Invicti Standard

FIXES

• Fixed an InvalidOperationException thrown when application is forced to close during computer shutdown
• Fixed the clipboard format of Knowledgebase URL Rewrite List item
• Fixed a race condition that causes an ArgumentOutOfRangeException when rate limiting option is used

IMPROVEMENTS

• Added proof generation and Get Shell support for Code Evaluation (ASP) vulnerability
• Added Retest support for several cookie vulnerabilities
• Moved the target URL to the first position on Site Profile Knowledgebase

FIXES

• Fixed the Retest All button also retests the issues on additional web sites too
• Fixed the popup hide issue on custom form authentication script dialog
• Fixed a few unexpected NullReferenceException issues
• Fixed the broken arrow key navigation on Sitemap and Issues panels
• Fixed the incorrect vulnerability count reported on Issues panel tree groups
• Fixed the representation of fixed vulnerability on Issues panel
• Fixed the incorrect duplicate export dialog shown when trying to import a scan from cloud
• Fixed the issue where Issues panel were not being refreshed when retest is finished
• Fixed the initial panel shown by changing it from Progress panel to Activity panel
• Fixed the process cannot access the file issue while updating VDB
• Fixed a bug in cookie handling code during form authentication
• Fixed the incorrect severity reported for Cookie not Marked as Secure vulnerability on some scans
• Fixed an ArgumentOutOfRangeException thrown on some long scans
• Fixed an InvalidOperationException thrown while closing the application
• Fixed the incorrect Filter menu state on Sitemap panel

NEW FEATURES

• Rewrote Sitemap and Issues trees which improves the performance and adds features like filtering, grouping, sorting and searching.
• Added vulnerability families feature where similar types of vulnerabilities are not reported separately
• Added support for Swagger 3 / OpenAPI link import
• Added support for 64-bit smart card drivers for authentication
• Added GitLab Send To integration
• Added Bitbucket Send To integration
• Added Unfuddle Send To integration
• Added Zapier Send To integration
• Added Azure DevOps Send To integration
• Added support for importing links from IOdocs file format
• Added automatic upload to Invicti Enterprise option
• Added copy to clipboard buttons to request and response viewers
• Added a new Knowledge Base item for Not Found pages
• Added a hex view for binary responses in reports
• Added options to switch Scan Profile, Scan Policy and Report Policy for the current scan
• Added Uncheck by Severity context menu item to the Report Policy editor
• Added ISO 27001 vulnerability classifications and report template
• Added raw value support for Send To custom fields
• Added option to report variations of vulnerabilities

NEW SECURITY CHECKS

• Added a new pattern for CherryPy Version Disclosure
• Added an LFI attack pattern for WEB-INF/web.xml
• Added Ruby Error Disclosure detection
• Added WP Engine Configuration File detection
• Added CherryPy Stack Trace Disclosure detection
• Added Intro.js out-of-date version detection
• Added Axios out-of-date version detection
• Added Fingerprintjs2 out-of-date version detection
• Added XRegExp out-of-date version detection
• Added DataTables out-of-date version detection
• Added Lazy.js out-of-date version detection
• Added FancyBox out-of-date version detection
• Added Underscore.js out-of-date version detection
• Added Lightbox out-of-date version detection
• Added JBoss application server out-of-date version detection
• Added SweetAlert2 out-of-date version detection
• Added Lodash out-of-date version detection
• Added Bluebird out-of-date version detection
• Added Polymer out-of-date version detection

IMPROVEMENT

• Separated the Scan Activity panel and Progress chart into their own dock panels below
• Added a button to the Reporting tab for creating new Custom Report Templates
• Improved Knowledge Base item updates to prevent unexpected scrolling to the top of the screen
• Ordered several Knowledge Base items alphabetically
• Concurrent Connection count of imported scans can be modified
• Changed default Issue type to Story in JIRA Send To integration
• Changed CallerId field to optional in ServiceNow Send To integration
• Added PHP extension attack for Nginx vulnerability to File Upload engine
• Added File Upload patterns for Nginx parsing vulnerability
• Added settings to File Upload engine for configuring upload folders
• Added errorlog.axd detection support
• Improved elmah.axd detection
• The severity of the Cookie Not Marked as Secure vulnerability was lowered for non-session cookies
• Improved SSTI PHP Smarty attack detection
• Retest All can now be started when the scan is paused
• Improved the Swagger link importer to handle additional properties with integer and string value types
• Improved the Expect-CT engine by only reporting a vulnerability once for each host
• Improved RSA key confirmation by handling OpenPGP format
• Added a Statistics tab to the HTTP response viewer
• Increased the HSTS Not Enabled vulnerability severity from Information to Low
• Improved HTTP 407 proxy authentication error handling
• Improved missing license handling for non-interactive Windows sessions
• Controlled scan is now cancelled when a new scan is imported
• Added classifications to the HSTS Not Enabled vulnerability
• Excluded unpopular JavaScript Library Out of Date checks from the default policy to improve performance
• Improved the user experience of suggestions in the Scan Policy Optimizer when navigating back and forward in the wizard
• New certificate imported for Client Certificate Authentication is automatically selected
• Improved JSON request/response viewer performance for large documents
• Spaces in URLs of vulnerabilities are encoded in the vulnerability viewer
• Improved CSP security checks by analyzing empty responses, as CSP can be declared on headers instead of meta tags
• Generalized the RegEx Pattern of the trace.axd detected vulnerability to match all languages
• Updated HTTP response data of vulnerabilities after retest
• Scan Policy Optimizer now respects the security engine and pattern selections of the base policy
• Improved JSON format detection
• Replaced Unicode replacement characters with question marks in responses
• Added a Scan Policy option to attack cookies
• Improved element click DOM simulation for various element types
• SRI Not Implemented will no longer be reported for localhost URLs
• Improved ASP.NET error message detection
• Added descriptions to PCI categories in the PCI Compliance Report
• Improved Boolean SQL Injection detection
• Improved the Blind Command Injection attack patterns
• Improved the representation of Report Template compilation errors
• Removed the dependency of Object Model Installer for using TFS Send To integration
• Improved the language used in Retest and Controlled Scan results
• Focused policies are now set to the currently used ones in Scan Policy Editor and Report Policy Editor
• Misconfigured X-Frame-Options Header is now reported separately
• Improved source code disclosure checks to prevent reporting JavaScript template pages
• The link to a created Issue is now displayed on the status bar after sending a vulnerability to an integration
• Status code, status description and content length information have been added to the Slowest Pages knowledge base node
• Retest activities are marked on the Scan Activity panel
• Added the list of failed vulnerabilities to retest results dialog
• Improved WADL document parsing by ignoring DTDs
• Improved Open Redirect DOM based confirmation performance
• Long identified source code is shortened in Possible Source Code Disclosure vulnerabilities
• Cookie vulnerabilities report where the cookie is set from
• Improved the multi-line representation of LFI Exploitation data
• Removed the redundant scan save confirmation dialog displayed when closing the app
• Improved Swagger Document Format detection
• Options dialog now remembers its location and size
• File upload engine now detects new links in the response after the file is uploaded

FIXES

• Fixed double URL encoding problem in various Report Templates
• Fixed parsing issue that occurs when the upload folder contains a slash
• Fixed the issue where authentication does not work when retesting
• Fixed an exception thrown prior to scan when the language is set to Korean
• Fixed the incorrect license holder name displayed on application title
• Fixed a controlled scan issue where it fails if the connection check response status code is not 200 (OK)
• Fixed Jira send to custom field values by HTML encoding them
• Fixed double HTML encoding problem in TFS Send To template
• Fixed the issue where the connection error is displayed during a controlled scan when the response status code is not 200 (OK)
• Fixed a NullReferenceException thrown when a link label is clicked in a dialog
• Fixed display of Post Scan ribbon group’s caption text
• Fixed the issue where the Swagger importer generates an invalid JSON request body
• Fixed the ArgumentException thrown while performing Heartbleed security checks
• Fixed visibility of fixed vulnerabilities in Report Templates
• Fixed the issue where the wrong version was identified for Drupal
• Fixed the UriFormatException thrown during SSRF (Hawk) URI validation
• Fixed a disallowed HTTP method issue where some methods were still being allowed
• Fixed a typo in the CSP Not Implemented vulnerability details
• Fixed the issue where SRI Not Implemented URLs were not properly highlighted in the source code
• Fixed an InvalidCastException thrown while loading the panel layout
• Fixed a Form Authentication issue that occured on some React-based websites
• Fixed the issue where the old scan’s activities continued even when another scan was imported while performing a Retest All
• Fixed a NullReferenceException thrown in Retest
• Fixed signature detection for links found via the crawler
• Fixed an issue in CSP engine where it reported an incorrect vulnerability
• Fixed an URL encoding issue in DOM simulation that was causing some vulnerabilities to be missed
• Fixed the issue where the text parser incorrectly parsed extensions in the onclick event
• Fixed the incorrect Retest Fail dialog in the InternalServerError vulnerability
• Fixed the URL decoding issue when the URL was copied in the Issues panel
• Fixed the comments that were injected via Invicti attacks reported in the Knowledge Base Comment node
• Fixed duplicate parsing source field values reported for IFrame vulnerabilities
• Fixed a corrupted PDF report
• Fixed an issue where Apache MultiViews could not be detected in the target server
• Fixed the incorrect Cookie Expire Date set during Form Authentication
• Fixed the incorrect Source Code Disclosure report caused by SSTI attacks
• Fixed a Content-Type parsing issue in Form Authentication
• Fixed the issue where cookies received via Form Authentication were not being analyzed for vulnerabilities
• Fixed the NullReferenceException thrown by the Request Builder if there were no scans open
• Fixed the incorrect Source Code Disclosure reported when an XSS via RFI vulnerability was found
• Fixed an Out of Memory issue that occurred while trying to view a large document

IMPROVEMENT

• Improves licensing diagnostics mode

FIXES

• Fixed parsing issue in Swagger Importer that occurs while importing Swagger files in YAML format
• Fixed an issue that causes Invicti to fail to add certain pages to the sitemap when using the Manual Crawling

FIXES

• Fixed the issues on computers where FIPS compliancy is required
• Fixed the incorrect button positions on Website Checker dialog displayed during license activation

IMPROVEMENT

• Improved the list of resources discovered by the resource finder.

FIXES

• Fixed an issue that caused legacy trial license activation failure.
• Fixed a FormatException thrown when a scan was started using a trial license.
• Fixed an issue where when frame vulnerabilities were detected via DOM, it was not possible to locate the source code.
• Fixed an XPathException caused by an input node with special characters.
• Fixed an exception thrown by the report policy editor when an unbalanced parenthesis was entered into the vulnerability type search box.
• Fixed a NullReferenceException thrown by the DOM parser component.
• Fixed the problem where manually crawled pages were not updated in the Sitemap.

NEW FEATURES

• Added Bulk Export to Cloud feature
• Added Scan Speed graph
• Added Send To integration support for ServiceNow
• Added custom field support for Send To fields
• Added an encoder for JavaScript fromCharCode format
• Added Go to Identification Page button to Go to Parent link of current selected link
• Added Russian FSTEC BDU Vulnerability Database numbers to version vulnerabilities

NEW SECURITY CHECKS

• Added Out of Band Server Side Template Injection security checks
• Added signature detection check for Caddy web server
• Added signature detection check for aah go server
• Added signature detection check for JBoss application server
• Added CakePHP framework detection
• Added CakePHP version disclosure detection
• Added CakePHP out-of-date version detection
• Added CakePHP Stack Trace Disclosure
• Added CakePHP default page detection
• Added Out of Date checks for CKEditor 5

IMPROVEMENTS

• Updated the licensing model
• Updated .NET Framework version requirement to 4.7.2.
• Improved the user interface by reducing the number of borders between panels
• Added more information to the window where Cloud integration is conducted
• Improved the design of vulnerability details
• Added a link to Cloud scan URL when a scan is exported to the Cloud
• Improved the list of resources found by the Resources Finder
• Added a button to start an incremental scan for a scan listed on File>Import>Local Scans
• Added Hawk configuration validation to the Scan Optimizer
• The state of vulnerability nodes are updated across the Sitemap and Issues trees when ignored or included in scan
• All authentication vulnerabilities (Basic, NTLM, Digest, etc. authorization required) are merged into single vulnerability
• Dialog locations and sizes are remembered each time you reopen Invicti
• Added Request Method column to the Vulnerabilities List CSV report
• Added vulnerability severity to email Send To action template
• Added URL validation to Target URL textbox in the Start a New Scan dialog
• Updated Vulnerabilities List CSV report template to display attack parameter only
• Added fine grained options to Resource Finder step of Scan Policy Optimization wizard
• A Summary dialog is displayed after the Controlled Scan informing users about whether new vulnerabilities have been found
• Added cookie analyzer checks for cookies added using JavaScript
• Added keyboard navigation support to navigation bar control in the Start a New Scan dialog
• Variation count is included in the total vulnerability count in Detailed Scan Report
• Improved LFI Exploitation panel usability
• Added tokenized deletion using Ctrl + Backspace to Target URL text box
• Variation count included in the total count in report templates
• Improved the error message displayed when the retest fails if Form Authentication fails
• Added Link Count to the Scan Summary dashboard
• Added not found Link Count to the Scan Summary dashboard
• Controlled scan shows the detected vulnerability count on parameters after it’s finished
• Improved the error message displayed when an incorrect command line argument is supplied
• Added Label field for JIRA Send To actions
• Added Tags field for Manuscript (FogBugz) Send To actions
• Added WorkItem Tags field for TFS Send To actions
• Added Disable Resource Finder button to the Scan Policy Editor
• Added a Max Fail limit to Retest All so it does not abort after one retest has failed
• Ignored vulnerabilities are excluded from Retest All
• Improved SQL Injection proof data by stripping HTML tags
• Controlled scan can be started for vulnerabilities that have no parameters
• Vulnerabilities confirmed at the end of the Scan are retested separately in Retest All
• Added Late Confirmation activity into Controlled Scans so the Scan progress can be observed
• Added Copy and Copy Value context menu items to Headers’ request and response viewers
• Improved automatic Form Authentication by performing several additional attempts when the Submit button is disabled
• Improved CSRF token detection in cookie values
• Improved the error details displayed when link import fails

FIXES

• Fixed the incorrect Content-Type header sent during Form Authentication requests
• Fixed the vulnerability viewer display issue when a vulnerability node on Sitemap is reselected.
• Fixed the incorrect badge drawn on the ribbon’s Quick Access Toolbar buttons
• Fixed the WAF rule generated for TRACE/TRACK HTTP methods which were also blocking the other HTTP methods
• Fixed the URL encoding issue for vulnerabilities which are sent to Manuscript (FogBugz)
• Fixed several usability issues on the Short File Names exploitation panel
• Fixed the error where the ExpectCT header was reported as an interesting header
• Fixed the Multiple File Open Dialog high DPI issues
• Fixed the Content-Type header parsing when there was an extra semicolon character at the end of the value
• Fixed the incorrect number on the Detailed Scan report template’s instance column
• Fixed patterns that weren’t enabled when Security Checks were enabled with the Check All command
• Fixed the issue that the Controlled Scan won’t start on a link node
• Fixed high DPI issues on Scan Policy Optimizer wizard
• Fixed the issue that the style of child nodes was not updated when the vulnerability was ignored
• Fixed the issues that a confirmed Permanent XSS vulnerability was not added to the Confirmed group on the Issues tree
• Fixed the report templates that included ignored vulnerabilities in statistics
• Fixed the incorrect response displayed for SSRF vulnerabilities when the request was redirected to another page
• Fixed several dock panel issues
• Fixed a NullReferenceException thrown when setting a custom user agent on a Scan Policy
• Fixed the Critical Vulnerability Count in report templates
• Fixed an incorrect external reference for the ViewState is not Encrypted vulnerability
• Fixed a highlighting issue for vulnerabilities that display multiple responses
• Fixed an incorrect possible LFI vulnerability when the response was redirected
• Fixed an incorrect Open Redirect vulnerability reported when a regular link was followed during DOM parsing
• Fixed an issue where some Sitemap nodes were not added to the tree until a New Scan was started
• Fixed the broken case sensitivity check for crawled links
• Fixed a smartcard driver issue that occured when the path contained space characters
• Fixed a FormatException that occurred while parsing cookies
• Fixed several incorrect Source Code Disclosure reports
• Fixed the issue where cookies that were set by JavaScript were not highlighted
• Fixed a JsonReaderException that occured while trying to parse a Swagger document
• Fixed an ObjectDisposedException thrown when a tooltip was closing
• Fixed an ArgumentOutOfRangeException thrown while generating reports
• Fixed a case sensitivity issue on the Sitemap tree where two nodes with same name but different cases were not added to the tree
• Fixed a double HTML encoding problem in the generated exploit template
• Fixed adding multiple empty rows to Additional Website settings
• Fixed parsing URLs with encoded chars
• Fixed the problem where scans could not be resumed when paused during the Recrawling phase
• Fixed hanging Open Redirect checks caused by binary responses
• Fixed double HTML encoding problem in the URL in the Detailed scan report template
• Fixed the DOM parser so that the Exclude by CSS Selector setting is saved and displayed correctly in the custom preset
• Fixed redundant Encode use in the report templates that caused double HTML encoding
• Fixed InvalidOperationException thrown when using Manual Crawling
• Fixes the error where the custom driver selection dialog was opening twice in the Import Smart Card Certificate dialog
• Fixed incorrect count of Proof List knowledge base
• Fixed the issue where XSS via RFI could not be detected with a certain payload
• Fixed the issue where the Scan skipped to the attacking phase after the Crawling phase was skipped when the Scan started in Crawl & Wait mode
• Fixed the issue where a Swagger YAML file could not be imported
• Fixed the usability issues of JavaScript preset selection on Scan Policies where entered values could not be deleted
• Fixed the vulnerabilities remaining from the previous scan on sitemap when an incremental scan has been started.
• Fixed the cookie jar which does not ignore the duplicated cookie based on first cookie’s HttpOnly flag
• Fixed the issue where the late confirmed vulnerability was not added to the Sitemap
• Fixed the error where the activity time was not being updated during the extra confirmation phase

FIXES

• Fixed an ArgumentException caused by an incorrect URL entered on Start New Scan dialog.
• Fixed an XmlException thrown while trying to restore UI layout.
• Fixed missing cookies on form authentication when they are set from JavaScript context.
• Fixed an ArgumentException thrown on Start New Scan dialog for Korean systems.
• Fixed the ArgumentOutOfRangeException that occurs when creating reports through CLI.
• Fixed CORS security check retest issue where old response data were being used.
• Fixed a UriFormatException caused by an incorrect cloud integration server URL.
• Fixes an ArgumentOutOfRangeException that occurs when a URL with backslash is entered on Start New Scan dialog.

UPDATE

• Updated the Reporting API documentation.

FIXES

• Fixed a DirectoryNotFoundException thrown while trying to restore layout.
• Fixed an InvalidOperationException thrown while performing confirmation at the end of a scan.
• Fixed a highlighting related exception when there are no matches in the source code.
• Fixed an ArgumentNullException caused by an empty form authentication persona list when the scan is imported from cloud.

FIXES

• Fixed an issue where custom report policies could not be updated to the latest version of security check templates.
• Fixed incorrect time and duration information of cloud scans.
• Fixed empty request/response issue for scans exported to cloud.
• Fixed the issue that the controlled scan won’t start for selected links on sitemap.

IMPROVEMENTS

• Improved confirmation on time-based attacks.

FIXES

• Fixed the percent encoding issue on Detailed Scan Report.
• Fixed the stale custom report template buttons which were removed from the disk.
• Fixed the InvalidOperationException caused by Expect CT IP endpoint highlighting.
• Fixed a NullReferenceException while generating sitemap tree.
• Fixed the incorrect numbers reported on vulnerability summary table of Detailed Scan Report.
• Fixed the selection issue on scan policy user agent settings.
• Fixed the FormatException when HTTP rate limits are set on a scan policy.

FIXES

• Fixed an issue where old scan files fail to import.
• Fixed Short File Names Exploiter by disabling it when other vulnerability types are selected.
• Fixed disabled UI where Cloud is not reachable.
• Fixed blocked UI during VDB update check.
• Fixed copying URL Rewrite rules in knowledgebase by copying RegExp patterns with place holder patterns.
• Fixed opening Scan Summary Dashboard when clicked root node from sitemap tree.
• Fixed hiding backstage when export file dialog is canceled.
• Fixed an incorrect encoded space character on Detailed Scan Report.
• Fixed overlapping icons of optimized scan policies on Start a New Scan Dialog.