18 Mar 2015
Read the blog post for more details about this version
NEW WEB SECURITY TESTS
-
Scanning of parameters in URLs
-
Nginx web server Out-of-date version check
-
Perl possible source code disclosure
-
Python possible source code disclosure
-
Ruby possible source code disclosure
-
Java possible source code disclosure
-
Nginx Web Server identification
-
Apache Web Server identification
-
Java stack trace disclosure
NEW FEATURES
-
Chrome based web browser engine for DOM parsing
-
URL rewrite rules configuration wizard to scan parameters in URLs
-
“Ignore Vulnerability from Scan” option to exclude vulnerabilities from reports
IMPROVEMENTS
-
Improved the correctness and coverage of Remote Code Execution via Local File Inclusion vulnerabilities
-
Improved cross-site scripting vulnerability confirmation patterns
-
Added support for viewing JSON arrays in document roots in request/response viewers
-
Added support for Microsoft Office ACCDB database file detection
-
Improved DOM parser to exclude non-HTML files
-
Improved PHP Source Code Disclosure vulnerability detection
-
Improved Nginx Version Disclosure vulnerability template
-
Improved IIS 8 Default Page detection
-
Improved Email List knowledgebase report to include generic email addresses
-
Improved Configure Form Authentication wizard by replacing embedded record browser with a Chrome based browser
-
Improved the form authentication configuration wizard to handle cases where Basic/NTLM/Digest is used in conjunction with Form Authentication
-
Added a cross-site scripting attack pattern which constructs a valid XHTML in order to trigger the XSS
-
Added double encoded attack groups in order to reduce local file inclusion vulnerability confirmation requests
-
Added status bar label which displays current VDB version and VDB version update notifications
-
Added login activity indicator to Scan Summary Dashboard
-
Added a new knowledgebase out-of-scope reason for links which exceed maximum depth
-
Updated external references in cross-site scripting vulnerability templates
-
Improved DOM parser by providing current cookies and referer to DOM/JavaScript context
-
Added several new DOM events to simulate including keyboard events
-
Improved the parsing of “Anti-CSRF token field names” setting by trimming each individual token name pattern
-
Added support for simulating DOM events inside HTML frames/iframes
-
Consolidated XSS exploitation function name (invicti()) throughout all the areas reported
-
Removed redundant semicolon followed by waitfor delay statements from time based SQLi attack patterns to bypass more blacklistings
-
Changed default user-agent string to mimic a Chrome based browser
-
Improved LFI extraction file list to extract files from target system according to detected OS
-
Removed outdated PCI 1.2 classifications
BUG FIXES
-
Fixed indentation problem of bullets in knowledgebase reports
-
Fixed path disclosure reports in MooTools JavaScript file
-
Fixed KeyNotFoundException occurs when a node from Sitemap tree is clicked
-
Fixed NullReferenceException thrown from Boolean SQL Injection Engine
-
Fixed an issue in WebDav Engine where an extra parameter is added when requesting with Options method
-
Fixed a bug where LFI exploitation does not work for double encoded paths
-
Fixed a bug in Export file dialog where .nss extension isn’t appended if file name ends with a known file extension
-
Fixed a bug in Configure Form Authentication wizard where the number of scripts loaded shows incorrectly
-
Fixed a bug which occurs while retesting with CSRF engine
-
Fixed a bug where retest does not work after loading a saved scan session
-
Fixed a bug where Invicti reports out of date PHP even though PHP is up to date
-
Fixed a UI hang where Invicti tries to display a binary response in Browser View tab
-
Fixed an ArgumentNullException thrown when clicking Heartbleed vulnerability
-
Fixed a bug where Invicti makes requests to DTD URIs in XML documents
-
Fixed a bug in Scan Policy settings dialog where list of user agents are duplicated
-
Fixed a typo in ViewState MAC Not Enabled vulnerability template
-
Fixed a bug in auto updater where the updater doesn’t honour the AutoPilot and Silent command line switches
-
Fixed XSS exploit generation code to handle cases where input name is “submit”
-
Fixed a bug that prevents invicti.exe process from closing if you try to close Invicti immediately after starting a new scan
-
Fixed a UI hang happens when the highlighted text is huge in response source code
-
Fixed issues with decoded HTML attribute values in text parser
-
Fixed session cookie path issues according to how they are implemented in modern browsers
-
Fixed scan stuck at re-crawling issue for imported scan sessions
-
Fixed highlighting issues for possible XSS vulnerabilities
-
Fixed a crash due to empty/missing URL value for form authentication macro requests
-
Fixed a NullReferenceException in Open Redirect Engine which occurs if redirect response is missing Location header
-
Fixed an error in authentication macro sequence player happens when the request URI is wrong or missing
18 Mar 2015
Read the blog post for more details about this version
NEW FEATURE
-
New option available to specify the type of parameter when configuring URL rewrite rules, e.g. numeric, date, alphanumeric
IMPROVEMENTS
-
Improved the performance of the DOM Parser
-
Improved the performance of the DOM cross-site scripting scanner
-
Optimized DOM XSS Scanner to avoid scanning pages with same source code
-
Changed the default HTTP User agent string of built-in policies to Chrome web browser User agent string
-
Improved selected element simulation for select HTML elements
-
Added new patterns for Open Redirect engine
BUG FIXES
-
Fixed a bug in WSDL parser which prevents web service detection if XML comments are present before the definitions tag
-
Fixed a bug in WSDL parser which prevents web service detection if an external schema request gets a 404 not found response
-
Fixed a bug that occurs when custom URL rewrite rules do not match the URL with injected attack pattern and request is not performed
-
Fixed a configure form authentication wizard problem where the web browser does not load the page if the target site uses client certificates
-
Fixed a crash in configure form authentication wizard that occurs when HTML source code contains an object element with data: URL scheme is requested
-
Fixed a bug in DOM Parser where events are not simulated for elements inside frames
-
Fixed a cookie parsing bug where a malformed cookie was causing an empty HTTP response
18 Mar 2015
NEW WEB SECURITY TEST
-
Added Bash Command Injection Vulnerability (Shellshock Bug) check.
NEW FEATURE
-
Added exploitation support for Remote Code Evaluation and Command Injection engines.
FIX
-
Fixed a bug in WSDL parser that crashes application when a type is recursively referenced.
18 Mar 2015
NEW WEB SECURITY TEST
BUG FIXES
-
Fixed a specific issue where generic email addresses were not being reported.
-
Fixed form authentication configuration wizard problem where it couldn’t handle pages with popups.
-
Fixed an issue where Invicti was crashing when the application is closed during report generation.
-
Fixed a crash which occurs on systems where Trebuchet MS font is missing
-
Fixed 2 Heartbleed engine bugs.
09 Mar 2015
BUG FIXES
-
Fixed a bug in custom URL rewrite detection where encoded URL paths are not matched with the provided patterns.
- Fixed a bug that occurs while displaying details of an XSS vulnerability discovered on a redirected page.
09 Mar 2015
BUG FIXES
-
Fixed a critical bug which crashes DOM Parser and DOM XSS processes on Windows 8.1 systems with KB3000850 update installed
-
Fixed a bug in recrawler where the current concurrent connection count isn’t honored
-
Fixed a bug in multipart/form-data parser to read parameter names with semicolons correctly
-
Fixed a bug in multipart/form-data parser to recognize the request body even if there are no parameters present
-
Fixed a bug where a form with multipart/form-data encoding type is incorrectly parsed with a POST method rather than a GET
-
Fixed an issue with DOM Parser to better simulate radio/check boxes with click event handlers attached
-
Fixed an issue with HTTP request parser to recognize the correct HTTP method with POST requests containing an empty request body
-
Fixed an issue where Content-Length header is not set to 0 with empty request bodies
-
Fixed an issue where some requests discovered using DOM Parser with POST HTTP method are recognized as GET requests
-
Fixed an issue with ASP.NET View State response viewer to show the View State data on cases where id attribute of input tag is missing
- Fixed an ASP.NET View State parser issue occurs while reading .NET 1.x View States