Changelogs

Invicti Standard

21 Jun 2018

FIXES

  • Fixed an ArgumentException caused by an incorrect URL entered on Start New Scan dialog.
  • Fixed an XmlException thrown while trying to restore UI layout.
  • Fixed missing cookies on form authentication when they are set from JavaScript context.
  • Fixed an ArgumentException thrown on Start New Scan dialog for Korean systems.
  • Fixed the ArgumentOutOfRangeException that occurs when creating reports through CLI.
  • Fixed CORS security check retest issue where old response data were being used.
  • Fixed a UriFormatException caused by an incorrect cloud integration server URL.
  • Fixed an ArgumentOutOfRangeException that occurs when a URL with a backslash is entered on the Start New Scan dialog.

08 Jun 2018

UPDATE

  • Updated the Reporting API documentation.

FIXES

  • Fixed a DirectoryNotFoundException thrown while trying to restore layout.
  • Fixed an InvalidOperationException thrown while performing confirmation at the end of a scan.
  • Fixed a highlighting related exception when there are no matches in the source code.
  • Fixed an ArgumentNullException caused by an empty form authentication persona list when the scan is imported from cloud.

25 May 2018

FIXES

  • Fixed an issue where custom report policies could not be updated to the latest version of security check templates.
  • Fixed incorrect time and duration information of cloud scans.
  • Fixed empty request/response issue for scans exported to cloud.
  • Fixed the issue where the controlled scan would not start for selected links on the sitemap.

17 May 2018

IMPROVEMENTS

  • Improved confirmation on time-based attacks.

FIXES

  • Fixed the percent encoding issue on Detailed Scan Report.
  • Fixed the stale custom report template buttons for templates that had been removed from disk.
  • Fixed the InvalidOperationException caused by Expect-CT IP endpoint highlighting.
  • Fixed a NullReferenceException while generating sitemap tree.
  • Fixed the incorrect numbers reported on vulnerability summary table of Detailed Scan Report.
  • Fixed the selection issue on scan policy user agent settings.
  • Fixed the FormatException when HTTP rate limits are set on a scan policy.

11 May 2018

FIXES

  • Fixed an issue where old scan files fail to import.
  • Fixed Short File Names Exploiter by disabling it when other vulnerability types are selected.
  • Fixed disabled UI where Cloud is not reachable.
  • Fixed blocked UI during VDB update check.
  • Fixed copying URL Rewrite rules in the knowledge base by copying RegExp patterns together with their placeholder patterns.
  • Fixed opening the Scan Summary Dashboard when the root node is clicked in the sitemap tree.
  • Fixed hiding backstage when export file dialog is canceled.
  • Fixed an incorrect encoded space character on Detailed Scan Report.
  • Fixed overlapping icons of optimized scan policies on Start a New Scan Dialog.

11 May 2018

FEATURES

  • Netsparker Enterprise integration: ability to import and export scans between the scanners.
  • New user interface with new skin and improved usability.
  • Smart Card authentication support.
  • Attack Radar panel that shows detailed attacking progress of security checks.
  • Added the OWASP 2017 Top Ten classifications report template.
  • Added Server-Side Template Injection (SSTI) vulnerability checks.

SECURITY CHECKS

  • Expect-CT security checks.
  • Added various new web applications in the application version database.
  • Added out of date checks for Hammer.JS, Phaser, Chart.js, Ramda, reveal.js, Fabric.js, Semantic UI, Leaflet, Foundation, three.js, PDF.js, Polymer.

IMPROVEMENTS

  • Crawler can now parse multiple sitemaps in a robots.txt file.
  • Improved the representation of POST, JSON and XML parameters on sitemap.
  • Added support for opening links in all web browsers installed on the computer.
  • Improved high DPI support.
  • Improved sorting on Issues panel.
  • New Extensions scan policy settings to specify which extensions should be crawled and attacked.
  • Added activity status text for XSS and Open Redirect confirmation phases.
  • Added target link address to status bar on vulnerability descriptions.
  • Added “Import from Scan Session” option to populate form values based on an existing scan.
  • Added support for parsing swagger documents in yaml format.
  • Added Open Redirect and XSS confirmation timeout settings.
  • Added support for parsing relative meta refresh URLs.
  • Moved Knowledge base items to their own panel.
  • Improved the vulnerability summary section of Detailed Scan Report.
  • Added “Copy to Clipboard” link to unmatched URL rewrite rules table within URL Rewrite knowledge base.
  • Improved the usability of User Agent scan policy settings.
  • Favicon of the target website is shown in the sitemap tree.
  • Search capability in the Knowledge base details.
  • Improved parsing of websites using React framework.
  • Content-Security-Policy-Report-Only header is not reported as an interesting header.
  • Added support for sending text to Encoder panel from other panels in the application.
  • Added save report button to Knowledge base.
  • Added “Ignore Authentication” option to Request builder.
  • Added a hotkey to “Ignore from This Scan” menu.
  • Added “Force User Agent” setting to force the selected User Agent value on scan policy.
  • Added support for Postman v2.1 version.
  • Scan logs in Logs panel are now saved along with scan file.
  • Added an extra consistency check to ROBOT attacks.
  • Added scan policy settings to include/exclude certain cookie names from Cookie security checks.
  • Improved the “Interesting Header” list support.
  • Added anti-CSRF token support for Blind SQL Injection exploitation.
  • Removed BOM from JSON and XML report templates.
  • Improved the numbers reported on dashboard.
  • Added summary table to several reports.
  • Variations are retested before starting an incremental scan.
  • Improved JavaScript content check performance while detecting out of date checks.
  • Added multi-thread support to Controlled Scan.
  • Added anti-CSRF token support for tokens in request headers, meta tags, manual crawling and imported links.
  • Added command line auto update option.
  • Renamed the FogBugz Send To action to its new name, Manuscript.
  • Testing Send To actions now creates issues on target systems.
  • GitHub Send to action now works with organization accounts and private repositories.
  • Scan Policy and Report Policy editor dialogs remember their locations and sizes.
  • Added support for handling HTTP 307 redirects.
  • DS_STORE files are discovered and parsed.
  • Improved MySQL double encoded string attacks.

FIXES

  • Fixed scheduled scans to prevent incorrect settings from being saved.
  • Fixed the overflow issue of “Maximum 404 Signatures” scan policy setting.
  • Fixed the unsaved Disallowed HTTP Methods issue for scan profiles.
  • Fixed some possible vulnerabilities missing [Possible] indicator in title.
  • Fixed the exception that occurs when importing a scan file whose path contains invalid characters.
  • Fixed an ArgumentOutOfRangeException that occurs when the back button is clicked on the Scan Policy Optimizer.
  • Fixed the incorrect “Exclude Branch” icon.
  • Fixed the missing Host header issue on Request Builder.
  • Fixed the issue where header enabled and disabled states are not preserved in Postman v2 files.
  • Fixed the issue where the selected vulnerability is not being recognized while performing a retest.
  • Fixed the issue where all variations are removed from Issues panel if a parent vulnerability is removed.
  • Fixed the issue where the parent vulnerability is struck out in the sitemap when a variation is fixed after retest.
  • Fixed the issue where some vulnerabilities that are not fixed come up as fixed after retest.
  • Fixed highlighting problem for “Password Transmitted over HTTP” vulnerability.
  • Fixed the incorrect Possible LFI caused by the persisted OOB RCE pattern on the page response.
  • Fixed incorrect “[Possible] WS_FTP Log File Detected” vulnerability.
  • Fixed the issue where a variation node is not added to the Issues panel.
  • Fixed incorrect average speed calculation on Detailed Scan Report.
  • Fixed some issues in Incremental Scan and Controlled Scan where some vulnerabilities are reported as fixed while they still exist.
  • Fixed the issue where the same POST parameters appear twice in the request builder form.
  • Fixed Hawk validation error by not following redirects.
  • Fixed the issue where a vulnerability is not reported when the cookie contains a CSRF token.
  • Fixed the issue where static detection vulnerabilities are treated as fixed after a retest even though they are not.
  • Fixed the issue where CSRF token in the cookie is not reported when token is in the form action.
  • Fixed the issue on GitHub send to action where the test passed but vulnerability issue cannot be created.
  • Fixed the SSL check hang on HTTP only hosts.
  • Fixed LFI engine by not analyzing source code disclosure on binary responses.
  • Fixed a validation issue for some Swagger documents.
  • Fixed the issue where CSP keywords are not reported when used without single quotes.
  • Fixed mailto: and javascript: links which were incorrectly reported as mixed content.
  • Fixed the issue where cookie header in raw request not added to the sqlmap command.
  • Fixed the issue where the crawler keeps trying to crawl the target URL when Retry is clicked after a connection failure.
  • Fixed incorrect source code disclosures reported in binary responses.
  • Fixed incorrect UNC Server And Share Disclosure vulnerability reports.
  • Fixed out of date version reporting behavior when no ordinal is found in version database.
  • Fixed Lighttpd version disclosure detection signatures.
  • Fixed a Swagger parsing issue.
  • Fixed broken proxy chaining in manual crawl mode.

23 Apr 2018

FIX

  • Fixed a security vulnerability in form authentication verification.

08 Mar 2018

IMPROVEMENTS

  • Added support for importing Postman v2.1 files.
  • Added certificate extension aliases support to Client Certificate Authentication.

FIXES

  • Fixed an issue where certificates were not listed in the client certificates dropdown list.
  • Fixed Invicti Hawk validation issue.

02 Feb 2018

IMPROVEMENTS

  • Added a new report template – Detailed Vulnerabilities List in XML.
  • Optimized ROBOT attack check performance.
  • Improved React Controlled Field coverage in form authentication custom scripts.

FIXES

  • Fixed the non-rendered web page on the form authentication verification dialog caused by a malformed Content-Type header.
  • Fixed the disabled Retest menu item for vulnerabilities on Issues tree.

28 Dec 2017

FIXES

  • Fixed a per-host certificate generation issue which rendered manual crawling unusable.
  • Fixed an ArgumentNullException thrown from DOM simulation.

22 Dec 2017

NEW SECURITY CHECK

  • Added security check for “The ROBOT Attack” vulnerability.

IMPROVEMENTS

  • Improved performance of huge JavaScript file parsing.
  • Improved custom form authentication scripting support for pages using React JavaScript framework.

15 Dec 2017

NEW FEATURE

  • Added JavaScript timeout settings for Open Redirect and XSS confirmation in Scan Policy.

IMPROVEMENT

  • Improved the parsing of large JavaScript files.

FIXES

  • Fixed the empty target URL text box on start new scan window on initial load.
  • Fixed the hang issue caused by popup windows during form authentication.
  • Fixed the exception that occurs when root directory node is excluded in sitemap.
  • Fixed an exception thrown while shutting down the application.
  • Fixed a NullReferenceException that occurs while trying to parse compressed sitemap files.
  • Fixed a serialization exception that occurs while trying to load older scan files.
  • Fixed the broken tooltip message on Custom Form Authentication Script dialog.
  • Fixed the exception that occurs when importing a scan file whose path contains invalid characters.
  • Fixed duplicate activities displayed while analyzing crawled pages.