Invicti Product Release Notes
28 Jan 2021
NEW FEATURES
- Added NIST SP 800-53 compliance classification and report template.
- Added DISA STIG compliance classification and report template.
- Added the OWASP ASVS 4.0 classification and report template.
- Added header and footer section to customize reports.
- Added an option to customize POST attacks for the Open Redirect engine.
NEW SECURITY CHECKS
- Added PHP magic_quotes_gpc Is Disabled security check.
- Added PHP register_globals Is Enabled security check.
- Added PHP display_errors Is Enabled security check.
- Added PHP allow_url_fopen Is Enabled security check.
- Added PHP allow_url_include Is Enabled security check.
- Added PHP session.use_trans_sid Is Enabled security check.
- Added PHP open_basedir Is Not Configured security check.
- Added PHP enable_dl Is Enabled security check.
- Added ASP.NET Tracing Is Enabled security check.
- Added ASP.NET Cookieless Session State Is Enabled security check.
- Added ASP.NET Cookieless Authentication Is Enabled security check.
- Added ASP.NET Failure To Require SSL For Authentication Cookies security check.
- Added ASP.NET Login Credentials Stored In Plain Text security check.
- Added ASP.NET ValidateRequest Is Globally Disabled security check.
- Added ASP.NET ViewStateUserKey Is Not Set security check.
- Added ASP.NET CustomErrors Is Disabled security check.
- Added PHP session.use_only_cookies Is Disabled security check.
- Added new Blind SQL Injection attack pattern.
- Added Jinjava SSTI security check.
- Added Whoops Framework Detected security check.
- Added CrushFTP server detected security check.
- Added database error message signature pattern for Hibernate.
- Added Identified, Version Disclosure, and Out-of-date security checks for W3 Total Cache.
- Added Identified, Version Disclosure, and Out-of-date security checks for Next.JS React Framework.
- Added Identified, Version Disclosure, and Out-of-date security checks for Twisted Web HTTP Server.
- Added Identified, Version Disclosure, and Out-of-date security checks for Werkzeug Python WSGI Library.
- Added Identified, Version Disclosure, and Out-of-date security checks for OpenResty.
- Added Identified, Version Disclosure, and Out-of-date security checks for GlassFish.
- Added Identified, Version Disclosure, and Out-of-date security checks for Resin Application Server.
- Added Identified, Version Disclosure, and Out-of-date security checks for Plone CMS.
- Added Identified, Version Disclosure, and Out-of-date security checks for Trac Software Project Management Tool.
- Added Identified, Version Disclosure, and Out-of-date security checks for IBM RTC.
- Added Identified, Version Disclosure, and Out-of-date security checks for Tornado Web Server.
- Added Identified, Version Disclosure, and Out-of-date security checks for Jetty Web Server.
- Added Identified, Version Disclosure, and Out-of-date security checks for Axway SecureTransport Server.
- Added Identified, Version Disclosure, and Out-of-date security checks for Artifactory.
- Added Identified, Version Disclosure, and Out-of-date security checks for Gunicorn Python WSGI HTTP Server.
- Added Identified, Version Disclosure, and Out-of-date security checks for IBM Security Access Manager (WebSEAL).
- Added Identified, Version Disclosure, and Out-of-date security checks for Nexus OSS.
- Added Identified, Version Disclosure, and Out-of-date security checks for Cowboy HTTP Server.
- Added Identified, Version Disclosure, and Out-of-date security checks for Python WSGIserver.
- Added Identified, Version Disclosure, and Out-of-date security checks for Restlet Framework.
- Added Identified, Version Disclosure, and Out-of-date security checks for Phusion Passenger.
- Added Version Disclosure and Out-of-date security checks for Liferay Portal.
- Added Version Disclosure and Out-of-date security checks for Tracy debugging tool.
- Added detection for Varnish HTTP Cache Server.
- Added detection for SonicWall VPN.
- Added detection for Play Web Framework.
- Added detection for Private Burp Collaborator Server.
- Added detection for LiteSpeed Web Server.
- Added detection for JBoss Enterprise Application Platform.
- Added detection for JBoss Core Services.
- Added detection for WildFly Application Server.
- Added detection for Oracle HTTP Server.
- Added Daiquiri Version Disclosure security check.
IMPROVEMENTS
- Added Wordlist Entries feature to the Resource Finder security check group
- Added CVSS3.0 and CVSS3.1 scoring for HSTS Policy Not Enabled.
- Improved Open Redirect attack patterns.
- Improved TLS 1.0 issue remediation reference.
- Added WCF service support to WSDL importer.
- Added a fix to reduce the possibility of an out-of-memory problem.
- Added authentication support to system proxy for PAC file.
- Verification dialog remembers old logout keywords.
- Added scan profile information and URL to all reports.
- Added bypass list for scan policy settings.
- Added scan scope variables to the Pre-Request Scripts.
- Added information label to the Pre-Request Script settings panel
- Added a fail tolerance to Puppeteer launch.
- Improved Tomcat signature patterns.
- Improved authenticator not to store the plain password in the request data
- Added HTTP Request Logger to authentication
- Added Canada region to the Invicti Enterprise settings
- Added tooltip to the Excluded Usage Trackers feature.
- Removed X-Scanner header from default scan policies
- Added new sensitive comment patterns.
- Revised the description of the Resource Finder checks option.
- Removed header and footer settings for reports that do not contain header and footer in the save report dialog.
- Added Incremental Scan to Knowledge Base reports.
- Updated Invicti Standard splash screen.
FIXES
- Fixed Lodash Identified security check signature.
- Fixed WebLogic Version Disclosure security check signature.
- Fixed Whoops Error Handling Framework Identified security check signature.
- Fixed Zope Web Server Version Disclosure security check signature.
- Fixed Grafana Version Disclosure security check signature.
- Fixed ASP.NET MVC Version Disclosure security check signature.
- Fixed Telerik Version Disclosure vulnerability severity to be low.
- Fixed IIS Version Disclosure vulnerability severity to be low.
- Fixed the grammar issues in the CSP Not Implemented report template.
- Hid the scope tooltip in the manual authentication panel.
- Fixed the order of Out-of-Date vulnerabilities; now sorting vulnerabilities by their severities.
- Fixed the issue where the "link stuck error" was repeated many times in the scan logs.
- Fixed the typo in the Pre-Request Scripts Menu.
- Fixed a few typos in the Impact descriptions.
- Fixed validation of WAF settings before trying to test the WAF connection.
- Fixed the issue where the Exclude Authentication Pages option could not be manually disabled when the Form Authentication is enabled.
- Fixed an issue where the Form Authentication verification dialog loses focus and disappears.
- Fixed directory modifiers limit usage
- Fixed sending previous request headers while navigating to the Form Authentication's latest response URL.
- Fixed an issue where the custom script dialog failed to display the login page when requests were encoded with Brotli.
- Fixed an issue that caused the Reflected Parameter analyzer to attack ignored parameters when the breach engine is disabled.
- Fixed an issue that could cause a null reference exception while the Reflected Parameter analyzer was working.
- Fixed an issue that caused the WASC ID not to be sent properly in the Kenna Send To Action.
- Fixed an issue where the HTTP request is not redirected to HTTPS when Strict Transport Security is enabled
- Fixed an issue that caused DOM simulation to fail because of null windows and elements.
- Fixed an issue where NTLM, Kerberos, and Negotiate authentication credentials were sent with every request without a challenge.
- Fixed an issue that caused Pre-Request Script requests to be ignored when their method is disallowed in the Scope settings.
- Fixed an issue that caused raw requests to be created without cookies.
- Added SSL, Attack Possibility, and JavaScript files to Knowledge Base
- Fixed the order of classification report ribbon menu.
- Fixed handling the invalid characters of request headers set from the Pre-Request Scripts.
- Fixed the tooltip of Send To Tasks button at the ribbon
- Fixed unwanted warning on the auto authenticator
- Fixed date and time zone problem on Swagger file.
- Fixed null reference exception on excluded URL check.
- Fixed multiple instance knowledge base render problem.
- Fixed reporting style issues.
- Fixed relativity of the charts in the Comparison Report.
- Fixed grid showing on the logout detection screen.
- Fixed scan resuming problem on unavailable host.
- Fixed pop-up problem on the DOM simulation for better performance.
- Fixed the logo at the Knowledge Base render error page.
- Fixed an issue that caused an unhandled exception when the link was clicked multiple times in the authentication verify dialog while interactive login is enabled.
- Fixed internet connection problem at test site configuration dialog.
- Added information label to the Azure Configuration wizard.
- Fixed request and response results in out-of-band vulnerabilities.
- Fixed Blind SQL Injection cache issue.
- Fixed wrong expiry time for cookie which occurs at DOM simulation.
- Fixed the null reference exception while checking the source type.
- Fixed the Basic Authentication header problem for chromium requests.
- Fixed the null reference exception while getting authorization tokens.
- Fixed an issue where XSLT requests are not intercepted.
- Fixed Netsparker Helper Service dll not found issue.
- Fixed the client certificate selection issue while logging in to the target website.
- Fixed session storage problem at DOM simulation.
- Fixed an upload request problem that created false positives in the LFI engine.
- Fixed chromium errors at authentication
- Fixed the unhandled multiple choices redirect status code at requester.
- Fixed keyword-based logout detection getting stuck when a pop-up opened in Chromium browsers.
- Fixed the Generate Exploit button label in the ribbon menu and vulnerability pop-up menu.
- Fixed an issue where the form value parser was not working.
- Fixed unauthorized request handling in the license view.
- Fixed an issue that causes invalid parent issue selection if Check Inverse is used at Security Checks
- Fixed maximum logout detection issue.
- Fixed the issue that email disclosure was reported without identified email addresses.
- Fixed an issue in the scan policy optimizer where the DOM preset was set wrong.
- Removed URL signature field from the phpinfo detection pattern.
- Fixed Perl version disclosure pattern.
- Fixed the issue that Movable Type could not be detected because the app name contained whitespace.
- Removed the Fiddler core dependency from Fiddler Importer that caused issues in Linux agents.
- Fixed the custom script dialog title.
- Fixed the signature of Python version disclosure pattern.
- Fixed the issue that charset error was repeated many times in the logs.
- Fixed the issue that the attack parameter name was not displayed on error based SQL injection vulnerabilities.
- Fixed an ArgumentNullException that was thrown when the proxy bypass list is null.
- Fixed the request parsing error in TCP Requester.
- Fixed the issue that header and footer were mixed up in the reports.
- Fixed info icons position in the Knowledge Base reports.
- Fixed the issue where the XSS payload was not highlighted correctly.
- Fixed the typo in the base scan CLI argument.
- Fixed the issue that the confirmation dialog was not displayed when the delete rows button in the context menu is used.
- Fixed the inconsistencies in the summary page of Asana configuration wizard.
- Fixed tooltip enabled/disabled states in Form Authentication, Client Certificate, and Smart Card Authentication settings.
- Fixed the issue that search results were not highlighted correctly.
- Fixed the issue that URL was not correctly encoded in Send To Action templates.
- Fixed the issue where request.Headers was empty in the custom script API.
- Fixed the issue where the Mithril version could not be detected.
- Fixed the issue that SSTI could not be detected consistently because the code execution patterns were not loaded correctly.
- Fixed the issue that version disclosure vulnerabilities were always fixed in retest.
- Fixed the issue that caused false positive Open Redirection reports because of improper decoding of the Location header.
- Fixed an issue in the Swagger parser that caused an object to be imported with a parent node when the object is inside an array.