Invicti Product Release Notes
17 Jan 2019
NEW FEATURES
- Added issue synchronization support for Jira and Manuscript issue trackers
- Added notification support for Fixed, Revived, False Positive and Accepted Risk Issues to Slack integration
- Upgraded the Invicti scanning engine to v5.2-hf2 (5.2.0.22027)
- Added a new Vulnerability Families feature, where similar types of vulnerabilities are no longer reported separately
- Added out of the box Issue tracking integration for GitLab, Bitbucket, Unfuddle, Zapier, and Azure DevOps
- Added support for Swagger 3/OpenAPI link import
- Added support for importing links in the IOdocs file format
- Added Retest support for several Cookie vulnerabilities
- Added a new Knowledge Base item for Not Found pages
- Added ISO 27001 vulnerability classifications and report template
- Added custom field support for Issue tracking integrations
- Added Azure DevOps Continuous Integration system integration
- Added PowerShell support to the GitLab Continuous Integration system integration. The GitLab page now has Integration Script Generator information for GitLab PowerShell scripts.
- Added Pipeline Script Generation support to the Jenkins Continuous Integration system integration. The Jenkins page now has Integration Script Generation information for Jenkins Pipeline scripts.
NEW SECURITY CHECKS
- Added a new pattern for CherryPy Version Disclosure
- Added an LFI attack pattern for WEB-INF/web.xml
- Added Ruby Error Disclosure detection
- Added WP Engine Configuration File detection
- Added CherryPy Stack Trace Disclosure detection
- Added Intro.js Out-of-date Version detection
- Added Axios Out-of-date Version detection
- Added Fingerprintjs2 Out-of-date Version detection
- Added XRegExp Out-of-date Version detection
- Added DataTables Out-of-date Version detection
- Added Lazy.js Out-of-date Version detection
- Added FancyBox Out-of-date Version detection
- Added Underscore.js Out-of-date Version detection
- Added Lightbox Out-of-date Version detection
- Added JBoss application server Out-of-date Version detection
- Added SweetAlert2 Out-of-date Version detection
- Added Lodash Out-of-date Version detection
- Added Bluebird Out-of-date Version detection
- Added Polymer Out-of-date Version detection
IMPROVEMENTS
- Added Content Security Policy (CSP) to the Invicti Enterprise web application
- Changed enum values to display in alphabetical order in the Value column in the Filter popup
- Added an Audit Log for Rate Limited requests
- Highlighted selected option for JavaScript section on the New Scan Policy page
- Highlighted relevant tabs for validation errors on the New Scan Policy page
- Improved the Report Policy page to make it more responsive and added a scroll bar
- Improved help text for Application and Service Discovery pages
- Added a Check/Uncheck by Severity filtering option on the Report Policy page
- Added PHP extension attack for Nginx vulnerability to the File Upload engine
- Added File Upload patterns for the Nginx Parsing vulnerability
- Added settings to the File Upload engine for configuring upload folders
- Added errorlog.axd detection support
- Improved elmah.axd detection
- The severity of the Cookie Not Marked as Secure vulnerability was lowered for non-session cookies
- Improved SSTI PHP Smarty attack detection
- Improved the Swagger link importer to handle additional properties with integer and string value types
- Improved the Expect-CT engine by only reporting a vulnerability once for each host
- Improved RSA key confirmation by handling OpenPGP format
- Increased the HSTS Not Enabled vulnerability severity from Information to Low
- Improved HTTP 407 Proxy Authentication error handling
- Added classifications to the HSTS Not Enabled vulnerability
- Excluded unpopular JavaScript Library Out of Date checks from the default policy to improve performance
- Improved CSP security checks by analyzing empty responses, as CSP can be declared on headers instead of meta tags
- Generalized the RegEx Pattern of the trace.axd detected vulnerability to match all languages
- Improved JSON format detection
- Replaced Unicode replacement characters with question marks in responses
- Added a Scan Policy option to attack cookies
- Improved element click DOM simulation for various element types
- SRI Not Implemented will no longer be reported for localhost URLs
- Improved ASP.NET error message detection
- Added descriptions to PCI categories in the PCI Compliance Report
- Improved Boolean SQL Injection detection
- Improved the Blind Command Injection attack patterns
- Improved the representation of Report Template compilation errors
- Misconfigured X-Frame-Options Header is now reported separately
- Improved Source Code Disclosure checks to prevent the reporting of JavaScript template pages
- Status Code, Status Description and Content Length information have been added to the Slowest Pages node in the Knowledge Base
- Improved WADL document parsing by ignoring DTDs
- Improved Open Redirect DOM based confirmation performance
- Long identified source code is shortened in Possible Source Code Disclosure vulnerabilities
- Cookie vulnerabilities report where the cookie is set from
- Improved Swagger Document Format detection
- The file upload engine now detects new links in the response after the file is uploaded
BUG FIXES
- Fixed the issue where Authentication did not work when retesting
- Fixed the issue where the Swagger importer generated an invalid JSON request body
- Fixed the ArgumentException thrown while performing Heartbleed security checks
- Fixed the issue where the wrong version was identified for Drupal
- Fixed a disallowed HTTP method issue where some methods were still being allowed
- Fixed a typo in the CSP Not Implemented vulnerability details
- Fixed a Form Authentication issue that occurred on some React-based websites
- Fixed signature detection for links found via the crawler
- Fixed an issue in the CSP engine where it reported an incorrect vulnerability
- Fixed a URL encoding issue in DOM simulation that was causing some vulnerabilities to be missed
- Fixed the issue where the text parser incorrectly parsed extensions in the onclick event
- Fixed duplicate parsing source field values reported for IFrame vulnerabilities
- Fixed an issue where Apache MultiViews could not be detected in the target server
- Fixed the incorrect Cookie Expire Date set during Form Authentication
- Fixed the incorrect Source Code Disclosure report caused by SSTI attacks
- Fixed a Content-Type parsing issue in Form Authentication
- Fixed the issue where cookies received via Form Authentication were not being analyzed for vulnerabilities
- Fixed the incorrect Source Code Disclosure reported when an XSS via RFI vulnerability was found
- Fixed a bug in cookie handling code during Form Authentication
- Fixed the incorrect severity reported for the Cookie not Marked as Secure vulnerability on some scans
- Fixed an ArgumentOutOfRangeException thrown on some long scans