Invicti Standard

New Security Checks

• Added detection methods for five more WordPress Templates
• Added detection of Fortinet vulnerabilities (CVE-2020-12812, CVE-2019-5591, CVE-2018-13379)

Improvements

• Updated CWE IDs for several vulnerabilities

Fixes

• Fixed an issue in the detection of the 'Improper XML parsing leads to Billion Laughs Attack' vulnerability
• Resolved an issue with the Business Logic Recorder

New Feature

• Enabled Korean language support

New Security Checks

• Added detection method for Angular
• Added a new security check for Oracle EBS RCE

Fixes

• Fixed a scan authentication issue and a crawling issue with Cloud Agents
• Fixed the HTTP 401 forbidden response form authentication error
• Fixed an issue with the detection method for wp-admin vulnerabilities
• Fixed an error that was occurring when generating knowledge base reports
• Updated the extraction algorithm for downloaded scan files from Invicti Enterprise
• Fixed a scan issue that was producing 413 error responses

Improvements

• Improved AWS Secret Key ID detection security checks
• Improved Google Cloud API Key detection security checks
• Updated remediation information for Angular JS related vulnerabilities
• Improved Boolean-Based MongoDB Injection detection method

Fixes

• Fixed a validation error when validating Shark settings
• Fixed an issue with duplicate custom user agents that was preventing scanning
• Fixed an issue where authentication would fail when started with an Authentication profile
• Fixed an issue that caused proxy usage for Chromium even when no proxy was selected from the scan policy settings

New features

• Provided a new encryption method of API Token for Agent/Verifier Agent
• Added a pre-request script to generate AWS Signature token

New security checks

• Added a new security check for TLS/SSL certificate key size too small issue
• Improved WP Config detection over backup files
• Added a new security check for CVE-2023-46805 / CVE-2024-21887
• Added detection for exposed WordPress configuration files
• Added a new Security Check that allows to report two vulnerabilities: TorchServe Management API Publicly Exposed and TorchServe Management API SSRF
• Command Injection in VMware Aria Operations for Networks can now be detected

Improvements

• Implemented enhancements: Highlighting and Verification of Response Status Codes
• Disabled the BREACH Security Engine
• Report template of Possible XSS is updated to cover mime sniffing
• Increased the default Severity level of Version Disclosure (Varnish) from 'Information' to 'Low'

Fixes

• Fixed the issue where the customer couldn't scan their target with the additional website properly
• Fixed an issue that was causing a memory issue in Javascript Parser
• Fixed the inability of the custom script editor to load the form authentication fields

New features

• Added the ability to force authentication verifier agents to use incognito mode by default on Chromium browsers

New security checks

• Added detection for ActiveMQ RCE to the OOB RCE Attack Pattern (CVE-2023-46604)

Fixes

• Added a Cookie Source field to the Knowledge Base Cookies screen

New features

• Added a new BLR log providing details on BLR execution

New security checks

• Implemented a detection and reporting mechanism for the Backup Migration WordPress plugin (CVE-2023-6553)
• Added detection for TinyMCE

Improvements

• Updated the "Insecure Transportation Security Protocol Supported (TLS 1.0)" vulnerability to High Severity
• Updated the WSDL serialization mechanism
• Implemented support for scanning sites with location permission pop-ups
• Added support for FreshService API V2
• Removed obsolete X-Frame-Options Header security checks

Fixes

• Fixed a bug in the Request/Response tab of Version Disclosure vulnerabilities
• Removed the target URL from the scope control list

New security checks

• Added a check for dotCMS
• Added a check for the Ultimate Member WordPress plugin
• Added a new mXSS pattern
• Added new signatures to detect JWKs

Improvements

• Improved the recommendations for the Weak Ciphers Enabled vulnerability
• Improved detection of swagger.json vulnerabilities
• Added support for AWS WAFv2 rules
• Improved more of our error and warning messages so they are more user friendly
• Added Sentry implementation into the Agent repository

Fixes

• Fixed a proxy issue that was impacting the detection of weak ciphers
• Fixed a problem with importing WDSL files

New features

• In the scan settings section, we've added a checkbox (under Authentication > Form) to collect all logs about the authentication progress
• Enhanced reporting of DOM XSS vulnerabilities

Improvements

• Updated the Shark Dotnet Sensor to .NET Core 6
• Improved site-logout detection

Fixes

• Resolved a problem with missing information in the report policy database
• Fixed an issue with the import of scan data from Invicti Enterprise to Invicti Standard
• Fixed a bug in the importing of links
• Fixed some vulnerabilities on our Invicti Docker Image by updating the packages
• Fixed reporting of some false/positive passive out-of-date vulnerabilities

New features

• Added CVSS 4.0 categorization of vulnerabilities
• Added support for PCI DSS 4.0
• Added new messaging for when scans fail due to mistyped http/https protocols

New security checks

• Added new HSQLDB vulnerabilities and report templates
• Added new Typo3 vulnerabilities and report templates

Improvements

• Improved the vulnerability calculator for Boolean MongoDB
• Improved the signature for .dockerignore file detected issues
• Improved the request body rating algorithm
• Improved the signature for Joomla detection
• Improved the signature for other docker-related signatures
• Improved the Postman collection parsing algorithm
• Resolved an issue with adding a client certificate to set up a scan
• Added logs for better traceability of BLR playbacks

Fixes

• Fixed the NRE in the agent log if any authentication is adjusted
• Fixed an issue that was causing verifiers to not use scan policy proxy settings
• Fixed an auth verifier client certificate authentication path error

New features

• Added an option under New Scan Policy > Ignored Parameters to allow customers to set 'Cookie' as a type of ignored parameter

New security checks

• Added new checks for the WordPress Login with Phone Number Plugin: CVE-2023-23492
• Added new checks for the WordPress JupiterX Core Plugin: CVE-2023-38389, CVE-2023-38388

Improvements

• Added support for custom authentication tokens without token type
• Improved LFI attack patterns for better accuracy
• Fixed some vulnerabilities in the Docker image
• Stricter sensitive data rules
• Improved bot detection bypass scenarios

Fixes

• Fixed custom header values in scan profiles so that they are masked
• Docker Cloud Stack check has been updated to reduce noise
• Fixed an issue with adding configuration files to scan profiles
• SSL/TLS classification updated from CWE-311 to CWE-319

Improvements

• Added a MaxAuthenticationTime configuration and set the default value as 480 seconds

Fixes

• Fixed a bug that was preventing the import of WSDL files to Invicti Standard
• Fixed version information reported in Web App Fingerprint Vulnerabilities

New features

• Added encoding for sensitive data
• Added the option to enable CSRF checks for authenticated scans only
• Added a sensitive data (password, session cookie, token etc.) encoder

New security checks

• Added JQuery placeholder detection methods
• Added a new security check for the Missing X-Content-Type-Options vulnerability

Improvements

• Improved the JS Delivery CDN disclosure check to increase stability
• Improved the remediation part for the Weak Ciphers Enabled vulnerability
• Reduced the certainty value to 90 for the Robot Attack Detected vulnerability
• Improved the detection method for CSP
• Improved the detection method for the Dockerignore File Detected vulnerability
• Improved the detection method for the Docker Cloud Stack File Detected vulnerability

Fixes

• Improved our XSS capabilities
• Fixed an NTLM login issue
• Fixed a bug that was overwriting proxy settings in scan policies
• Fixed a unique analyzer bug for the WSDL importer
• Fixed a custom proxy bypass list issue

New feature

• We’ve added the ability to set proxy configurations to Docker Agent as an environment variable when creating a container

Improvements

• Disabled caching from the boolean-based MongoDB security engine to avoid possible false positives
• Improved the content-type exemption for non-HTML content types in the CSP engine
• Improved the typehead.js check to increase stability
• Removed the X-XSS-Protection header check because it is deprecated by modern browsers
• Fixed a scan coverage issue
• Improved the remediation part for the JetBrains .idea detected vulnerability
• Added functionalities to prevent bot detection and fixed an issue that was causing cookie loss after authentication

Fixes

• Fixed the update agent command that was not working correctly
• Fixed the internal Linux v23.7 AV agent that wasn’t sending header configurations
• Encrypted the proxy password used in the scan policy file
• Fixed an issue with missing links when importing a .nss file from Invicti into Acunetix 360
• Fixed the external SOAP web service import problem
• Fixed a custom script issue so that now passwords written to the logs are encrypted
• Fixed an issue that might cause broken functionality for popup pages
• Fixed an issue where vulnerabilities could not be generated as CloudFlare WAF rules via API
• Fixed a bug with Multiple Declarations in the X-Frame-Options Header
• Fixed a localized time issue in the Files area
• Fixed a problem that was causing default values to be filled incorrectly, resulting in false negatives

New security checks

• Added new patterns to detect XSS

Improvements

• Improved detection and reporting of File Inclusion vulnerabilities
• Improved detection and reporting of Sensitive Data Exposure vulnerabilities
• Improved detection and reporting of Dockerfiles
• Added a custom authentication support header to scan policy

Fixes

• Fixed incorrect reporting of outdated technology versions
• Fixed a bug that was preventing reports from being saved
• Fixed the navigation check error on the dom parsing phase
• Fixed an issue that can cause too much browser user data to be left in the temp folder
• Fixed a custom script that was preventing successful basic authentication in some scenarios

Features

• Added Diana.jl support for GraphQL Library Detection
• Added Hot Chocolate support for GraphQL Library Detection
• Added Zero Day Vulnerability for MOVEit Software

Improvements

• Improved logout detection for OAuth2 authenticated websites
• Improved detection of IT Hit WebDav Server .Net versions
• Improved Internal Path Disclosure detection
• Improved Remediation Advice for Autocomplete Enabled vulnerability
• Improved detection logic for LFI vulnerability
• Improved identification and version disclosure for PopperJS, CanvasJS, and Next.js
• Improved WAF Detection for F5 BIG IP

Fixes

• Fixed issue with scans stopping with the Find & Follow New Links option enabled
• Fixed issue with agent compression of chromium and node files
• Fixed InvalidCastException with REST API
• Fixed ArgumentNullException with Custom Security Checks
• Fixed BLR cannot fill address fields
• Fixed adding some MongoDB vulnerabilities to Knowledge Base report
• Fixed scans unauthenticated after successful authentication verification
• Fixed rare stuck scan issue
• Fixed false positive due to TLS v1.3 not enabled
• Fixed ArgumentNullException during scan launch
• Fixed Authentication Verifier fails creating a new scan while another scan is running
• Fixed GraphQL import OutOfMemoryException

New security checks

• Added the check for Boolean-based MongoDB injection.
• Added the check for MongoDB Operator Injector.
• Implemented the XML external entity check for IAST.
• Added the ISO/IEC27001:2022 Classification.
• Added the report template and attack pattern to the Out-of-band RCE.
• Added passive check for Lua.
• Added a security check to detect public Docker files.
• Implemented a new engine to identify WordPress themes and Plugins.
• Added new security checks for SAML.
• Added security check for IT Hit WebDAV Server .Net Version Disclosure.
• Added security check for MS Exchange Version Disclosure.
• Added new payloads for Command Injection.
• Added support for PopperJS.
• Added support for CanvasJS.
• Added new security check for the SQLite Database Detection.
• Added new payloads for Header Injection.
• Added new security check for Spring Boot Actuator Detection.
• Added security check for NodeJS Stack Trace Disclosure.
• Added security check for SailsJS and ActionHero Identified.
• Added security check for JetBrains .idea Detected.
• Added security check for GraphQL Stack Trace Disclosure.
• Added security checks for Javascript Libraries.
• Added security checks for Web Application Fingerprinter Engine.
• Added new security checks for WordPress Hello Elementor Theme Detection.
• Added new security checks for WordPress Twenty Twenty-Three Theme Detection.
• Added new security checks for WordPress Twenty Twenty-Two Theme Detection.
• Added new security checks for WordPress Astra Theme Detection.
• Added new security checks for WordPress Twenty Twenty-One Theme Detection.
• Added new security checks for WordPress Twenty Twenty Theme Detection.
• Added new security checks for WordPress OceanWP Theme Detection.
• Added new security checks for WordPress Twenty Seventeen Theme Detection.
• Added new security checks for WordPress Kadence Theme Detection.
• Added new security checks for WordPress Twenty-Sixteen Theme Detection.
• Added new security checks for WordPress Twenty Nineteen Theme Detection.
• Added new security checks for WordPress PopularFX Theme Detection.
• Added new security checks for WordPress GeneratePress Theme Detection.
• Added new security checks for WordPress Inspiro Theme Detection.
• Added new security checks for WordPress Go Theme Detection.
• Added new security checks for WordPress Smash Balloon Social Photo Feed Plugin Detection.
• Added new security checks for WordPress Contact Form 7 Plugin Detection.
• Added new security checks for WordPress Yoast SEO Plugin Detection.
• Added new security checks for WordPress Elementor Website Builder Plugin Detection.
• Added new security checks for WordPress Classic Editor Plugin Detection.
• Added new security checks for WordPress Akismet Spam Protection Plugin Detection.
• Added new security checks for WordPress WooCommerce Plugin Detection.
• Added new security checks for WordPress Contact Form by WPForms Plugin Detection.
• Added new security checks for WordPress Really Simple SSL Plugin Detection.
• Added new security checks for WordPress Jetpack Plugin Detection.
• Added new security checks for WordPress All-in-One WP Migration Plugin Detection.
• Added new security checks for WordPress Wordfence Security Plugin Detection.
• Added new security checks for WordPress Yoast Duplicate Post Plugin Detection.
• Added new security checks for WordPress WordPress Importer Plugin Detection.
• Added new security checks for WordPress LiteSpeed Cache Plugin Detection.
• Added new security checks for WordPress UpdraftPlus WordPress Backup Plugin Plugin Detection.
• Added new security check for EZProxy Identified.

Improvements

• Updated the Signature Detection pattern.
• Improved the wordlist for Forced Browsing checks.
• Changed the Session Cookie not marked as Secure severity from High to Medium.
• Improved the task queue by optimizing code.
• Improved Drupal and Joomla detection.
• Improved the Next.js version detection.
• Improved Django debug mode enabled.
• Updated the SSL/TLS report template.

Fixes

• Fixed the navigational error by ignoring initial requests other than the document-type resources.
• Fixed an issue about HTTP Status codes on the crawler performance in the Knowledge Base Report.
• Fixed the importing GraphQL introspection issue.
• Fixed the weak Nonce detection in Content Security Policy.

New security checks

• Added new security check for LDAP injection for IAST.
• Added new security check for MongoDB injection.
• Added new security check for Server-side Template Injection for IAST.
• Added new security check for XPath injection for IAST.
• Implemented security check for Sensitive Data Exposure.

Improvements

• Improved the text parser to check URI before parsing.
• Added the Response Receiver information event to remove waiting time for requests.
• Improved the GraphQL Introspection query.

Fixes

• Fixed an issue that caused a bad CSRF token when confirming Cross-site Scripting.
• Fixed an issue that caused an argument null exception when the browser context was closed.
• Fixed the issue that is filling out the login form on the logout page during the login verification.
• Fixed the issue of changing the order of API parameters while importing the JSON file.
• Fixed the dark template issue that displayed the What's New section in the light template.
• Fixed the vulnerability signature types for Cloudflare and Cdnjs.

Version information: 23.4.0.40376

New security checks

• Added new patterns for GrapQL attack usage.
• Added new attack pattern to CommandInjection.xml.
• Implemented Bootstrap Libraries Detection.
• Added Out-of-Date vulnerability for mod_ssl.
• Added a report template and vulnerability type for Spring Framework Identified.
• Added JavaMelody Interface Detected Signature.
• Changed WAF Identification Signature for F5 Big IP.
• Added the support for Nested objects for GraphQL attacks.

Improvements

• Updated Invicti Standard with new brand logo.
• Added external schema import to solve a WSDL file importing another WSDL file.
• Removed the interactive login button from the verifier dialog.
• Added the Retest All Subitems in the Sitemap to prevent non-retestable issues from being retested.
• Added a null check for HAR files imported.
• Improved the cookie importing process in order for cookies to be compatible with RFC.
• Updated IAST NuGet PHP package.
• Updated StaticDetection.xml & StaticResourceFinder.xml.
• Added service worker request support for authentication, login simulation, and crawling.

Fixes

• Fixed an issue that caused high memory usage while collecting form values.
• Fixed the untrusted certificate error for internal proxies.
• Fixed the issue that caused the change in the date and time format during the Postman file importing.
• Fixed the Linux agents problem that failed to work in the FIPS-enabled environment.
• Fixed the untrusted certificate error for internal proxies.
• Fixed the "Catastrophic Backtracking" in Whoops Debugging detection.

Version information: 23.3.0.39944

New security checks

• Added package.json Configuration File attack pattern.
• Added new File Upload Injection pattern.
• Added SSRF (Equinix) vulnerability.
• Added Swagger user interface Out-of-Date vulnerability.
• Added a file upload injection pattern.
• Added StackPath CDN Identified vulnerability.
• Added Insecure Usage of Version 1 GUID vulnerability.
• Added JBoss Web Console JMX Invoker check.
• Added Windows Server check.
• Added Windows CE check.
• Added Cloudflare Identified, Cloudflare Bot Management, Cloudflare Browser Insights, and cdnjs checks.
• Added Varnish Version Disclosure vulnerability check.
• Added Stack Trace Disclosure (Apache Shiro) vulnerability check.
• Added Java Servlet Ouf-of-Date vulnerability check.
• Added AEM Detected vulnerability check.
• Added CDN Detected(JsDelivr) vulnerability check.

Improvements

• Improved the scan compression algorithm to lower the size of the scan data.
• Improved WS_FTP Log vulnerability test pattern.
• Improved X-XSS-Protection Header Issue vulnerability template.
• Improved MySQL Database Error Message attack pattern.
• Improved XML External Entity Injection vulnerability test pattern.
• Improved Forced Browsing List.
• Added CWE classification for Insecure HTTP Usage.
• Added GraphQL Attack Usage to existing test patterns by default.

Fixes

• Fixed an issue that may cause out-of-memory when cloning callbacks of the browser.
• Fixed the update issue in the Proof node in the Knowledge Base panel.

Version information: 23.2.0.39705

New security checks

• Added JWT Forgery through Kid by using static files.
• Added the JSON Web Tokens detected check.

Improvements

• Improved the default browser settings to be reflected in the business logic recorder (BLR).
• Improved the JWT Finder Regex in the JWT engine.
• Extended excluded header names with new headers.
• Updated JWT Forgery check condition.
• Improved the JSON Web Tokens' vulnerability detection logic.
• Added the link scope check for the user-controllable cookie vulnerability.

Fixes

• Fixed an issue that caused unhandled exceptions when there is no service endpoint definition in the WSDL file.
• Fixed "file in use error" while archiving scan logs.
• Fixed the OAuth 2.0 authentication problem caused by the failure to get code information and certification validation in out-of-scope links.
• Fixed missing cookies for the JSON Web Tokens attack requests.
• Fixed the vulnerability family issue that caused the Hawk not to detect issues.
• Fixed the vulnerability serialization issue that caused the out-of-memory error.

Improvements

• Added control for login and logout during vulnerability retest.
• Added auto responder for images to escape the onerror issue.

Fixes

• Fixed an issue that overrode TLS settings available in the scan policy when the Ignore SSL Certificate Errors is set to True in the Appsetting.json file.
• Fixed a bug that throws a null reference exception at the authentication.
• Fixed missing CSP 3 Directive.
• Fixed an issue about 3-legged OAuth which cause failed authentication at scan.
• Fixed the scheduled scans not being exported issue to Invicti Enterprise.
• Fixed an issue about header encoding that cause false positive CSP reporting.
• Fixed the bug on the Interactive Login page where the Ok and Pause buttons are not available.
• Fixed case sensitivity when checking HTTP headers for JSON Web Tokens.
• Fixed the IPv6 registered website resolution issue thrown before scanning.
• Improved the vulnerability database updating process to enable it to use a proxy.
• Fixed a bug that prevents the scanner from attacking to login and logout pages.
• Fixed the bug in which OAuth2 settings were not transferred properly from the web application to the agent.

Improvements

• Added an explanation for the failed requests error.
• Added name variable support for Passive and Singular Custom Security Checks.

Fixes

• Fixed WSDL parse issue for non-defined object types.
• Fixed the deserialization problem when importing the scan session.
• Fixed the CSP analyzer Regex enumeration problem.
• Fixed the null reference exception on HTTP Requester.

New security check

• Added the Text4Shell (CVE-2022-42889) check.

Improvements

• Updated the embedded Chromium browser.
• Improved the importing link to parse the complex example value for RAML.
• Added the support for browser flag.
• Improved the scan failure messages on the issue page.
• Added the URL decode to scanned and crawled URL list reports.

Fixes

• Fixed the issue that deleted the customization folder in the agent's folder after the update.
• Fixed the knowledge base report format to display information clearly.

NEW FEATURES

• Added auto-GraphQL attack after endpoint is detected.
• Added request wait filter for request wait handler.

NEW SECURITY CHECKS

• Added MongoDB Time-based (Blind) Injection.
• Added SQLite Boolean SQL Injection.
• Added MongoDB Error-based Injection.

IMPROVEMENTS

• Updated the embedded browser.
• Updated the hardcoded scan policy for http://rest.testinvicti.com.
• Added the out-of-scope check for the target website content links.
• Updated the Check for VDB Update status and tooltip when users start the check for update.
• Updated Vulnerability Detection Logic in JWT engine.
• Updated Liferay portal signature and added a mapping for version conversion.

FIXES

• Fixed the web security issue for the origin header problem.
• Fixed the sitemap bug that caused missing information when imported.
• Fixed the bug that threw an error when exporting as SQL script.
• Fixed the bug that threw an error, as HTTP Requester deletes the whole body part of the request which contains the login credentials.
• Fixed multiple headers highlighting for the same value.
• Fixed highlighting CSP Directives in different header issues.
• Fixed duplicate bearer tokens for some requests.
• Fixed the out-of-memory bug at the browser manager.
• Fixed the null reference exception on the custom script screen.
• Fixed the connection time-out issue caused by the RegEx engine.
• Fixed an issue that resulted in false positive Cross-site Scripting (DOM-based).
• Fixed the retest issue that displays zero requests in the repetitive retests.
• Fixed the bug that shows the previous version of VDB.
• Fixed parsable false attack patterns place.

IMPROVEMENTS

• Updated embedded Chromium browser.