Invicti Enterprise On-Premises

NEW FEATURES

• Added scan policy settings for CSRF security checks.
• Added ability to use custom HTTP headers during scan.
• Added attacking optimization option for recurring parameters on different pages.
• Added a new knowledgebase item called Site Profile that lists information about target web site such as the web server operating system, database server, JavaScript libraries used etc.
• Redesigned the Basic, NTLM, Digest and Kerberos authentication settings which now supports multiple credentials for different URL paths.

NEW SECURITY CHECKS

• Added Referrer Policy security checks.
• Added markdown injection XSS patterns.
• Added HostIP and IPv6 patterns to MySQL and SSH SSRF security checks.
• Added Database Name Disclosure security checks for MS SQL and MySQL.
• Added Out of Date security checks for several JavaScript libraries.
• Added Remote Code Evaluation (Node.js) security checks.
• Added SSRF detection with server-status.
• Added user controllable cookie detection.
• Added Context-Aware XSS detection by generating XSS payloads based on the reflected context without breaking it.
• Added Default Page checks for IIS 7.0, 7.5, 8.5 and 10.0.
• Added IIS 10.0 Version Disclosure checks.
• Added WordPress Setup Configuration File checks.

IMPROVEMENTS

• Improved design of the group scan email template.
• Improved accessibility of several pages to follow WCAG guidelines.
• Optimized compression time while archiving the raw scan files.
• Added support for allowing users to launch scheduled scans manually.
• Disabled scheduled scans if the license is expired.
• Updated the links to several external references.
• Improved JavaScript and CSS resource parsing.
• Added DOM simulation options to scan policy optimizer wizard.
• Improved Mixed Content vulnerability reporting by separating them according to resource types.
• Improved boolean SQL injection detection for redirect responses.
• Improved WSDL parsing for files that contain optional extensions.
• Improved .sql file detection signature.
• Added extra confirmation for weak credentials detection.
• Added scan policy option to allow XHR requests during DOM simulation.
• Added form value for password input types to default scan policy.
• Increased the maximum response size limit for JavaScript resources.
• Improved the send to JIRA error message.
• Added maximum number of option elements per select element to simulate scan policy setting.
• Added filter ‘colon’ events scan policy option to filter events that contain colon character in its name during DOM simulation.
• Improved error based SQLi exploitation by generating prefix/suffix dynamically.
• Improved command injection vulnerability detection by prepending original parameter value to attack payload.
• Improved LFI vulnerability detection by detecting HTML and URL encoded PHP source codes.
• Improved LFI attack patterns.
• Improved DOM XSS attack patterns.
• Improved DOM/JavaScript simulation.
• Improved the performance of email address disclosure detection.
• Improved the performance of database connection string disclosure detection.
• Improved the performance of JavaScript library detection.
• Improved the performance of RoR database configuration detection.
• Improved Blind Command Injection detection on Linux systems.
• Improved resource finder to find more hidden resources.
• Improved support for simulating customized select elements.
• Improved NTLM, Digest and Kerberos authentication support.
• Improved DOM simulation stability and performance.
• Improved the default parameter name list for Parameter Based Navigation.
• Added NTLM and Digest authentication support to the generated sqlmap and cURL commands.
• Improved boolean and blind SQL injection checks for MySQL databases.
• Improved blind SQL injection checks for PostgreSQL databases.
• Improved reflected and stored XSS detection.
• HSTS checks now reports missing preload directives.
• Updated Korean translation.
• Improved JSON response parsing.
• Improved DOM based XSS payloads by prepending a URL to referer to make it practically work on web browsers.
• Improved email disclosure checks by checking host names against to public suffix list.

BUG FIXES

• Fixed a NullReferenceException which may have been thrown while editing settings of an user.
• Fixed an issue where email notifications are not sent for unconfirmed phone numbers.
• Fixed an issue which may have been thrown while deleting an account.
• Fixed an issue where error based SQLi confirmation is done based on the first seen database signature when multiple signatures appear in source code.
• Fixed the duplicate import link issue.
• Fixed an issue where XSS is missed when injected payload is not executed due to a syntax error.
• Fixed crawling of URLs on pages where base element points to some other URL.
• Fixes an issue where blacklisted Invicti attacks prevent further source code disclosures in HTML response.
• Fixed an issue where mixed content vulnerabilities are missing because DOM simulation is skipped due to missing JavaScript in HTML source.
• Fixed issues where empty POST parameter is imported and headers added as disabled for Postman files.
• Fixed an issue where signature fails to match MS SQL username in error messages.
• Fixed an issue where vulnerability is missed because of that not appending arbitrary value to extra querystring parameter name.
• Fixed the error caused by null bytes in attack patterns while sending vulnerabilities to JIRA.
• Fixed an incorrect “Password Transmitted over HTTP” issue for relative URLs on pages redirected to HTTPS addresses.
• Fixed the NullReferenceException thrown while importing certain HAR (HTTP Archive) files.
• Fixed incorrect “Interesting Header” report for Content-Security-Policy header.
• Fixed directory listing is not reported issues on some IIS versions.
• Fixed the issue where comments in CSS files are not parsed.
• Fixed the incorrect URL found in CSS comments.
• Fixed incorrect CSRF vulnerability reports by taking hidden token input into account.
• Fixed an IndexOutOfRangeException caused by CSP checks.
• Fixed the signature pattern which fails to match “Programming Error Message (PHP)” in multiple lines.
• Fixed markdown XSS attack patterns causing incorrect findings.
• Fixed incorrect “Interesting Header” reports for some headers.
• Fixed the incorrect http protocol displayed for SSL vulnerabilities.
• Fixed an issue where DOM simulation is performed for checking XSS once per XPath.
• Fixed the maximum crawled URL limit exceeded issue.
• Fixed duplicate resource finder requests.
• Fixed the WADL import issue where the operation fails for responses with no status codes.
• Fixed incorrect HttpOnly reports of XSRF-TOKEN cookies, due to its nature these cookies must be accessed from JS code.
• Fixed the incorrect missing object-src report on CSP checks.
• Fixed an issue where default crawled value is double-encoded instead of single.
• Fixed the missing content for Site Profile section of Knowledge Base report.

NEW FEATURES

• Added support for integrating Invicti Enterprise with JIRA issue tracking system.
• (BETA) Added support for scanning internal websites in Invicti Enterprise
• Added proxy support for on-premises scanner agents.

IMPROVEMENTS

• Decreased scan results’ registration time by optimazing database queries.
• Added several improvements for running Invicti Enterprise on-premises on AWS.
• Added more information (such as Total Requests and Average Speed) to the detailed scan report.
• Improved code samples used in API documentation.
• Improved help text and messages. 
• Added delete button to website edit page.
• Improved scanner agent’s startup script to ensure agent is started properly.
• Improved sign-in/logout flow to make user sessions more secure.
• Reviewed and fixed duplicate IDs in HTML elements.
• Improved design of the email templates.
• Updated AWS SDK to the latest version.
• Added Korean support to scan report API endpoint. 
• Added support for setting preferred agent name via API.
• Added status information to preferred agent section on the new scan page.

FIXES

• Fixed an issue with the archiving of raw scan files.
• Fixed the total website count which was incorrect on manage website groups page.
• Fixed the user’s date format that was not used while selecting dates on account settings page.
• Fixed the account settings page which was not displayed properly in high-DPI screens.
• Fixed a bug where issue counts were not displayed correctly on website dashboard page.
• “JavaScript – Elements To Skip” setting was is now set properly in new scan policy page.
• Expired license error is now returned properly in API endpoints.
• Fixed issues with the order of the websites in the  “Websites That Have Shortest Fix Time” widget.
• Fixed an error which was being thrown when adding a website via API in Invicti Enterprise on-premises.
• Fixed CVE links in scan report page.
• Fixed a bug in website verification API endpoint.
• Fixed a NRE which was being thrown during exporting CSV reports.
• Fixed a bug where CSV comma separator is not remembered on Export to CSV pages.
• Fixed an error which was being thrown during deleting a scan profile.
• Fixed a bug in website verification API endpoint.

New Features

• A wizard to assist first time users add a new website and setup a web security scan
• Late confirmation of vulnerabilities (vulnerabilities can be confirmed after the scan has finished with Invicti Hawk)

New Security Checks

• New security check that detects insecure targets in Content Security Policy.
• Added checks for exposure of trace.axd in ASP.NET applications.
• New security check for Time Based Server-Side Request Forgery.
• Added Markdown Injection attack pattern to XSS engine.
• Added a Code Evaluation check for Apache Struts framework.

Improvements

• Improved Boolean SQL Injection detection.
• Updated the Local File Inclusion vulnerability classifications.
• Improved Trace/Track security checks.
• Improved coverage of XSS engine in redirects.
• Added policy optimization support for SSRF security checks.
• Added exploit generation support for “Cross-site Scripting via Remote File Inclusion” vulnerability.
• Added a specialized parser to parse JavaScript responses better to reduce discovering incorrect links.
• Improved form authentication logout detection by ignoring the responses of some attacks to prevent incorrect logout detections.
• Added VDB support to Blind & Boolean SQLi post exploitation.
• Added support for checking Open Redirection vulnerability on Refresh response header.
• Added the XPath information of the element that causes the DOM XSS vulnerability.
• Added “Sub Path Max Dynamic Signatures” setting for Heuristic URL Rewrite detection.
• Added a JavaScript scan policy option to reduce triggered event count during the simulation.
• Added a JavaScript scan policy option to exclude HTML elements such as logout buttons from event simulation by CSS selectors.
• Added checks for vulnerabilities which sink into window.name capability for DOM XSS security checks.
• Improved the coverage of the Local File Inclusion engine so the vulnerability can be found in a full url attack.
• Changed severity numbers’ style on scan result pages.
• Added support for editing scan time window settings for running scans.
• Highlighted special fields of vulnerability notes on the scan report page.
• Settings of completed scans are automatically applied to new scans when a user launches a new scan from the recent scans page or scan report page.
• Improved notifications email templates.
• Improved help text by adding netsparker.com article links to relevant sections.
• Improved input validation for request rate limit settings on the scan policy page.
• Added support for remembering previously entered filters on list pages.
• Allowing users to select CSV separator while export scan reports.
• Added support to allow users to re-verify logout settings on the form authentication verification dialog.

Bug Fixes

• Fixed several issues related to DOM parsing and simulation.
• Fixed a NullReferenceException thrown by HTTP Methods checks.
• Fixed a StackOverflowException caused by JSON responses with too many nested elements.
• Fixed Proof of Concept generation during post exploitation for time based SQLi checks.
• Fixed a NullReferenceException while confirming a Boolean SQLi vulnerability.
• Fixed an issue where scan is paused when an additional host is unreachable.
• Fixed typos in CSP vulnerability templates.
• Fixed an issue where ignored emails are still reported as knowledge base issue.
• Fixed an issue where source code disclosure is reported in JS and CSS files.
• Fixed an SQL exploitation issue where executing a SQL query which expected an integer result is no longer giving failure for PostgreSQL database.
• Fixed a Text Parser issue where single quote characters were being captured as part of links.
• Fixed the incorrect path disclosure caused by the Shellshock attack.
• Fixed missing SSRF proofs under Proofs knowledge base.
• Fixed incorrect encoded parameter names for multipart/form-data forms.
• Fixed the performance recrawling for DOM XSS checks on websites with lots of links.
• Fixed the incorrect CR LF encoding issues on proof URLs.
• Fixed DOM Parser clearInterval JavaScript function simulation.
• Fixed an issue where stored XSS vulnerability is reported in an XHR response rather than in the page itself which makes XHR request.
• Fixed an issue where Boolean SQL Injection vulnerability is missed due to crawled parameter value.
• Fixed an issue where reflected XSS vulnerability is missed because the reflected payload is HTML encoded in an attribute.
• Fixed an issue where Text Parser does not handle the same referenced JavaScript in different files.
• Fixed an issue where timezone is not being set correctly when a validation error occurs on the signup page.
• Fixed a filtering issue on the Manage Team page.

New Features

• Authentication & session verification for form based authentication.
• Credentials test for Basic and NTLM/Kerberos authentication mechanisms.
• Support for the Invicti Hawk infrastructure, used for detecting SSRF and out-of-band vulnerabilities.
• Added HTTP request rate limiting options to Scan Policy.
• Added “Ignored Email Addresses” section in Scan Policy.
• Added accept and reject options for untrusted SSL certificates.
• Added an option to disable automatic detection of 404 error pages.
• Support for importation of Postman files.

New Security Checks

• New security checks for Server Side Request Forgery (SSRF) vulnerability
• New security checks for out-of-band vulnerabilities such as OOB SQL Injection, OOB XXE, Blind XSS, OOB RCE, OOB RFI etc.
• New security check for Stored DOM based XSS
• Added “Missing object-src in CSP Declaration” vulnerability detection.
• Added “Apache Multiple Choices” vulnerability detection.

Improvements

• Improved the performance of several link importers.
• Added “Bearer Token” support for form authentication.
• Added confirmation for Frame Injection vulnerabilities.
• Added http: and https: checks for CSP vulnerability detection.
• Improved link importers – redundant CONNECT requests are now excluded.
• Optimized attacker performance for links containing single parameter.
• Optimized crawling parser by skipping DOM simulation on pages with static content.
• Improved coverage of CORS security check with extra attacks.
• Removed GWT attacks from file upload security checks.
• Improved DOM simulation performance.
• Improved CSS parsing which now follows CSS import directives.
• Improved coverage of open redirect security checks by adding/updating attacks patterns.
• Improved logout detection by skipping JavaScript responses.
• Added support for “HTTP 410 Gone” and “HTTP 451 Unavailable For Legal Reasons” response status codes.
• Added CVSS information to more vulnerabilities.
• Updated vulnerability database.
• Added URL Rewrite mode to Detailed Scan Report.
• Added support for configuring websites on manage groups page.
• Improved the UI & UX of several pages.

Bug Fixes

• Fixed an issue where a “multiple cookies issue” should not be reported.
• Fixed a JSON parsing issue with text parser.
• Fixed an HTTP response issue where the response could not be read because only BOM bytes are sent on first read attempt.
• Fixed an issue where a false positive file upload vulnerability might be reported.
• Fixed several DOM simulation issues on pages that have many iframe elements.
• Fixed a NullReferenceException while performing an internal MD5 encoding operation.
• Fixed an encoding issue on a proof URL of an XSS vulnerability.
• Fixed an issue where “Shell Script Identified” vulnerability is not found when retested.
• Fixed URL parsing on pages where the URLs were containing whitespace characters like carriage return and line feeds.
• Fixed a text parsing issue where absolute URLs were converted to invalid relative URLs.
• Fixed incorrect protocol detection for protocol-relative URLs.
• Fixed an issue which occurs during importing websites with unix line endings.
• Fixed a retest issue which occurs if vulnerable URL contains a dash character.
• Fixed an issue where SSL details were not shown properly on knowledge base report.

New Feature

• Email and SMS notifications allowing you to be instantly alerted about scan progress, results and identified vulnerabilities.

Improvements

• Description in Scan Status have been improved to give a better overview.
• Added a new crawling option Find and Follow New Links. Previously it was hidden and always enabled.
• Improved the names of the exported reports by adding the report type as prefix in filename.

Bug Fixes

• Fixed an issue where the target website screenshot was not being captured.
• Fixed the CSS styles in some knowledge base items in the scan report page.
• Fixed an issue where the Upload client certificate button was not working.

Fixes

• Fixed a licensing bug in a third-party library.

New Technical Check

• Added “Cookie Header Contains Multiple Cookies” check

Improvements

• Improved the Content Security Policy (CSP) and “Misconfigured Access-Control-Allow-Origin Header” vulnerability templates.
• Improved CSP vulnerability detection by only reporting vulnerabilities on HTML resources.
• Improved the coverage of the boolean SQL injection vulnerability engine.

Fixes

• Fixed an issue which was preventing the deletion of multiple websites.
• Fixed the External CSS, Script and Frame Knowledge Base items which were not considering the port during checks.
• Fixed an issue in the Open Redirect detection where incorrect URLs may also be reported.
• Fixed an issue related to the form authentication which prevents logout detection during attacking phase.
• Fixed an Local File Inclusion (LFI) vulnerability detection issue when attacked with a FullUrl payload.
• Fixed an incorrect retest result which occurs when the target website is not reachable.
• Fixed a CSP vulnerability issue for deprecated CSP header name on meta tags.

New Features

• Added the ability to configure the scanner to scan websites which are linked from the target website.
• Added the Common Vulnerability Scoring System (CVSS) in vulnerability reports.
• Added the OWASP Proactive Guide to classification list.

New Web Security Checks

• Added security checks for Content Security Policy (CSP) web security standard.
• Added DOM based open redirection security check.

Improvements

• Improved the Cross-site Scripting (XSS) vulnerability security checks coverage.
• Renamed “Permanent XSS” vulnerability to “Stored XSS”.
• Added type ahead search functionality for Scan Policy > Security Checks.
• Added HTTP methods to AJAX / XML HTTP Requests knowledge base section.
• Optimized the performance of SOAP web service parsing by skipping the WSDLs that are already parsed.
• Added Scan Policy > Crawling options to enable/disable parsing of SOAP and REST web services.
• Improved DOM simulation by simulating “contextmenu” events.
• Increased the default values for “Maximum Page Visit” and “Max. Number of Parameters to Attack on a Single Page” settings.
• Improved XML parsing during crawling by parsing empty XML elements as parameters too.
• Added the ability to attack parameter names.
• Added a note to vulnerability detail for non-exploitable frame injection.
• Added .jhtml and .jsp attacks to file upload engine.
• Improved CORS security checks.
• Improved Open Redirect engine to detect CNAME injection such as example.com.r87.com.
• Improved XSS confirmation for vulnerabilities found inside noscript tags.
• Added an attack pattern to the command injection engine to bypass whitespace filtering using $IFS environment variable.

Bug Fixes

• Fixed a form authentication issue where the last form authentication sequence requests were prematurely cancelled.
• Fixed an issue where incorrect PHP source code disclosures are reported for some binary responses.
• Fixed the broken External Reference link on Remote Code Evaluation (PHP) vulnerability.
• Fixed a file upload input DOM parsing issue which prevents some file upload attacks.
• Fixed a form authentication issue occurs on web sites that opens popups during form authentication sequence.
• Fixed a DOM simulation issue occurs when there is a form element with name “action” on target web page.
• Fixed duplicate “Email Address Disclosure” reporting issue.
• Fixed a NullReferenceException on occurs during CORS security checks.
• Fixed a CSRF exploit generation issue where the generated file is empty.
• Fixed an issue where XSS vulnerability is missed when multiple redirects occur.
• Fixed a text parsing issue where relative URLs were not supported as base href values.
• Fixed an issue where Missing X-Frame-Options Header vulnerability is reported even though ALLOW-FROM is included in the header.
• Fixed an XSS attacking issue where duplicate attacks are made for same payload.
• Fixed a Header Injection attack issue where first line of the HTTP request gets corrupted on full URL attacks.
• Fixed an issue where post exploitation does not work sometimes.
• Fixed a form authentication issue where any slash character in credentials cannot be used.

New Features

• Completely revamped the Invicti Enterprise vulnerability tracking system.

Improvements

• Improved the users’ permissions as explained in Understanding and configuring Invicti Enterprise users permissions.
• Added several tooltips in the UI.

Bug Fixes

• Fixed wrong websites threat levels (they were just representing the last scan’s threat level).
• Fixed the security overview chart which was showing only the last scan’s threat level for each website.

NEW FEATURES

• Support and Scanning of RESTful web services.
• Auto Heuristic URL Rewrite Rules can be used with Custom URL Rewrite rules during a website security scan.
• New Reporting utility.
• Added the new option “Crawl & Attack at the Same Time” setting to new scan page.

NEW SECURITY CHECKS

• Added Samesite cookie attribute check.
• Added Reverse Tabnabbing check.
• Added Subresource Integrity (SRI) Not Implemented check.
• Added Subresource Integrity (SRI) Hash Invalid check.
  

IMPROVEMENTS

• Various memory usage improvements to better handle large websites.
• Improved vulnerability templates by adding product information when a 3rd party web application (WordPress, Drupal, Joomla, etc.) is discovered.
• Improved DOM simulation by supporting HTTP responses that is translated to HTML web pages using XSLT.
• Improved coverage of Local File Inclusion security check engine.
• Improved the automatic form authentication script to click the “button” HTML elements if no suitable button is found.
• Improved the “HTML Base Tag Hijacking” vulnerability template.
• Improved the long-term memory usage of the DOM simulation and cross-site scripting (XSS) scanning.
• DOM simulation smart filtering now prunes unnecessary DOM branches.
• Improved the detection of “Redirect Body Too Large” vulnerability.

BUG FIXES

• Fixed the “Cross-site Scripting via Remote File Inclusion” vulnerability, which was not being confirmed automatically.
• Fixed the incorrect form value issue when the #DEFAULT# form value is removed.
• Fixed an HTTP Archive Importer issue during which the POST method was parsed as GET when postData is empty.
• Fixed a bug in which a GWT parameter that contained a Base64 encoded value was not detected.
• Fixed a time span parsing bug in Knowledge base report templates.
• Fixed an issue in which some vulnerabilities are treated as fixed while retesting.
• Fixed an issue in which XSS proof URL was missing alert function call.
• Fixed the broken “Generate Debug Info” function of JavaScript simulation feature.
• Fixed a NullReferenceException that can be thrown by the Subresource integrity security checks.
• Fixed cURL login sample in API documentation.

NEW SECURITY CHECKS

• Detection of a Remote Code Execution via File Upload in ImageMagick (aka ImageTragick)

New Features

• Ability to export the scanners’ findings as ModSecurity web application firewall rules.
  
• Scan Time Window that allows you to specify when the scanner can scan your website or not.

NEW SECURITY CHECKS

• Detection of SQLite Database files.
• Detection of Microsoft Outlook Personal Folders File (.pst) files.
• Detection of DS_Store files.
• Detection of SVN files, supporting the latest version of SVN.

IMPROVEMENTS

• Improved LFI “Long attack – boot.ini” attack.
• Added Internet Explorer 10, 11 and Microsoft Edge browser user agent values.
• Improved the performance of the scan session auto saves.
• Improved link importing to better handle relative URLs.
• Improved the “MIME Types” knowledge base list by ordering items alphabetically.
• Added “Extract static resources” option to JavaScript scan policy settings.
• Improved coverage of XML External Entity engine.

FIXES

• Fixed an attacking issue that occurs when retesting a vulnerability in an incremental scan.
• Fixed a link parsing issue in the text parser where links were incorrectly split.
• Fixed a form authentication “Override Target URL with authenticated page” issue which caused a wrong URL to be identified as the “Target URL”.
• Fixed a highlighting issue where the URL for “Insecure Frame (External)” vulnerability is partially highlighted.
• Fixed an incorrect “Source Code Disclosure” vulnerability report when the response contained an ASP.NET event validation code sample.
• Fixed a broken link in XSS vulnerability templates.