v23.7.0.41392 - 19 Jul 2023
This release includes new improvements and fixes. We improved logout detection for OAuth2 websites, and implemented several fixes.
Features
- Added Diana.jl support for GraphQL Library Detection
- Added Hot Chocolate support for GraphQL Library Detection
- Added Zero Day Vulnerability for MOVEit Software
Improvements
- Improved logout detection for OAuth2 authenticated websites
- Improved detection of IT Hit WebDav Server .Net versions
- Improved Internal Path Disclosure detection
- Improved Remediation Advice for Autocomplete Enabled vulnerability
- Improved detection logic for LFI vulnerability
- Improved identification and version disclosure for PopperJS, CanvasJS, and Next.js
- Improved WAF Detection for F5 BIG IP
Fixes
- Fixed issue with scans stopping with the Find & Follow New Links option enabled
- Fixed issue with agent compression of chromium and node files
- Fixed InvalidCastException with REST API
- Fixed ArgumentNullException with Custom Security Checks
- Fixed BLR cannot fill address fields
- Fixed adding some MongoDB vulnerabilities to Knowledge Base report
- Fixed scans unauthenticated after successful authentication verification
- Fixed rare stuck scan issue
- Fixed false positive due to TLS v1.3 not enabled
- Fixed ArgumentNullException during scan launch
- Fixed Authentication Verifier fails creating a new scan while another scan is running
- Fixed GraphQL import OutOfMemoryException
v23.6.0.40861 - 07 Jun 2023
This release includes new security checks, improvements, and fixes. We added security checks for public Docker files, MongoDB, and WordPress. We improved the wordlist for forced browsing and signature detection patterns. We also fixed some bugs.
New security checks
- Added the check for Boolean-based MongoDB injection.
- Added the check for MongoDB Operator Injector.
- Implemented the XML external entity check for IAST.
- Added the ISO/IEC27001:2022 Classification.
- Added the report template and attack pattern to the Out-of-band RCE.
- Added passive check for Lua.
- Added a security check to detect public Docker files.
- Implemented a new engine to identify WordPress themes and Plugins.
- Added new security checks for SAML.
- Added security check for IT Hit WebDAV Server .Net Version Disclosure.
- Added security check for MS Exchange Version Disclosure.
- Added new payloads for Command Injection.
- Added support for PopperJS.
- Added support for CanvasJS.
- Added new security check for the SQLite Database Detection.
- Added new payloads for Header Injection.
- Added new security check for Spring Boot Actuator Detection.
- Added security check for NodeJS Stack Trace Disclosure.
- Added security check for SailsJS and ActionHero Identified.
- Added security check for JetBrains .idea Detected.
- Added security check for GraphQL Stack Trace Disclosure.
- Added security checks for Javascript Libraries.
- Added security checks for Web Application Fingerprinter Engine.
- Added new security checks for WordPress Hello Elementor Theme Detection.
- Added new security checks for WordPress Twenty Twenty-Three Theme Detection.
- Added new security checks for WordPress Twenty Twenty-Two Theme Detection.
- Added new security checks for WordPress Astra Theme Detection.
- Added new security checks for WordPress Twenty Twenty-One Theme Detection.
- Added new security checks for WordPress Twenty Twenty Theme Detection.
- Added new security checks for WordPress OceanWP Theme Detection.
- Added new security checks for WordPress Twenty Seventeen Theme Detection.
- Added new security checks for WordPress Kadence Theme Detection.
- Added new security checks for WordPress Twenty-Sixteen Theme Detection.
- Added new security checks for WordPress Twenty Nineteen Theme Detection.
- Added new security checks for WordPress PopularFX Theme Detection.
- Added new security checks for WordPress GeneratePress Theme Detection.
- Added new security checks for WordPress Inspiro Theme Detection.
- Added new security checks for WordPress Go Theme Detection.
- Added new security checks for WordPress Smash Balloon Social Photo Feed Plugin Detection.
- Added new security checks for WordPress Contact Form 7 Plugin Detection.
- Added new security checks for WordPress Yoast SEO Plugin Detection.
- Added new security checks for WordPress Elementor Website Builder Plugin Detection.
- Added new security checks for WordPress Classic Editor Plugin Detection.
- Added new security checks for WordPress Akismet Spam Protection Plugin Detection.
- Added new security checks for WordPress WooCommerce Plugin Detection.
- Added new security checks for WordPress Contact Form by WPForms Plugin Detection.
- Added new security checks for WordPress Really Simple SSL Plugin Detection.
- Added new security checks for WordPress Jetpack Plugin Detection.
- Added new security checks for WordPress All-in-One WP Migration Plugin Detection.
- Added new security checks for WordPress Wordfence Security Plugin Detection.
- Added new security checks for WordPress Yoast Duplicate Post Plugin Detection.
- Added new security checks for WordPress WordPress Importer Plugin Detection.
- Added new security checks for WordPress LiteSpeed Cache Plugin Detection.
- Added new security checks for WordPress UpdraftPlus WordPress Backup Plugin Plugin Detection.
- Added new security check for EZProxy Identified.
Improvements
- Updated the Signature Detection pattern.
- Improved the wordlist for Forced Browsing checks.
- Changed the Session Cookie not marked as Secure severity from High to Medium.
- Improved the task queue by optimizing code.
- Improved Drupal and Joomla detection.
- Improved the Next.js version detection.
- Improved Django debug mode enabled.
- Updated the SSL/TLS report template.
Fixes
- Fixed the navigational error by ignoring initial requests other than the document-type resources.
- Fixed an issue about HTTP Status codes on the crawler performance in the Knowledge Base Report.
- Fixed the importing GraphQL introspection issue.
- Fixed the weak Nonce detection in Content Security Policy.
v23.5.0.40516 - 11 May 2023
This release includes new security checks, improvements, and fixes. We added security checks for MongoDB and sensitive data exposure. We improved the text parser and GraphQL Introspection query. We also fixed some bugs.
New security checks
- Added new security check for LDAP injection for IAST.
- Added new security check for MongoDB injection.
- Added new security check for Server-side Template Injection for IAST.
- Added new security check for XPath injection for IAST.
- Implemented security check for Sensitive Data Exposure.
Improvements
- Improved the text parser to check URI before parsing.
- Added the Response Receiver information event to remove waiting time for requests.
- Improved the GraphQL Introspection query.
Fixes
- Fixed an issue that caused a bad CSRF token when confirming Cross-site Scripting.
- Fixed an issue that caused an argument null exception when the browser context was closed.
- Fixed the issue that is filling out the login form on the logout page during the login verification.
- Fixed the issue of changing the order of API parameters while importing the JSON file.
- Fixed the dark template issue that displayed the What’s New section in the light template.
- Fixed the vulnerability signature types for Cloudflare and Cdnjs.
v23.4.0 - 24 Apr 2023
This release includes new security checks, improvements, and fixes. We added new checks for GraphQL and support for nested objects for GraphQL attacks. We changed the brand logo and improved the WSDL file importing. We also fixed some bugs.
Version information: 23.4.0.40376
New security checks
- Added new patterns for GrapQL attack usage.
- Added new attack pattern to CommandInjection.xml.
- Implemented Bootstrap Libraries Detection.
- Added Out-of-Date vulnerability for mod_ssl.
- Added a report template and vulnerability type for Spring Framework Identified.
- Added JavaMelody Interface Detected Signature.
- Changed WAF Identification Signature for F5 Big IP.
- Added the support for Nested objects for GraphQL attacks.
Improvements
- Updated Invicti Standard with new brand logo.
- Added external schema import to solve a WSDL file importing another WSDL file.
- Removed the interactive login button from the verifier dialog.
- Added the Retest All Subitems in the Sitemap to prevent non-retestable issues from being retested.
- Added a null check for HAR files imported.
- Improved the cookie importing process in order for cookies to be compatible with RFC.
- Updated IAST NuGet PHP package.
- Updated StaticDetection.xml & StaticResourceFinder.xml.
- Added service worker request support for authentication, login simulation, and crawling.
Fixes
- Fixed an issue that caused high memory usage while collecting form values.
- Fixed the untrusted certificate error for internal proxies.
- Fixed the issue that caused the change in the date and time format during the Postman file importing.
- Fixed the Linux agents problem that failed to work in the FIPS-enabled environment.
- Fixed the untrusted certificate error for internal proxies.
- Fixed the “Catastrophic Backtracking” in Whoops Debugging detection.
v23.3.0 - 16 Mar 2023
This release includes security checks, improvements, and fixes. We added a range of new security checks to help identify vulnerabilities. We improved security checks and also fixed some bugs.
Version information: 23.3.0.39944
New security checks
- Added package.json Configuration File attack pattern.
- Added new File Upload Injection pattern.
- Added SSRF (Equinix) vulnerability.
- Added Swagger user interface Out-of-Date vulnerability.
- Added a file upload injection pattern.
- Added StackPath CDN Identified vulnerability.
- Added Insecure Usage of Version 1 GUID vulnerability.
- Added JBoss Web Console JMX Invoker check.
- Added Windows Server check.
- Added Windows CE check.
- Added Cloudflare Identified, Cloudflare Bot Management, Cloudflare Browser Insights, and cdnjs checks.
- Added Varnish Version Disclosure vulnerability check.
- Added Stack Trace Disclosure (Apache Shiro) vulnerability check.
- Added Java Servlet Ouf-of-Date vulnerability check.
- Added AEM Detected vulnerability check.
- Added CDN Detected(JsDelivr) vulnerability check.
Improvements
- Improved the scan compression algorithm to lower the size of the scan data.
- Improved WS_FTP Log vulnerability test pattern.
- Improved X-XSS-Protection Header Issue vulnerability template.
- Improved MySQL Database Error Message attack pattern.
- Improved XML External Entity Injection vulnerability test pattern.
- Improved Forced Browsing List.
- Added CWE classification for Insecure HTTP Usage.
- Added GraphQL Attack Usage to existing test patterns by default.
Fixes
- Fixed an issue that may cause out-of-memory when cloning callbacks of the browser.
- Fixed the update issue in the Proof node in the Knowledge Base panel.
v23.2.0 - 22 Feb 2023
This release includes security checks, improvements, and fixes. We added checks for JWT. We improved JWT security checks and the business logic recorder. We also fixed some bugs.
Version information: 23.2.0.39705
New security checks
- Added JWT Forgery through Kid by using static files.
- Added the JSON Web Tokens detected check.
Improvements
- Improved the default browser settings to be reflected in the business logic recorder (BLR).
- Improved the JWT Finder Regex in the JWT engine.
- Extended excluded header names with new headers.
- Updated JWT Forgery check condition.
- Improved the JSON Web Tokens’ vulnerability detection logic.
- Added the link scope check for the user-controllable cookie vulnerability.
Fixes
- Fixed an issue that caused unhandled exceptions when there is no service endpoint definition in the WSDL file.
- Fixed “file in use error” while archiving scan logs.
- Fixed the OAuth 2.0 authentication problem caused by the failure to get code information and certification validation in out-of-scope links.
- Fixed missing cookies for the JSON Web Tokens attack requests.
- Fixed the vulnerability family issue that caused the Hawk not to detect issues.
- Fixed the vulnerability serialization issue that caused the out-of-memory error.
v23.1.0 - 17 Jan 2023
This release includes improvements and fixes. We fixed issues with TLS, authentications, and IPv6.
Improvements
- Added control for login and logout during vulnerability retest.
- Added auto responder for images to escape the onerror issue.
Fixes
- Fixed an issue that overrode TLS settings available in the scan policy when the Ignore SSL Certificate Errors is set to True in the Appsetting.json file.
- Fixed a bug that throws a null reference exception at the authentication.
- Fixed missing CSP 3 Directive.
- Fixed an issue about 3-legged OAuth which cause failed authentication at scan.
- Fixed the scheduled scans not being exported issue to Invicti Enterprise.
- Fixed an issue about header encoding that cause false positive CSP reporting.
- Fixed the bug on the Interactive Login page where the Ok and Pause buttons are not available.
- Fixed case sensitivity when checking HTTP headers for JSON Web Tokens.
- Fixed the IPv6 registered website resolution issue thrown before scanning.
- Improved the vulnerability database updating process to enable it to use a proxy.
- Fixed a bug that prevents the scanner from attacking to login and logout pages.
- Fixed the bug in which OAuth2 settings were not transferred properly from the web application to the agent.
v22.12.0 - 07 Dec 2022
This release includes improvements and fixes. We improved the failed requests error message. We also fixed some bugs.
Improvements
- Added an explanation for the failed requests error.
- Added name variable support for Passive and Singular Custom Security Checks.
Fixes
- Fixed WSDL parse issue for non-defined object types.
- Fixed the deserialization problem when importing the scan session.
- Fixed the CSP analyzer Regex enumeration problem.
- Fixed the null reference exception on HTTP Requester.
v22.11.0 - 09 Nov 2022
This release includes new security check, improvements, and fixes. We added a security check for Text4Shell and improved the importing link. We also fixed some bugs.
New security check
- Added the Text4Shell (CVE-2022-42889) check.
Improvements
- Updated the embedded Chromium browser.
- Improved the importing link to parse the complex example value for RAML.
- Added the support for browser flag.
- Improved the scan failure messages on the issue page.
- Added the URL decode to scanned and crawled URL list reports.
Fixes
- Fixed the issue that deleted the customization folder in the agent’s folder after the update.
- Fixed the knowledge base report format to display information clearly.
v6.8.0.38168 - 13 Oct 2022
This release includes new features, new security checks, improvements, and fixes. We added an auto-GraphQL attack. We added MongoDB-related security checks. We improved the embedded browser and vulnerability detection in the JWT engine. We also fixed some bugs.
NEW FEATURES
- Added auto-GraphQL attack after endpoint is detected.
- Added request wait filter for request wait handler.
NEW SECURITY CHECKS
- Added MongoDB Time-based (Blind) Injection.
- Added SQLite Boolean SQL Injection.
- Added MongoDB Error-based Injection.
IMPROVEMENTS
- Updated the embedded browser.
- Updated the hardcoded scan policy for http://rest.testinvicti.com.
- Added the out-of-scope check for the target website content links.
- Updated the Check for VDB Update status and tooltip when users start the check for update.
- Updated Vulnerability Detection Logic in JWT engine.
- Updated Liferay portal signature and added a mapping for version conversion.
FIXES
- Fixed the web security issue for the origin header problem.
- Fixed the sitemap bug that caused missing information when imported.
- Fixed the bug that threw an error when exporting as SQL script.
- Fixed the bug that threw an error, as HTTP Requester deletes the whole body part of the request which contains the login credentials.
- Fixed multiple headers highlighting for the same value.
- Fixed highlighting CSP Directives in different header issues.
- Fixed duplicate bearer tokens for some requests.
- Fixed the out-of-memory bug at the browser manager.
- Fixed the null reference exception on the custom script screen.
- Fixed the connection time-out issue caused by the RegEx engine.
- Fixed an issue that resulted in false positive Cross-site Scripting (DOM-based).
- Fixed the retest issue that displays zero requests in the repetitive retests.
- Fixed the bug that shows the previous version of VDB.
- Fixed parsable false attack patterns place.
v6.7.1.37730 - 15 Sep 2022
IMPROVEMENTS Updated embedded Chromium browser.
IMPROVEMENTS
- Updated embedded Chromium browser.
v6.7.0.37625 - 31 Aug 2022
SECURITY CHECKS Added pattern for XSS via file upload SVG. IMPROVEMENTS Added the Cache By CSS Selector and Max Cache Elements to the scan policies. Added the GraphQL endpoints and libraries to the Knowledge Base. Updated the Jira tooltip for the access token or password field. Removed the target URL health check that lets the …
SECURITY CHECKS
- Added pattern for XSS via file upload SVG.
IMPROVEMENTS
- Added the Cache By CSS Selector and Max Cache Elements to the scan policies.
- Added the GraphQL endpoints and libraries to the Knowledge Base.
- Updated the Jira tooltip for the access token or password field.
- Removed the target URL health check that lets the scan continue despite getting error messages such as 403.
- Improved the raw scan file expired information message.
- Improved the scan profile test coverage.
- Updated regex for Stack Trace Disclosure (Java) – Java.Lang Exceptions.
- Improved the JSON Web Tokens secret list.
- Improved the re-login process when the logout is detected.
FIXES
- Fixed the retest issue.
- Fixed the null reference error thrown during the late confirmation.
- Fixed an issue of using the disposed objects.
- Fixed the exception error when cloning the report policy.
- Fixed the broken links on the report policy.
- Fixed mistaken NIST and DISA classifications.
- Fixed a bug that threw the database locked error when Invicti is restarted after a scan.
- Fixed an issue where a JavaScript Setting option blocks inputs for the single-page applications to be reported in the Web Pages with Inputs node.
- Fixed a bug that caused the scan session failure when the scan is paused and resumed.
- Fixed failed scans where the Target URL is IPv6 and starting with ::1
- Fixed the Postman collection parsing by removing / in front of the query in the URL.
- Fixed the Shark validation issue that threw exceptions while validating.
- Fixed the issue with proxy settings, so Invicti prioritizes the settings in the scan policy.
- Fixed NodeJS RCE-OOB security check.