Changelogs

Invicti Standard

RSS Feed

28 Jan 2016

IMPROVEMENTS Improved support for Single Page Applications (SPA) by rewritting the DOM parser Improved DOM Parser and DOM XSS performance Added icons to scan policy combo box to denote optimized platforms for policies Improved Korean language support Attached proof for the blind SQLi vulnerabilities Added “Proofs” knowledge base nodes Removed out of scope links from …

IMPROVEMENTS

  • Improved support for Single Page Applications (SPA) by rewritting the DOM parser
  • Improved DOM Parser and DOM XSS performance
  • Added icons to scan policy combo box to denote optimized platforms for policies
  • Improved Korean language support
  • Attached proof for the blind SQLi vulnerabilities
  • Added “Proofs” knowledge base nodes
  • Removed out of scope links from URL rewrite report
  • Added HTTP response status code 308 to list of redirect status codes
  • Added link to TFS API download page for Send To extension
  • Added Crawling and Scan Performance knowledge base nodes
  • Eliminated web application fingerprinter’s meta tag requests by re-using crawled link response
  • Improved performance of the email disclosure detection pattern significantly
  • Added automatic exploitation for Boolean and Blind SQL Injection vulnerabilities
  • Added .svg to default set of ignored extensions
  • Removed DOM XSS security checks from default built-in policy
  • Added a new built-in scan policy that includes DOM XSS security checks
  • Added a new scan policy setting section for JavaScript related settings
  • Removed outdated PCI 2.0, PCI 3.0 and OWASP Top Ten 2010 classifications and report templates

Bug Fixes

  • Fixed a NullReferenceException which could occur while editing a custom policy
  • Fixed a bug occurs when a proof is empty
  • Fixed the horizontal scroll bar that is shown while adding a new URL rewrite parameter
  • Fixed an issue with comparison report where two reports were showing the same date even if the latter one has been retested
  • Fixed a FileNotFoundException occurs while caching DOM requests
  • Fixed a ThreadInterruptedException thrown by DOM XSS scanner while trying to close application
  • Fixed an UnauthorizedAccessException occurs while cleaning the scan temporary directory
  • Fixed the explanation text for Entered Path and Below scope
  • Fixed the SSL/TLS fall back code to cover more HTTPS web sites
  • Fixed a CannotUnloadAppDomainException occurs while trying to close form authentication verifier dialog
  • Fixed an out of date JavaScript library version issue where identified version was bigger than Invicti’s latest version
  • Fixed the slow performance issue which occurs when “Automatically Detect Settings” proxy setting is enabled
  • Fixed the broken proceed button on trial popup dialog
  • Fixed an out of date JavaScript library version issue where version value cannot be captured
  • Fixed an issue with OWASP reports where vulnerabilities in same category were not being grouped together
  • Fixed a not found detection issue where redirect analysis fails on redirect cases
  • Fixed a broken compatibility issue which occurs while loading scan files exported with previous versions

28 Dec 2015

FIXES Fixed a NullReferenceException which could occur while editing a custom policy Fixed a bug occurs when a proof is empty

FIXES

  • Fixed a NullReferenceException which could occur while editing a custom policy
  • Fixed a bug occurs when a proof is empty

18 Dec 2015

FEATURES Added Windows 10 support Added the Scan Policy Optimizer Added automatic configuration of URL rewrite rules Added automated evidence collection to several confirmed vulnerabilities Added Korean language option for application user interface (currently in beta) Added support for detecting outdated versions of several popular JavaScript client-side libraries Added HIPAA compliance report template Added syntax …

FEATURES

NEW SECURITY CHECKS

  • Added Windows Short File Name security checks
  • Added several new backup file checks
  • Added web.config pattern for LFI checks
  • Added boot.ini pattern for LFI checks
  • Added a signature which checks against a passive backdoor affecting vBulletin 4.x and 5.x versions
  • Added a signature which checks against an error message generated by regexp function at MySQL database
  • Added DAws web backdoor check
  • Added MOF Web Shell backdoor check
  • Added RoR database configuration file detection
  • Added RoR version disclosure detection
  • Added RoR out-of-date version detection
  • Added RoR Stack Trace Disclosure
  • Added RubyGems version disclosure detection
  • Added RubyGems out-of-date version detection
  • Added Ruby out-of-date version detection
  • Added Python out-of-date version detection
  • Added Perl out-of-date version detection
  • Added RoR Development Mode Enabled detection
  • Added Django version disclosure detection
  • Added Django out-of-date version detection
  • Added Django Development Mode Enabled detection
  • Added PHPLiteAdmin detection
  • Added phpMoAdmin detection
  • Added DbNinja detection
  • Added WeakNet Post-Exploitation PHP Execution Shell (WPES) detection
  • Added Adminer detection
  • Added Microsoft IIS Log File detection
  • Added Laravel Configuration File detection
  • Added Laravel Debug Mode Enabled detection
  • Added Laravel Stack Trace Disclosure
  • Added S/FTP Config File detection

IMPROVEMENTS

  • Several performance improvements to reduce memory usage
  • Improved credit card detection to eliminate false positives
  • HTTP cookie handling code written from scratch to conform with the latest RFCs which modern browsers also follow
  • SSL cipher support check code has been rewritten to support more cipher suites
  • SSL checks are now made for target URLs even when protocol is HTTP
  • Improved logging code to decrease the performance overhead
  • Updated embedded chrome based browser engine to version 41
  • Improved logging when an error occurs if Invicti was started from command line with arguments
  • Added more ignored parameters for ASP.NET web applications
  • Improved JIRA send to action to support both old and new versions
  • Added activity details for singular security checks (SSL, Heartbleed, etc.) on scan summary dashboard
  • Improved authentication verifier to include keywords from alt and title attributes
  • Improved scan policy versioning where new security checks are automatically included or excluded by default on existing scan policies
  • Improved out-of-date vulnerability reporting on XML vulnerability list report to include references and affected versions elements
  • Improved LFI pattern that matches win.ini files
  • Improved XSS coverage by adding an attack pattern for email inputs which require an @ character
  • Improved cookie vulnerability details to show all cookies that are not marked as Secure or HttpOnly
  • Added descriptions for advanced settings
  • Improved out-of-date vulnerability templates by including severity information of vulnerabilities for that version of software
  • Improved out-of-date vulnerability reporting by increasing the severity of the vulnerability if that version of software contains an important vulnerability
  • Increased static resource finder limit from 75 to 100
  • Added several text parser settings to advanced settings
  • Improved Ruby version disclosure detection
  • Improved SQL injection vulnerability template by adding remedy information for more development environments
  • Improved common directory checks by adding more known directory names
  • Updated default user agent
  • Improved the default Anti-CSRF token name list
  • Improved database error messages vulnerability detection for Informix
  • Added new XSS attack pattern for title tag in which JavaScript execution is not possible
  • Improved XHTML attacks to check against XSS vulnerabilities
  • Missing Content-Type vulnerability is not reported when status code returns 304
  • Optimized confirmation of Boolean SQLi
  • Added exploitation for Remote Code Evaluation via ASP vulnerability
  • Revamped DOM based XSS vulnerability detail with a table showing XPath column
  • Changed SQLi attack patterns specific to MSSQL database with shorter ones
  • Improved SQLi attack pattern which causes a vulnerability in LIMIT clauses specific to MySQL database
  • DOM simulation is turned off for hidden input types which causes a false-positive confirmed XSS vulnerability
  • Improved the “Name” form value pattern to match more inputs
  • Improved confirmation of Expression Language Injection vulnerability
  • Improved Frame Injection vulnerability details
  • Added .phtml extension to detect code execution via file upload
  • Improved blind SQL injection detection on some INNER JOIN cases
  • Improved external references section of “Remote Code Evaluation (PHP)” vulnerability
  • Added retest support for several vulnerability types
  • Improved import link user interface
  • Improved CSRF engine
  • Displaying installer links for cases where auto update fails or auto updating is not possible
  • Improved Apache Tomcat detection patterns
  • Improved the message on “Reset to Defaults” dialog
  • Added severity column for Vulnerabilities List (CSV) report template
  • Increased the number of sensitive comments reported
  • Added exploitation support for “RCE via Perl” vulnerability
  • Added project selection to FogBugz send to action
  • Improved text parser improvements
  • Added the total number of attack counts per parameter for current scan policy to scan policy editor dialog
  • Added the passive engine names which are currently running to scan summary dashboard
  • Added separate checks in scan policy for each supported web app fingerprint application

FIXES

  • Fixed Extensive Security Checks policy to enable DOM simulation for open redirection
  • Fixed Extensive Security Checks policy to enable Prepend Original Value for XSS security tests
  • Fixed authentication verifier to omit empty keywords for keyword based authentication
  • Fixed authentication verifier to omit keywords longer than 200 characters for keyword based authentication
  • Fixed authentication verifier to omit keywords containing null bytes for keyword based authentication
  • Fixed URL rewrite analysis to respect case sensitivity settings
  • Fixed a form authentication issue which image submit elements were not clicked
  • Fixed send to extension context menu which does not focus Extensions section when Options dialog is opened
  • Fixed a form authentication verification issue which may crash when username and/or password is empty
  • Fixed a manual crawling issue when proxy was left open when you start a regular scan after a manual crawling
  • Fixed custom reporting sample code on user manual to match the latest reporting API
  • Fixed an issue occurs when the HTTP response body starts with unicode BOM
  • Fixed Open Redirect security checks where it should not perform DOM based checks if DOM checks are turned off
  • Fixed fiddler logging where form authentication requests were not being captured
  • Fixed static resource finder where it was not following a redirect if only the protocol portion of an URL changes
  • Fixed Start a New Scan dialog where Schedule Scan dialog was always shown when you first try to schedule a scan
  • Fixed DOM simulation hangs if a rogue JavaScript call enters an endless loop
  • Fixed slow XSS highlights on some responses
  • Fixed disk space detection on cases when there are no space left on disk where Invicti documents folder resides
  • Fixed the issue on Start a New Scan dialog where some check box values were not restored correctly
  • Fixed a bug where Full-Url LFI attack which is specific to Ruby-on-Rails applications could not be confirmed
  • Fixed a bug where XSS vulnerability could not be confirmed when injection occurs in the middle of a CSS style
  • Fixed a bug where generated XSS exploit did not work due to incorrect encoding
  • Fixed a bug where a false-positive file upload vulnerability was reported
  • Fixed a bug where maximum amount of hard fails was preventing next scan making HTTP requests
  • Fixed “Missing Content-Type” reporting issue where redirected responses should not be reported
  • Fixed Set-Cookie response headers being merged issue on response viewers
  • Fixed an issue where send failures were not being handled while making HTTP requests
  • Fixed credit card reporting issue where the value specified in default form values section should not be reported
  • Fixed the trimmed parameter name issue on controlled scan pane
  • Fixed ignore vulnerability issue function where it was not working for comparison reports
  • Fixed documentation for nginx vulnerability template that tells how to fix the issue
  • Fixed HSTS support for form authentication HTTP requests
  • Fixed a bug which prevents attacking from resuming when an existing session is imported
  • Fixed the issue of HttpRequests.saz file being truncated when a scan is resumed after import
  • Fixed fiddler log file saving issue where chunked response bodies were not being saved correctly
  • Fixed a URI parsing issue where non-HTTP(S) protocols are ignored
  • Fixed a DOM XSS scanner issue that crashes Invicti when a long URL is parsed
  • Fixed a bug where an attribute based attack could not be confirmed as XSS
  • Fixed a bug where an injection with “javascript:” protocol for XSS attacks occurs after a new line
  • Fixed a bug where exploitation goes into loop and causes an unresponsive UI for error based SQLi
  • Fixed a bug where redirection happens relatively and reported as Open Redirect vulnerability
  • Fixed an issue where importing links to an existing profile with imported links was failing
  • Fixed generated report name issue where and extra .htm extension is added to report file if run from command line
  • Fixed an unhandled ArgumentException raised from permanent XSS detection
  • Fixed the issue that Invicti hangs with a confirmation dialog upon scan completion when started with /auto command line parameter
  • Fixed an issue where a Groovy RCE is reported as Perl RCE
  • Fixed an issue where a scan started with Scan Imported Links option were attacking to links those are not imported
  • Fixed an issue where retest request is started with the attacked value and causes a vulnerability creation in a different injection point
  • Fixed a WSDL parsing issue where reference parameters were not handled
  • Fixed a WSDL parsing issue where XML types were not handled
  • Fixed a visual bug where “Security Check Groups” description text was clipped
  • Fixed a bug where illegal characters were causing invalid XML reports
  • Fixed an issue where RCE Perl exploitation could not be performed due to incorrect encoding
  • Fixed an issue with auto complete input reporting where highlighting was not correct
  • Fixed an issue with web app fingerprinting where pausing the scan was not pausing it
  • Fixed an issue that occurs during form authentication with an HSTS site that performs redirects to an URL with http protocol
  • Fixed a form authentication configuration issue where both keyword based and redirect based logout detection pattern could be configured
  • Fixed a bug where the hash is reported incorrectly in a DOM based XSS vulnerability
  • Fixed the misleading content in basic authentication over clear text vulnerability

26 Jun 2015

IMPROVEMENTS Increased the DomParserLoadUrlTimeout and DomParserSimulationTimeout values to handle unresponsive request cases DomParserLoadUrlTimeout and DomParserSimulationTimeout are now modifiable through the scanner’s advanced settings Added Override Target URL with authenticated page form authentication option to support web sites which require dynamic Target URLs generated post-authentication (scanner will authenticate prior to accessing target URL) Improved resource finder …

IMPROVEMENTS

  • Increased the DomParserLoadUrlTimeout and DomParserSimulationTimeout values to handle unresponsive request cases
  • DomParserLoadUrlTimeout and DomParserSimulationTimeout are now modifiable through the scanner’s advanced settings
  • Added Override Target URL with authenticated page form authentication option to support web sites which require dynamic Target URLs generated post-authentication (scanner will authenticate prior to accessing target URL)
  • Improved resource finder checks for websites which have custom 404 pages
  • Increased the default value of Maximum 404 Signature setting to be store more signatures
  • Improved timeout calculation for vulnerability checks which require late confirmation

FIXES

  • Fixed DOM simulation issue where all delegated events on an elements were not being called
  • Fixed a Heartbleed security check issue where it was causing the crawling phase to be stalled

18 May 2015

Engines & Exploitation Experimental Second Order SQL Injection support added. Doesn’t support confirmation or exploitation yet. Confirmation added to Permanent Cross-site Scripting Engine SQL Injection Error based confirmation added for PostgreSQL, MySQL and Oracle. SQL Injection Engine was missing string based SQL Injection vulnerabilities in LIKE clauses when crawler can’t find the correct search string. This issue …

Engines & Exploitation

  • Experimental Second Order SQL Injection support added. Doesn’t support confirmation or exploitation yet.
  • Confirmation added to Permanent Cross-site Scripting Engine
  • SQL Injection Error based confirmation added for PostgreSQL, MySQL and Oracle.
  • SQL Injection Engine was missing string based SQL Injection vulnerabilities in LIKE clauses when crawler can’t find the correct search string. This issue is fixed and works regardless of the found default string.
  • URI Based Cross-site Scripting Confirmation added
  • URI Based issues were reported more than once, this problem fixed
  • LFI Engine and exploitation works better now. Several minor bugs addressed.
  • Many possible SQL Injections issues removed as we are now sure they are not vulnerable
  • XSS Confirmation now bypasses more blacklists
  • Content-Type based XSS detection added and ratings changed
  • Email disclosure check improved
  • Minor bugs addressed in Unix and Windows Internal Path Disclosure issues. Windows Internal Path Disclosure improved.

Proxy

  • Proxy settings moved to global settings
  • Now you can see the active proxy settings in the status bar
  • Invicti now support NTLM, Basic, Digest, Kerberos and Negotiation Authentication for Proxy

GUI

  • New Community menu added for easier access to Invicti Blog and Request a Feature
  • All message boxes use the correct theme now
  • Attack Possibility in the dashboard is now more accurate
  • Some typos and missing tooltips addressed

Form Authentication

  • Several minor bugs addressed and features improved
  • Now it’s possible to use use Form Authentication even when the website requires NTLM, Basic, Digest, Kerberos and Negotiation Authentication as well
  • Now it’s possible to use Form Authentication even when server uses an invalid SSL certificate

Parsers

  • Text parser works better now

Installer

  • Installer simplified
  • Extra checks added for .NET Framework 3.5 SP1 check and installation

Other Fixes & Improvements

  • Extra runtime checking and error handling added for .NET Framework 3.5 SP1 and SQL Server CE dependencies
  • Static and Backup tests weren’t working when Invicti launched from CLI in auto-pilot mode
  • LFI Panel crashes fixed
  • Full HTTP Response added XML Reports
  • XML reports doesn’t show attack parameter anymore if the vulnerability identified passively such as Server Version Disclosure
  • Several other minor bug fixes and improvements

18 May 2015

NEW SECURITY TESTS Form Hijacking Security Checks added Base Tag Hijacking Security Checks added IMPROVEMENTS Added several new backup file checks to improve the coverage Improved the number of combinations that Common Directory checks find Added support for using digits in custom URL rewrite parameter names Added new XSS attack patterns to detect a full …

NEW SECURITY TESTS

  • Form Hijacking Security Checks added
  • Base Tag Hijacking Security Checks added

IMPROVEMENTS

  • Added several new backup file checks to improve the coverage
  • Improved the number of combinations that Common Directory checks find
  • Added support for using digits in custom URL rewrite parameter names
  • Added new XSS attack patterns to detect a full URL vulnerability and remote XSS attacks
  • Added HTTP POST method support for Open Redirection security tests
  • Improved resource finder behavior by falling back to GET requests when HEAD requests are failing
  • Improved detection of XSS vulnerabilities in CSS blocks
  • Improved vulnerability template for Open Redirection vulnerabilities
  • Increased coverage by finding LFI vulnerabilities exposed to file:// protocol
  • Set default maximum vulnerability report limit to 1000 for active engines
  • Improved detection of Remote Code Execution and DoS in HTTP.sys vulnerability

FIXES

  • Fixed a race condition issue which occurs while adding new links on DOM simulation
  • Fixed an InvalidOperationException issue which occurs while trying to apply token parameter values
  • Fixed incorrect parsing of multiple response headers with same name on DOM simulation and DOM XSS attacks
  • Fixed a vulnerability template generation issue where temporary files were being kept on disk
  • Fixed installer to handle .NET framework versions released after 4.5.2
  • Fixed the incorrect description text for SQL Injection security test on scan policy editor dialog
  • Fixed “Maximum 404 Pages to Attack” scan policy option which was previously limiting the maximum page number to 10 no matter what set with this option

18 May 2015

NEW SECURITY CHECKS Added Remote Code Execution and DoS in HTTP.sys (CVE-2015-1635) security check IMPROVEMENTS Improved Auto Complete Enabled vulnerability report by highlighting input name on response viewer Improved Auto Complete Enabled vulnerability report by displaying all the matching input names Improved PCI reporting by adding PCI 3.1 data to vulnerabilities FIXES Fixed the wrong …

NEW SECURITY CHECKS

  • Added Remote Code Execution and DoS in HTTP.sys (CVE-2015-1635) security check

IMPROVEMENTS

  • Improved Auto Complete Enabled vulnerability report by highlighting input name on response viewer
  • Improved Auto Complete Enabled vulnerability report by displaying all the matching input names
  • Improved PCI reporting by adding PCI 3.1 data to vulnerabilities

FIXES

  • Fixed the wrong highlighting of selected row on custom URL rewrite rule editor while testing rules

18 May 2015

NEW SECURITY CHECKS Added RSA Private Key Detected vulnerability check IMPROVEMENTS Improved Credit Card Disclosure detection Reporting cookie name in “Cookie values used in Anti-CSRF token” issue Improved “Delegated event” simulation in DOM Parser Improved comment order in knowledgebase by displaying comments having sensitive keywords first Improved the wording at “ViewState is not Encrypted” vulnerability …

NEW SECURITY CHECKS

  • Added RSA Private Key Detected vulnerability check

IMPROVEMENTS

  • Improved Credit Card Disclosure detection
  • Reporting cookie name in “Cookie values used in Anti-CSRF token” issue
  • Improved “Delegated event” simulation in DOM Parser
  • Improved comment order in knowledgebase by displaying comments having sensitive keywords first
  • Improved the wording at “ViewState is not Encrypted” vulnerability report template
  • Improved DOM Parser and DOM XSS by providing the received response headers to JavaScript context
  • Improved Exclude/Include patterns to match parameter names and values in addition to the URL
  • Improved resource finder to accept HTTP 401 and 500 status codes when a hidden resource is discovered
  • Improved logging of regex timeout issues with additional parameter name and URL information
  • Improved reporting API documentation by including more types

FIXES

  • Fixed “Options Method Enabled” vulnerability reporting by adding status code checks
  • Fixed a NullReferenceException issue that occurs when Invicti is started using command line
  • Fixed an encoding issue for parameter names in multipart/form-data requests
  • Fixed an issue related to form authentication verification in which the Continue button is missing on the verification dialog if there is no configured persona
  • Fixed click simulation in custom form authentication scripting by preventing the extra click on elements
  • Fixed an SSL connection issue where the target web server demands only TLS 1.1 or TLS 1.2 protocols
  • Fixed custom data reporting in vulnerability templates by removing the extra space added to the values
  • Fixed custom data reporting in vulnerability templates to get rid of the bullet point if there is only a single custom data
  • Fixed an issue with “Out of Scope” links reported under knowledgebase where the links discovered in DOM Parser are not reported
  • Fixed a report template customization issue where modifying a report template while Invicti is running was causing it to fail during report generation
  • Fixed a multipart/form-data request issue where “filename” attribute was not submitted for file upload parameters
  • Fixed a dashboard issue where the progress bar is stuck on Crawl Only scans even though crawling finishes
  • Fixed a custom URL rewrite bug where rules with multiple numeric parameters were not being matched
  • Fixed custom URL rewrite test interface where only visible rows were being tested before

06 Apr 2015

IMPROVEMENTS Improved coverage of DOM based XSS engine Improved the search on raw response viewer Improved form authentication API click functions to mark/unmark checkbox elements Improved “Insecure transportation security protocol (SSLv3)” vulnerability template Added the page URL and the number of the page as a log to verification dialog while executing custom scripts Added the …

IMPROVEMENTS

  • Improved coverage of DOM based XSS engine
  • Improved the search on raw response viewer
  • Improved form authentication API click functions to mark/unmark checkbox elements
  • Improved “Insecure transportation security protocol (SSLv3)” vulnerability template
  • Added the page URL and the number of the page as a log to verification dialog while executing custom scripts
  • Added the number of custom script pages to the hint on verification dialog and the hint now has a tooltip that displays the custom script code
  • Improved DOM parser to handle both on and off states of checkbox elements
  • Improved the message on cases where File > Import fails due to old scan file format
  • Added TextParserRegexTimeout advanced setting to modify the timeout value of pattern matching in Text Parser
  • Added the request URL as a log to tell which request has a response that matches current logout pattern of form authentication
  • Improved memory handling to prevent Out-of-memory issues during long scans
  • Improved the pattern match logs to be issued once to prevent the clutter

FIXED

  • Fixed a crash that occurs during application close while trying to log a message to UI
  • Fixed report templates to include correct lower-case versions of image file names to display them correctly on case-sensitive OS file systems
  • Fixed a crash in form authentication verification where missing persona causes issues during logout detection
  • Fixed custom script execution in form authentication to skip execution of auto login script on pages where script is deliberately left blank
  • Fixed a few crashes that occur when the custom script window is closed while the page was loading
  • Fixed an issue with logout detection where invalid URLs could be accepted as overridden login required URL
  • Fixed creation of redundant DocumentsNetsparkerCredential folder on new installations
  • Fixed random missing developer tools pane on custom script window
  • Fixed a crash that happens when the form authentication verification dialog is closed during logout keyword detection
  • Fixed several memory issues where redundant object instances were not reclaimed
  • Fixed a memory issue where long parameter values causing large memory allocations
  • Fixed signature generation for URL Rewrite links

06 Apr 2015

BREAKING CHANGES Invicti 4 requires .NET 4.5.2 to run. You must have Windows Vista or Windows Server 2008 or above to install .NET 4.5.2 and use Invicti 4. Form authentication was redesigned and now it is much easier to configure and all automated. If you had login details configured using the previous wizard you need to reconfigure …

BREAKING CHANGES

  1. Invicti 4 requires .NET 4.5.2 to run. You must have Windows Vista or Windows Server 2008 or above to install .NET 4.5.2 and use Invicti 4.
  2. Form authentication was redesigned and now it is much easier to configure and all automated. If you had login details configured using the previous wizard you need to reconfigure them.
  3. The file format of profiles has changed from binary to XML. If you have custom profiles you have to recreate them.
  4. The default profiles shipped with Invicti have been removed. Please use the default Scan Policies instead.
  5. URL Rewrite settings have been moved from Scan Policy to profile settings. Therefore if you have Scan Policies with URL Rewrite configuration create a new custom Profile and configure the URL Rewrite settings in your custom profile.

Should you have any queries or encounter any problems do not hesitate to submit a ticket through our Help Center.

FEATURES

  • Redesigned the “Start a New Scan” dialog window – now it is even easier than before to configure new scans
  • New macro-less form authentication configuration (DOM Based Form Authentication that replaces HTTP Based Form Authentication)
  • Ability to automatically crawl and scan web applications built with Google Web Toolkit (GWT)
  • Added “Incremental Scanning” feature – perform an incremental scan over an existing scan that only attacks to new pages introduced since last scan
  • Added “Retest All” functionality to perform one-click retest on all vulnerabilities found
  • Added support for Remote File Inclusion (RFI) Exploitation
  • Added support for Remote Code Execution via LFI (PHP) Exploitation
  • Added new Executive Summary Report template
  • Added support for importing HTTP Archive (HAR) files

SECURITY CHECKS

Added new security checks in Invicti to identify the below vulnerabilities and security flaws:

  • Cross Frame Scripting vulnerability check
  • Missing Content-Type and X-Content-Type-Options header checks
  • Cross-Origin Resource Sharing check
  • Mixed Content check to detect if a mixed content is loaded over HTTP within an HTTPS page
  • XML External Entity (XXE) Engine
  • File Upload Engine
  • Detection of insecure JSONP endpoints susceptible to attacks like Rosetta Flash
  • Misconfigured Access-Control-Allow-Origin header
  • Credit Card Disclosure

IMPROVEMENTS

  • Improved DOM XSS attack patterns
  • Increased coverage for Open Redirection vulnerabilities
  • Improved Internal Path Disclosure detection patterns for Windows and *nix
  • Improved Connection String detection to cover more cases and run faster
  • Imported links are now displayed in a list on Start a New Scan Dialog and selected links can be removed
  • Internal Path Disclosure (*nix) checks have been improved by excluding paths found in JavaScript and CSS files
  • Improved sensitive keyword list for Comments Knowledge base item
  • Reporting cookie attributes like Secure, HttpOnly, etc. in Cookies Knowledge base item
  • Current user-agent string set in scan policy settings is now being used during DOM simulation and DOM XSS attacks
  • Improved attacking for URLs with multiple parameters by also attacking with empty parameter values
  • Improved wording for Auto Complete Enabled vulnerability template
  • Improved Open Redirect detection to include redirects performed by JavaScript code
  • Added an option to perform DOM simulation when necessary in Open Redirect engine
  • Reduced the number of requests made to detect Not Found pages
  • Included Static Resource Finder requests in activity pane
  • Improved CVS file detection pattern
  • Improved the error message displayed on start up to provide more details
  • Improved Retest feature to perform retests for singular engine vulnerabilities like ASP Debug Enabled, OpenSSL Heartbleed Vulnerability, etc.
  • Improved URL encoding to use %20 while encoding space character (Use UsePlusForSpaceEncoding to force encode spaces as plus signs)
  • Separated HTML5 engine checks in scan policy to provide granular selection chance
  • Improved Insecure Transportation Security Protocol Supported (SSLv3) vulnerability template wording
  • Added CWE classification values for SSLv2 and SSLv3 vulnerabilities
  • Added retest support for RoR RCE vulnerabilities
  • Added scan policy settings to ignore certain Content Type values
  • Improved Vulnerability List (XML) report template to include OWASP 2013 classifications for vulnerabilities
  • Improved user interface to display Browser View tab and hide Vulnerability tab when selected Sitemap node is not a vulnerability
  • Exposed Signature property for Vulnerability instances in Reporting API
  • Added classification information for Possible Reflected File Download vulnerability
  • Added timeout support for regex pattern execution to prevent hangs on exceptional responses (timeout value can be modified using SignatureRegexTimeout Advanced Setting)
  • Changed request timeout setting’s unit from milliseconds to seconds in the policy setting UI
  • Improved SSN detection
  • Improved link parsing in Text Parser
  • Added HTTP method and attack parameter names to activity pane
  • Improved LFI confirmation using web.config file
  • Added extra GET requests for the ones having non-GET HTTP methods
  • Added referer checks for DOM XSS
  • Improved binary detection for font requests
  • Added Nginx configuration information for HSTS Not Enabled vulnerability template
  • Improved GIT detected vulnerability template
  • Auto save message is now displaying the time scan is saved
  • Revised Interesting Headers list to filter some well-known headers
  • Added form name and action as custom field in CSRF engine
  • Improved the error message text shown when a PDF report cannot be overwritten
  • Added Save button to save changes on current profile
  • Added attack pattern to find an SQL injection vulnerability in MySQL limit clause (version >= 5)
  • Added attack pattern to find an LFI vulnerability in Rails (CVE-2014-0130)
  • Improved how disk full cases are handled during a scan
  • Improved the order of how vulnerabilities are listed in reports
  • Improved phpMyAdmin detection
  • Improved Stack Trace Disclosure (Java) detection

FIXES

  • Fixed Content-Type header parsing where any quotes should be removed from charset attribute
  • Fixed an encoding issue with an RFI attack pattern affecting Full Query String and Referer attacks
  • Fixed a hang occurs while performing SSL analyze on sites with some cipher suites
  • Fixed parameter encoding issue in Reverse Shell feature
  • Fixed a space character encoding issue in exploit generation
  • Fixed the generated code in exploits to include calls to alert function instead of invicti function
  • Fixed an encoding bug in RFI attacks to a URL with URL rewrite configuration
  • Fixed an issue that crashes Invicti if a Standard edition license contains an invalid URL
  • Fixed a crash in URL rewrite pattern which occurs when invalid regex patterns are entered
  • Fixed DOM parser simulation to select non-default values in select elements
  • Fixed retest to detect vulnerabilities requiring late confirmation (Blind Command Injection, Blind SQL Injection, etc.)
  • Fixed an issue where WebDav engine could not perform a retest correctly
  • Fixed a bug in email disclosure vulnerability where duplicate emails were being displayed
  • Fixed the tooltip on Add New client certificate button by correcting the supported file extension
  • Fixed the decoding issue with UTF-16 responses where text response is recognized as binary
  • Fixed duplicate confirmation issue during retest
  • Fixed the performance issue with Custom Cookies text box to handle large values
  • Fixed an issue with Tab key when the focus is on a list and does not move away to next control
  • Fixed a bug related with Excluded/Included Links where the values are getting back to default when all values are deleted
  • Fixed the Start Scan button text when Pause Scan After Crawling is checked
  • Fixed the configuration sample in Tomcat Directory Listing vulnerability template
  • Fixed an issue with importers where the HTTP methods like PUT, DELETE, etc. of requests are not preserved
  • Fixed an issue with cookie parsing where a Version = 1 cookie with an explicit domain which doesn’t start with a dot was being ignored
  • Fixed issues with Version = 1 cookies
  • Fixed an issue where confirmation is done with an incorrect signature in Expression Language Injection engine
  • Fixed a hang in Text Parser caused by a large base64 encoded image in page source code
  • Fixed a DOM XSS performance issue on pages using custom fonts
  • Fixed an issue of hanging requests in activity pane when a JSON/XML request fails for intrusive engines
  • Fixed trimmed activity duration in activity pane for large values
  • Fixed a StackOverflowException thrown by LFI exploitation
  • Fixed an issue with PDF report generation when the HTML report does not have a .htm file extension
  • Fixed a bug with Controlled Scan where the scan policy used during the scan should not prevent user to perform checks that are not in the policy
  • Fixed a bug in Detailed Scan Report where DOM XSS engine is not displayed as enabled
  • Fixed a bug occurs when Invicti tries to read the URL from clipboard and clipboard is open by another application
  • Fixed trimmed security test names in controlled scan
  • Fixed a bug where the max number of parameters to attack is not handled correctly
  • Fixed a bug in DOM simulation to provide correct target element when events are simulated
  • Fixed a bug in Scan Policy editor occurs by ignoring changes while clicking tabs on left
  • Fixed a cookie parsing bug occurs when port attribute value is not quoted
  • Fixed the refresh issue on Knowledgebase issues where the expand states are now preserved between refreshes
  • Fixed a cookie parsing bug where cookies were stopped being parsed in case of an empty Set-Cookie header
  • Fixed a scan file creation issue on systems where the Windows Documents folder is located on a network location
  • Fixed a log message issue reporting when Find Hidden Resources finishes
  • Fixed a high DPI text issue on Retest message dialog
  • Fixed a cookie parsing issue when Expires attribute contains a comma
  • Fixed a link parsing issue where parameters with empty names are added
  • Fixed a bug in Crawled URL List report where URLs discovered by Static Resource Finder are not listed
  • Fixed a bug in automated command line scans where interrupting and starting a new scan through UI asks for exit confirmation

18 Mar 2015

Read the blog post for more details about this version NEW FEATURES Encoder Custom Reporting API New Security Tests Confirmation for RCE Confirmation for CI via LFI.

Read the blog post for more details about this version

NEW FEATURES

  • Encoder

  • Custom Reporting API

  • New Security Tests

  • Confirmation for RCE

  • Confirmation for CI via LFI.