Changelogs

Invicti Standard

03 Oct 2016

NEW FEATURES

  • Added the ability to configure the scanner to scan websites which are linked from the target website.
  • Added the Common Vulnerability Scoring System (CVSS) in vulnerability reports.
  • Added ability to play sounds while certain program events occur (i.e. scan finished, vulnerability found).
  • Added OWASP Proactive Guide to classification list.

NEW SECURITY CHECKS

  • Added …

IMPROVEMENTS

  • Improved XSS security checks coverage.
  • Improved the Report Policy Editor.
  • Improved the default filename of generated exploits.
  • Renamed “Permanent XSS” vulnerability to “Stored XSS”.
  • Authentication credentials are now stored encrypted in profile files.
  • Increased the number of vulnerabilities for which the scanner highlights the text related to the vulnerability in the HTTP response viewer.
  • Added an option to follow redirects for the HTTP Request Builder.
  • Added auto completion support to Scan Policy > Headers grid for well-known request headers.
  • Added the version information of Invicti to the reports.
  • Added type ahead search functionality for Scan Policy > Security Checks.
  • Added HTTP methods to AJAX / XML HTTP Requests knowledgebase section.
  • Added editing support for imported links.
  • Optimized the performance of SOAP web service parsing by skipping the WSDLs that are already parsed.
  • Added Scan Policy > Crawling options to enable/disable parsing of SOAP and REST web services.
  • Added JavaScript dialog support for form authentication verification dialog.
  • Improved HTTP request logging by splitting log files once a certain number of requests are logged.
  • Improved DOM simulation by simulating “contextmenu” events.
  • Added “Attacked Parameters” column to “Scanned URLs List” report.
  • Improved Manual Crawl (Proxy Mode) feature to work as passive and not re-issue the requests made during manual crawl phase.
  • Increased the default values for “Maximum Page Visit” and “Max. Number of Parameters to Attack on a Single Page” settings.
  • Improved XML parsing during crawling by parsing empty XML elements as parameters too.
  • Added the ability to attack parameter names.
  • Added a note to vulnerability detail for non-exploitable frame injection.
  • Added .jhtml and .jsp attacks to file upload engine.
  • Improved CORS security checks.
  • Improved Open Redirect engine to detect CNAME injection such as example.com.r87.com.
  • Added tooltips for long texts shown on activity dashboard.
  • Added current DOM XSS attack information to activity pane.
  • Improved XSS confirmation for vulnerabilities found inside noscript tags.
  • Added a new method (Vulnerability.GetTemplateSections) for reporting API to be able to get vulnerability template section content separately.
  • Added an attack pattern to the command injection engine to bypass whitespace filtering using $IFS environment variable.
  • Added /resumescan parameter to command line options to resume the loaded scan.

FIXES

  • Fixed an issue where incorrect PHP source code disclosures are reported for some binary responses.
  • Fixed the position of clipped auto update notification.
  • Fixed the broken External Reference link on Remote Code Evaluation (PHP) vulnerability.
  • Fixed a file upload input DOM parsing issue which prevents some file upload attacks.
  • Fixed an issue where switching between builder and raw tabs causes POST parameter to be removed on Request Builder.
  • Fixed the duplicate log printed for same WSDLs.
  • Fixed a NullReferenceException thrown when the Request Builder fails to make a request with the current SecurityProtocol setting.
  • Fixed the blurred message dialog icons on high DPI screens.
  • Fixed various navigation issues of Previous and Next buttons on HTTP Response viewer.
  • Fixed the missing GET parameter Request Builder issue that occurs when a full querystring/URL attack request is sent.
  • Fixed a form authentication issue that occurs on web sites that open popups during the form authentication sequence.
  • Fixed a DOM simulation issue that occurs when there is a form element with name “action” on the target web page.
  • Fixed the duplicate cookie issue that occurs while using the Manual Crawling (Proxy Mode) scanning feature.
  • Fixed duplicate “Email Address Disclosure” reporting issue.
  • Fixed a NullReferenceException that occurs during CORS security checks.
  • Fixed an issue where current OS UI language was not being selected automatically upon first start.
  • Fixed a CSRF exploit generation issue where the generated file is empty.
  • Fixed an issue where injection/identification responses are unable to display for file upload vulnerability.
  • Fixed an issue where XSS vulnerability is missed when multiple redirects occur.
  • Fixed a text parsing issue where relative URLs were not supported as base href values.
  • Fixed an issue where Missing X-Frame-Options Header vulnerability is reported even though ALLOW-FROM is included in the header.
  • Fixed an XSS attacking issue where duplicate attacks are made for same payload.
  • Fixed a Header Injection attack issue where first line of the HTTP request gets corrupted on full URL attacks.
  • Fixed an issue where post exploitation does not work sometimes.
  • Fixed a form authentication issue where any slash character in credentials cannot be used.

26 Jul 2016

FIXES

  • Fixed an issue in which Invicti crashes when using the Korean interface and trying to start a scan or load a scan file.

13 Jul 2016

FIXES

  • Fixed a NullReferenceException thrown during late confirmation.
  • Fixed an incorrect crawling activity reported on scan summary dashboard UI while performing a passive analysis of an attack response.
  • Fixed a Request Builder issue where response is incorrectly reported as binary.
  • Fixed a Request Builder issue where “Enable Raw Request Body” option is initially selected when a GET request is dropped on the builder.

30 Jun 2016

NEW FEATURES

  • Added the HTTP Request Builder penetration testing tool.
  • Added a button on start new scan dialog to open target URL on default web browser.
  • Added a new activity type group called “Passive Analysis” which shows the analysis activity of attack responses.

IMPROVEMENTS

  • Improved the “HTML Base Tag Hijacking” vulnerability template.
  • Improved the long-term memory usage of the DOM simulation and cross-site scripting (XSS) scanning.
  • DOM simulation smart filtering now prunes unnecessary DOM branches.
  • Improved the detection of “Redirect Body Too Large” vulnerability.

FIXES

  • Fixed an issue in which the editing of a report policy can cause some external references to be removed unintentionally.
  • Fixed an issue in which multiple tabs on the web browser could be opened while trying to open a vulnerability URL.
  • Fixed a comparison report issue in which charts were not being generated according to selected report policy.
  • Fixed a NullReferenceException that can be thrown by the Subresource integrity security checks.
  • Fixed a report policy editor bug where clicking check all/none affects the vulnerability types that are not currently displayed.
  • Fixed an issue where the vulnerability types disabled on the current report policy were affecting the vulnerability count on the “Issues” panel title.

22 Jun 2016

IMPROVEMENTS

  • Improved the automatic form authentication script to click “button” HTML elements if no suitable button is found.

FIXES

  • Fixed the clipped dialog buttons on “Report Policy Editor”.
  • Fixed the incompatibility issues of “Report Policy Editor” on some Windows 8/8.1 systems with Internet Explorer 10.
  • Fixed a Report Policy issue where a vulnerability hidden from a scan was still not being displayed when a report is generated using the Default Report Policy.
  • Fixed scope related bugs in SRI checks.

16 Jun 2016

NEW FEATURES

  • Scanning of RESTful web services.
  • Report Policies to customize the scan results and reports.
  • “Heuristic Rule Detection” support while using custom URL rewrite rules.
  • Added an option to disable logout detection for form authentication.
  • Added ASP.NET Web Application project import support.

NEW SECURITY CHECKS

  • Added Samesite cookie attribute check.
  • Added Reverse Tabnabbing check.
  • Added Subresource Integrity (SRI) Not Implemented check.
  • Added Subresource Integrity (SRI) Hash Invalid check.

IMPROVEMENTS

  • Various memory usage improvements to handle large web sites.
  • Improved vulnerability templates by adding product information when a 3rd party web application (WordPress, Drupal, Joomla, etc.) is discovered.
  • Improved DOM simulation by supporting HTTP responses that are translated to HTML web pages using XSLT.
  • Improved coverage of LFI engine.
  • Added name completion for profile save as dialog.
  • Updated missing localized text for Korean translation.

FIXES

  • Fixed an issue where form authentication remembers the cookies from the previous scan while using the same Invicti instance for a new scan.
  • Fixed the incorrect progress bar while performing a controlled scan.
  • Fixed an issue where the enabled status of DOM Based XSS security checks was not being logged.
  • Fixed an issue where the “Cross-site Scripting via Remote File Inclusion” vulnerability was not being confirmed.
  • Fixed a JIRA Send To action issue where the port number of the JIRA service was being ignored.
  • Fixed the synchronization issue on JavaScript Scan Policy section where UI elements are left enabled even though “Analyze JavaScript / AJAX” option is not checked.
  • Fixed the NullReferenceException thrown when scan is paused and resumed during performing form authentication.
  • Fixed the incorrect form value issue when the #DEFAULT# form value is removed.
  • Fixed the broken layout of input controls on basic authentication dialog shown during form authentication.
  • Fixed the error reporting issue that occurs when log file collection and/or compression fails.
  • Fixed the HTTP Archive Importer issue where POST method was parsed as GET when postData is empty.
  • Fixed the ObjectDisposedException thrown on form authentication verification dialog.
  • Fixed a bug where a GWT parameter which contains a Base64 encoded value cannot be detected.
  • Fixed a time span parsing bug in Knowledge base report templates.
  • Fixed an issue where some vulnerabilities are treated as fixed while retesting.
  • Fixed an issue where XSS proof URL was missing alert function call.
  • Fixed a typo on “Base Tag Hijacking” vulnerability template.
  • Fixed the broken “Generate Debug Info” function of JavaScript simulation feature.

11 May 2016

IMPROVEMENTS

  • Added PCI DSS 3.2 vulnerability ratings
  • Updated the PCI Compliance report template with the details of PCI DSS version 3.2

05 May 2016

NEW SECURITY CHECK

  • Remote Code Execution via File Upload in ImageMagick (aka ImageTragick)

03 May 2016

NEW FEATURES

  • Added ModSecurity WAF rule generation feature.

NEW SECURITY CHECKS

  • Detection of SQLite Database files.
  • Detection of Microsoft Outlook Personal Folders File (.pst) files.
  • Detection of DS_Store files.
  • Detection of SVN files, supporting the latest version of SVN.

IMPROVEMENTS

  • Improved LFI “Long attack – boot.ini” attack.
  • Added Internet Explorer 10, 11 and Microsoft Edge browser user agent values.
  • Improved the performance of the scan session auto saves.
  • Improved link importing to better handle relative URLs.
  • Improved the “MIME Types” knowledge base list by ordering items alphabetically.
  • Added “Extract static resources” option to JavaScript scan policy settings.
  • Improved coverage of XML External Entity engine.

FIXES

  • Fixed an attacking issue that occurs when retesting a vulnerability in an incremental scan.
  • Fixed a link parsing issue in the text parser where links were incorrectly split.
  • Fixed a form authentication “Override Target URL with authenticated page” issue which caused a wrong URL to be identified as the “Target URL”.
  • Fixed a highlighting issue where the URL for “Insecure Frame (External)” vulnerability is partially highlighted.
  • Fixed an incorrect “Source Code Disclosure” vulnerability report when the response contained an ASP.NET event validation code sample.
  • Fixed an ObjectDisposedException which occurred while trying to close the Authentication Verification dialog.
  • Fixed a broken link in XSS vulnerability templates.

11 Apr 2016

FIXES

  • Fixed an exception that happens when reordering form values.
  • Fixed the hidden URL text box on custom URL rewrite settings.
  • Fixed the clipped automatic update notification label.

08 Apr 2016

NEW FEATURES

  • Added Proof of Concept generation for the CSRF vulnerability.
  • Added Parameter-Based Navigation settings to better crawl and attack parameters that are used for website navigation.
  • Added a new crawling option in the Scan Policy that allows users to add new extensions for the crawler to parse.

NEW SECURITY TESTS

  • Added Missing X-XSS-Protection Header vulnerability check.
  • Added Video.js JavaScript library detection.
  • Added Critical Form Send to HTTP vulnerability check.
  • Added Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability check.

IMPROVEMENTS

  • Added the Smart DFS feature to the DOM Parser which uses a similarity heuristic technology for DOM elements to avoid multiple scanning of the same or similar parameters.
  • Added license load option to Help menu.
  • Improved “Not Found Analyzer” to better handle binary responses and long strings.
  • Changed the default settings of JIRA Send to Action for better out of the box support.
  • Added a link to the proof URL for XSS vulnerabilities.
  • Added link generation to Text Parser for all select element options.
  • Improved the DOM parser to skip redirect responses.
  • Added an option to allow the user to move the Invicti data directory to a different location.
  • Improved the DOM parser to use the input value for auto-suggest simulation when input is not in a form.
  • Added support for modifying asynchronous JavaScript executions in order to increase DOM Parser coverage.
  • Improved relative link parsing on JavaScript files.
  • Improved the coverage of file upload security checks.
  • Improved the coverage of XSS security checks.

FIXES

  • Fixed an issue where LFI attack patterns are reported as internal path disclosure.
  • Fixed the incorrect raw response representing SSL connections.
  • Fixed an issue where forms containing ignored parameters are not reported as CSRF vulnerability.
  • Fixed a case where the change event of dynamically generated HTML option elements was not being triggered.
  • Fixed cross-domain document access errors on DOM parser and XSS scanner.
  • Fixed an issue where a JSON request’s method was incorrectly recognized as POST rather than GET.
  • Fixed a retest issue where a vulnerability is reported as fixed incorrectly.
  • Fixed form values target setting to use Name as the default value when a Target is not selected.
  • Fixed an issue related with JavaScript “Load Preset Values” combo where selecting a preset value may revert the combo value to “(Custom)”.
  • Fixed a file extension parsing issue related with File Extension List knowledgebase item.
  • Fixed a hang issue that occurs while performing JavaScript library checks.
  • Fixed a custom form authentication API issue where “ns” namespace was conflicting with a global variable on target web site (authentication API has been moved to “invicti” namespace preserving the “ns” backward compatibility)
  • Fixed a DOM Parser and XSS scanner bug that incorrectly follows redirects.
  • Fixed misplaced certainty label on vulnerability details for trial editions.
  • Fixed an ObjectDisposedException that occurs on trial edition when you press escape key several times during application load.
  • Fixed a resource deployment issue that occurs on Invicti installations with custom application data path.
  • Fixed a form values issue where empty form values should not set any default values for parameters.
  • Fixed an issue where trying to set Connection request header fails.

17 Mar 2016

IMPROVEMENTS

  • Increased severity of “Insecure Transportation Security Protocol Supported (SSLv2)” vulnerability to “Important”
  • Added support for adding several more request headers including the “Host” header

FIXES

  • Fixed a bug related to VDB update process where a computer with no internet access may not get newer VDB updates even when it is updated using the offline installer