Invicti Product Release Notes
Invicti Standard
Engines & Exploitation
- Experimental Second Order SQL Injection support added. Doesn't support confirmation or exploitation yet.
- Confirmation added to Permanent Cross-site Scripting Engine
- SQL Injection Error based confirmation added for PostgreSQL, MySQL and Oracle.
- The SQL Injection Engine was missing string-based SQL Injection vulnerabilities in LIKE clauses when the crawler couldn't find the correct search string. This issue is fixed, and detection now works regardless of the default string found.
- URI Based Cross-site Scripting Confirmation added
- URI Based issues were reported more than once; this problem is fixed
- LFI Engine and exploitation works better now. Several minor bugs addressed.
- Many possible SQL Injection issues removed as we are now sure they are not vulnerable
- XSS Confirmation now bypasses more blacklists
- Content-Type based XSS detection added and ratings changed
- Email disclosure check improved
- Minor bugs addressed in Unix and Windows Internal Path Disclosure issues. Windows Internal Path Disclosure improved.
Proxy
- Proxy settings moved to global settings
- Now you can see the active proxy settings in the status bar
- Invicti now supports NTLM, Basic, Digest, Kerberos and Negotiation Authentication for Proxy
GUI
- New Community menu added for easier access to Invicti Blog and Request a Feature
- All message boxes use the correct theme now
- Attack Possibility in the dashboard is now more accurate
- Some typos and missing tooltips addressed
Form Authentication
- Several minor bugs addressed and features improved
- Now it's possible to use Form Authentication even when the website requires NTLM, Basic, Digest, Kerberos and Negotiation Authentication as well
- Now it's possible to use Form Authentication even when server uses an invalid SSL certificate
Parsers
- Text parser works better now
Installer
- Installer simplified
- Extra checks added for .NET Framework 3.5 SP1 check and installation
Other Fixes & Improvements
- Extra runtime checking and error handling added for .NET Framework 3.5 SP1 and SQL Server CE dependencies
- Static and Backup tests weren't working when Invicti was launched from CLI in auto-pilot mode
- LFI Panel crashes fixed
- Full HTTP Response added to XML Reports
- XML reports don't show the attack parameter anymore if the vulnerability was identified passively, such as Server Version Disclosure
- Several other minor bug fixes and improvements
NEW SECURITY CHECKS
- Added RSA Private Key Detected vulnerability check
IMPROVEMENTS
- Improved Credit Card Disclosure detection
- Reporting cookie name in "Cookie values used in Anti-CSRF token" issue
- Improved "Delegated event" simulation in DOM Parser
- Improved comment order in knowledgebase by displaying comments having sensitive keywords first
- Improved the wording at "ViewState is not Encrypted" vulnerability report template
- Improved DOM Parser and DOM XSS by providing the received response headers to JavaScript context
- Improved Exclude/Include patterns to match parameter names and values in addition to the URL
- Improved resource finder to accept HTTP 401 and 500 status codes when a hidden resource is discovered
- Improved logging of regex timeout issues with additional parameter name and URL information
- Improved reporting API documentation by including more types
FIXES
- Fixed "Options Method Enabled" vulnerability reporting by adding status code checks
- Fixed a NullReferenceException issue that occurs when Invicti is started using command line
- Fixed an encoding issue for parameter names in multipart/form-data requests
- Fixed an issue related to form authentication verification in which the Continue button is missing on the verification dialog if there is no configured persona
- Fixed click simulation in custom form authentication scripting by preventing the extra click on elements
- Fixed an SSL connection issue where the target web server demands only TLS 1.1 or TLS 1.2 protocols
- Fixed custom data reporting in vulnerability templates by removing the extra space added to the values
- Fixed custom data reporting in vulnerability templates to get rid of the bullet point if there is only a single custom data item
- Fixed an issue with "Out of Scope" links reported under knowledgebase where the links discovered in DOM Parser are not reported
- Fixed a report template customization issue where modifying a report template while Invicti is running was causing it to fail during report generation
- Fixed a multipart/form-data request issue where "filename" attribute was not submitted for file upload parameters
- Fixed a dashboard issue where the progress bar is stuck on Crawl Only scans even though crawling finishes
- Fixed a custom URL rewrite bug where rules with multiple numeric parameters were not being matched
- Fixed custom URL rewrite test interface where only visible rows were being tested before
NEW SECURITY TESTS
- Form Hijacking Security Checks added
- Base Tag Hijacking Security Checks added
IMPROVEMENTS
- Added several new backup file checks to improve the coverage
- Improved the number of combinations that Common Directory checks find
- Added support for using digits in custom URL rewrite parameter names
- Added new XSS attack patterns to detect a full URL vulnerability and remote XSS attacks
- Added HTTP POST method support for Open Redirection security tests
- Improved resource finder behavior by falling back to GET requests when HEAD requests are failing
- Improved detection of XSS vulnerabilities in CSS blocks
- Improved vulnerability template for Open Redirection vulnerabilities
- Increased coverage by finding LFI vulnerabilities exposed to file:// protocol
- Set default maximum vulnerability report limit to 1000 for active engines
- Improved detection of Remote Code Execution and DoS in HTTP.sys vulnerability
FIXES
- Fixed a race condition issue which occurs while adding new links on DOM simulation
- Fixed an InvalidOperationException issue which occurs while trying to apply token parameter values
- Fixed incorrect parsing of multiple response headers with same name on DOM simulation and DOM XSS attacks
- Fixed a vulnerability template generation issue where temporary files were being kept on disk
- Fixed installer to handle .NET framework versions released after 4.5.2
- Fixed the incorrect description text for SQL Injection security test on scan policy editor dialog
- Fixed "Maximum 404 Pages to Attack" scan policy option, which was previously limiting the maximum page number to 10 no matter what was set with this option
NEW SECURITY CHECKS
- Added Remote Code Execution and DoS in HTTP.sys (CVE-2015-1635) security check
IMPROVEMENTS
- Improved Auto Complete Enabled vulnerability report by highlighting input name on response viewer
- Improved Auto Complete Enabled vulnerability report by displaying all the matching input names
- Improved PCI reporting by adding PCI 3.1 data to vulnerabilities
FIXES
- Fixed the wrong highlighting of selected row on custom URL rewrite rule editor while testing rules
Read the blog post for more details about this version
NEW FEATURE
- New option available to specify the type of parameter when configuring URL rewrite rules, e.g. numeric, date, alphanumeric
IMPROVEMENTS
- Improved the performance of the DOM Parser
- Improved the performance of the DOM cross-site scripting scanner
- Optimized DOM XSS Scanner to avoid scanning pages with same source code
- Changed the default HTTP User agent string of built-in policies to Chrome web browser User agent string
- Improved selected element simulation for select HTML elements
- Added new patterns for Open Redirect engine
BUG FIXES
- Fixed a bug in WSDL parser which prevents web service detection if XML comments are present before the definitions tag
- Fixed a bug in WSDL parser which prevents web service detection if an external schema request gets a 404 not found response
- Fixed a bug that occurs when custom URL rewrite rules do not match the URL with injected attack pattern and request is not performed
- Fixed a configure form authentication wizard problem where the web browser does not load the page if the target site uses client certificates
- Fixed a crash in the configure form authentication wizard that occurs when an object element with a data: URL scheme, contained in the HTML source code, is requested
- Fixed a bug in DOM Parser where events are not simulated for elements inside frames
- Fixed a cookie parsing bug where a malformed cookie was causing an empty HTTP response
NEW WEB SECURITY TEST
BUG FIXES
- Fixed a specific issue where generic email addresses were not being reported.
- Fixed form authentication configuration wizard problem where it couldn't handle pages with popups.
- Fixed an issue where Invicti was crashing when the application is closed during report generation.
- Fixed a crash which occurs on systems where Trebuchet MS font is missing
- Fixed 2 Heartbleed engine bugs.
Read the blog post for more details about this version
NEW WEB SECURITY TESTS
- OpenSSL Heartbleed checks added