11 May 2018
FEATURES Netsparker Enterprise integration: ability to import and export scans between the scanners. New user interface with new skin and improved usability. Smart Card authentication support. Attack Radar panel that shows detailed attacking progress of security checks. Added the OWASP 2017 Top Ten classifications report template. Added Server-Side Template Injection (SSTI) vulnerability checks. SECURITY CHECKS …
FEATURES
- Netsparker Enterprise integration: ability to import and export scans between the scanners.
- New user interface with new skin and improved usability.
- Smart Card authentication support.
- Attack Radar panel that shows detailed attacking progress of security checks.
- Added the OWASP 2017 Top Ten classifications report template.
- Added Server-Side Template Injection (SSTI) vulnerability checks.
SECURITY CHECKS
- Expect-CT security checks.
- Added various new web applications in the application version database.
- Added out of date checks for Hammer.JS, Phaser, Chart.js, Ramda, reveal.js, Fabric.js, Semantic UI, Leaflet, Foundation, three.js, PDF.js, Polymer.
IMPROVEMENTS
- Crawler can now parse multiple sitemaps in a robots.txt file.
- Improved the representation of POST, JSON and XML parameters on sitemap.
- Added support for opening links in all web browsers installed on the computer.
- Improved high DPI support.
- Improved sorting on Issues panel.
- New Extensions scan policy settings to specify which extensions should be crawled and attacked.
- Added activity status text for XSS and Open Redirect confirmation phases.
- Added target link address to status bar on vulnerability descriptions.
- Added “Import from Scan Session” option to populate form values based on an existing scan.
- Added support for parsing swagger documents in yaml format.
- Added Open Redirect and XSS confirmation timeout settings.
- Added support for parsing relative meta refresh URLs.
- Moved Knowledge base items to own panel.
- Improved the vulnerability summary section of Detailed Scan Report.
- Added “Copy to Clipboard” link to unmatched URL rewrite rules table within URL Rewrite knowledge base.
- Improved the usability of User Agent scan policy settings.
- Favicon of the target website shown to sitemap tree.
- Search capability in the Knowledge base details.
- Improved parsing of websites using React framework.
- Content-Security-Policy-Report-Only header is not reported as an interesting header.
- Added support for sending text to Encoder panel from other panels in the application.
- Added save report button to Knowledge base.
- Added “Ignore Authentication” option to Request builder.
- Added a hotkey to “Ignore from This Scan” menu.
- Added “Force User Agent” setting to force the selected User Agent value on scan policy.
- Added support for Postman v2.1 version.
- Scan logs in Logs panel are now saved along with scan file.
- Added an extra consistency check to ROBOT attacks.
- Added scan policy settings to include/exclude certain cookie names from Cookie security checks.
- Improved the “Interesting Header” list support.
- Added anti-CSRF token support for Blind SQL Injection exploitation.
- Removed BOM from JSON and XML report templates.
- Improved the numbers reported on dashboard.
- Added summary table to several reports.
- Variations are retested before starting an incremental scan.
- Improved JavaScript content check performance while detecting out of date checks.
- Added multi-thread support to Controlled Scan.
- Added anti-CSRF token support for tokens in request headers, meta tags, manual crawling and imported links.
- Added command line auto update option.
- Renamed FogBugz send to action to its new name Manuscript.
- Testing Send To actions now creates issues on target systems.
- GitHub Send to action now works with organization accounts and private repositories.
- Scan Policy and Report Policy editor dialogs remember their locations and sizes.
- Added support for handling HTTP 307 redirects.
- DS_STORE files are discovered and parsed.
- Improved MySQL double encoded string attacks.
FIXES
- Fixed scheduled scans to prevent incorrect settings to be saved.
- Fixed the overflow issue of “Maximum 404 Signatures” scan policy setting.
- Fixed the unsaved Disallowed HTTP Methods issue for scan profiles.
- Fixed some possible vulnerabilities missing [Possible] indicator in title.
- Fixed the exception that occurs when importing scan file because the path has invalid chars.
- Fixed an ArgumentOutOfRangeException occurs when the back button clicked on the Scan Policy Optimizer.
- Fixed the incorrect “Exclude Branch” icon.
- Fixed the missing Host header issue on Request Builder.
- Fixed the issue where header enabled and disabled states are not preserved in Postman v2 files.
- Fixed the issue where the selected vulnerability is not being recognized while performing a retest.
- Fixed the issue where all variations are removed from Issues panel if a parent vulnerability is removed.
- Fixed the issue where parent vulnerability is striked out in sitemap when a variation is fixed after retest.
- Fixed the issue where some vulnerabilities that are not fixed comes up as fixed after retest.
- Fixed highlighting problem for “Password Transmitted over HTTP” vulnerability.
- Fixed the incorrect Possible LFI caused by the persisted OOB RCE pattern on the page response.
- Fixed incorrect “[Possible] WS_FTP Log File Detected” vulnerability.
- Fixed the issue where a variation node is not added to the Issues panel.
- Fixed incorrect average speed calculation on Detailed Scan Report.
- Fixed some issues in Incremental Scan and Controlled Scan where some vulnerabilities are reported as fixed while they still exist.
- Fixed the issue where same post parameters appears twice in the request builder form.
- Fixed Hawk validation error by not following redirects.
- Fixed the issue where a vulnerability is not reported when the cookie contains a CSRF token.
- Fixed the issue where static detection vulnerabilities are treated as fixed after a retest even though they are not.
- Fixed the issue where CSRF token in the cookie is not reported when token is in the form action.
- Fixed the issue on GitHub send to action where the test passed but vulnerability issue cannot be created.
- Fixed the SSL check hang on HTTP only hosts.
- Fixed LFI engine by not analyzing source code disclosure on binary responses.
- Fixed a validation issue for some Swagger documents.
- Fixed the issue where CSP keywords are not reported when used without single quotes.
- Fixed mailto: and javascript: links which were incorrectly reported as mixed content.
- Fixed the issue where cookie header in raw request not added to the sqlmap command.
- Fixed the issue where crawler keeps trying to crawl target URL when clicked Retry if there is a connection failure.
- Fixed incorrect source code disclosures reported in binary responses.
- Fixed incorrect UNC Server And Share Disclosure vulnerability reports.
- Fixed out of date version reporting behavior when no ordinal is found in version database.
- Fixed Lighttpd version disclosure detection signatures.
- Fixed a Swagger parsing issue.
- Fixed broken proxy chaining in manual crawl mode.
23 Apr 2018
FIX Fixed a security vulnerability in form authentication verification.
FIX
- Fixed a security vulnerability in form authentication verification.
08 Mar 2018
IMPROVEMENTS Added support for importing Postman v2.1 files. Added certificate extension aliases support to Client Certificate Authentication. FIXES Fixed certificates not listing in the client certificates dropdown list issue. Fixed Invicti Hawk validation issue.
IMPROVEMENTS
- Added support for importing Postman v2.1 files.
- Added certificate extension aliases support to Client Certificate Authentication.
FIXES
- Fixed certificates not listing in the client certificates dropdown list issue.
- Fixed Invicti Hawk validation issue.
02 Feb 2018
IMPROVEMENTS Added a new report template – Detailed Vulnerabilities List in XML. Optimized ROBOT attack check performance. Improved React Controlled Field coverage in form authentication custom scripts. FIXES Fixed the non-rendered web page on form authentication verification dialog, due to malformed Content-Type header. Fixed the disabled Retest menu item for vulnerabilities on Issues tree.
IMPROVEMENTS
- Added a new report template – Detailed Vulnerabilities List in XML.
- Optimized ROBOT attack check performance.
- Improved React Controlled Field coverage in form authentication custom scripts.
FIXES
- Fixed the non-rendered web page on form authentication verification dialog, due to malformed Content-Type header.
- Fixed the disabled Retest menu item for vulnerabilities on Issues tree.
28 Dec 2017
FIXES Fixed perhost certificate generation issue which renders manual crawling unusable. Fixed an ArgumentNullException thrown from DOM simulation.
FIXES
- Fixed perhost certificate generation issue which renders manual crawling unusable.
- Fixed an ArgumentNullException thrown from DOM simulation.
22 Dec 2017
NEW SECURITY CHECK Added security check for “The ROBOT Attack” vulnerability. IMPROVEMENTS Improved performance of huge JavaScript file parsing. Improved custom form authentication scripting support for pages using React JavaScript framework.
NEW SECURITY CHECK
- Added security check for “The ROBOT Attack” vulnerability.
IMPROVEMENTS
- Improved performance of huge JavaScript file parsing.
- Improved custom form authentication scripting support for pages using React JavaScript framework.
15 Dec 2017
NEW FEATURE Added JavaScript timeout settings for Open Redirect and XSS confirmation in Scan Policy. IMPROVEMENT Improved the parsing of large JavaScript files. FIXES Fixed the empty target URL text box on start new scan window on initial load. Fixed the hang issue caused by popup windows during form authentication. Fixed the exception that occurs …
NEW FEATURE
- Added JavaScript timeout settings for Open Redirect and XSS confirmation in Scan Policy.
IMPROVEMENT
- Improved the parsing of large JavaScript files.
FIXES
- Fixed the empty target URL text box on start new scan window on initial load.
- Fixed the hang issue caused by popup windows during form authentication.
- Fixed the exception that occurs when root directory node is excluded in sitemap.
- Fixed an exception thrown while shutting down the application.
- Fixed a NullReferenceException occurs while trying to parse compressed sitemap files.
- Fixed a serialization exception issue occurs while trying to load older scan files.
- Fixed the broken tooltip message on Custom Form Authentication Script dialog.
- Fixed the exception that occurs when importing scan file because the path has invalid chars.
- Fixed duplicate activities displayed while analyzing crawled pages.
24 Nov 2017
NEW FEATURES Users can now preconfigure local/session web storage data for a website. Added a new send to action to send e-mails. Added HTTP Header Authentication settings to add request HTTP Headers with authentication information. Added CSV file link importer. Parsing of form values from a specified URL. Added custom root certificate support for manual …
NEW FEATURES
- Users can now preconfigure local/session web storage data for a website.
- Added a new send to action to send e-mails.
- Added HTTP Header Authentication settings to add request HTTP Headers with authentication information.
- Added CSV file link importer.
- Parsing of form values from a specified URL.
- Added custom root certificate support for manual crawling.
- Added gzipped sitemap parsing support.
NEW SECURITY CHECKS
- Added reflected “Code Evaluation (Apache Struts 2)” security check (CVE-2017-12611).
- Added “Remote Code Execution in Apache Struts” security check. (CVE-2017-5638).
IMPROVEMENTS
- Renamed “Important” severity name to “High”.
- Updated external references for several vulnerabilities.
- Improved default Form Values settings.
- Improved scan stability and performance.
- Added Form Authentication performance data to Scan Performance knowledgebase node.
- Added “Run only when user is logged on” option to the scan scheduling.
- Added a warning before the scan starting if there are out of scope links in imported links.
- Improved Active Mixed Content vulnerability description.
- Improved DOM simulation for events attached to document object.
- Added “Alternates”, “Content-Location” and “Refresh” response header parsing.
- Removed “Disable IE ESC” requirement on Windows server operating systems.
- Improved Content Security Policy (CSP) engine performance by checking CSP Nonce value per directory.
- Changed sqlmap payloads to start with sqlmap.py, including the .py extension.
- Added –batch argument to sqlmap payloads.
- Removed Markdown Injection XSS attack payloads.
- Filtered out irrelevant certificates generated by Invicti from client certificate selection dropdown on Client Certificate Authentication settings.
- Added highlighting for detected out of date JavaScript libraries.
- Added ALL parameter type option to the Ignored Parameters settings.
- Added gtm.js (Google Tag Manager JS library) to the default excluded scope patterns.
- Added an option to export only PDF reports without HTML.
- Added -nohtml argument to CLI to create only pdf reports.
- Updated the Accept header value for default scan policy.
- Added CSS exclusion selector supports frames and iframes.
- Added embedded space parsing for JavaScript code in HTML attribute values.
- Added scan start time information to the dashboard.
- Skip Phase button is disabled if the phase cannot be skipped.
- Added validation messages for invalid entries on start new scan dialog sections.
- Added parsing source information to Scanned URLs List and Crawled URLs List (JSON) reports.
- Added highlight support for password transmitted over HTTP vulnerabilities.
- Email disclosure will not be reported for email address used in form authentication credentials.
- Added focus and blur event simulation for form authentication set value API calls.
- Uninstaller now checks for any running instances.
- Internal proxy now serves the certificate used through HTTP echo page.
- Added spell checker for Report Policy Editor.
- Added an error page if any internal proxy exception occurs.
- Added more information about the HTML form and input for vulnerabilities found on HTML forms.
- Added a JavaScript option to specify JavaScript cookies to persist across authentication and DOM simulation.
- Extensions on the URLs are handled by the custom URL rewrite rule wizard.
- Added Parameter Value column to Vulnerabilities List CSV report.
- Added match by HTML element id for form values.
- Added “Ignore document events” to JavaScript settings to ignore triggering events attached to document object.
- Improved Windows Short Filename vulnerability details Remedy section.
- Improved scan policy security check filtering by supporting short names of security checks.
- Improved Burp file import dialog by removing the file extension filter.
- Improved table column widths on several reports.
- Updated default User-Agent HTTP request header string.
- URL Rewrite parameters are now represented as asterisks in sqlmap payloads.
FIXES
- Fixed the InvalidOperationException on application exit.
- Fixed CSRF vulnerability reporting on change password forms.
- Fixed Email Disclosure highlight issue where only the first email address is highlighted when there are multiple email addresses on the page.
- Fixed case sensitivity checks while matching ignored parameters, now it matches case sensitive.
- Fixed the incorrect progress bar value displayed when a scan is imported.
- Fixed the incorrect disabled external references section in WordPress Setup Configuration File template.
- Fixed up/down movement issue on Form Values when multiple rows are selected.
- Fixed various source code disclosure issues.
- Fixed an escaping issue with CSS exclusion selectors.
- Fixed the issue where the basic authentication credentials are not being sent on logout detection phase.
- Fixed a NullReferenceException when an invalid raw request is entered in request builder.
- Fixed HTTP Request Builder where it does not set request method to POST if the selected method is PUT.
- Fixed the issue where the response URL is displayed in the vulnerability details.
- Fixed the issue where some links were not excluded from scan from sitemap.
- Fixed enabled security check group with all security checks within are disabled.
- Fixed a random DOM simulation exception occurs when site creates popup windows.
- Fixed a RemotingException occurs on Form Authentication Verifier.
- Fixed a possible NullReferenceException on Form Authentication.
- Fixed the message dialog windows displayed by the 3rd party component on Form Authentication Verification.
- Fixed the broken form authentication custom script when the last line of the script is a single line comment.
- Fixed certificate search in store by subject name returns matches without exact subject names.
- Fixed ESC key handling on message dialogs.
- Fixed huge parameter value deserialization memory usage.
- Fixed an issue with Load New License occurs when the source and destination license files are same.
- Fixed the issue where the parsing source is set to Unspecified for links found by resource finder in reports.
- Fixed the incorrect sitemap representation of excluded nodes when a scan is imported.
- Fixed the wrong URLs added with only extension values.
- Fixed the logout detection portion of form authentication verification where it was not using the configured proxy.
- Fixed the message overflow issue in the out of scope link warning dialog.
- Fixed a NullReferenceException which may be thrown while importing a swagger file.
- Fixed the incorrect Skip Current Phase button state when scan phase is changed
- Fixed internal proxy throwing when certain browsers do not send the full URL with the initial request.
- Fixed an issue in which the form authentication is not being triggered on retest.
- Fixed StackOverflowException in swagger parser thrown while parsing objects containing circular references.
- Fixed a swagger file parsing issue where target URL should be used when host field is missing.
- Fixed swagger importer by ignoring any metadata properties.
- Fixed the empty request/response displayed for some sitemap nodes with 404 response.
- Fixed the autocomplete issue in Content-Type header in Request builder
- Fixed a NullReferenceException occurs during DOM simulation.
- Fixed the incorrect URLs parsed on attack responses.
- Fixed the redundant duplicate HTTP requests issued by Web App Fingerprinter.
- Fixed show/hide issue for Dashboard and Sitemap panels.
- Fixed the issue where Retest All button disappears after a Retest.
- Fixed the issue where the dollar sign in imported URL is encoded after scan.
- Fixed the empty request/response header issue for links discovered during attacking.
- Fixed ignore parameter issue for parameters containing special characters.
- Fixed a NullReferenceException that occurs for select elements missing option elements on multipart requests.
- Fixed missing vulnerabilities requiring late confirmation for incremental scans.
- Fixed a NullReferenceException may occur on iframe security checks.
- Fixed the exception that occurs while adding duplicate POST parameters with the same name in Request builder.
21 Nov 2017
NEW SECURITY CHECK Added more Command Injection and Blind Command Injection patterns for Windows systems.
NEW SECURITY CHECK
- Added more Command Injection and Blind Command Injection patterns for Windows systems.
11 Oct 2017
IMPROVEMENT Updated vulnerability database to latest version.
IMPROVEMENT
- Updated vulnerability database to latest version.
09 Oct 2017
FIX Fixed the incorrect percentage encoding on Detailed Scan Report template.
FIX
- Fixed the incorrect percentage encoding on Detailed Scan Report template.
06 Oct 2017
NEW SECURITY CHECK Added “Out of Band Code Evaluation (Apache Struts 2)” security check (CVE-2017-12611). IMPROVEMENTS Improved the stability of DOM and JavaScript simulation. Improved report templates.
NEW SECURITY CHECK
- Added “Out of Band Code Evaluation (Apache Struts 2)” security check (CVE-2017-12611).
IMPROVEMENTS
- Improved the stability of DOM and JavaScript simulation.
- Improved report templates.