Invicti Standard

New security checks

• Added new security check for LDAP injection for IAST.
• Added new security check for MongoDB injection.
• Added new security check for Server-side Template Injection for IAST.
• Added new security check for XPath injection for IAST.
• Implemented security check for Sensitive Data Exposure.

Improvements

• Improved the text parser to check URI before parsing.
• Added the Response Receiver information event to remove waiting time for requests.
• Improved the GraphQL Introspection query.

Fixes

• Fixed an issue that caused a bad CSRF token when confirming Cross-site Scripting.
• Fixed an issue that caused an argument null exception when the browser context was closed.
• Fixed the issue that is filling out the login form on the logout page during the login verification.
• Fixed the issue of changing the order of API parameters while importing the JSON file.
• Fixed the dark template issue that displayed the What's New section in the light template.
• Fixed the vulnerability signature types for Cloudflare and Cdnjs.

Version information: 23.4.0.40376

New security checks

• Added new patterns for GrapQL attack usage.
• Added new attack pattern to CommandInjection.xml.
• Implemented Bootstrap Libraries Detection.
• Added Out-of-Date vulnerability for mod_ssl.
• Added a report template and vulnerability type for Spring Framework Identified.
• Added JavaMelody Interface Detected Signature.
• Changed WAF Identification Signature for F5 Big IP.
• Added the support for Nested objects for GraphQL attacks.

Improvements

• Updated Invicti Standard with new brand logo.
• Added external schema import to solve a WSDL file importing another WSDL file.
• Removed the interactive login button from the verifier dialog.
• Added the Retest All Subitems in the Sitemap to prevent non-retestable issues from being retested.
• Added a null check for HAR files imported.
• Improved the cookie importing process in order for cookies to be compatible with RFC.
• Updated IAST NuGet PHP package.
• Updated StaticDetection.xml & StaticResourceFinder.xml.
• Added service worker request support for authentication, login simulation, and crawling.

Fixes

• Fixed an issue that caused high memory usage while collecting form values.
• Fixed the untrusted certificate error for internal proxies.
• Fixed the issue that caused the change in the date and time format during the Postman file importing.
• Fixed the Linux agents problem that failed to work in the FIPS-enabled environment.
• Fixed the untrusted certificate error for internal proxies.
• Fixed the "Catastrophic Backtracking" in Whoops Debugging detection.

Version information: 23.3.0.39944

New security checks

• Added package.json Configuration File attack pattern.
• Added new File Upload Injection pattern.
• Added SSRF (Equinix) vulnerability.
• Added Swagger user interface Out-of-Date vulnerability.
• Added a file upload injection pattern.
• Added StackPath CDN Identified vulnerability.
• Added Insecure Usage of Version 1 GUID vulnerability.
• Added JBoss Web Console JMX Invoker check.
• Added Windows Server check.
• Added Windows CE check.
• Added Cloudflare Identified, Cloudflare Bot Management, Cloudflare Browser Insights, and cdnjs checks.
• Added Varnish Version Disclosure vulnerability check.
• Added Stack Trace Disclosure (Apache Shiro) vulnerability check.
• Added Java Servlet Ouf-of-Date vulnerability check.
• Added AEM Detected vulnerability check.
• Added CDN Detected(JsDelivr) vulnerability check.

Improvements

• Improved the scan compression algorithm to lower the size of the scan data.
• Improved WS_FTP Log vulnerability test pattern.
• Improved X-XSS-Protection Header Issue vulnerability template.
• Improved MySQL Database Error Message attack pattern.
• Improved XML External Entity Injection vulnerability test pattern.
• Improved Forced Browsing List.
• Added CWE classification for Insecure HTTP Usage.
• Added GraphQL Attack Usage to existing test patterns by default.

Fixes

• Fixed an issue that may cause out-of-memory when cloning callbacks of the browser.
• Fixed the update issue in the Proof node in the Knowledge Base panel.

Version information: 23.2.0.39705

New security checks

• Added JWT Forgery through Kid by using static files.
• Added the JSON Web Tokens detected check.

Improvements

• Improved the default browser settings to be reflected in the business logic recorder (BLR).
• Improved the JWT Finder Regex in the JWT engine.
• Extended excluded header names with new headers.
• Updated JWT Forgery check condition.
• Improved the JSON Web Tokens' vulnerability detection logic.
• Added the link scope check for the user-controllable cookie vulnerability.

Fixes

• Fixed an issue that caused unhandled exceptions when there is no service endpoint definition in the WSDL file.
• Fixed "file in use error" while archiving scan logs.
• Fixed the OAuth 2.0 authentication problem caused by the failure to get code information and certification validation in out-of-scope links.
• Fixed missing cookies for the JSON Web Tokens attack requests.
• Fixed the vulnerability family issue that caused the Hawk not to detect issues.
• Fixed the vulnerability serialization issue that caused the out-of-memory error.

New features

• Added CVSS 4.0 categorization of vulnerabilities
• Added support for PCI DSS 4.0
• Added new messaging for when scans fail due to mistyped http/https protocols

New security checks

• Added new HSQLDB vulnerabilities and report templates
• Added new Typo3 vulnerabilities and report templates

Improvements

• Improved the vulnerability calculator for Boolean MongoDB
• Improved the signature for .dockerignore file detected issues
• Improved the request body rating algorithm
• Improved the signature for Joomla detection
• Improved the signature for other docker-related signatures
• Improved the Postman collection parsing algorithm
• Resolved an issue with adding a client certificate to set up a scan
• Added logs for better traceability of BLR playbacks

Fixes

• Fixed the NRE in the agent log if any authentication is adjusted
• Fixed an issue that was causing verifiers to not use scan policy proxy settings
• Fixed an auth verifier client certificate authentication path error

New features

• Added an option under New Scan Policy > Ignored Parameters to allow customers to set 'Cookie' as a type of ignored parameter

New security checks

• Added new checks for the WordPress Login with Phone Number Plugin: CVE-2023-23492
• Added new checks for the WordPress JupiterX Core Plugin: CVE-2023-38389, CVE-2023-38388

Improvements

• Added support for custom authentication tokens without token type
• Improved LFI attack patterns for better accuracy
• Fixed some vulnerabilities in the Docker image
• Stricter sensitive data rules
• Improved bot detection bypass scenarios

Fixes

• Fixed custom header values in scan profiles so that they are masked
• Docker Cloud Stack check has been updated to reduce noise
• Fixed an issue with adding configuration files to scan profiles
• SSL/TLS classification updated from CWE-311 to CWE-319

Improvements

• Added a MaxAuthenticationTime configuration and set the default value as 480 seconds

Fixes

• Fixed a bug that was preventing the import of WSDL files to Invicti Standard
• Fixed version information reported in Web App Fingerprint Vulnerabilities

FIX

• Fixed the incorrect percentage encoding on Detailed Scan Report template.

SECURITY CHECKS

• Added "HSTS (HTTP Strict Transport Security) Not Enabled" security checks
• Added various checks being reported with "HTTP Strict Transport Security (HSTS) Errors and Warnings"
• Added version checks for OpenCart web application

IMPROVEMENTS

• Improved JavaScript/DOM simulation and DOM XSS attacks
• Added "Form Values" support for JavaScript/DOM simulation and DOM XSS attacks
• Rewritten HSTS security checks
• Added evidence information to vulnerabilities list XML report
• Improved out-of-date reports for applications/libraries that have multiple active stable branches (i.e. jQuery 1.x and 2.x)
• Added the file name information for the local file inclusion evidence
• Added support for specifying client certificate authentication certificate for manual crawling
• Added source code to vulnerability details for "Source Code Disclosure" vulnerabilities
• Added "Custom Not Found Analysis" activities to UI
• Improved "Open in Browser" for XSS vulnerabilities and produced a vulnerable link with alert function
• Improved Heuristic URL Rewrite implementation to detect more patterns and increase crawling efficiency
• Improved the performance of DOM simulation by aggressively caching external requests
• Improved the performance of DOM simulation by caching web page responses
• Improved the performance of DOM simulation by blocking requests to known ad networks
• Improved minlength and maxlength support for form inputs that sets a value with an appropriate length
• Added support for matching inputs by label and placeholder texts on form values
• Improved the vulnerability description on out-of-date cases where identified version is the latest version
• Added database version, name and user proof for SQL injection vulnerabilities
• Improved the loading performance of Start New Scan dialog
• Added support for reordering form values to denote precedence
• Optimized the attacks with multiple parameters to reduce the number of attacks
• Added "Identified Source Code" section for "Source Code Disclosure" vulnerabilities

FIXES

• Fixed an out of disk space issue which occurs while writing logs
• Fixed the "scan will be paused" warning for a scan that is already paused
• Fixed the toggle state of proxy toolbar button on cases when the operation is canceled
• Fixed an issue which fails reading cookies on form authentication verification for cases where Set-Cookie response header is empty
• Fixed an issue on sitemap tree where the results were still populating even though scan pauses after crawling
• Fixed the issued requests which gets a timeout do not display any details on "HTTP Request / Response" tab
• Fixed an issue with client certificate authentication where the client certificate may be sent to external hosts while making HTTP requests
• Fixed cases where Invicti was making requests to addresses that are generated by its own attacks
• Fixed an issue where crawling activity is not shown on the UI when the crawling activity is retried
• Fixed elapsed time stops when the current scan is exported
• Fixed an issue with JavaScript library version detection where wrong version is reported if the path to JavaScript file contains digits
• Fixed missing AJAX requests on knowledgebase while doing manual crawling
• Fixed the issue of unsigned eowp.exe shipped with installer
• Fixed an ArgumentOutOfRangeException occurs on schedule dialog when a report template with an incorrect file name exists
• Fixed the stacked severity bar chart on "Detailed Scan Report" gets split and overflows to the second page
• Fixed HSTS engine where an http:// request may cause to loose current session cookie
• Fixed an issue where extracted links by TextParser in a JavaScript file should be relative to the main document
• Fixed the issues of delegated events not simulated if added to the DOM after load time
• Fixed the issue where hidden resource requests made by Invicti are displayed on out of scope knowledgebase
• Fixed the issue with automatic SSL protocol fallback which attempts the fallback even if the current security protocol is same with the fallback value
• Fixed the issue of "Strict-Transport-Security" is being reported as "Interesting Header"
• Fixed some Korean vulnerability templates which are wrong formatted
• Fixed the broken HIPAA classification link

BUG FIXES

• Fixed a bug in custom URL rewrite detection where encoded URL paths are not matched with the provided patterns.
• Fixed a bug that occurs while displaying details of an XSS vulnerability discovered on a redirected page.

BUG FIXES

• Fixed a critical bug which crashes DOM Parser and DOM XSS processes on Windows 8.1 systems with KB3000850 update installed
• Fixed a bug in recrawler where the current concurrent connection count isn't honored
• Fixed a bug in multipart/form-data parser to read parameter names with semicolons correctly
• Fixed a bug in multipart/form-data parser to recognize the request body even if there are no parameters present
• Fixed a bug where a form with multipart/form-data encoding type is incorrectly parsed with a POST method rather than a GET
• Fixed an issue with DOM Parser to better simulate radio/check boxes with click event handlers attached
• Fixed an issue with HTTP request parser to recognize the correct HTTP method with POST requests containing an empty request body
• Fixed an issue where Content-Length header is not set to 0 with empty request bodies
• Fixed an issue where some requests discovered using DOM Parser with POST HTTP method are recognized as GET requests
• Fixed an issue with ASP.NET View State response viewer to show the View State data on cases where id attribute of input tag is missing
• Fixed an ASP.NET View State parser issue occurs while reading .NET 1.x View States

FIXES

• Fixed a bug where HTTPS endpoints might not be crawled properly upon a navigation action during DOM simulation
• Fixed a bug with Manual Crawl mode where the execution might stop after the initial crawling phase ends
• Fixed an issue where form authentication might fail to execute in some React websites
• Fixed an issue where the process may crash due to a NullReferenceException