Home
/
Documentation
/
28-Jan-2021
Invicti Product Release Notes
Invicti Enterprise On-Demand
Invicti Enterprise On-Premises
Invicti Standard
Invicti Application Security Platform
28 Jan 2021

28-Jan-2021

NEW FEATURES

  • Added NIST SP 800-53 compliance classification and report template.
  • Added DISA STIG compliance classification and report template.
  • Added the OWASP ASVS 4.0 classification and report template.
  • Added header and footer section to customize reports.
  • Added an option to customize POST attacks for the Open Redirect engine.

NEW SECURITY CHECKS

  • Added PHP magic_quotes_gpc Is Disabled security check.
  • Added PHP register_globals Is Enabled security check.
  • Added PHP display_errors Is Enabled security check.
  • Added PHP allow_url_fopen Is Enabled security check.
  • Added PHP allow_url_include Is Enabled security check.
  • Added PHP session.use_trans_sid Is Enabled security check.
  • Added PHP open_basedir Is Not Configured security check.
  • Added PHP enable_dl Is Enabled security check.
  • Added ASP.NET Tracing Is Enabled security check.
  • Added ASP.NET Cookieless Session State Is Enabled security check.
  • Added ASP.NET Cookieless Authentication Is Enabled security check.
  • Added ASP.NET Failure To Require SSL For Authentication Cookies security check.
  • Added ASP.NET Login Credentials Stored In Plain Text security check.
  • Added ASP.NET ValidateRequest Is Globally Disabled security check.
  • Added ASP.NET ViewStateUserKey Is Not Set security check.
  • Added ASP.NET CustomErrors Is Disabled security check.
  • Added PHP session.use_only_cookies Is Disabled security check.
  • Added new Blind SQL Injection attack pattern.
  • Added Jinjava SSTI security check.
  • Added Whoops Framework Detected security check.
  • Added CrushFTP server detected security check.
  • Added database error message signature pattern for Hibernate.
  • Added Identified, Version Disclosure, and Out-of-date security checks for W3 Total Cache.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Next.JS React Framework.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Twisted Web HTTP Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Werkzeug Python WSGI Library.
  • Added Identified, Version Disclosure, and Out-of-date security checks for OpenResty.
  • Added Identified, Version Disclosure, and Out-of-date security checks for GlassFish.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Resin Application Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Plone CMS.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Trac Software Project Management Tool.
  • Added Identified, Version Disclosure, and Out-of-date security checks for IBM RTC.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Tornado Web Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Jetty Web Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Axway SecureTransport Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Artifactory.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Gunicorn Python WSGI HTTP Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for IBM Security Access Manager (WebSEAL).
  • Added Identified, Version Disclosure, and Out-of-date security checks for Nexus OSS.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Cowboy HTTP Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Python WSGIserver.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Restlet Framework.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Phusion Passenger.
  • Added Version Disclosure and Out-of-date security checks for Liferay Portal.
  • Added Version Disclosure and Out-of-date security checks for Tracy debugging tool.
  • Added detection for Varnish HTTP Cache Server.
  • Added detection for SonicWall VPN.
  • Added detection for Play Web Framework.
  • Added detection for Private Burp Collaborator Server.
  • Added detection for LiteSpeed Web Server.
  • Added detection for JBoss Enterprise Application Platform.
  • Added detection for JBoss Core Services.
  • Added detection for WildFly Application Server.
  • Added detection for Oracle HTTP Server.
  • Added version disclosure Daiquiri security check.

IMPROVEMENTS

  • Added Wordlist Entries feature to the Resource Finder security check group
  • Added CVSS3.0 and CVSS3.1 scoring for HSTS Policy Not Enabled.
  • Improved Open Redirect attack patterns.
  • Improved TLS 1.0 issue remediation reference.
  • Added WCF service support to WSDL importer.
  • Added a fix to reduce the possibility of an out-of-memory problem.
  • Added authentication support to system proxy for PAC file.
  • Verification dialog remembers old logout keywords.
  • Added scan profile information and URL to all reports.
  • Added bypass list for scan policy settings.
  • Added scan scope variables to the Pre-Request Scripts.
  • Added information label to the Pre-Request Script settings panel
  • Added a fail tolerance to Puppeteer launch.
  • Improved Tomcat signature patterns.
  • Improved authenticator not to store the plain password in the request data
  • Added HTTP Request Logger to authentication
  • Added Canada region to the Invicti Enterprise settings
  • Added tooltip to the Excluded Usage Trackers feature.
  • Removed X-Scanner header from default scan policies
  • Added new sensitive comment patterns.
  • Revised the description of the Resource Finder checks option.
  • Removed header and footer settings for reports that do not contain header and footer in the save report dialog.
  • Added Incremental Scan to Knowledge Base reports.
  • Updated Invicti Standard splash screen.

FIXES

  • Fixed Lodash Identified security check signature.
  • Fixed WebLogic Version Disclosure security check signature.
  • Fixed Whoops Error Handling Framework Identified security check signature.
  • Fixed Zope Web Server Version Disclosure security check signature.
  • Fixed Grafana Version Disclosure security check signature.
  • Fixed ASP.NET MVC Version Disclosure security check signature.
  • Fixed Telerik Version Disclosure vulnerability severity to be low.
  • Fixed IIS Version Disclosure vulnerability severity to be low.
  • Fixed the grammar issues at the CSP Not Implemented report template.
  • Hide the scope tooltip at the manual authentication panel.
  • Fixed the order of Out-of-Date vulnerabilities; now sorting vulnerabilities by their severities.
  • Fixed the issue "link stuck error" was repeated many times in the scan logs.
  • Fixed the typo in the Pre-Request Scripts Menu.
  • Fixed a few typos in the Impact descriptions.
  • Fixed validating WAF settings before trying to test WAF connection
  • Fixed the issue where the Exclude Authentication Pages option could not be manually disabled when the Form Authentication is enabled.
  • Fixed an issue where the Form Authentication verification dialog loses focus and disappears.
  • Fixed directory modifiers limit usage
  • Fixed sending previous request headers while navigating to the Form Authentication's latest response URL.
  • Fixed an issue where the custom script dialog failed to display login page when requests encoded with Brotli
  • Fixed an issue that causes Reflected Parameter analyzer attacks to the ignored parameters when the breach engine is disabled
  • Fixed an issue that may cause the null reference exception when reflected parameter analyzer working
  • Fixed an issue that caused WASC ID is not sent properly in the Kenna Send To Action
  • Fixed an issue where the HTTP request is not redirected to HTTPS when Strict Transport Security is enabled
  • Fixed an issue that caused DOM simulation to fail because of the null windows and elements
  • Fixed an issue that is caused by NTLM, Kerberos, Negotiate authentication credentials send with every request without challenge
  • Fixed an issue that causes the Pre-Request Script requests to be ignored when its method is disallowed from the Scope settings
  • Fixed an issue that causes raw request created without cookies
  • Added SSL, Attack Possibility, and JavaScript files to Knowledge Base
  • Fixed the order of classification report ribbon menu.
  • Fixed handling the invalid characters of request headers set from the Pre-Request Scripts.
  • Fixed the tooltip of Send To Tasks button at the ribbon
  • Fixed unwanted warning on the auto authenticator
  • Fixed date and time zone problem on Swagger file.
  • Fixed null reference exception on excluded URL check.
  • Fixed multiple instance knowledge base render problem.
  • Fixed reporting style issues.
  • Fixed relativity of the charts in the Comparison Report.
  • Fixed grid showing on the logout detection screen.
  • Fixed scan resuming problem on unavailable host.
  • Fixed pop-up problem on the DOM simulation for better performance.
  • Fixed the logo at the Knowledge Base render error page.
  • Fixed an issue which causes unhandled exception when the link clicked multiple times on authentication verify dialog when interactive login is enabled
  • Fixed internet connection problem at test site configuration dialog.
  • Added information label to the Azure Configuration wizard.
  • Fixed request and response results in out-of-band vulnerabilities.
  • Fixed Blind SQL Injection cache issue.
  • Fixed wrong expiry time for cookie which occurs at DOM simulation.
  • Fixed the null reference exception while checking the source type.
  • Fixed the Basic Authentication header problem for chromium requests.
  • Fixed the null reference exception while getting authorization tokens.
  • Fixed an issue where XSLT requests are not intercepted.
  • Fixed Netsparker Helper Service dll not found issue.
  • Fixed the client certificate selection issue while logging in to the target website.
  • Fixed session storage problem at DOM simulation.
  • Fixed upload request problem that creates false positive at LFI engine.
  • Fixed chromium errors at authentication
  • Fixed the unhandled multiple choices redirect status code at requester.
  • Fixed the keyword-based logout detection stuck when the pop-up opened at chromium browsers.
  • Fixed the Generate Exploit button label in the ribbon menu and vulnerability pop-up menu.
  • Fixed an issue where the form value parser was not working.
  • Fixed unauthorized request handling in the license view.
  • Fixed an issue that causes invalid parent issue selection if Check Inverse is used at Security Checks
  • Fixed maximum logout detection issue.
  • Fixed the typo in the Pre-request Scripts menu.
  • Fixed a few typos in the Impact descriptions.
  • Fixed the issue that email disclosure was reported without identified email addresses.
  • Fixed an issue in the scan policy optimizer where the DOM preset was set wrong.
  • Removed URL signature field from the phpinfo detection pattern.
  • Fixed Perl version disclosure pattern.
  • Fixed the issue that movable type cannot be detected because the app name contained whitespace.
  • Removed the Fiddler core dependency from Fiddler Importer that caused issues in Linux agents.
  • Fixed the custom script dialog title.
  • Fixed the signature of Python version disclosure pattern.
  • Fixed the issue that charset error was repeated many times in the logs.
  • Fixed the issue that the attack parameter name was not displayed on error based SQL injection vulnerabilities.
  • Fixed an ArgumentNullException that was thrown when the proxy bypass list is null.
  • Fixed the request parsing error in TCP Requester.
  • Fixed the issue that header and footer were mixed up in the reports.
  • Fixed info icons position in the Knowledge Base reports.
  • Fixed the issue XSS payload was not highlighted correctly.
  • Fixed the typo in the base scan CLI argument.
  • Fixed the issue that the confirmation dialog was not displayed when the delete rows button in the context menu is used.
  • Fixed the inconsistencies in the summary page of Asana configuration wizard.
  • Fixed tooltip enabled/disabled states in Form Authentication, Client Certificate, and Smart Card Authentication settings.
  • Fixed the issue that search results were not highlighted correctly.
  • Fixed the issue that URL was not correctly encoded in Send To Action templates.
  • Fixed the issue request.Headers was empty in custom script API.
  • Fixed the issue Mithril version could not be detected.
  • Fixed the issue that SSTI could not be detected consistently because the code execution patterns were not loaded correctly.
  • Fixed the issue that version disclosure vulnerabilities were always fixed in retest.
  • Fixed the issue that causes FP Open Redirection because of the improper decoding of location header
  • Fixed Swagger parser that caused importing object with a parent node while the object is inside an array