22 Nov 2019
NEW FEATURES
- Added a scan search feature which is accessible from the CTRL+K shortcut that allows searching for anything in the scan
- Added a configuration wizard for GitLab Send To Action
- Added a Web Application Firewall tab to the Options dialog
- Added AWS WAF integration
- Added Cloudflare WAF integration
- Added SecureSphere WAF integration
- Added an Auto WAF Rule tab to the Scan Policy Editor dialog
- Added a Send To Tasks dialog to display the Send To Action and WAF Rule task’s status
- Added a configuration wizard for “rest.testsparker.com” into the Start a New Website or Web Service Scan dialog
- Added a What’s New panel to the right hand side of the Welcome Dashboard, which shows the latest blog posts
- Added OTP support to the Form Authentication tab in the Start a New Website or Web Services Scan dialog
- Added “localhost.invicti” host resolution support to allow remote connections to localhost
NEW SECURITY CHECKS
- Added a new Security Check – HTTP Parameter Pollution (HPP)
- Added a new Security Check – BREACH Attack Detection
- Added Out-of-Date checks for Ext JS
- Added Oracle Cloud and Packet Cloud SSRF attack patterns
IMPROVEMENTS
- Improved progress bar estimation by populating engine runtimes instead of request count
- Improved the Scan Performance node by including engine runtimes in the Knowledge Base
- The Download buttons in the Local File Inclusion Exploitation panel are renamed to Get
- Improved statistical information in the scan reports
- Improved Custom 404 settings in the Knowledge Base report
- Improved the Knowledge Base check icon
- Improved the display of OAuth2 Authentication information on reports
- Added Culture Info to error reporting information
- Renamed the F5 Big-IP ASM WAF Rules button in the Reporting tab
- Added an Apply button to the Options window, so the dialog stays open until the Save button is clicked
- Improved the Custom Field Editor dialog to validate custom field values before saving them
- Improved the I/O Docs Importer to support the latest version
- Improved the Jira Send To Action to support a new Security Level field
- Updated Trello Send To Action wizard to hide inactive boards
- Improved the Crawler and Attacker to identify links separately according to their Accept header. (application/json and application/xml are commonly used in Rest APIs. Invicti can identify and attack for both mime types.)
- Improved the OpenAPI (Swagger) parser to import links more than once according to their Accept header
- Updated the AdNetworks file which is used by Invicti to block ad networks
- Improved the Update Available dialog UI
- Improved the Report Policy Editor UI.
- Improved Apache Struts attack patterns by randomizing the attack payloads
- Improved the Custom Scripting API docs
- Improved parsing the JavaScript code written inside HTML element attributes
- Improved the Crawler to detect links with application/xml and application/json headers commonly used in REST APIs, so Invicti can attack each link separately
- Improved the Progress panel’s Request per Second setting, so that its value can be viewed by clicking its label
- Added the ability to parse OAuth2 access token response headers to get the access token value
FIXES
- Fixed an issue that caused very long URLs to become invisible in the vulnerability report
- Fixed an issue that caused the Target Website or Web Service URL dropdown list’s delete button to become invisible in the Start a New Website or Web Service Scan dialog
- Fixed a false-positive report of a Windows Username Disclosure in the vulnerability report issue
- Fixed the problem where the Windows Username Disclosure attack pattern did not match invalid file characters
- Fixed the problem where a null Scan Profile name was displaying when opening a scan file
- Fixed an issue where headers were duplicating when imported from a Swagger file.
- Fixed the license expiration to occur a day after the license Expiration date
- Fixed an issue that caused a Collection Modified exception when restarting Invicti after changing the storage directory
- Fixed an issue where the HTTP Request / Response panel did not open when the Sitemap root node was selected
- Fixed an issue in the Request Builder where the changes in the Raw request tab were not being saved
- Fixed an issue that caused the name of the vulnerability to be blank in the Report Policy Editor dialog
- Fixed a high DPI issue in the Update Available dialog
- Fixed an issue that caused the Context button to overlay information counts in the File menu
- Fixed the URI format exception that occurred on the SSRF configuration screen
- Fixed an issue that caused the tab key not to work in the Request Builder
- Fixed an issue where encoded characters and new line characters appeared in the exploit responses in JSON format
- Fixed an issue where the application name was captured as the version in the Java Servlet Version Disclosure pattern
- Fixed an issue where some console commands were reported as proofs of exploit even though they had not been executed in the code evaluation
- Fixed an issue where the Report Policy Editor dialog was showing html encoded values in the grid view and in the Edit dialog
- Fixed an issue where report template changes were lost when the Cancel button clicked while searching in the Report Policy Editor dialog
- Fixed an issue where the Dom Parser occasionally made requests to excluded or out of scope URLs
- Fixed an issue where relative links found during a DOM simulation were sometimes not added to the link pool
- Fixed a request timeout default value tooltip that was displaying in the HTTP Request settings
- Fixed property names in the Redmine Send To Actions fields
- Fixed an issue that caused the vulnerability URL to change when running a custom script on a vulnerability originally detected also by using a custom script
- Fixed an issue that caused the UI to freeze when activating or deactivating licenses
- Fixed an issue that caused the UI to freeze when verifying OAUTH settings
- Disabled layout customization in the Manual Authentication and Test Credential screens
- Fixed an issue that caused the scan manager to request a login URL in the OAuth2 Authentication settings when the Web Cache Deception security check group was disabled
- Fixed an issue that caused late UI loading when the Scan Profile contained too many Imported Links
- Fixed JSON and XML request identifiers to detect the type properly when content contains whitespace characters
- Handled communication errors that occurred while testing credentials
- Fixed the log for corrupted variation information
- Fixed a NullReferenceException that was occasionally thrown in the Additional Websites tab in the Start a New Website or Web Service Scan dialog
- Fixed a performance issue caused when the number of the Sitemap nodes increases
- Fixed the Regex Pattern of SQLite error message patterns
- Updated the Remedy sections of some vulnerability report templates.
- Fixed the internal proxy localhost’s handling when adding the loopback override to the system’s proxy settings
- Fixed misleading logout detection warnings shown during the retest of cookie vulnerabilities
- Fixed an issue that caused the system to crash when sorting the Sitemap
- Improved ApacheStruts to report where it would be possible for the attack to succeed at least one time
- Fixed a NRE in the Signature Detection
- Fixed the issue where some proofs were duplicated in the Knowledge Base
- Fixed extensive CPU usage on cloud instances and virtual machines
- Fixed a Set-Cookie response header parsing issue that occurred where empty name/value pairs were skipped and cookie attributes were incorrectly parsed as name/value pairs
- Fixed the ArgumentNullException error that occurred when a null parameter value was sent to the Request Builder
- Fixed the Knowledge Base’s Out of Scope Links resource problem
- Fixed I1 item’s title in the Vulnerability Editor dialog, available from the Report Policy dialog to display as ‘No Message’
- Fixed the Asana Send To Action field, as an identifier field has changed in the Asana API
- Fixed the issue where Raw and Builder tabs were not synchronized in the HTTP Request Builder
- Fixed an incorrect localization issue that occurred while displaying custom field values of vulnerabilities
- Fixed an issue that caused the Issues and Sitemap panels to open before opening a scan session
- Fixed a problem where the Search box background color changed when there were no results
- Users are now allowed to enter custom HTTP methods in the Request Builder panel when the Raw request body is enabled
- Fixed an ArgumentNullException that was thrown when trying to refresh the OAuth2 access token after resuming an imported scan
- Fixed a couple of alignment problems in reports
- Fixed the last file name cache problem
- Fixed the Request response word wrap and border problem
- Removed capitalization from titles in reports
- Fixed an issue where the AutoComplete Enabled Vulnerability was being falsely reported if input fields included a new password option
- Fixed a NullReferenceException that was thrown when the headers were null in the Webhook Send To Action
01 Nov 2019
FIXES
- Fixed a NullReferenceException that was occasionally thrown during authentication verification
- Fixed a NullReferenceException that was occasionally thrown when a sitemap link was selected
- Fixed wrong tooltips that were shown on footer severity icons
- Fixed an application lock when the UI language was changed during a scan
- Fixed chunked encoding handling in the internal proxy
- Fixed a deadlock that was occasionally happening during policy optimization
25 Oct 2019
FIXES
- Fixed an issue where the number of authentications was miscalculated in the Performance Report
- Fixed an ObjectDisposedException that was occasionally thrown during passive analysis
- Fixed an issue where passive analysis of XHR requests was causing a negative effect on scan times
- Fixed an issue where the Dom Parser was occasionally making requests to excluded or out of scope URLs.
- Fixed an issue where relative links found during DOM simulation were sometimes not added to the link pool
- Fixed a NullReferenceException that was occasionally thrown by the Request Builder
- Fixed a design problem that was causing empty areas in PDF reports
- Fixed an issue where a wrong update button image was shown when Invicti was run for the first time after an update
- Fixed a NullReferenceException that was thrown during Bulk Export operations
- Fixed an issue where the tooltips of Advanced Settings were not properly displayed
- Fixed the date controls in the Schedule Scan Dialog for high DPI screens
- Fixed an issue where the Known Vulnerabilities section in the Out-of-Date Version vulnerabilities was being duplicated
- Fixed a NullReferenceException that was thrown when the Target Url and the Basic Authentication Authority were different
17 Oct 2019
IMPROVEMENTS
- Added support for parsing Swagger files with comments
- Added crawling support for hash based, routed websites
- Added deprecated usage report for TLS 1.1
- The size of the HTML reports has been significantly decreased
FIXES
- Authentication tokens are now shared among the hosts of the scan target and the additional websites
- Fixed an issue where the vulnerabilities from the previous scan were sometimes added into the new scan when Custom Scripts were used
- Fixed the logical operation stack field duplication that was occurring in log files
- Fixed a formatting issue in the vulnerability report templates
- Fixed an issue in the SQL Injection (Out of Band) engine where vulnerabilities were occasionally missed due to request timeouts
- Fixed an issue where discovered application or database versions were not shown in the Site Profile if a Version Disclosure vulnerability had already been reported
- Fixed a NullReferenceException that was thrown when the response was null in the Web Cache Deception engine
11 Oct 2019
IMPROVEMENTS
- Added Authentication mode and Scheduled Scan information to new reports
- Added Include and Exclude pattern difference information to new reports
FIXES
- Fixed an issue where local scans got lost when the Invicti root directory was changed
- Fixed an issue where the Dark theme was not applied in the Comparison Report dialog
- Fixed an issue where true responses could not be processed correctly because of the ’00’ suffix
- Fixed the cookie parser by removing the whitespace and disallowed character checks for cookie names
- Fixed typos in the HSTS warning and error template
- Fixed a NullReferenceException that was thrown during Authentication verification
- Fixed a NullReferenceException that was thrown while the scan is moving from one phase to the next
- Fixed a NullReferenceException that was thrown when a new root node was being added to the Sitemap
- Fixed an issue where headers were duplicated in the Swagger importer
- Fixed an issue where 201 (Created) responses occasionally caused incorrect redirects during Form Authentication and DOM simulation
- Fixed an issue where the Update button icon was not changing when the download started
- Fixed the problem where PDF reports did not generate when exporting reports on a network share path
- Fixed the problem where it was not possible to change the default logo to a custom logo on new reports
- Fixed the Summary information alignment on PDF reports
- Fixed the problem of empty response information in XML reports
- Fixed various localization problems in reports
30 Sep 2019
FIXES
- Fixed duplicate report templates when updated from an older version
- Fixed Axway XXE payload injected to the wrong position
- Fixed the incorrect Edition displayed on the About dialog
- Fixed several dark theme issues for messages displayed when an invalid value is set to an option
- Fixed IIS capitalization problem in the Site Profile Knowledge Base
30 Sep 2019
NEW FEATURES
- Added the ability to create custom Security Checks via a Scripting feature
- Added a new authentication, Manual Authentication, which allows you to import and replay your pre-recorded requests
- Added custom Vulnerability creation support to the Report Policy Editor
- Added a new 3-Legged Token flow type for OAuth2 authentication
- Added Microsoft Teams Send To integration
- Added Webhook Send To Integration
- Added Clubhouse Send To Integration
- Added Trello Send To Integration and configuration wizard
- Added Asana Send To Integration and configuration wizard
- Added a configuration wizard to the Jira Send To Action
- Added a Configuration Wizard to the Redmine Send To Action
- Added an option to the Save Report dialog for including and excluding Unconfirmed vulnerabilities
- Added an option to configure the file upload folder that the File Upload Engine attacks to find uploaded files
- Added information about SSL implementation in the Target Website to the Site Profile node in the Knowledge Base
- Added support for importing authentication settings from Postman files
- Added support for importing pre-request scripts from Postman files
- Added an ‘Enable or Disable logging recurring parameter detection’ option to the Advanced tab in the Options dialog
- Added a Delete button to the ‘Start a New Website or Web Service Scan’ dialog to enable the deletion of the current profile
- Added support for importing multiple IO/docs files from a zip file
NEW SECURITY CHECKS
- Added Web Cache Deception engine to the list of Security Checks
- Added a new XXE pattern for detecting the Axway SecureTransport 5.x XXE vulnerability
- Added new attack patterns for DOM based XSS
- Added new attack patterns for Remote Code Execution in Ruby
- Added new attack patterns for Out-of-band Remote Code Execution in Ruby
- Added new attack patterns for Remote Code Execution in Python
- Added new attack patterns for Open Redirect security check
- Added an email validation bypass payload for XSS
- Added a header injection XSS pattern
- Added a security check to determine whether an http website has implemented SSL/TLS
- Added a security check for File Content Disclosure in Ruby on Rails via exploiting Accept header
- Added mutation XSS patterns
- Fixed the SSRF confirmation problem
- Added Apple’s App-Site Association file detection
- Added exploitation support for File Content Disclosure in Ruby On Rails, CVE-2019-5418
- Added new LFI attack patterns for the access.log file
- Added support for exploiting JSONP endpoints with the format parameter in Ruby On Rails
- Added support for detecting Python remote code execution
- Added RFC compatible SSRF IPv6 patterns
- Improved the Apache Struts (CVE-2013-2251) attack pattern
- Added PHP Injection fixed one time Referrer attack
- Updated the attack value of the PHP Injection fixed one time attack pattern to use short notation instead of the print function
- Improved the regex pattern of the WebLogic version disclosure pattern
- Added a PoC pattern for Apache Struts (CVE-2013-2251)
- Added out-of-date checks for the Slick JavaScript library
- Added out-of-date checks for the ScrollReveal JavaScript library
- Added out-of-date checks for the MathJax JavaScript library.
- Added out-of-date checks for the Rickshaw JavaScript library
- Added out-of-date checks for the Highcharts JavaScript library
- Added out-of-date checks for the Snap.svg JavaScript library
- Added out-of-date checks for the Flickity JavaScript library
- Added out-of-date checks for the D3.js JavaScript library
- Added out-of-date checks for the Google Charts JavaScript library
- Added out-of-date checks for the Hiawatha and Cherokee server
- Added out-of-date checks for the Oracle WebLogic server
- Added out-of-date check for IIS
- Added version disclosure detection for the Hiawatha Server
- Added version disclosure detection for the Cherokee Server
- Added source code disclosure checks for Java Servlets
- Added source code disclosure checks for Java Server Pages
- Added new source code disclosure patterns for Java
- Added detection for .htaccess file Identified
- Added detection for Opensearch.xml files
- Added detection for SQLite error messages
- Added detection for security.txt files
- Added detection for swagger.json files
- Added detection for OpenSearch files
IMPROVEMENTS
- Redesigned all HTML reports
- Updated browser engine to Chromium v70
- Added support for array parameters in GET and POST requests
- Security Check Groups are now arranged into sub-groups in the Scan Policy Editor dialog
- Moved the vulnerability severity level, Best Practice, so that it takes precedence over the Information level
- Implemented scrolling to the bottom of the page after each DOM simulation completes
- Added support for generating HTML element code from select elements in the Form Authentication Custom Script Editor dialog
- Added the ability to search for Invicti Enterprise scans using the Target URL
- Changed the Password field to Token in the Jira Send To Actions integration
- Added scrollbar annotations to the Sitemap to indicate vulnerability locations
- Added Vulnerability Export Options to the Schedule Scan dialog
- Improved the accuracy of the scan progress calculation displayed in the Progress panel
- Added Postman variable support to the Postman Importer
- Added an option to the Advanced tab of the Options dialog to configure the maximum number of variations that will be reported
- Improved the Site Profile node in the Knowledge Base to display Database name and username information
- Improved the Site Profile node in the Knowledge Base to display information about whether the exploited Database user has admin privileges
- Moved the Accept header’s related options to the Custom Headers panel
- Improved the error message displayed when an invalid Swagger file is imported
- Added an improvement to the application’s ‘remember last opened folders’ feature
- Optimized the size of late confirmation files to improve disk space consumption
- Added a new Invicti Assistant check to handle an excessive amount of application logs
- Added an application level notification to remind the user to restart the scan after profile or policy switch operations
- Updated the Ruby on Rails File Content Disclosure (CVE-2019-5418) vulnerability template
- Added generated proof data to the RoR File Content Disclosure report
- Improved the Proof list in the Knowledge Base to display multiple proofs with different values for the same website
- Improved the MimeType list to display request mime types
- Improved the display format of the redirect URL in the Open Redirect (DOM based) vulnerability
- Improved the Weak Ciphers Enabled vulnerability description
- Added zone.js support to the DOM simulation
- Removed Jira (Legacy) Send To Actions integration
- Changed the Unfuddle Send To Action’s create issue method’s request body data format from XML to JSON
- Updated the progress message displayed when multiple vulnerabilities are being sent via the Send To Action
- Improved TFS and Azure Send To Action to send issue details according to the Work Item type, and the Repro Steps field is set for bugs, while the Description field is set for issues or features
- Added a code block view to the Report Template viewer
- Added an information message to be displayed when closing Invicti if a Send To Action task is still executing
- Added custom field support to the ServiceNow Send To Action
- Added a message to be displayed if the Send To Actions settings have been configured incorrectly
- Updated the Remedy section of the Insecure Transportation Security Protocol Supported (SSLv2) vulnerability template
- Added a RAML option to the Enter Links/HTTP Requests dialog
- Optimized attack patterns environments to enable the Scan Policy Optimizer to produce more optimized policies
- Added a log to display when a vulnerability is discarded due to the Vulnerability Families feature
- Added an update to the progress warning on application closing
- Improved the calculation of attack possibilities of DNS-based SSRF attacks to prevent unnecessary attacks
- Included Ruby and Python RCE vulnerabilities in the vulnerability family
- Added a web server field to the access.log patterns for optimization
- Included SSRF vulnerabilities in the vulnerability family
- Improved the XSS vulnerability report to be more explicit about the data shown
- Added ‘Do not expect challenge (Basic Authentication)’ option to Form Authentication logout detection
- Updated the Impact sections of all Cross-site Scripting vulnerability templates
- Added ISO27001 information to the Vulnerabilities List (Detailed) XML report
- Added an injection prefix to the attack parameter and value name in the vulnerability templates when the vulnerability has an injection request and response
- Moved Code Execution via SSTI vulnerabilities to the Code Evaluation family
- Added highlighting to Stored XSS
- Improved User Agent settings in the Scan Policy editor
- Added missing environment information for attack patterns
- Increased the Start New Scan dialog’s default height to prevent showing the inner scroll bars
- Added logs for URL Rewrite settings
- Added logs for Form Authentication settings
- Added a warning message to be displayed when a used Scan Policy is deleted
- Added the attack pattern name to the debug header information
- Updated the Remedy sections of all Cross-site Scripting vulnerability templates
- Added command search capability to the application’s main menu
- Improved the Update Available dialog
- Improved the X-Frame-Options header check to report misconfiguration when two different settings are used at the same time
- Improved parsing in nested JSON OAuth2 token responses
- Added missing HIPAA classifications to Out-of-Date vulnerability templates.
- Added an explanation to the Controlled Scan Summary popup about vulnerability families
- Improved the Swagger parser to read multipart/form-data mime types
- Improved system registry related Remedy sections in the vulnerability templates
- Added drag and drop capability to URL Rewrite settings
- Added verification to Authentication settings
- Added an additional External Reference to the IIS Out of Date vulnerability template
- Added a default initial directory to Imported Links and the scan Import dialog box
- Updated the Save Report dialog UI
- Updated broken reference links in the Report Policy
- Added validation that checks empty Header Authentication settings
- Set the default folder of the Open File dialog to Invicti Scans during the importing of a scan
FIXES
- Fixed an ObjectDisposedException that was thrown when activities were cancelled in the Activity Panel
- Fixed the capitalization of server-side applications in the Site Profile
- Fixed an issue where all Proofs were not listed in the Knowledge Base node
- Fixed an exception that occurred when updating the Proof data in the Site Profile
- Fixed an issue in the exploitation of the Code Evaluation vulnerability where a wrong proof was generated.
- Fixed an issue where the Proof Of Exploit title was displayed on the vulnerability template when there was no proof
- Fixed a double encoding issue in the Generate Exploit template for XSS
- Fixed an encoding issue in the confirmation phase of PHP wrapper-based LFI attacks
- Fixed incorrect behavior in the Internal Proxy
- Fixed VDB update requests that don’t use the upstream proxy issue
- Fixed a Code Evaluation pattern that attacks URL Rewrite parameters
- Fixed an issue where similar kinds of SQL Injection vulnerabilities were being reported in the same URL Rewrite parameter
- Fixed an issue where the value of the Accept-Language header of the Imported Links were overwritten during a scan
- Fixed an issue where the Cache-Control header was added by default to Imported Links
- Fixed an issue causing Report Policy Editor to fail while saving new template references.
- Fixed duplicate template references in the Default Report Policy
- Fixed the problem of the Progress dialog not displaying while importing links from CSV files
- Fixed an issue that occurred when the re-crawling phase was skipped
- Fixed the Suggested Action for the Best Practice severity in the report templates
- Fixed the problem of the progress not being updated in the Link Importer
- Fixed the problem of the progress not being displayed correctly while importing links from an Invicti session file
- Fixed the Remedy and External References links in the Vulnerability Viewer so that they open in the default browser
- Fixed a problem where the value of the User-Agent header was overwritten for imported link requests
- Fixed an issue where Invicti was attacking the HTTP endpoint of a URL instead of attacking the HTTPS protocol
- Fixed various typos in the vulnerability templates
- Fixed several Cookie related issues by updating Cookie parsing and storage according to the latest RFC 6265
- Fixed an issue in the Sitemap where it was displaying 404 pages
- Fixed the attack payload of the Function – End Comment – Double Quote – Encoded pattern
- Fixed the issue where the header values of the Imported Links were not prioritized over header policy settings
- Fixed an issue where the Base64 payload was not being encoded properly during the confirmation of PHP wrapper-based attacks
- Fixed a CVSS scores rendering issue in the Vulnerability panel
- Fixed the issue where the plus character was not encoded in PHP cookie attacks
- Fixed the Double Encoding problem in the Static Resource Finder attacks
- Fixed the URL Encode problem in the Static Resource Finder attacks
- Fixed an issue where variations were not shown in the report when a vulnerability was ignored
- Prevented the attacker from attacking the Sitemap.xml file
- Fixed an issue where Resource Finder requests were not carried out when the server returned a 403 Forbidden error
- Fixed a NullReferenceException that was thrown during the execution of the late confirmation phase
- Fixed the Double Encoding problem in PHP Wrapper Confirmation attacks
- Fixed the problem where the request was loaded to the request builder following injection and identification requests
- Fixed a problem in the filtered Issues panel that prevented vulnerabilities from being ignored
- Fixed an issue where the Force Pause button icon and label were overlying each other
- Fixed the custom field names in the Version Disclosure templates
- Fixed the problem where an AppDomainUnloadedException was sometimes thrown when the Custom dialog was closing
- Fixed an ObjectDisposedException that was sometimes thrown when Invicti was closing
- Fixed the escaping of forward slashes in custom scripts
- Fixed the Not operand issue in the Sitemap filter function
- Fixed an issue where the favicon of the scanned website was not updated in the Sitemap
- Fixed the problem where the attack payload was not properly encoded during the Code Execution check
- Fixed an issue where a vulnerability that was found in a different parameter on the same link was discarded due to Vulnerability Families
- Fixed an issue that caused vulnerabilities that came from static resources to be added to the wrong parent in the Sitemap
- Fixed the Proof generation for the Ruby Remote Code Execution vulnerability
- Fixed a bug in the XSS vulnerability confirmation
- Fixed the empty message displayed in the Sitemap where the filtered view did not display any data on loading
- Fixed the localization issue on scans that occurred when the application language was modified
- Fixed inconsistent reporting of DNS-based SSRF
- Fixed the format of the confirmation attack payload in XSS to be hex-based
- Fixed the XSS exploitation template to handle injection request
- Fixed the CSS selector generation inside iframes in the Custom Script dialog
- Fixed the XSS confirmation that was failing with a Base64 payload
- Fixed an exception that was thrown by displaying a warning message when a read-only Scan Policy file is used
- Fixed the issue where the responses of Full URL attacks were not parsed for links
- Fixed an issue where the Too Many Logouts error messages were displayed even when Form Authentication was disabled
- Fixed the problem where invalid Send To Action settings were removed from the Options dialog
- Fixed the problem where the Hawk test results were cleared during Scan Policy optimization
- Fixed an issue where Invicti was mistakenly making requests to Excluded URLs even when they were JS or CSS files
- Fixed an issue where Ignored Parameters were not ignored while analyzing recurring parameters
- Fixed the incorrect Sitemap root node size for high DPI screens
- Fixed a bug in the XSS vulnerability confirmation where the name of the triggered JS function was incorrect
- Fixed an issue with code generation in the Custom Script dialog while the IDs of input elements contained username or password literals
- Fixed a NullReferenceException that was thrown from the Internal Proxy
- Fixed the problem of light toolbars displayed when the Dark Theme was configured
- Fixed the argument exception in the File menu
- Fixed the grammar error in the Trial License error message
- Fixed the auto start problem that occurred following installation
- Fixed the inconsistent state of the Start a New Website or Web Service Scan dialog where an unauthorized Scan Policy file exists
- Removed the ‘ps aux’ command from exploitation process
- Fixed an issue where the Invicti UI tabs were occasionally throwing exceptions
- Fixed a NullReferenceException that was caused during the handling of XHR requests in DOM simulation
- Fixed a comparison error that occurred when the Sitemap panel attempted to order its nodes
- Fixed an issue that occurred with the Exclude This Branch From Attack option that caused missing operations during authenticated scans
- Fixed the problem where previous session data was cleared during Form Authentication
- Fixed the problem of an empty file name in the LFI proof data
- Fixed the issue where the cloud settings dialog was displayed repeatedly on the Scan Import screen
- Fixed the Sitemap and Issues panel’s button paddings
- Fixed an issue where the error logs in the Swagger importer were displayed twice
- Fixed an issue in the Request Builder where the request method changed to POST while a PATH request was being edited
- Fixed an issue where cookies that were set in a JavaScript context were not being captured properly
- Fixed an issue where Invicti was occasionally conducting requests with stale cookie values
- Fixed the resetting of the Activity Viewer’s column sizes layout
- Fixed a persistence issue in the Invicti Assistant notifications
- Fixed the customization menu displayed in the Auto Send to Settings panel
- Fixed an issue where the attack payload was not carried out for some URL Rewrite attacks
- Fixed an Insecure HTTP use reported on a redirected response
- Fixed the activation of the Progress Panel displayed after the resumption of a scan
- Fixed an issue where the Authorization header was duplicated when it was provided via Imported Links
- Fixed the column sizes in the Request Builder
- Fixed a bug that occurred while parsing the favicon image source of the Target Website
- Fixed the issue where the default Content-Type was treated as text/html when no Content-Type was specified
- Fixed an issue that caused the Exclude by CSS Selector field to be cleared in the JavaScript section of the Scan Policy Editor dialog when loading preset values
- Fixed the grouped node’s count in the Sitemap panel
- Fixed the attack value that was not implemented correctly in RFI confirmation attacks
- Fixed the issue where the request identifier could not be detected due to invalid characters in the JSON value
- Fixed the GET icon that was displayed for POST requests in the Issues panel
- Fixed an issue where a confirmed vulnerability was removed because of Vulnerability Family checks
- Fixed an issue where an eval block was treated as a non-executable block in XSS confirmation
- Fixed an issue where some links were treated as the same when parameter-based navigation was configured
- Made the Progress panel’s percentage label more precise
- Fixed some character encoding problems in the Request Builder
- Fixed an exception that occurred when updating the Site Profile node in the Knowledge Base panel
- Updated the Send To Action template files in order to render vulnerability fields properly
- Fixed the grouped node filter issue in the Sitemap panel
- Fixed several stability issues with the browser engine
- Fixed a NullReferenceException in the Content Security Policy engine
- Fixed some Korean text
- Fixed the problem where the JavaScript settings tab scrollbar was not displaying properly in the Scan Policy Editor
- Fixed an issue where the Content-Type header was not always set properly for POST requests
- Fixed the Knowledge Base Viewer search issue where adding a space and clearing caused a loss of styles in the report
- Fixed a validation error in the Swagger Importer
- Fixed the bug where the XXE engine made a confirmation attack using the same payload
- Fixed an issue that caused a NullReferenceException to be thrown when a filter was applied on the Sitemap
- Fixed the problem where an obsolete column was deleted during migration of an old Report policy
- Fixed a typo in the WASC classification link
- Fixed the issue where the database username was being added incompletely to the Site Profile node of the Knowledge Base
- Fixed an issue where obsolete vulnerability types were listed in the Report Policy Editor
- Fixed setting OAuth2 label to unmodified state while using the default Scan Profile
- Fixed the problem where the user-agent was not set for requests when the user agent was forced in the Scan Policy Editor
- Fixed the issue where Request Builder columns were not resized correctly in high DPI environments
- Fixed the default height of the Browser View panel which caused inconsistent scrollbar behaviour
- Fixed the digit color in the HTTP Request/Response panel
- Fixed an issue that caused a NullReferenceException to be thrown when accessing the Identification node in the Sitemap
- Fixed an issue that prevented the Cookie Analyzer Engine settings from being reset
- Fixed a JavaScript exception that was thrown during the simulation of React websites
- Fixed an issue that caused the Target URL to also be scanned when a scan was configured for Imported Links only
- Fixed an issue that allowed duplicate headers in the Scan Policy Editor
- Fixed an issue where removed vulnerability types were still listed in the Vulnerability Profile Editor dialog
- Fixed the precedence values of Possible SSRF vulnerabilities
- Fixed the signature pattern of the IIS Version Disclosure template
- Fixed the culture-specific date format used in the Vulnerability List Report templates
- Fixed the custom report’s duplicate name extension problem
- Fixed an issue that caused vulnerabilities to be reported on 404 pages
- Fixed an issue that allowed invalid characters to be entered in the Target Website or Web Service URL field
- Fixed a KeyNotFoundException that was sometimes thrown when a request’s Content-Type was not set
- Fixed an issue concerning the auto-complete behaviour of the SQL Injection panel
- Fixed the issue where proof generation did not work correctly for redirected URLs in Boolean SQL Injection engine
- Fixed an issue where the SSL Checker engine stopped working when the user unchecked the ‘Do not differentiate HTTP and HTTPS protocols’ option in the Scope settings
- Fixed the problem where the SQL injection exploitation continued indefinitely
- Fixed the padding of dialogs where users are using the application within high DPI screens
- Fixed the default width of the Activity Viewer’s columns
- Fixed an issue where some engines were not working in Controlled Scan because some attacks are skipped due to Vulnerability Families
- Fixed an issue that prevented the Custom 404 Analyzer from detecting 404 pages
- Fixed an issue where the Invicti Assistant-generated Scan Policy file name was exceeding the length limit
- Fixed an Internal Proxy error caused by the PATCH method
- Fixed a NullReferenceException that was causing the Controlled Scan to continue indefinitely
- Fixed a confirmation bug in the SQL engine
- Fixed the problem caused when users were importing links with the authentication header by overriding the existing OAuth2 token
- Fixed an issue that caused an update error when multiple Invicti Standard instances were opened
- Fixed an issue where the selected policy showed Default Security Checks after restarting the scan via the Invicti Assistant
- Fixed an issue in the CSRF engine where non-hidden inputs could be treated as anti CSRF tokens
- Fixed a duplicate link creation issue in the Report Policy editor when you update and save the remedy section
- Fixed the problem that occurred while sending hidden vulnerabilities via the Auto Send To feature
- Fixed the failure of the Auto Send To feature that occurred when the Send To Action values had been changed
- Fixed the width of Activity Viewer columns for high DPI screens
- Fixed the setting of the OAuth2 token name while using a fixed token type
- Fixed the setting of the OAuth2 token to override empty authentication headers while importing links
- Fixed an issue where empty headers were added to requests imported from Postman
- Fixed the problem of the hanging progress bar that occurred during scanning
- Fixed an issue where a request with an empty body was treated as a JSON request
- Fixed an issue where an XSS vulnerability was reported inside of non-executable HTML tags
- Fixed an issue where the scan folder was deleted after deleting a scan from the Local Scans folder
- Fixed a NullReferenceException that was thrown when running a Controlled Scan after importing a scan file
- Fixed a bug where a Link not Selected error was shown, even though it was selected in the Controlled Scan panel
- Fixed an issue where Invicti was missing passive vulnerability checks for endpoints that occurred as XmlHttpRequests
- Fixed a bug where Controlled Scans could not be started for the selected nodes
- Fixed an issue that caused an ArgumentException to be thrown when activating a license
- Fixed the button height in the Controlled Scan panel to remove an empty area
- Fixed the problem where the OAuth2 refresh token timer stopped after a scan was finished
- Fixed an issue that caused a PathTooLongException when checking the effective scope in the Start New Scan dialog
- Fixed the newline in the Regex Pattern of SVN disclosures
- Fixed an issue where the URL Rewrite settings panel was not highlighted when a setting had been changed
- Fixed the issue where the Controlled Scan was stuck when the scan state had been paused
- Fixed the status of the taskbar icon following the end of a Retest scan
- Resource Finder activities will now be stopped faster when the scan is paused
- Fixed a bug that occurred during the parsing of the refresh token of Implicit OAuth2 flow’s response
- Fixed the problem where it was impossible to get a new OAuth2 token if refresh token was not set
- Fixed the problem that occurred when navigating the Sitemap and Knowledge Base nodes with the keyboard
- Disabled the Save option in the Default profile in the Start New Website or Web Service Scan dialog
- Fixed a bug that occurred when setting the Scan Profile before testing OAuth2 credentials
- Fixed an issue where no warnings were displayed when Basic/NTLM authentication settings were left empty
- Fixed the Vulnerability Severity Level order in the Report Policy Editor’s context menu
- Fixed the Best Practice severity level’s caption in the Report Policy Editor’s context menu
- Fixed the Vulnerability Severity Level’s order in the profile list in the Report Policy Editor dialog
- Fixed an ArgumentNullException that was thrown when the F9 key was pressed
- Fixed an issue that caused an invalid file name error in the Save Report dialog
- Fixed the issue where a Base64 value could not be decoded due to an invalid length in the Encoder panel
- Fixed the proxy authentication problem in manual crawling when a custom proxy is configured
- Fixed an issue to prevent the ampersand character from being encoded in an XML attack
- Fixed the Azure DevOps Send To Action to enable it to send vulnerabilities to the TFS
- Fixed an issue where the attack parameter was not shown for some vulnerabilities in the Detailed Scan Report
- Fixed an issue where redundant logs were written for enforced Basic Authentication setting
- Fixed the issue where auto-complete enabled was not reported when there was only one password input
- Fixed the issue where auto-complete was treated as enabled when the attribute value was ‘new-password’
- Fixed the problem where multiple OAuth2 refresh token requests were sent while refreshing tokens
- Fixed the stale activities still remaining on the list at the end of the scan
- Fixed the broken order function of External References in the Report Policy Editor
- Fixed an unhandled UnauthorizedAccessException that was occasionally thrown while closing the Form Authentication Custom Script dialog
- Fixed the issue where some special XML chars were encoded when the parameter was already encoded
09 Jul 2019
FIXES
- Fixed a bug where HTTPS endpoints might not be crawled properly upon a navigation action during DOM simulation
- Fixed a bug with Manual Crawl mode where the execution might stop after the initial crawling phase ends
- Fixed an issue where form authentication might fail to execute in some React websites
- Fixed an issue where the process may crash due to a NullReferenceException
02 Jul 2019
IMPROVEMENT
- Improved stability of scan by dynamically adjusting the thread count according to system resources
FIXES
- Fixed high CPU usage caused by connectivity issues that were occurring during a scan
- Fixed the issue where Referrer Policy Not Implemented was being reported for redirect responses
- Fixed the issue where CSP Not Implemented was being reported for redirect responses
- Fixed the issue where Missing X-XSS Protection was being reported for redirect responses
- Fixed the issue where Missing X-Frame-Options Header was being reported for redirect responses
- Fixed a bug where cookies were reported as not secure in authenticated scans
- Fixed an automatic Logout Detection issue during form authentication verification, where the login required URL was requested with an HTTP POST method
- Fixed clearing internal web browser’s cache while executing authentication process
- Fixed the broken Crawled and Scanned URLs List (JSON) Report Templates
- Fixed the incorrect error message that was displayed while generating a Comparison Report with no selected scan files
- Fixed the Browser View that stayed open when a non-HTML response was selected
- Fixed the incorrect severity colors on Comparison Reports
- Fixed an issue where some of the toolbar items were not displayed on the Sitemap and Issues panels
- Fixed the broken ModSecurity WAF Rules Report Template
- Fixed a time-based security check issue that occurred when the target web server was not accessible
- Fixed the bug in the Issues panel where the number of vulnerabilities displayed next to the severity group node was incorrect
- Fixed the incorrect send to icon size on high DPI screens
- Fixed an issue where the browser viewer could not show content when the content type of the request was text/html
- Fixed an issue where React controlled fields may not be updated during Form Authentication
- Fixed an issue where Invicti Enterprise options were displayed while trying to import a scan file in the backstage view
- Fixed a bug in the Issues panel where a group node was shown as ignored when a child node was ignored
- Fixed an issue in the Sitemap tree where the number of nodes was reported incorrectly when it was grouped
- Fixed an InvalidCastException thrown while browsing a response
15 May 2019
IMPROVEMENT
- Improved Source Code Disclosure (ColdFusion) attack pattern
FIXES
- Fixed multiple logout detection popups being unnecessarily shown
- Fixed an issue that was causing Scheduled Scans to run slower than regular scans
- Fixed an issue where redundant scan folders are created when scans are auto saved
- Fixed a performance issue caused in scans with an excessive amount of captured links
- Fixed a NullReferenceException thrown by Expect CT security checks
- Fixed an ArgumentNullException thrown by Expect CT security checks
- Fixed a NullReferenceException thrown by Sitemap tree
- Fixed the broken paddings on RFI knowledgebase proof representation of tasklist command
08 May 2019
FIXES
- Fixed an InvalidOperationException thrown from several operations during scan
- Fixed the incorrect favicon rendered on Sitemap tree
08 May 2019
FIX
- Fixed a NullReferenceException thrown when a vulnerability variation is ignored from Issues tree