Added Missing X-XSS-Protection Header vulnerability check.
  • Added Video.js JavaScript library detection.
  • Added Critical Form Send to HTTP vulnerability check.
  • Added Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability check.

IMPROVEMENTS

  • Added the Smart DFS feature to the DOM Parser, which uses a similarity heuristic for DOM elements to avoid scanning the same or similar parameters multiple times.
  • Added license load option to Help menu.
  • Improved “Not Found Analyzer” to better handle binary responses and long strings.
  • Changed the default settings of JIRA Send to Action for better out of the box support.
  • Added a link to the proof URL for XSS vulnerabilities.
  • Added link generation to Text Parser for all select element options.
  • Improved the DOM parser to skip redirect responses.
  • Added an option to allow the user to move the Invicti data directory to a different location.
  • Improved the DOM parser to use the input value for auto-suggest simulation when input is not in a form.
  • Added support for modifying asynchronous JavaScript executions in order to increase DOM Parser coverage.
  • Improved relative link parsing on JavaScript files.
  • Improved the coverage of file upload security checks.
  • Improved the coverage of XSS security checks.

FIXES

  • Fixed an issue where LFI attack patterns are reported as internal path disclosure.
  • Fixed the incorrect raw response representing SSL connections.
  • Fixed an issue where forms containing ignored parameters are not reported as CSRF vulnerability.
  • Fixed a case where dynamically generated HTML option elements’ change events were not being triggered.
  • Fixed cross-domain document access errors on DOM parser and XSS scanner.
  • Fixed an issue where a JSON request’s method was incorrectly recognized as POST rather than GET.
  • Fixed a retest issue where a vulnerability is reported as fixed incorrectly.
  • Fixed form values target setting to use Name as the default value when a Target is not selected.
  • Fixed an issue related with JavaScript “Load Preset Values” combo where selecting a preset value may revert the combo value to “(Custom)”.
  • Fixed a file extension parsing issue related with File Extension List knowledgebase item.
  • Fixed a hang issue that occurs while performing JavaScript library checks.
  • Fixed a custom form authentication API issue where “ns” namespace was conflicting with a global variable on target web site (authentication API has been moved to “invicti” namespace preserving the “ns” backward compatibility)
  • Fixed a DOM Parser and XSS scanner bug that incorrectly follows redirects.
  • Fixed misplaced certainty label on vulnerability details for trial editions.
  • Fixed an ObjectDisposedException that occurs on the trial edition when you press the escape key several times during application load.
  • Fixed a resource deployment issue that occurs on Invicti installations with a custom application data path.
  • Fixed a form values issue where empty form values should not set any default values for parameters.
  • Fixed an issue where trying to set Connection request header fails.

17 Mar 2016

IMPROVEMENTS

  • Increased severity of “Insecure Transportation Security Protocol Supported (SSLv2)” vulnerability to “Important”
  • Added support for adding several more request headers including the “Host” header

FIXES

  • Fixed a bug related to VDB update process where a computer with no internet access may not get newer VDB updates even when it is updated using the offline installer

09 Mar 2016

SECURITY CHECKS

  • Added “HSTS (HTTP Strict Transport Security) Not Enabled” security checks
  • Added various checks being reported with “HTTP Strict Transport Security (HSTS) Errors and Warnings”
  • Added version checks for OpenCart web application

IMPROVEMENTS

  • Improved JavaScript/DOM simulation and DOM XSS attacks
  • Added “Form Values” support for JavaScript/DOM simulation and DOM XSS attacks
  • Rewritten HSTS security checks
  • Added evidence information to vulnerabilities list XML report
  • Improved out-of-date reports for applications/libraries that have multiple active stable branches (i.e. jQuery 1.x and 2.x)
  • Added the file name information for the local file inclusion evidence
  • Added support for specifying client certificate authentication certificate for manual crawling
  • Added source code to vulnerability details for “Source Code Disclosure” vulnerabilities
  • Added “Custom Not Found Analysis” activities to UI
  • Improved “Open in Browser” for XSS vulnerabilities and produced a vulnerable link with alert function
  • Improved Heuristic URL Rewrite implementation to detect more patterns and increase crawling efficiency
  • Improved the performance of DOM simulation by aggressively caching external requests
  • Improved the performance of DOM simulation by caching web page responses
  • Improved the performance of DOM simulation by blocking requests to known ad networks
  • Improved minlength and maxlength support for form inputs that sets a value with an appropriate length
  • Added support for matching inputs by label and placeholder texts on form values
  • Improved the vulnerability description on out-of-date cases where identified version is the latest version
  • Added database version, name and user proof for SQL injection vulnerabilities
  • Improved the loading performance of Start New Scan dialog
  • Added support for reordering form values to denote precedence
  • Optimized the attacks with multiple parameters to reduce the number of attacks
  • Added “Identified Source Code” section for “Source Code Disclosure” vulnerabilities

FIXES

  • Fixed an out of disk space issue which occurs while writing logs
  • Fixed the “scan will be paused” warning for a scan that is already paused
  • Fixed the toggle state of proxy toolbar button on cases when the operation is canceled
  • Fixed an issue where reading cookies fails on form authentication verification in cases where the Set-Cookie response header is empty
  • Fixed an issue on sitemap tree where the results were still populating even though scan pauses after crawling
  • Fixed the issue where requests that time out do not display any details on the “HTTP Request / Response” tab
  • Fixed an issue with client certificate authentication where the client certificate may be sent to external hosts while making HTTP requests
  • Fixed cases where Invicti was making requests to addresses that are generated by its own attacks
  • Fixed an issue where crawling activity is not shown on the UI when the crawling activity is retried
  • Fixed the issue where the elapsed time stops when the current scan is exported
  • Fixed an issue with JavaScript library version detection where wrong version is reported if the path to JavaScript file contains digits
  • Fixed missing AJAX requests on knowledgebase while doing manual crawling
  • Fixed the issue of unsigned eowp.exe shipped with installer
  • Fixed an ArgumentOutOfRangeException that occurs on the schedule dialog when a report template with an incorrect file name exists
  • Fixed the issue where the stacked severity bar chart on “Detailed Scan Report” gets split and overflows to the second page
  • Fixed the HSTS engine where an http:// request may cause the current session cookie to be lost
  • Fixed an issue where extracted links by TextParser in a JavaScript file should be relative to the main document
  • Fixed the issue of delegated events not being simulated if added to the DOM after load time
  • Fixed the issue where hidden resource requests made by Invicti are displayed on out of scope knowledgebase
  • Fixed the issue with automatic SSL protocol fallback which attempts the fallback even if the current security protocol is the same as the fallback value
  • Fixed the issue of “Strict-Transport-Security” being reported as “Interesting Header”
  • Fixed some Korean vulnerability templates that were incorrectly formatted
  • Fixed the broken HIPAA classification link

03 Mar 2016

Improvements

  • Added “DROWN Attack” reporting

03 Mar 2016

Fixes

  • Fixed an issue that causes auto update process to hang after restarting Invicti for the update

29 Jan 2016

Bug Fixes

  • Fixed an issue with form authentication verification dialog where you may get a blank web page on left
  • Fixed a cookie parsing issue where Invicti may fail to read some cookies on HTTP responses