v6.6.1 - 12 Aug 2022
IMPROVEMENTS Improved the Late-Confirmation Storage Mechanism to lower disc usage. Improved the Links/API definition to add links with a single click. Added the Block navigation on SPAs to built-in scan policies. Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3. …
IMPROVEMENTS
- Improved the Late-Confirmation Storage Mechanism to lower disc usage.
- Improved the Links/API definition to add links with a single click.
- Added the Block navigation on SPAs to built-in scan policies.
- Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3.
FIXES
- Fixed the issue that does not terminate the Chromium instances although the max scan duration is exceeded.
- Fixed the issue that automatically enables “Exclude Authentication Pages” after enabling form authentication.
- Fixed the bug that throws null reference exception at the link pool.
- Fixed the bug that prevents GraphQL Endpoint detection when the scan policy is copied.
- Fixed the bug that resulted in running many Chromium instances when a new scan is started.
- Fixed a null reference error when a new scan is started via the command line.
v6.6.1.36926 - 19 Jul 2022
IMPROVEMENTS Improved the Late-Confirmation Storage Mechanism to lower disc usage. Improved the Links/API definition to add links with a single click. Added the Block navigation on SPAs to built-in scan policies. Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3. …
IMPROVEMENTS
- Improved the Late-Confirmation Storage Mechanism to lower disc usage.
- Improved the Links/API definition to add links with a single click.
- Added the Block navigation on SPAs to built-in scan policies.
- Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3.
FIXES
- Fixed the issue that does not terminate the Chromium instances although the max scan duration is exceeded.
- Fixed the issue that automatically enables “Exclude Authentication Pages” after enabling form authentication.
- Fixed the bug that throws null reference exception at the link pool.
- Fixed the bug that prevents GraphQL Endpoint detection when the scan policy is copied.
- Fixed the bug that resulted in running many Chromium instances when a new scan is started.
- Fixed a null reference error when a new scan is started via the command line.
v6.6.0.36485 - 14 Jun 2022
NEW FEATURES Added GraphQL Libraries detection support. Added the Shark node to the Knowledge Base. Added Acunetix XML to URL Import. Added built-in DVWA policies to scan policies. IMPROVEMENTS Updated embedded Chromium browser. Added a new IAST vulnerability: Overly Long Session Timeout. Added new config vulnerabilities for the IAST Node.js sensor. Added new config vulnerabilities for …
NEW FEATURES
- Added GraphQL Libraries detection support.
- Added the Shark node to the Knowledge Base.
- Added Acunetix XML to URL Import.
- Added built-in DVWA policies to scan policies.
IMPROVEMENTS
- Updated embedded Chromium browser.
- Added a new IAST vulnerability: Overly Long Session Timeout.
- Added new config vulnerabilities for the IAST Node.js sensor.
- Added new config vulnerabilities for the IAST Java sensor.
- Added support for detecting SQL Injections on HSQLDB.
- Added support for detecting XSS through file upload.
- Updated DISA STIG Classifications.
- Updated Java and Node.js IAST sensors.
- Improved time-based blind SQLi detection checks.
- Improved the Content Security Policy Engine.
- Updated XSS via File Upload vulnerability template.
- Updated License Agreement on the Invicti Standard installer.
- Added Extract Resource default property to DOM simulation.
- Improved proxy usage in Netsparker Standard for outgoing web requests such as Hawk.
- Added an option to discard certificate validation errors on the Enterprise Integration window during SSL/TLS connections.
- Added vulnerabilityType filter to add VulnerabilityLookup table.
- Added the agent mode to the authentication request.
- Added a default behavior to scan the login page.
- Added an option to disable anti-CSRF token attacks.
- Added an option to block navigation on SPAs pages.
- Added a default behavior to disable TLS1.3
FIXES
- Fixed basic authorization over HTTP bug.
- Fixed SQL Injection Vulnerability Family Reporting Bug.
- Fixed a bug that the custom script throws a null reference exception when a script is added to the paused scan.
- Fixed a bug that deletes an authentication password when a new scan is started with a copied profile.
- Fixed a bug that causes the Sitemap to disappear during scanning with IAST.
- Fixed a bug that caused missing tables and values when a report policy is exported as an SQL file.
- Fixed a typo bug on GraphQL importing window.
- Fixed the report naming bug that occurs users create a custom report from a base report.
- Fixed an issue that causes the attack process not to be completed for a security check when there is an error occurred while attacking a parameter with an attack pattern.
- Fixed a bug that updates all built-in scan policies instead of edited scan policy.
- Fixed a typo on Skip Crawling & Attacking pop-up.
- Fixed a bug that prevents an error icon from appearing after entering unacceptable characters for the scan policy name.
- Fixed a bug that does not migrate the Spring4Shell Remote Code Execution check to a new scan policy although more than 50% of the checks are selected.
- Fixed a bug that throws an error when the Large SPA is selected from the Load Preset Values drop-down on the Scan Policy window.
- Fixed a bug that does not show Configuration Wizard for the Rest API TestInvicti website.
- Fixed missing template section migration on report policy.
- Fixed a bug that throws an error when a report is submitted upon error.
- Fixed the LFI Exploiter null reference.
- Fixed a bug that occurs when a detailed scan report does not report the CVSS scores for custom vulnerabilities.
- Fixed a bug that occurs when the Log4J vulnerability profile is not migrated with the report policy migration.
- Fixed a bug that occurs when users search the Target URL on the New Scan panel.
- Fixed typo in the timeout error message.
- Fixed a bug that prevents the WSDL files from being imported.
- Fixed reporting “SSL/TLS not implemented” when scanning only TLS 1.3 supported sites.
- Fixed a bug that throws an error for NTLM authentication when the custom username and password credentials are provided when the system proxy is entered into the appsetting.json
- Fixed the bug that the passive vulnerabilities were reported from out-of-scope links.
REMOVAL
- Removed Expect-CT security check.
- Removed the End-of-Text characters in URL rewrite rules.
v6.5 - 29 Apr 2022
IMPROVEMENTS Updated embedded chromium browser Improved JWT confirmation to avoid false positives. FIXES Fixed an issue that passive vulnerabilities were reported as out-of-scope links. Fixed an issue that imports global servers as Swagger files. Fixed an issue where the OK button disappears during interactive login. Fixed an issue that adds interactive login buttons to iframes. …
IMPROVEMENTS
- Updated embedded chromium browser
- Improved JWT confirmation to avoid false positives.
FIXES
- Fixed an issue that passive vulnerabilities were reported as out-of-scope links.
- Fixed an issue that imports global servers as Swagger files.
- Fixed an issue where the OK button disappears during interactive login.
- Fixed an issue that adds interactive login buttons to iframes.
- Fixed a null reference exception at the LFI exploit panel.
v6.4.3.35616 - 04 Apr 2022
NEW SECURITY CHECKS Added Remote Code Execution (CVE-2022-22965) a.k.a. Spring4Shell detection support.
NEW SECURITY CHECKS
- Added Remote Code Execution (CVE-2022-22965) a.k.a. Spring4Shell detection support.
v6.4.0.35166 - 08 Mar 2022
IMPROVEMENTS Netsparker Standard now Invicti Standard. Added a token matching rule when it is required to get the token from a website other than the target URL. Improved the GraphQL attacks to include non-string fields. FIXES Fixed a consistency issue between the Software Composition Analysis and the Knowledge Base on reported vulnerabilities. Fixed a bug …
IMPROVEMENTS
- Netsparker Standard now Invicti Standard.
- Added a token matching rule when it is required to get the token from a website other than the target URL.
- Improved the GraphQL attacks to include non-string fields.
FIXES
- Fixed a consistency issue between the Software Composition Analysis and the Knowledge Base on reported vulnerabilities.
- Fixed a bug that prevents the Knowledge Base View from being shown properly when a user disables the knowledge base from a scan policy.
- Fixed a null reference exception by adding a control whether the current scan policy is empty.
- Fixed a bug that the agent does not continue the scan after a pause.
- Fixed a bug that does not properly show all components detected by a software composition analysis after a retest.
v6.3.3.34686 - 14 Feb 2022
IMPROVEMENTS Implemented new Log4j attack patterns. Added the parameter types to exported reports for GraphQL. FIXES Fixed an issue that Invicti uses a new token instead of the imported token when customers adds imported links. Fixed an issue that results in false positive Cross-site Scripting. Fixed an issue that prevents the scan policy migration when a …
IMPROVEMENTS
- Implemented new Log4j attack patterns.
- Added the parameter types to exported reports for GraphQL.
FIXES
- Fixed an issue that Invicti uses a new token instead of the imported token when customers adds imported links.
- Fixed an issue that results in false positive Cross-site Scripting.
- Fixed an issue that prevents the scan policy migration when a newer Invicti Standard version is installed.
- Fixed an issue that the page counter goes to zero in the Recent Scans window.
- Fixed an issue that threw error during the pre-scan validation process in the case of websites that can only be accessed via the proxy.
v6.3.2.34187 - 20 Jan 2022
IMPROVEMENTS Added the .deploy extension to Default Policy’s extension list. Added a new command line interface parameter -called failfast- to close the Invicti Standard in the silent mode when error occurs. FIXES Fixed a null reference error issue when a user right-clicks the target on the Sitemap. Fixed the URL response error of the main …
IMPROVEMENTS
- Added the .deploy extension to Default Policy’s extension list.
- Added a new command line interface parameter -called failfast- to close the Invicti Standard in the silent mode when error occurs.
FIXES
- Fixed a null reference error issue when a user right-clicks the target on the Sitemap.
- Fixed the URL response error of the main node when Override Target URL check is enabled.
- Fixed the Imported Links date and time value in the body that is cropped.
- Fixed an issue that opens the vulnerability panel instead of the HTTP Request and Response panel when the email node is selected in the Knowledge Base panel.
- Fixed the issue with the Missing XSS protection Header in the Out-of-Scope link.
- Fixed an issue that tries to stop the scan when the What’s New tab is closed.
- Fixed an issue that Invicti Standard starts a retest for a vulnerability randomly.
- Fixed a payload for the GraphQL.
v6.3.1.33855 - 29 Dec 2021
FIXES Fixed a scan policy migration issue that causes selecting all the security checks.
FIXES
- Fixed a scan policy migration issue that causes selecting all the security checks.
v6.3.033782 - 23 Dec 2021
NEW FEATURES Added Software Composition Analysis (SCA) feature. Added OWASP Top 10 2021 classification and report. Added support for scanning GraphQL APIs. NEW SECURITY CHECKS Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Jira. Added Stack Trace Disclosure Signature for Java. Added Shopify Identified Security Check. IMPROVEMENTS Updated Invicti Standard .NET Framework version from 4.7.2 …
NEW FEATURES
- Added Software Composition Analysis (SCA) feature.
- Added OWASP Top 10 2021 classification and report.
- Added support for scanning GraphQL APIs.
NEW SECURITY CHECKS
- Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Jira.
- Added Stack Trace Disclosure Signature for Java.
- Added Shopify Identified Security Check.
IMPROVEMENTS
- Updated Invicti Standard .NET Framework version from 4.7.2 to 4.8.
- Allowed to enter hyphens for the proxy address on the Proxy Settings.
- Enabled that all child controlled scan parameters are listed in the Sitemap parent node.
- Changed classification for Cross-site Referrer Leakage and Breach in OWASP Top Ten 2021.
- Changed CryptographicException error log type.
- Added condition that when the max crawling link is reached, the DOM simulation stops.
- Updated Version Disclosure Signature for Apache Coyote.
- Added callback flag to prevent multi trigger of DOM parser view callback
- Improved the importing of RAML files includes other files.
- Added tags property to the Kenna Send to Action.
- Updated Freshservice integration not to send user agent header.
- Updated Version Disclosure Signature for Jolokia.
- Improved the Form Values to be entered into the relevant sections during the form authentication process in the React environment.
- Improved the login verification process by detecting page load properly.
FIXES
- Fixed an issue that created an incorrect issue link in Bitbucket Integration.
- Fixed an issue that occurred when the proxy information from the Proxy Auto-Configuration file cannot be transmitted in requests made by the browser.
- Fixed the null reference error (NRE) that occurred during importing the paused or canceled scan files.
- Fixed an issue that calculated total response time incorrectly.
- Fixed the bug related to Send To action of Kenna integration.
- Fixed the Jolokia version disclosure report to properly highlight the related lines.
- Fixed the OWASP classification links.
- Fixed an issue that does not show a vulnerability when sorted by the Vulnerability Type although it shows when sorted by Severity.
- Fixed the misleading tooltip in Scan Policy – Security Checks.
- Fixed the misaligned text on the PDF version of Executive Summary Report.
- Fixed an issue that Invicti Standard doesn’t show out-of-scope warning when out-of-scope link is imported.
- Fixed the inconsistent vulnerability count between reports and status bar.
- Fixed the manual authentication issue when links are imported from URL.
- Fixed the Sitemap multilevel group count.
- Fixed Scan Policy security check count.
- Fixed a naming issue that occurred when a new custom report name contains a dot.
- Fixed an issue while changing the Data Directory option on Storage tab.
- Fixed the issue that external references were not rendered correctly.
v6.2.1.33642 - 14 Dec 2021
NEW SECURITY CHECKS Added Out of Band Code Evaluation (Log4j – CVE-2021-44228) a.k.a. Log4Shell detection support.
NEW SECURITY CHECKS
- Added Out of Band Code Evaluation (Log4j – CVE-2021-44228) a.k.a. Log4Shell detection support.
v6.2 - 16 Nov 2021
NEW FEATURES Added Node.js sensor for Invicti Shark (IAST). Added OWASP API Top 10 classification and report template. NEW SECURITY CHECKS Added signature matching to Web app fingerprint checker. Added patterns for Base64 encoded DOM Cross-site Scripting. Added phpMyAdmin Version Disclosure security check. Added Atlassian Confluence Version disclosure and Out-of-date security checks. Added exclusion feature to JavaScript …
NEW FEATURES
- Added Node.js sensor for Invicti Shark (IAST).
- Added OWASP API Top 10 classification and report template.
NEW SECURITY CHECKS
- Added signature matching to Web app fingerprint checker.
- Added patterns for Base64 encoded DOM Cross-site Scripting.
- Added phpMyAdmin Version Disclosure security check.
- Added Atlassian Confluence Version disclosure and Out-of-date security checks.
- Added exclusion feature to JavaScript Library detection.
- Added PHP Version Detection via phpinfo() call.
- Added the Shopify Identified security check.
IMPROVEMENTS
- Added the Bridge URL and Shark token support for Invicti Shark (IAST).
- Added setting to configure Session Cookie Names.
- Updated CWE classification category orders for Out-of-date templates.
- Improved Cross-site Scripting attack pattern.
- Added support for exploiting local storage and session storage in the DOM XSS security checks.
- Added highlighting support for custom scripts.
- Added Web Application Firewall to the site profile.
- Changed the default ignored parameter comparison to case insensitive.
- Added ‘Is Encoded’ option to OAuth2 parameters.
- Added JWT Token pre-request script template.
- Added the CSP Not Implemented that will be reported as confirmed.
- Added the Subresource integrity not implemented that will be reported as confirmed.
FIXES
- Fixed the issue that Content-Type header missing was reported when there was no content in the response.
- Fixed the issue FP JWT was reported in a not found response.
- Fixed the issue possible and confirmed vulnerabilities reported in the same URL.
- Marked weak TLS ciphers.
- Fixed the issue proof that was generated even when the proof generation option was disabled in the scan policy.
- Fixed FP WAF Identified.
- Fixed the issue vulnerability count in root node is not updated when a vulnerability is removed and Blind XSS was prioritized over the Reflected Cross-site Scripting.
- Fixed the issue source code disclosure is reported in binary responses.
- Fixed the issue fingerprint checker crashes when an applications file could not be found.
- Fixed the issue object-src missing was reported when default-src is provided in CSP security checks.
- Fixed the issue that some cipher suites are not reported as weak.
- Fixed the issue classification links were not rendered correctly when there are multiple values.
- Fixed the issue proof prefix was added when there were no more characters to be found.