Release Notes

Invicti Standard

RSS FEED

6.7.0.37625

COPY LINK

SECURITY CHECKS

Added pattern for XSS via file upload SVG.

IMPROVEMENTS

Added the Cache By CSS Selector and Max Cache Elements to the scan policies.
Added the GraphQL endpoints and libraries to the Knowledge Base.
Updated the Jira tooltip for the access token or password field.
Removed the target URL health check that lets the scan continue despite getting error messages such as 403.
Improved the raw scan file expired information message.
Improved the scan profile test coverage.
Updated regex for Stack Trace Disclosure (Java) - Java.Lang Exceptions.
Improved the JSON Web Tokens secret list.
Improved the re-login process when the logout is detected.

FIXES

Fixed the retest issue.
Fixed the null reference error thrown during the late confirmation.
Fixed an issue of using the disposed objects.
Fixed the exception error when cloning the report policy.
Fixed the broken links on the report policy.
Fixed mistaken NIST and DISA classifications.
Fixed a bug that threw the database locked error when Invicti is restarted after a scan.
Fixed an issue where a JavaScript Setting option blocks inputs for the single-page applications to be reported in the Web Pages with Inputs node.
Fixed a bug that caused the scan session failure when the scan is paused and resumed.
Fixed failed scans where the Target URL is IPv6 and starting with ::1
Fixed the Postman collection parsing by removing / in front of the query in the URL.
Fixed the Shark validation issue that threw exceptions while validating.
Fixed the issue with proxy settings, so Invicti prioritizes the settings in the scan policy.
Fixed NodeJS RCE-OOB security check.

6.6.1 - 19th July 2022

COPY LINK

IMPROVEMENTS

Improved the Late-Confirmation Storage Mechanism to lower disc usage.
Improved the Links/API definition to add links with a single click.
Added the Block navigation on SPAs to built-in scan policies.
Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3.

FIXES

Fixed the issue that does not terminate the Chromium instances although the max scan duration is exceeded.
Fixed the issue that automatically enables “Exclude Authentication Pages” after enabling form authentication.
Fixed the bug that throws null reference exception at the link pool.
Fixed the bug that prevents GraphQL Endpoint detection when the scan policy is copied.
Fixed the bug that resulted in running many Chromium instances when a new scan is started.
Fixed a null reference error when a new scan is started via the command line.

6.6.1.36926

COPY LINK

IMPROVEMENTS

Improved the Late-Confirmation Storage Mechanism to lower disc usage.
Improved the Links/API definition to add links with a single click.
Added the Block navigation on SPAs to built-in scan policies.
Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3.

FIXES

Fixed the issue that does not terminate the Chromium instances although the max scan duration is exceeded.
Fixed the issue that automatically enables “Exclude Authentication Pages” after enabling form authentication.
Fixed the bug that throws null reference exception at the link pool.
Fixed the bug that prevents GraphQL Endpoint detection when the scan policy is copied.
Fixed the bug that resulted in running many Chromium instances when a new scan is started.
Fixed a null reference error when a new scan is started via the command line.

6.6.0.36485

COPY LINK

NEW FEATURES

Added GraphQL Libraries detection support.
Added the Shark node to the Knowledge Base.
Added Acunetix XML to URL Import.
Added built-in DVWA policies to scan policies.

IMPROVEMENTS

Updated embedded Chromium browser.
Added a new IAST vulnerability: Overly Long Session Timeout.
Added new config vulnerabilities for the IAST Node.js sensor.
Added new config vulnerabilities for the IAST Java sensor.
Added support for detecting SQL Injections on HSQLDB.
Added support for detecting XSS through file upload.
Updated DISA STIG Classifications.
Updated Java and Node.js IAST sensors.
Improved time-based blind SQLi detection checks.
Improved the Content Security Policy Engine.
Updated XSS via File Upload vulnerability template.
Updated License Agreement on the Invicti Standard installer.
Added Extract Resource default property to DOM simulation.
Improved proxy usage in Netsparker Standard for outgoing web requests such as Hawk.
Added an option to discard certificate validation errors on the Enterprise Integration window during SSL/TLS connections.
Added vulnerabilityType filter to add VulnerabilityLookup table.
Added the agent mode to the authentication request.
Added a default behavior to scan the login page.
Added an option to disable anti-CSRF token attacks.
Added an option to block navigation on SPAs pages.
Added a default behavior to disable TLS1.3

FIXES

Fixed basic authorization over HTTP bug.
Fixed SQL Injection Vulnerability Family Reporting Bug.
Fixed a bug that the custom script throws a null reference exception when a script is added to the paused scan.
Fixed a bug that deletes an authentication password when a new scan is started with a copied profile.
Fixed a bug that causes the Sitemap to disappear during scanning with IAST.
Fixed a bug that caused missing tables and values when a report policy is exported as an SQL file.
Fixed a typo bug on GraphQL importing window.
Fixed the report naming bug that occurs users create a custom report from a base report.
Fixed an issue that causes the attack process not to be completed for a security check when there is an error occurred while attacking a parameter with an attack pattern.
Fixed a bug that updates all built-in scan policies instead of edited scan policy.
Fixed a typo on Skip Crawling & Attacking pop-up.
Fixed a bug that prevents an error icon from appearing after entering unacceptable characters for the scan policy name.
Fixed a bug that does not migrate the Spring4Shell Remote Code Execution check to a new scan policy although more than 50% of the checks are selected.
Fixed a bug that throws an error when the Large SPA is selected from the Load Preset Values drop-down on the Scan Policy window.
Fixed a bug that does not show Configuration Wizard for the Rest API TestInvicti website.
Fixed missing template section migration on report policy.
Fixed a bug that throws an error when a report is submitted upon error.
Fixed the LFI Exploiter null reference.
Fixed a bug that occurs when a detailed scan report does not report the CVSS scores for custom vulnerabilities.
Fixed a bug that occurs when the Log4J vulnerability profile is not migrated with the report policy migration.
Fixed a bug that occurs when users search the Target URL on the New Scan panel.
Fixed typo in the timeout error message.
Fixed a bug that prevents the WSDL files from being imported.
Fixed reporting "SSL/TLS not implemented" when scanning only TLS 1.3 supported sites.
Fixed a bug that throws an error for NTLM authentication when the custom username and password credentials are provided when the system proxy is entered into the appsetting.json
Fixed the bug that the passive vulnerabilities were reported from out-of-scope links.

REMOVAL

Removed Expect-CT security check.
Removed the End-of-Text characters in URL rewrite rules.

6.5

COPY LINK

IMPROVEMENTS

Updated embedded chromium browser
Improved JWT confirmation to avoid false positives.

FIXES

Fixed an issue that passive vulnerabilities were reported as out-of-scope links.
Fixed an issue that imports global servers as Swagger files.
Fixed an issue where the OK button disappears during interactive login.
Fixed an issue that adds interactive login buttons to iframes.
Fixed a null reference exception at the LFI exploit panel.

6.4.3.35616

COPY LINK

NEW SECURITY CHECKS

Added Remote Code Execution (CVE-2022-22965) a.k.a. Spring4Shell detection support.

6.4.0.35166

COPY LINK

IMPROVEMENTS

Netsparker Standard now Invicti Standard.
Added a token matching rule when it is required to get the token from a website other than the target URL.
Improved the GraphQL attacks to include non-string fields.

FIXES

Fixed a consistency issue between the Software Composition Analysis and the Knowledge Base on reported vulnerabilities.
Fixed a bug that prevents the Knowledge Base View from being shown properly when a user disables the knowledge base from a scan policy.
Fixed a null reference exception by adding a control whether the current scan policy is empty.
Fixed a bug that the agent does not continue the scan after a pause.
Fixed a bug that does not properly show all components detected by a software composition analysis after a retest.

6.3.3.34686

COPY LINK

IMPROVEMENTS

Implemented new Log4j attack patterns.
Added the parameter types to exported reports for GraphQL.

FIXES

Fixed an issue that Invicti uses a new token instead of the imported token when customers adds imported links.
Fixed an issue that results in false positive Cross-site Scripting.
Fixed an issue that prevents the scan policy migration when a newer Invicti Standard version is installed.
Fixed an issue that the page counter goes to zero in the Recent Scans window.
Fixed an issue that threw error during the pre-scan validation process in the case of websites that can only be accessed via the proxy.

6.3.2.34187

COPY LINK

IMPROVEMENTS

Added the .deploy extension to Default Policy's extension list.
Added a new command line interface parameter -called failfast- to close the Invicti Standard in the silent mode when error occurs.

FIXES

Fixed a null reference error issue when a user right-clicks the target on the Sitemap.
Fixed the URL response error of the main node when Override Target URL check is enabled.
Fixed the Imported Links date and time value in the body that is cropped.
Fixed an issue that opens the vulnerability panel instead of the HTTP Request and Response panel when the email node is selected in the Knowledge Base panel.
Fixed the issue with the Missing XSS protection Header in the Out-of-Scope link.
Fixed an issue that tries to stop the scan when the What's New tab is closed.
Fixed an issue that Invicti Standard starts a retest for a vulnerability randomly.
Fixed a payload for the GraphQL.

6.3.1.33855

COPY LINK

FIXES

Fixed a scan policy migration issue that causes selecting all the security checks.

6.3.033782

COPY LINK

NEW FEATURES

Added Software Composition Analysis (SCA) feature.
Added OWASP Top 10 2021 classification and report.
Added support for scanning GraphQL APIs.

NEW SECURITY CHECKS

Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Jira.
Added Stack Trace Disclosure Signature for Java.
Added Shopify Identified Security Check.

IMPROVEMENTS

Updated Invicti Standard .NET Framework version from 4.7.2 to 4.8.
Allowed to enter hyphens for the proxy address on the Proxy Settings.
Enabled that all child controlled scan parameters are listed in the Sitemap parent node.
Changed classification for Cross-site Referrer Leakage and Breach in OWASP Top Ten 2021.
Changed CryptographicException error log type.
Added condition that when the max crawling link is reached, the DOM simulation stops.
Updated Version Disclosure Signature for Apache Coyote.
Added callback flag to prevent multi trigger of DOM parser view callback
Improved the importing of RAML files includes other files.
Added tags property to the Kenna Send to Action.
Updated Freshservice integration not to send user agent header.
Updated Version Disclosure Signature for Jolokia.
Improved the Form Values to be entered into the relevant sections during the form authentication process in the React environment.
Improved the login verification process by detecting page load properly.

FIXES

Fixed an issue that created an incorrect issue link in Bitbucket Integration.
Fixed an issue that occurred when the proxy information from the Proxy Auto-Configuration file cannot be transmitted in requests made by the browser.
Fixed the null reference error (NRE) that occurred during importing the paused or canceled scan files.
Fixed an issue that calculated total response time incorrectly.
Fixed the bug related to Send To action of Kenna integration.
Fixed the Jolokia version disclosure report to properly highlight the related lines.
Fixed the OWASP classification links.
Fixed an issue that does not show a vulnerability when sorted by the Vulnerability Type although it shows when sorted by Severity.
Fixed the misleading tooltip in Scan Policy - Security Checks.
Fixed the misaligned text on the PDF version of Executive Summary Report.
Fixed an issue that Invicti Standard doesn't show out-of-scope warning when out-of-scope link is imported.
Fixed the inconsistent vulnerability count between reports and status bar.
Fixed the manual authentication issue when links are imported from URL.
Fixed the Sitemap multilevel group count.
Fixed Scan Policy security check count.
Fixed a naming issue that occurred when a new custom report name contains a dot.
Fixed an issue while changing the Data Directory option on Storage tab.
Fixed the issue that external references were not rendered correctly.

6.2.1.33642

COPY LINK

NEW SECURITY CHECKS

Added Out of Band Code Evaluation (Log4j - CVE-2021-44228) a.k.a. Log4Shell detection support.

6.2

COPY LINK

NEW FEATURES

Added Node.js sensor for Invicti Shark (IAST).
Added OWASP API Top 10 classification and report template.

NEW SECURITY CHECKS

Added signature matching to Web app fingerprint checker.
Added patterns for Base64 encoded DOM Cross-site Scripting.
Added phpMyAdmin Version Disclosure security check.
Added Atlassian Confluence Version disclosure and Out-of-date security checks.
Added exclusion feature to JavaScript Library detection.
Added PHP Version Detection via phpinfo() call.
Added the Shopify Identified security check.

IMPROVEMENTS

Added the Bridge URL and Shark token support for Invicti Shark (IAST).
Added setting to configure Session Cookie Names.
Updated CWE classification category orders for Out-of-date templates.
Improved Cross-site Scripting attack pattern.
Added support for exploiting local storage and session storage in the DOM XSS security checks.
Added highlighting support for custom scripts.
Added Web Application Firewall to the site profile.
Changed the default ignored parameter comparison to case insensitive.
Added 'Is Encoded' option to OAuth2 parameters.
Added JWT Token pre-request script template.
Added the CSP Not Implemented that will be reported as confirmed.
Added the Subresource integrity not implemented that will be reported as confirmed.

FIXES

Fixed the issue that Content-Type header missing was reported when there was no content in the response.
Fixed the issue FP JWT was reported in a not found response.
Fixed the issue possible and confirmed vulnerabilities reported in the same URL.
Marked weak TLS ciphers.
Fixed the issue proof that was generated even when the proof generation option was disabled in the scan policy.
Fixed FP WAF Identified.
Fixed the issue vulnerability count in root node is not updated when a vulnerability is removed and Blind XSS was prioritized over the Reflected Cross-site Scripting.
Fixed the issue source code disclosure is reported in binary responses.
Fixed the issue fingerprint checker crashes when an applications file could not be found.
Fixed the issue object-src missing was reported when default-src is provided in CSP security checks.
Fixed the issue that some cipher suites are not reported as weak.
Fixed the issue classification links were not rendered correctly when there are multiple values.
Fixed the issue proof prefix was added when there were no more characters to be found.

6.1

COPY LINK

NEW FEATURES

Added Authentication Profiles
Added the Overall Latest Version field to out-of-date vulnerabilities
Added multiple vulnerabilities reporting support to passive and singular custom scripts
Added Acunetix 360 integration

NEW SECURITY CHECKS

Implemented JSON Web Token (JWT) security check
Added the SSL Certificate is About to Expire security check
Added StackPath Web Application Firewall (WAF) detection.
Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Proxy Server.
Added Identified, Version Disclosure, and Out-of-date security checks for JavaServer Pages
Added Identified, Version Disclosure, and Out-of-date security checks for Kong Server
Added Identified, Version Disclosure, and Out-of-date security checks for Liferay Digital Experience Platform.
Added Identified, Version Disclosure, and Out-of-date security checks for Taleo Web Server
Added Version Disclosure and Out-of-date security checks for Sugar Customer Relationship Management (CRM)
Added Version Disclosure and Out-of-date security checks for Squid
Added Identified and Out-of-date security checks for Magento
Added Out-of-date security check for Daiquiri
Added Identified security check for Plesk (Windows)
Added Identified security check for Vegur
Added Identified security check for HupSpot
Added Identified security check for DataDome
Added Identified security check for Craft CMS
Added Identified security check for Windows Azure Web Apps
Added Identified security check for OpenVPN Access Server
Added Identified security check for Squarespace
Added Identified security check for Plesk (Linux)
Added Identified security check for Lighthouse
Added Identified security check for BitNinja Captcha Server
Added Identified security check for Pardot Server

IMPROVEMENTS

Added Scan Paused, Scan Resumed, Scan Canceled, and Scan Finished states to the log category.
Send to Request Builder option is now visible for Issue Group Nodes
Added page type field to vulnerability reports
Added Authentication Profile name to reports
Improved RAML Importer to import the ZIP files
Added application name and version information to a vulnerability report
Implemented Swagger path parameter default value
Fixed a Dom XSS scan stuck issue
Fixed Daiquiri Identified reporting redundant custom field issue.
Improved Common Weakness Enumeration (CWE) classifications for Out-of-Date Version vulnerabilities
Added a new Akamai Content Delivery Network (CDN) detection signature
Added a new Varnish Cache detection signature
Added missing Identified security checks for the existing technologies
Improved the summary section of the Version Disclosure template for SharePoint
Improved TRACE/TRACK Method Detected security check
Improved SVN Detected security check
Improved Version Disclosure security check and report template for Phusion Passenger
Improved Caddy Web Server Identified security check.
Improved WAF Identifier security check.
Added Blind SQL Injection security check with a new XOR payload for MySQL
Proxy credential passed to Chrome page authentication
Vulnerabilities ordered by severity in the Comparison Report

FIXES

Fixed Invicti license decrypt problem
HTTPS Requests are recorded as HTTP
Fixed the requested security protocol is not supported error
Fixed handling Protocol Buffers encoding type
Fixed miswritten product name
Fixed Phusion Passenger version disclosure template and added Out-of-Date mapping
Fixed analyzing headers even if the identification source is the crawler
Fixed an issue that may cause deadlock during adding items to Sitemap
Fixed an issue that caused out-of-scope URLs to be scanned when the override target URL option is enabled and the authentication is failed while scanning.
Fixed issue where headers in Postman collection were not replaced with variables
Fixed an issue that cause SSL validation callback returns invalid SSL certificates as out-of-scope links
Added disable-feature flag to the browser manager
Fixed a null reference exception while generating Knowledge Base report
Rare error when loading overlay window showed was ignored
Fixed out-of-scope imported links showing in Knowledge Base Rest API List
Fixed a detection issue with the Akamai CDN signature.
Fixed a detection issue with Tomcat Identified security check.
Fixed the signatures of phpMyAdmin Identified security check
Fixed big size upload error
The Exclude Authentication Page option will be checked if there is a selected authentication profile
Fixed DPI settings at Custom Script Dialog
Disabled GPU acceleration to prevent rendering errors and black bars
Fixed UI bugs at General Scan Profile Settings
Fixed issue max page visit was not received but showing in Knowledge Base because of max signature limit
Fixed Custom 404 Regex in Invicti Enterprise scan data is shown as Auto 404 at Invicti Standard
Fixed malformed VDB exception while getting the latest version of the application
Severity null control added to the Vulnerability Profile dialog
Fixed a non-recurring parameter while logging in with auto-authenticator
Fixed Scan Policy Report migration primary key error
Fixed saving Crawl & Attack option to the Scan Profile
Fixed Logout detection window shows first entered URL for every login simulation error
Fixed reporting false positive HSTS vulnerability

6.0.2.30446

COPY LINK

NEW FEATURES

Added TLS 1.3 support
Added the character limit setting for Blind SQL Injection proof generation and enabled proof generation by default
Added the Common Vulnerability Scoring System field to the known vulnerabilities
Added the Vulnerability Database version to the scan logs

IMPROVEMENTS

Improved IPv6 support to cover all SSL checks
Added an advanced setting option to turn on/off the "disable-web-security" command line option while launching chromium
Added the redirect navigation support for DOM Parser
Fixed Ghost Chromium problems and DOM simulation leaks
Added multiple ISO Classification support
Added alphabetical order to the Knowledge Base nodes
Updated Invicti Shark (IAST) licensing
Improved WAF Identification checks to prevent false positives
Added CVSS3.0 and CVSS3.1 scoring for HSTS Policy Not Enabled
Improved Open Redirection checks
Updated Capture Group for OpenResty Version Disclosure
Updated DS_Store File Found Report Template
Changed the Referrer-Policy Report Template names to be more accurate
Refined Possible Stored XSS Vulnerability template
Added missing external references to SSL Templates that are removed after the merge
Added IAST suffix to titles of vulnerability detected by Invicti Shark
Updated OpenSSL regex
Updated OpenSSL version disclosure regex
Updated SSTI patterns to use specific type to match code execution patterns

NEW SECURITY CHECKS

Added Short XSS Attack to bypass character limit checks
Added Revoked SSL Certificate check
Added SSL Certificate's Name and Hostname Mismatch security check
Added SSL Certificate is not signed by a trusted root certification authority security check
Added Daiquiri Identified security check
Added Expired SSL Certificate security check
Added ZSH History File Detected
Added DOM XSS pattern for the script SRC Injection

FIXES

Fixed an issue with simultaneous access to the same object while updating the sitemap during scanning
Fixed unexpected error when saving parse from URL in form values screen
Fixed the Chrome address bar displaying in different resolutions on the verify login form
Fixed the detected logout status when an unreachable link is given
Fixed the customization menu at the form authentication's custom script dialog
Fixed unsupported browser issue for Headless Chromium
Fixed weak ciphers not reported for additional websites issue
Fixed ignoring weak ciphers check because of the ROBOT attack
Fixed logging HTTPS requests as HTTP when LogHttpRequests option is enabled
Updated Invicti Updater icons
Fixed an issue where the Postman Importer ignores the authorization header that is defined in a request item
Updated requester not to send Accept-Language header if it is not enabled in a scan policy
Fixed an issue that occurred when exporting custom reports generated from Compliance, Detailed Scan, and Executive Summary report
Fixed a synchronization problem while creating puppeteer instances
Fixed an issue where external schema was not added when importing WSDL
Fixed the Write Lock Leak in LinkPool
Disabled mouse wheel on the Include/Exclude URLs with Regex radio group
Fixed the typo in the jQuery validation out-of-date vulnerability type
Fixed the issue Untrusted Root certificate was not reported on the self-signed certificates
Fixed the issue that the wrong version was reported in the web app fingerprinting
Fixed False Positive weak credentials vulnerability
Fixed the issue that logs were not correctly formatted in the Logs panel
Fixed the issue that SSL vulnerabilities found in additional sites might be reported in the wrong URL
Fixed the issue that authenticated link was not crawled
Fixed the issue that the proof URL was not added to XSS
Fixed word-wrapping in Tags label in the Azure DevOps Send to Action Configuration Wizard
Removed the logging for the replacing control characters in headers
Changed the log level of DOM simulation timeout from Error to Warning
Fixed the issue that another hash was appended to URLs with a fragment on DOM XSS attacks
Fixed the issue that SSL certificates were not analyzed for each website when there are additional websites
Fixed the issue that URI fragment was parsed incorrectly
Fixed OpenSSL version disclosure regex
Fixed WS_FTP Log check
Fixed F5 BIG-IP WAF detection
Fixed the typo in the jQuery Validation Out-of-date Vulnerability type
Fixed Extractor for Lodash in repository.json by adding a new function
Fixed WildFly regex for the WildFly Application Server Identified
Fixed Whoops Error Handling framework signature
Fixed the signature for Liferay Portal Identified
Fixed Version Disclosure for Artifactory by adding missing custom field tag
Fixed regex of Grafana Version Disclosure
Fixed OpenResty regex for Version Disclosure
Fixed the regex of Liferay Portal Version Disclosure pattern

11-Feb-2021

COPY LINK

IMPROVEMENTS

Added IAST suffix to titles of vulnerabilities identified by Invicti Shark

FIXES

Fixed the issue that custom fields were removed when a vulnerability was cached
Fixed a typo in the Invicti Shark dialog
Fixed the issue that Invicti Shark responses were reported as comments in the Knowledge Base
Fixed the issue that Invicti Shark engines were not enabled on old scan policies
Fixed renaming default scan profile while using the Invicti Shark configuration with test websites
Fixed setting explicit logout URL from the authentication verification dialog
Fixed an NRE that occurred while opening the Invicti Enterprise options panel in Invicti Standard

28-Jan-2021

COPY LINK

NEW FEATURES

Added NIST SP 800-53 compliance classification and report template.
Added DISA STIG compliance classification and report template.
Added the OWASP ASVS 4.0 classification and report template.
Added header and footer section to customize reports.
Added an option to customize POST attacks for the Open Redirect engine.

NEW SECURITY CHECKS

Added PHP magic_quotes_gpc Is Disabled security check.
Added PHP register_globals Is Enabled security check.
Added PHP display_errors Is Enabled security check.
Added PHP allow_url_fopen Is Enabled security check.
Added PHP allow_url_include Is Enabled security check.
Added PHP session.use_trans_sid Is Enabled security check.
Added PHP open_basedir Is Not Configured security check.
Added PHP enable_dl Is Enabled security check.
Added ASP.NET Tracing Is Enabled security check.
Added ASP.NET Cookieless Session State Is Enabled security check.
Added ASP.NET Cookieless Authentication Is Enabled security check.
Added ASP.NET Failure To Require SSL For Authentication Cookies security check.
Added ASP.NET Login Credentials Stored In Plain Text security check.
Added ASP.NET ValidateRequest Is Globally Disabled security check.
Added ASP.NET ViewStateUserKey Is Not Set security check.
Added ASP.NET CustomErrors Is Disabled security check.
Added PHP session.use_only_cookies Is Disabled security check.
Added new Blind SQL Injection attack pattern.
Added Jinjava SSTI security check.
Added Whoops Framework Detected security check.
Added CrushFTP server detected security check.
Added database error message signature pattern for Hibernate.
Added Identified, Version Disclosure, and Out-of-date security checks for W3 Total Cache.
Added Identified, Version Disclosure, and Out-of-date security checks for Next.JS React Framework.
Added Identified, Version Disclosure, and Out-of-date security checks for Twisted Web HTTP Server.
Added Identified, Version Disclosure, and Out-of-date security checks for Werkzeug Python WSGI Library.
Added Identified, Version Disclosure, and Out-of-date security checks for OpenResty.
Added Identified, Version Disclosure, and Out-of-date security checks for GlassFish.
Added Identified, Version Disclosure, and Out-of-date security checks for Resin Application Server.
Added Identified, Version Disclosure, and Out-of-date security checks for Plone CMS.
Added Identified, Version Disclosure, and Out-of-date security checks for Trac Software Project Management Tool.
Added Identified, Version Disclosure, and Out-of-date security checks for IBM RTC.
Added Identified, Version Disclosure, and Out-of-date security checks for Tornado Web Server.
Added Identified, Version Disclosure, and Out-of-date security checks for Jetty Web Server.
Added Identified, Version Disclosure, and Out-of-date security checks for Axway SecureTransport Server.
Added Identified, Version Disclosure, and Out-of-date security checks for Artifactory.
Added Identified, Version Disclosure, and Out-of-date security checks for Gunicorn Python WSGI HTTP Server.
Added Identified, Version Disclosure, and Out-of-date security checks for IBM Security Access Manager (WebSEAL).
Added Identified, Version Disclosure, and Out-of-date security checks for Nexus OSS.
Added Identified, Version Disclosure, and Out-of-date security checks for Cowboy HTTP Server.
Added Identified, Version Disclosure, and Out-of-date security checks for Python WSGIserver.
Added Identified, Version Disclosure, and Out-of-date security checks for Restlet Framework.
Added Identified, Version Disclosure, and Out-of-date security checks for Phusion Passenger.
Added Version Disclosure and Out-of-date security checks for Liferay Portal.
Added Version Disclosure and Out-of-date security checks for Tracy debugging tool.
Added detection for Varnish HTTP Cache Server.
Added detection for SonicWall VPN.
Added detection for Play Web Framework.
Added detection for Private Burp Collaborator Server.
Added detection for LiteSpeed Web Server.
Added detection for JBoss Enterprise Application Platform.
Added detection for JBoss Core Services.
Added detection for WildFly Application Server.
Added detection for Oracle HTTP Server.
Added version disclosure Daiquiri security check.

IMPROVEMENTS

Added Wordlist Entries feature to the Resource Finder security check group
Added CVSS3.0 and CVSS3.1 scoring for HSTS Policy Not Enabled.
Improved Open Redirect attack patterns.
Improved TLS 1.0 issue remediation reference.
Added WCF service support to WSDL importer.
Added a fix to reduce the possibility of an out-of-memory problem.
Added authentication support to system proxy for PAC file.
Verification dialog remembers old logout keywords.
Added scan profile information and URL to all reports.
Added bypass list for scan policy settings.
Added scan scope variables to the Pre-Request Scripts.
Added information label to the Pre-Request Script settings panel
Added a fail tolerance to Puppeteer launch.
Improved Tomcat signature patterns.
Improved authenticator not to store the plain password in the request data
Added HTTP Request Logger to authentication
Added Canada region to the Invicti Enterprise settings
Added tooltip to the Excluded Usage Trackers feature.
Removed X-Scanner header from default scan policies
Added new sensitive comment patterns.
Revised the description of the Resource Finder checks option.
Removed header and footer settings for reports that do not contain header and footer in the save report dialog.
Added Incremental Scan to Knowledge Base reports.
Updated Invicti Standard splash screen.

FIXES

Fixed Lodash Identified security check signature.
Fixed WebLogic Version Disclosure security check signature.
Fixed Whoops Error Handling Framework Identified security check signature.
Fixed Zope Web Server Version Disclosure security check signature.
Fixed Grafana Version Disclosure security check signature.
Fixed ASP.NET MVC Version Disclosure security check signature.
Fixed Telerik Version Disclosure vulnerability severity to be low.
Fixed IIS Version Disclosure vulnerability severity to be low.
Fixed the grammar issues at the CSP Not Implemented report template.
Hide the scope tooltip at the manual authentication panel.
Fixed the order of Out-of-Date vulnerabilities; now sorting vulnerabilities by their severities.
Fixed the issue "link stuck error" was repeated many times in the scan logs.
Fixed the typo in the Pre-Request Scripts Menu.
Fixed a few typos in the Impact descriptions.
Fixed validating WAF settings before trying to test WAF connection
Fixed the issue where the Exclude Authentication Pages option could not be manually disabled when the Form Authentication is enabled.
Fixed an issue where the Form Authentication verification dialog loses focus and disappears.
Fixed directory modifiers limit usage
Fixed sending previous request headers while navigating to the Form Authentication's latest response URL.
Fixed an issue where the custom script dialog failed to display login page when requests encoded with Brotli
Fixed an issue that causes Reflected Parameter analyzer attacks to the ignored parameters when the breach engine is disabled
Fixed an issue that may cause the null reference exception when reflected parameter analyzer working
Fixed an issue that caused WASC ID is not sent properly in the Kenna Send To Action
Fixed an issue where the HTTP request is not redirected to HTTPS when Strict Transport Security is enabled
Fixed an issue that caused DOM simulation to fail because of the null windows and elements
Fixed an issue that is caused by NTLM, Kerberos, Negotiate authentication credentials send with every request without challenge
Fixed an issue that causes the Pre-Request Script requests to be ignored when its method is disallowed from the Scope settings
Fixed an issue that causes raw request created without cookies
Added SSL, Attack Possibility, and JavaScript files to Knowledge Base
Fixed the order of classification report ribbon menu.
Fixed handling the invalid characters of request headers set from the Pre-Request Scripts.
Fixed the tooltip of Send To Tasks button at the ribbon
Fixed unwanted warning on the auto authenticator
Fixed date and time zone problem on Swagger file.
Fixed null reference exception on excluded URL check.
Fixed multiple instance knowledge base render problem.
Fixed reporting style issues.
Fixed relativity of the charts in the Comparison Report.
Fixed grid showing on the logout detection screen.
Fixed scan resuming problem on unavailable host.
Fixed pop-up problem on the DOM simulation for better performance.
Fixed the logo at the Knowledge Base render error page.
Fixed an issue which causes unhandled exception when the link clicked multiple times on authentication verify dialog when interactive login is enabled
Fixed internet connection problem at test site configuration dialog.
Added information label to the Azure Configuration wizard.
Fixed request and response results in out-of-band vulnerabilities.
Fixed Blind SQL Injection cache issue.
Fixed wrong expiry time for cookie which occurs at DOM simulation.
Fixed the null reference exception while checking the source type.
Fixed the Basic Authentication header problem for chromium requests.
Fixed the null reference exception while getting authorization tokens.
Fixed an issue where XSLT requests are not intercepted.
Fixed Netsparker Helper Service dll not found issue.
Fixed the client certificate selection issue while logging in to the target website.
Fixed session storage problem at DOM simulation.
Fixed upload request problem that creates false positive at LFI engine.
Fixed chromium errors at authentication
Fixed the unhandled multiple choices redirect status code at requester.
Fixed the keyword-based logout detection stuck when the pop-up opened at chromium browsers.
Fixed the Generate Exploit button label in the ribbon menu and vulnerability pop-up menu.
Fixed an issue where the form value parser was not working.
Fixed unauthorized request handling in the license view.
Fixed an issue that causes invalid parent issue selection if Check Inverse is used at Security Checks
Fixed maximum logout detection issue.
Fixed the typo in the Pre-request Scripts menu.
Fixed a few typos in the Impact descriptions.
Fixed the issue that email disclosure was reported without identified email addresses.
Fixed an issue in the scan policy optimizer where the DOM preset was set wrong.
Removed URL signature field from the phpinfo detection pattern.
Fixed Perl version disclosure pattern.
Fixed the issue that movable type cannot be detected because the app name contained whitespace.
Removed the Fiddler core dependency from Fiddler Importer that caused issues in Linux agents.
Fixed the custom script dialog title.
Fixed the signature of Python version disclosure pattern.
Fixed the issue that charset error was repeated many times in the logs.
Fixed the issue that the attack parameter name was not displayed on error based SQL injection vulnerabilities.
Fixed an ArgumentNullException that was thrown when the proxy bypass list is null.
Fixed the request parsing error in TCP Requester.
Fixed the issue that header and footer were mixed up in the reports.
Fixed info icons position in the Knowledge Base reports.
Fixed the issue XSS payload was not highlighted correctly.
Fixed the typo in the base scan CLI argument.
Fixed the issue that the confirmation dialog was not displayed when the delete rows button in the context menu is used.
Fixed the inconsistencies in the summary page of Asana configuration wizard.
Fixed tooltip enabled/disabled states in Form Authentication, Client Certificate, and Smart Card Authentication settings.
Fixed the issue that search results were not highlighted correctly.
Fixed the issue that URL was not correctly encoded in Send To Action templates.
Fixed the issue request.Headers was empty in custom script API.
Fixed the issue Mithril version could not be detected.
Fixed the issue that SSTI could not be detected consistently because the code execution patterns were not loaded correctly.
Fixed the issue that version disclosure vulnerabilities were always fixed in retest.
Fixed the issue that causes FP Open Redirection because of the improper decoding of location header
Fixed Swagger parser that caused importing object with a parent node while the object is inside an array

6-Nov-2020

COPY LINK

NEW SECURITY CHECKS

Added Oracle WebLogic Server Remote Code Execution (CVE-2020-14882)
Added Oracle WebLogic Server Authentication Bypass (CVE-2020-14883)

30-Sep-2020

COPY LINK

NEW FEATURES

Added a new signature limit for URL Rewrite matched links
Added a crawling limit for Not found (404) links
Added a WASC Classification Report template
Added an option to exclude authentication pages and removed authentication related regexes from the default settings

NEW SECURITY CHECKS

Added Out-of-date security checks for the Liferay portal
Added Version Disclosure and Out-of-date security checks for Jolokia
Added Nested XSS security checks
Added an ASP.NET Razor SSTI security check
Added a Java Pebble SSTI security check
Added a Theymeleaf SSTI security check
Added Version Disclosure and Out-of-date security checks for Grafana

IMPROVEMENTS

Improved custom scripting to send raw requests
Improved the authenticator to hide passwords in request data in order to prevent exposing them in reports
Added an Auto Follow Redirect setting to the Advanced settings
Added request and response details to Out of Band vulnerabilities
Improved logging for timed out regexes in the Javascript Library Checker
Updated signature of Stack Trace/Custom Stack Trace (Python)
Improved the memory consumption on long running scans

FIXES

Fixed an error that was caused when parsing duplicate response content-type headers
Updated Invicti logos, splash screen and icons
Fixed reporting of Crawl Performance for crawl-only scans
Fixed an issue where Form Value Errors were occurring after simulation was finished
Fixed the Maximum Body Length exceeded log message
Fixed the log level of the Dom Parser's ignored link message
Fixed the Jira Send To application description
Fixed an issue that occured when the content-type and accept header was used in a parameter in the Open API (Swagger) file
Fixed an issue where the custom Comparison Report was not generated
Fixed an ArgumentNullException that was occuring in the TestSiteConfiguration dialog
Disabled the LFI button for possible xxe
Fixed a certificate error problem on the new ssl checker
Fixed the timezone problem on reports
Fixed the Executive Summary Report title
Fixed an ArgumentException that was thrown when the URI was empty
Fixed HIPAA classification links
Fixed the issue where the Invicti session importer did not import all links from the session
Fixed the bug where the URL was split incorrectly when a segment contained the file extension
Fixed the issue responses that were not being analyzed in the Signatures engine during the re-crawl phase
Fixed the HIPAA classification link when there are multiple classifications
Removed plugin functions that are used to detect bootstrap to prevent false positive versions from being reported
Fixed NRE in the static detection engine
Fixed the Swagger parser that caused an object to be imported with a parent node while the object was inside an array

10-Jul-2020

COPY LINK

IMPROVEMENTS

Added a highlight icon to the attack parameters on the vulnerability reports
Added a report URL to the scheduled reports

FIXES

Fixed a ObjectDisposedException that was occasionally thrown when the attacker started in manual proxy mode
Fixed a NRE that occurred when exporting a report from a scheduled scan
Fixed an issue caused when the login page identifier was disabled in the Scan Policy
Fixed an issue where the Jira Send To Action failed to create an issue when the components field did not exist in the project
Fixed the issue where the content type was not parsed correctly when there were multiple Content-type headers
Fixed the issue where responses were not being analyzed in signature detection in the re-crawl phase.
Fixed the list of enabled security checks on reports
Changed the Sans Top 25 classification name to CWE on reports

NEW SECURITY CHECKS

Added an F5 Big IP LFI (CVE-2020-5902) attack pattern
Added out of date checks for Apache Traffic Server
Added version disclosure for Undertow Server
Added out of date checks for Undertow Server
Added version disclosure for Jenkins
Added out of date checks for Jenkins
Added signature detection for Kestrel
Added detection for Tableau Server
Added detection for Bomgar Remote Support Software
Added version disclosure for Apache Traffic Server

4-Jun-2020

COPY LINK

IMPROVEMENTS

Added Request API to Form Authentication's Custom Script
Added ability to add, edit and remove HTTP parameters and headers from Custom Security Check requests
Improved the Jira Send To Action to include a new Components field
Improved the SSL security check implementation
Improved the design of default Report Templates

FIXES

Fixed a memory leak in the Attacking phase
Fixed a CSS Parser issue that caused infinite loops while parsing invalid css files
Fixed an Attacker issue that caused a memory leak
Fixed a Null Reference Exception that occurred during crawling
Fixed the parsing of duplicate content-type headers

14-May-2020

COPY LINK

NEW FEATURES

Added Pivotal Tracker Send To integration
Added test website (Target URL) configuration to enable the scanning of REST websites with selected XML and JSON mime type(s)
Added ability to add, remove or edit request parameters, headers and edit the request body in pre-request scripts
Added a Fragment Parsing checkbox to the Crawling tab of the Scan Policy Editor dialog

NEW SECURITY CHECKS

Added a new vulnerability for Same Site Cookies that are set to None and not marked as secure

IMPROVEMENTS

Improved the Webhook Send To Action to enable it to send data from the query string when the POST or PUT method is selected
Improved the Jira Send To Action to include Epic Key and Epic Name fields
Updated the default value for Allow Out-of-scope XHR requests from False to True, to improve the simulation process
Improved Form Authentication to capture All Authorization Headers instead of just Bearer Authentication Tokens
Improved the scan performance with memoization of Passive Security Checks
Optimized Stored XSS checks to eliminate unnecessary DOM simulations in PermanentXssSignature
Optimized signature detection to avoid executing unnecessary Regex checks
Improved the attack payload of the Open - Integer (MySQL) pattern

FIXES

Fixed the problem where the authentication header was parsing if an empty OAuth2 token type was provided
Fixed a typo in the XSS vulnerability template
Fixed a typo in Expect-CT engine error message
The WAF Identified dialog is no longer displayed when Invicti is started from the command line in Silent Mode
Fixed an issue that meant the Target URL was not crawled when the Override Target URL with authenticated page checkbox was enabled in the Form Authentication tab of the Start a New Website or Web Service Scan dialog
Fixed the visibility of the scan search bar
Fixed the Regex Pattern of the BREACH Engine's sensitive keywords
Fixed an issue where the Possible OOB Command Injection Vulnerability was reported as confirmed
Fixed the exception that was thrown if the script file name was empty when the Execute button was clicked in the Custom Scripts panel
Fixed the problem where the XXE engine was reporting a false positive on possible XXEs
Data Type Mismatch errors are now ignored while importing OpenAPI (Swagger) documents
Fixed an issue where Authentication Verification was failing to complete in Silent Mode when the Target URL was unreachable
Fixed an issue that caused the crawler to be exited abnormally and stopping the scan when Invicti Assistant changed the Scan Settings
Fixed a NullReferenceException in the Custom Scripts panel
Fixed an issue that caused the link to get stuck in Crawling causing the scan to take too long
Fixed a NRE that occurred when a Retest was performed on an imported scan
Fixed an issue that occasionally caused scans to hang when the Target URL timed out on requests
Removed an extra semicolon from the Actions to Take section of the Insecure Transportation Security Protocol Supported vulnerability templates

9-Apr-2020

COPY LINK

IMPROVEMENTS

Added an image injection pattern to the Blind Cross-site Scripting security check
Added Script Type information to the comment section of the Custom Security Check scripts
Added the ability to show the Custom Scripts Panel without opening a scan

FIXES

Fixed an issue so that the JavaScript configuration in the Scan Policy is saved when it is updated by Invicti Assistant
Fixed an issue where the web proxy was not being used while connecting to Invicti Enterprise
Fixed an issue where the Custom Scripts were not executing inside pop-up dialogs that open during Form Authentication
Fixed an issue wherelogouts was not detected with single page applications that used Form Authentication

25-Mar-2020

COPY LINK

FIXES

Fixed a case sensitivity issue in Imported Links which caused Content-Type headers to be sent without requests
Fixed an issue where the WAF Identification notification dialog was occasionally unclickable
Fixed issue links for the Azure Send To Action to match Azure's new link scheme
Fixed an issue that caused the computer to go into Sleep mode even when the advanced PreventSleepModeDuringScan setting was enabled

12-Mar-2020

COPY LINK

NEW FEATURES

Added a new Form Validation Errors node to the Knowledge Base panel, and to scan reports, to show Form Validation errors
Added the capability to abort requests from the Pre-Request Scripts tab of the Start a New Website or Web Service URL dialog
Added CVSS 3.1 support, to help with vulnerability scores
Added a new Query Parameters checkbox to the Parameter-Based Navigation section of the Crawling tab in the Scan Policy Editor

NEW SECURITY CHECKS

Added a Login Page Identified security check
Added a Content Delivery Networks (CDN) security check
Added a Reverse Proxies security check

IMPROVEMENTS

Added two new settings to the list available in the Advanced tab of the Options dialog, including DisableRequestParametersReordering (to disable the reordering of query parameters) and DisableIriParsing (to change the IRI parsing configuration of the .NET framework)
Improved the ability to crawl URLs with fragments
Added reflected parameter names and sensitive keywords to the BREACH Attack's report template
Added a metadata section to the Custom Security Check scripting templates in the Custom Script Checks section of the Security Checks tab in the Scan Policy Editor
Added extra information to error reports
Added a check for the vulnerability GUIDs used to create vulnerabilities in Custom Security Check scripts

FIXES

Fixed the tab order in the Scan Profile settings in the Start a New Website or Web Service Scan dialog
Resized the Type column in the Logs panel
Added a scrollbar to the Get Shell panel
Fixed an issue that prevented a backspace key from working in Save Profile As dialog's name editor
Fixed the issue where vulnerabilities' Fixed states were not updated following a Controlled scan
Fixed an issue that prevented custom fields from being rendered for the YouTrack Send To Action
Added missing tooltips to the Enabled check box of the Script Settings and Manual Authentication settings panels
Added a Frame Injection XSS pattern
Fixed a typo in the Copy to Clipboard tooltip
Fixed the issue where POST parameters were not parsed correctly in the HAR importer
Fixed the location of the Override Version vulnerability severities ch
Fixed the typo in the description of the NotifiedExpiringLicenses setting
Fixed an issue in the JSON Response panel that caused the Address textbox to be editable instead of read-only
Fixed an localization issue that occurred while displaying severities in the Vulnerability Editor dialog in the Report Policy Editor
Fixed escaping Form Authentication's Custom Script username and password.
Fixed the problem where day-long scan durations were not displaying correctly in the Knowledge Base reports and screens
Fixed a couple of design problems in reports
Fixed the usage of the '/v' command line parameter
Updated the default User-Agent
Fixed the scheduling of Incremental Scans to be consistent with the regular Incremental Scan, so that the system checks for the current session and offers the option to use it as the base scan before trying to open a scan file
Fixed typos in the tooltips in URL Rewrite tab of the Start a New Website or Web Service Scan dialog
Fixed problem caused by a missing obfuscation exclusion in the License validation process
Fixed the issue where the wrong engine was selected in Controlled Scans when a vulnerability was detected by a Custom Script
Fixed the issue where localized values were not displayed for some custom fields
Fixed the issue where duplicate notifications were displayed following the import and export of scans
Fixed a Null Reference Exception that was caused when Basic, NTLM/Kerberos Authentication settings were null in old profile files
Fixed an issue where the default values were not set for the Scan Policy Optimizer options' properties while deserializing a Scan Policy
Fixed an issue that caused the same Authentication method to be added twice in the Basic, NTLM/Kerberos Authentication settings
Updated OpenAPI.NET to 1.1.4 version to support the latest Swagger files
Fixed the issue where single engines were not working in the Import Only scan mode
Fixed an issue where the Request body was encoded improperly, caused an error following the sending of requests
Fixed some typos in the WAF Identified dialog, along with some refactorings
Fixed the issue where Incremental Scan caused unnecessary DOM simulations