Changelogs

Invicti Standard

11 Apr 2016

FIXES

  • Fixed an exception that happens when reordering form values.
  • Fixed the hidden URL text box on custom URL rewrite settings.
  • Fixed the clipped automatic update notification label.

08 Apr 2016

NEW FEATURES

  • Added Proof of Concept generation for the CSRF vulnerability.
  • Added Parameter-Based Navigation settings to better crawl and attack parameters that are used for website navigation.
  • Added a new crawling option in the Scan Policy that allows users to add new extensions for the crawler to parse.

NEW SECURITY TESTS

  • Added Missing X-XSS-Protection Header vulnerability check.
  • Added Video.js JavaScript library detection.
  • Added Critical Form Send to HTTP vulnerability check.
  • Added Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability check.

IMPROVEMENTS

  • Added the Smart DFS feature to the DOM Parser, which uses a similarity heuristic for DOM elements to avoid scanning the same or similar parameters multiple times.
  • Added license load option to Help menu.
  • Improved “Not Found Analyzer” to better handle binary responses and long strings.
  • Changed the default settings of JIRA Send to Action for better out of the box support.
  • Added a link to the proof URL for XSS vulnerabilities.
  • Added link generation to Text Parser for all select element options.
  • Improved the DOM parser to skip redirect responses.
  • Added an option to allow the user to move the Invicti data directory to a different location.
  • Improved the DOM parser to use the input value for auto-suggest simulation when input is not in a form.
  • Added support for modifying asynchronous JavaScript executions in order to increase DOM Parser coverage.
  • Improved relative link parsing on JavaScript files.
  • Improved the coverage of file upload security checks.
  • Improved the coverage of XSS security checks.

FIXES

  • Fixed an issue where LFI attack patterns are reported as internal path disclosure.
  • Fixed the incorrect raw response representing SSL connections.
  • Fixed an issue where forms containing ignored parameters are not reported as CSRF vulnerability.
  • Fixed a case where the change events of dynamically generated HTML option elements were not being triggered.
  • Fixed cross-domain document access errors on DOM parser and XSS scanner.
  • Fixed an issue where a JSON request’s method was incorrectly recognized as POST rather than GET.
  • Fixed a retest issue where a vulnerability is reported as fixed incorrectly.
  • Fixed form values target setting to use Name as the default value when a Target is not selected.
  • Fixed an issue related with JavaScript “Load Preset Values” combo where selecting a preset value may revert the combo value to “(Custom)”.
  • Fixed a file extension parsing issue related with File Extension List knowledgebase item.
  • Fixed a hang that occurs while performing JavaScript library checks.
  • Fixed a custom form authentication API issue where the “ns” namespace was conflicting with a global variable on the target web site (the authentication API has been moved to the “invicti” namespace, preserving “ns” for backward compatibility).
  • Fixed a DOM Parser and XSS scanner bug that incorrectly follows redirects.
  • Fixed misplaced certainty label on vulnerability details for trial editions.
  • Fixed an ObjectDisposedException that occurs on the trial edition when you press the Escape key several times during application load.
  • Fixed a resource deployment issue that occurs on Invicti installations with a custom application data path.
  • Fixed a form values issue where empty form values incorrectly set default values for parameters.
  • Fixed an issue where trying to set Connection request header fails.

17 Mar 2016

IMPROVEMENTS

  • Increased severity of “Insecure Transportation Security Protocol Supported (SSLv2)” vulnerability to “Important”
  • Added support for adding several more request headers including the “Host” header

FIXES

  • Fixed a bug related to VDB update process where a computer with no internet access may not get newer VDB updates even when it is updated using the offline installer

09 Mar 2016

SECURITY CHECKS

  • Added “HSTS (HTTP Strict Transport Security) Not Enabled” security checks
  • Added various checks being reported with “HTTP Strict Transport Security (HSTS) Errors and Warnings”
  • Added version checks for OpenCart web application

IMPROVEMENTS

  • Improved JavaScript/DOM simulation and DOM XSS attacks
  • Added “Form Values” support for JavaScript/DOM simulation and DOM XSS attacks
  • Rewritten HSTS security checks
  • Added evidence information to vulnerabilities list XML report
  • Improved out-of-date reports for applications/libraries that have multiple active stable branches (e.g. jQuery 1.x and 2.x)
  • Added the file name information for the local file inclusion evidence
  • Added support for specifying client certificate authentication certificate for manual crawling
  • Added source code to vulnerability details for “Source Code Disclosure” vulnerabilities
  • Added “Custom Not Found Analysis” activities to UI
  • Improved “Open in Browser” for XSS vulnerabilities and produced a vulnerable link with alert function
  • Improved Heuristic URL Rewrite implementation to detect more patterns and increase crawling efficiency
  • Improved the performance of DOM simulation by aggressively caching external requests
  • Improved the performance of DOM simulation by caching web page responses
  • Improved the performance of DOM simulation by blocking requests to known ad networks
  • Improved minlength and maxlength support for form inputs so that a value of an appropriate length is set
  • Added support for matching inputs by label and placeholder texts on form values
  • Improved the vulnerability description on out-of-date cases where identified version is the latest version
  • Added database version, name and user proof for SQL injection vulnerabilities
  • Improved the loading performance of Start New Scan dialog
  • Added support for reordering form values to denote precedence
  • Optimized the attacks with multiple parameters to reduce the number of attacks
  • Added “Identified Source Code” section for “Source Code Disclosure” vulnerabilities

FIXES

  • Fixed an out of disk space issue which occurs while writing logs
  • Fixed the “scan will be paused” warning for a scan that is already paused
  • Fixed the toggle state of proxy toolbar button on cases when the operation is canceled
  • Fixed an issue where cookies were not read during form authentication verification when the Set-Cookie response header is empty
  • Fixed an issue on the sitemap tree where results were still populating even though the scan pauses after crawling
  • Fixed an issue where requests that time out did not display any details on the “HTTP Request / Response” tab
  • Fixed an issue with client certificate authentication where the client certificate may be sent to external hosts while making HTTP requests
  • Fixed cases where Invicti was making requests to addresses that are generated by its own attacks
  • Fixed an issue where crawling activity is not shown on the UI when the crawling activity is retried
  • Fixed an issue where the elapsed time stops when the current scan is exported
  • Fixed an issue with JavaScript library version detection where wrong version is reported if the path to JavaScript file contains digits
  • Fixed missing AJAX requests on knowledgebase while doing manual crawling
  • Fixed the issue of unsigned eowp.exe shipped with installer
  • Fixed an ArgumentOutOfRangeException that occurs on the schedule dialog when a report template with an incorrect file name exists
  • Fixed an issue where the stacked severity bar chart on “Detailed Scan Report” was split and overflowed to the second page
  • Fixed the HSTS engine where an http:// request may cause the current session cookie to be lost
  • Fixed an issue where links extracted by TextParser from a JavaScript file were not resolved relative to the main document
  • Fixed an issue where delegated events added to the DOM after load time were not simulated
  • Fixed the issue where hidden resource requests made by Invicti are displayed on out of scope knowledgebase
  • Fixed the issue with automatic SSL protocol fallback which attempts the fallback even if the current security protocol is the same as the fallback value
  • Fixed an issue where the “Strict-Transport-Security” header was reported as “Interesting Header”
  • Fixed some Korean vulnerability templates that were incorrectly formatted
  • Fixed the broken HIPAA classification link

03 Mar 2016

Improvements

  • Added “DROWN Attack” reporting

03 Mar 2016

Fixes

  • Fixed an issue that causes auto update process to hang after restarting Invicti for the update

29 Jan 2016

Bug Fixes

  • Fixed an issue with form authentication verification dialog where you may get a blank web page on left
  • Fixed a cookie parsing issue where Invicti may fail to read some cookies on HTTP responses

28 Jan 2016

IMPROVEMENTS

  • Improved support for Single Page Applications (SPA) by rewriting the DOM parser
  • Improved DOM Parser and DOM XSS performance
  • Added icons to scan policy combo box to denote optimized platforms for policies
  • Improved Korean language support
  • Attached proof for the blind SQLi vulnerabilities
  • Added “Proofs” knowledge base nodes
  • Removed out of scope links from URL rewrite report
  • Added HTTP response status code 308 to list of redirect status codes
  • Added link to TFS API download page for Send To extension
  • Added Crawling and Scan Performance knowledge base nodes
  • Eliminated web application fingerprinter’s meta tag requests by re-using crawled link response
  • Improved performance of the email disclosure detection pattern significantly
  • Added automatic exploitation for Boolean and Blind SQL Injection vulnerabilities
  • Added .svg to default set of ignored extensions
  • Removed DOM XSS security checks from default built-in policy
  • Added a new built-in scan policy that includes DOM XSS security checks
  • Added a new scan policy setting section for JavaScript related settings
  • Removed outdated PCI 2.0, PCI 3.0 and OWASP Top Ten 2010 classifications and report templates

Bug Fixes

  • Fixed a NullReferenceException which could occur while editing a custom policy
  • Fixed a bug that occurs when a proof is empty
  • Fixed the horizontal scroll bar that is shown while adding a new URL rewrite parameter
  • Fixed an issue with comparison report where two reports were showing the same date even if the latter one has been retested
  • Fixed a FileNotFoundException that occurs while caching DOM requests
  • Fixed a ThreadInterruptedException thrown by the DOM XSS scanner while trying to close the application
  • Fixed an UnauthorizedAccessException that occurs while cleaning the scan temporary directory
  • Fixed the explanation text for Entered Path and Below scope
  • Fixed the SSL/TLS fallback code to cover more HTTPS web sites
  • Fixed a CannotUnloadAppDomainException that occurs while trying to close the form authentication verifier dialog
  • Fixed an out of date JavaScript library version issue where the identified version was greater than Invicti’s latest known version
  • Fixed the slow performance issue which occurs when “Automatically Detect Settings” proxy setting is enabled
  • Fixed the broken proceed button on trial popup dialog
  • Fixed an out of date JavaScript library version issue where version value cannot be captured
  • Fixed an issue with OWASP reports where vulnerabilities in same category were not being grouped together
  • Fixed a not found detection issue where redirect analysis fails on redirect cases
  • Fixed a broken compatibility issue which occurs while loading scan files exported with previous versions

28 Dec 2015

FIXES

  • Fixed a NullReferenceException which could occur while editing a custom policy
  • Fixed a bug that occurs when a proof is empty

18 Dec 2015

FEATURES

  • Added Windows 10 support
  • Added the Scan Policy Optimizer
  • Added automatic configuration of URL rewrite rules
  • Added automated evidence collection to several confirmed vulnerabilities
  • Added Korean language option for application user interface (currently in beta)
  • Added support for detecting outdated versions of several popular JavaScript client-side libraries
  • Added HIPAA compliance report template
  • Added syntax …

NEW SECURITY CHECKS

  • Added Windows Short File Name security checks
  • Added several new backup file checks
  • Added web.config pattern for LFI checks
  • Added boot.ini pattern for LFI checks
  • Added a signature which checks against a passive backdoor affecting vBulletin 4.x and 5.x versions
  • Added a signature which checks against an error message generated by regexp function at MySQL database
  • Added DAws web backdoor check
  • Added MOF Web Shell backdoor check
  • Added RoR database configuration file detection
  • Added RoR version disclosure detection
  • Added RoR out-of-date version detection
  • Added RoR Stack Trace Disclosure
  • Added RubyGems version disclosure detection
  • Added RubyGems out-of-date version detection
  • Added Ruby out-of-date version detection
  • Added Python out-of-date version detection
  • Added Perl out-of-date version detection
  • Added RoR Development Mode Enabled detection
  • Added Django version disclosure detection
  • Added Django out-of-date version detection
  • Added Django Development Mode Enabled detection
  • Added PHPLiteAdmin detection
  • Added phpMoAdmin detection
  • Added DbNinja detection
  • Added WeakNet Post-Exploitation PHP Execution Shell (WPES) detection
  • Added Adminer detection
  • Added Microsoft IIS Log File detection
  • Added Laravel Configuration File detection
  • Added Laravel Debug Mode Enabled detection
  • Added Laravel Stack Trace Disclosure
  • Added S/FTP Config File detection

IMPROVEMENTS

  • Several performance improvements to reduce memory usage
  • Improved credit card detection to eliminate false positives
  • Rewrote the HTTP cookie handling code from scratch to conform to the latest RFCs, which modern browsers also follow
  • SSL cipher support check code has been rewritten to support more cipher suites
  • SSL checks are now made for target URLs even when protocol is HTTP
  • Improved logging code to decrease the performance overhead
  • Updated embedded chrome based browser engine to version 41
  • Improved logging when an error occurs if Invicti was started from command line with arguments
  • Added more ignored parameters for ASP.NET web applications
  • Improved JIRA send to action to support both old and new versions
  • Added activity details for singular security checks (SSL, Heartbleed, etc.) on scan summary dashboard
  • Improved authentication verifier to include keywords from alt and title attributes
  • Improved scan policy versioning where new security checks are automatically included or excluded by default on existing scan policies
  • Improved out-of-date vulnerability reporting on XML vulnerability list report to include references and affected versions elements
  • Improved LFI pattern that matches win.ini files
  • Improved XSS coverage by adding an attack pattern for email inputs which require an @ character
  • Improved cookie vulnerability details to show all cookies that are not marked as Secure or HttpOnly
  • Added descriptions for advanced settings
  • Improved out-of-date vulnerability templates by including severity information of vulnerabilities for that version of software
  • Improved out-of-date vulnerability reporting by increasing the severity of the vulnerability if that version of software contains an important vulnerability
  • Increased static resource finder limit from 75 to 100
  • Added several text parser settings to advanced settings
  • Improved Ruby version disclosure detection
  • Improved SQL injection vulnerability template by adding remedy information for more development environments
  • Improved common directory checks by adding more known directory names
  • Updated default user agent
  • Improved the default Anti-CSRF token name list
  • Improved database error messages vulnerability detection for Informix
  • Added new XSS attack pattern for title tag in which JavaScript execution is not possible
  • Improved XHTML attacks to check against XSS vulnerabilities
  • Missing Content-Type vulnerability is no longer reported when the response status code is 304
  • Optimized confirmation of Boolean SQLi
  • Added exploitation for Remote Code Evaluation via ASP vulnerability
  • Revamped DOM based XSS vulnerability detail with a table showing XPath column
  • Changed SQLi attack patterns specific to MSSQL database with shorter ones
  • Improved SQLi attack pattern which causes a vulnerability in LIMIT clauses specific to MySQL database
  • DOM simulation is now turned off for hidden input types, which caused false-positive confirmed XSS vulnerabilities
  • Improved the “Name” form value pattern to match more inputs
  • Improved confirmation of Expression Language Injection vulnerability
  • Improved Frame Injection vulnerability details
  • Added .phtml extension to detect code execution via file upload
  • Improved blind SQL injection detection on some INNER JOIN cases
  • Improved external references section of “Remote Code Evaluation (PHP)” vulnerability
  • Added retest support for several vulnerability types
  • Improved import link user interface
  • Improved CSRF engine
  • Installer links are now displayed in cases where auto update fails or auto updating is not possible
  • Improved Apache Tomcat detection patterns
  • Improved the message on “Reset to Defaults” dialog
  • Added severity column for Vulnerabilities List (CSV) report template
  • Increased the number of sensitive comments reported
  • Added exploitation support for “RCE via Perl” vulnerability
  • Added project selection to FogBugz send to action
  • Improved the text parser
  • Added the total number of attack counts per parameter for current scan policy to scan policy editor dialog
  • Added the passive engine names which are currently running to scan summary dashboard
  • Added separate checks in scan policy for each supported web app fingerprint application

FIXES

  • Fixed Extensive Security Checks policy to enable DOM simulation for open redirection
  • Fixed Extensive Security Checks policy to enable Prepend Original Value for XSS security tests
  • Fixed authentication verifier to omit empty keywords for keyword based authentication
  • Fixed authentication verifier to omit keywords longer than 200 characters for keyword based authentication
  • Fixed authentication verifier to omit keywords containing null bytes for keyword based authentication
  • Fixed URL rewrite analysis to respect case sensitivity settings
  • Fixed a form authentication issue where image submit elements were not clicked
  • Fixed the send to extension context menu, which did not focus the Extensions section when the Options dialog is opened
  • Fixed a form authentication verification issue which may crash when the username and/or password is empty
  • Fixed a manual crawling issue where the proxy was left open when you start a regular scan after manual crawling
  • Fixed custom reporting sample code in the user manual to match the latest reporting API
  • Fixed an issue that occurs when the HTTP response body starts with a Unicode BOM
  • Fixed Open Redirect security checks so that DOM based checks are not performed if DOM checks are turned off
  • Fixed Fiddler logging where form authentication requests were not being captured
  • Fixed the static resource finder where it was not following a redirect if only the protocol portion of a URL changes
  • Fixed the Start a New Scan dialog where the Schedule Scan dialog was always shown when you first try to schedule a scan
  • Fixed an issue where DOM simulation hangs if a rogue JavaScript call enters an endless loop
  • Fixed slow XSS highlights on some responses
  • Fixed disk space detection for cases when there is no space left on the disk where the Invicti documents folder resides
  • Fixed the issue on Start a New Scan dialog where some check box values were not restored correctly
  • Fixed a bug where Full-Url LFI attack which is specific to Ruby-on-Rails applications could not be confirmed
  • Fixed a bug where XSS vulnerability could not be confirmed when injection occurs in the middle of a CSS style
  • Fixed a bug where generated XSS exploit did not work due to incorrect encoding
  • Fixed a bug where a false-positive file upload vulnerability was reported
  • Fixed a bug where the maximum number of hard fails prevented the next scan from making HTTP requests
  • Fixed a “Missing Content-Type” reporting issue where redirected responses should not be reported
  • Fixed an issue where Set-Cookie response headers were merged in response viewers
  • Fixed an issue where send failures were not being handled while making HTTP requests
  • Fixed credit card reporting issue where the value specified in default form values section should not be reported
  • Fixed the trimmed parameter name issue on controlled scan pane
  • Fixed ignore vulnerability issue function where it was not working for comparison reports
  • Fixed documentation for nginx vulnerability template that tells how to fix the issue
  • Fixed HSTS support for form authentication HTTP requests
  • Fixed a bug which prevents attacks from resuming when an existing session is imported
  • Fixed the issue of HttpRequests.saz file being truncated when a scan is resumed after import
  • Fixed fiddler log file saving issue where chunked response bodies were not being saved correctly
  • Fixed a URI parsing issue where non-HTTP(S) protocols are ignored
  • Fixed a DOM XSS scanner issue that crashes Invicti when a long URL is parsed
  • Fixed a bug where an attribute based attack could not be confirmed as XSS
  • Fixed a bug where an injection with “javascript:” protocol for XSS attacks occurs after a new line
  • Fixed a bug where exploitation goes into loop and causes an unresponsive UI for error based SQLi
  • Fixed a bug where redirection happens relatively and reported as Open Redirect vulnerability
  • Fixed an issue where importing links to an existing profile with imported links was failing
  • Fixed a generated report name issue where an extra .htm extension was added to the report file when run from the command line
  • Fixed an unhandled ArgumentException raised from permanent XSS detection
  • Fixed the issue that Invicti hangs with a confirmation dialog upon scan completion when started with the /auto command line parameter
  • Fixed an issue where a Groovy RCE is reported as Perl RCE
  • Fixed an issue where a scan started with the Scan Imported Links option was attacking links that were not imported
  • Fixed an issue where retest request is started with the attacked value and causes a vulnerability creation in a different injection point
  • Fixed a WSDL parsing issue where reference parameters were not handled
  • Fixed a WSDL parsing issue where XML types were not handled
  • Fixed a visual bug where “Security Check Groups” description text was clipped
  • Fixed a bug where illegal characters were causing invalid XML reports
  • Fixed an issue where RCE Perl exploitation could not be performed due to incorrect encoding
  • Fixed an issue with auto complete input reporting where highlighting was not correct
  • Fixed an issue with web app fingerprinting where pausing the scan was not pausing it
  • Fixed an issue that occurs during form authentication with an HSTS site that redirects to a URL with the http protocol
  • Fixed a form authentication configuration issue where both keyword based and redirect based logout detection pattern could be configured
  • Fixed a bug where the hash is reported incorrectly in a DOM based XSS vulnerability
  • Fixed the misleading content in basic authentication over clear text vulnerability

26 Jun 2015

IMPROVEMENTS

  • Increased the DomParserLoadUrlTimeout and DomParserSimulationTimeout values to handle unresponsive request cases
  • DomParserLoadUrlTimeout and DomParserSimulationTimeout are now modifiable through the scanner’s advanced settings
  • Added Override Target URL with authenticated page form authentication option to support web sites which require dynamic Target URLs generated post-authentication (scanner will authenticate prior to accessing target URL)
  • Improved resource finder checks for websites which have custom 404 pages
  • Increased the default value of the Maximum 404 Signature setting to store more signatures
  • Improved timeout calculation for vulnerability checks which require late confirmation

FIXES

  • Fixed a DOM simulation issue where not all delegated events on an element were being called
  • Fixed a Heartbleed security check issue where it was causing the crawling phase to be stalled

18 May 2015

Engines & Exploitation

  • Experimental Second Order SQL Injection support added. Doesn’t support confirmation or exploitation yet.
  • Confirmation added to Permanent Cross-site Scripting Engine
  • SQL Injection Error based confirmation added for PostgreSQL, MySQL and Oracle.
  • SQL Injection Engine was missing string based SQL Injection vulnerabilities in LIKE clauses when crawler can’t find the correct search string. This issue is fixed and works regardless of the found default string.
  • URI Based Cross-site Scripting Confirmation added
  • URI Based issues were reported more than once; this problem is fixed
  • LFI Engine and exploitation works better now. Several minor bugs addressed.
  • Many possible SQL Injections issues removed as we are now sure they are not vulnerable
  • XSS Confirmation now bypasses more blacklists
  • Content-Type based XSS detection added and ratings changed
  • Email disclosure check improved
  • Minor bugs addressed in Unix and Windows Internal Path Disclosure issues. Windows Internal Path Disclosure improved.

Proxy

  • Proxy settings moved to global settings
  • Now you can see the active proxy settings in the status bar
  • Invicti now supports NTLM, Basic, Digest, Kerberos and Negotiate authentication for the proxy

GUI

  • New Community menu added for easier access to Invicti Blog and Request a Feature
  • All message boxes use the correct theme now
  • Attack Possibility in the dashboard is now more accurate
  • Some typos and missing tooltips addressed

Form Authentication

  • Several minor bugs addressed and features improved
  • Now it’s possible to use Form Authentication even when the website also requires NTLM, Basic, Digest, Kerberos or Negotiate authentication
  • Now it’s possible to use Form Authentication even when server uses an invalid SSL certificate

Parsers

  • Text parser works better now

Installer

  • Installer simplified
  • Extra checks added for .NET Framework 3.5 SP1 check and installation

Other Fixes & Improvements

  • Extra runtime checking and error handling added for .NET Framework 3.5 SP1 and SQL Server CE dependencies
  • Fixed Static and Backup tests, which weren’t working when Invicti was launched from the CLI in auto-pilot mode
  • LFI Panel crashes fixed
  • Full HTTP Response added to XML reports
  • XML reports no longer show the attack parameter if the vulnerability was identified passively, such as Server Version Disclosure
  • Several other minor bug fixes and improvements