Invicti Standard

IMPROVEMENTS

• Improved the automatic form authentication script to click “button” HTML elements if no suitable button is found.

FIXES

• Fixed the clipped dialog buttons on “Report Policy Editor”.
• Fixed the incompatibility issues of “Report Policy Editor” on some Windows 8/8.1 systems with Internet Explorer 10.
• Fixed a Report Policy issue where a vulnerability hidden from a scan was still not being displayed when a report is generated using the Default Report Policy.
• Fixed scope related bugs in SRI checks.

NEW FEATURES

• Scanning of RESTful web services.
• Report Policies to customize the scan results and reports
• “Heuristic Rule Detection” support while using custom URL rewrite rules.
• Added an option to disable logout detection for form authentication.
• Added ASP.NET Web Application project import support.

NEW SECURITY CHECKS

• Added Samesite cookie attribute check.
• Added Reverse Tabnabbing check.
• Added Subresource Integrity (SRI) Not Implemented check.
• Added Subresource Integrity (SRI) Hash Invalid check.

IMPROVEMENTS

• Various memory usage improvements to handle large web sites.
• Improved vulnerability templates by adding product information when a 3rd party web application (WordPress, Drupal, Joomla, etc.) is discovered.
• Improved DOM simulation by supporting HTTP responses that is translated to HTML web pages using XSLT.
• Improved coverage of LFI engine.
• Added name completion for profile save as dialog.
• Updated missing localized text for Korean translation.

FIXES

• Fixed the issue of form authentication remembers the cookies from the previous scan while using the same Invicti instance for a new scan.
• Fixed the incorrect progress bar while performing a controlled scan.
• Fixed the issue of DOM Based XSS security checks enabled status were not being logged.
• Fixed the “Cross-site Scripting via Remote File Inclusion” vulnerability was not being confirmed issue.
• Fixed JIRA Send To action issue where the port number of the JIRA service were being ignored.
• Fixed the synchronization issue on JavaScript Scan Policy section where UI elements are left enabled even though “Analyze JavaScript / AJAX” option is not checked.
• Fixed the NullReferenceException thrown when scan is paused and resumed during performing form authentication.
• Fixed the incorrect form value issue when the #DEFAULT# form value is removed.
• Fixed the broken layout of input controls on basic authentication dialog shown during form authentication.
• Fixed the error reporting issue occurs when log file collection and/or compression fails.
• Fixed the HTTP Archive Importer issue where POST method was parsed as GET when postData is empty.
• Fixed the ObjectDisposedException thrown on form authentication verification dialog.
• Fixed a bug where GWT parameter cannot be detected which contains a Base64 encoded value.
• Fixed a time span parsing bug in Knowledge base report templates.
• Fixed an issue where some vulnerabilities are treated as fixed while retesting.
• Fixed an issue where XSS proof URL was missing alert function call.
• Fixed a typo on “Base Tag Hijacking” vulnerability template.
• Fixed the broken “Generate Debug Info” function of JavaScript simulation feature.

IMPROVEMENTS

• Added PCI DSS 3.2 vulnerability ratings
• Update the PCI Compliance report template with the details of PCI DSS version 3.2

NEW SECURITY CHECK

• Remote Code Execution via File Upload in ImageMagick (aka ImageTragick)

NEW FEATURES

• Added ModSecurity WAF rule generation feature.

NEW SECURITY CHECKS

• Detection of SQLite Database files.
• Detection of Microsoft Outlook Personal Folders File (.pst) files.
• Detection of DS_Store files.
• Detection of SVN files, supporting the latest version of SVN.

IMPROVEMENTS

• Improved LFI “Long attack – boot.ini” attack.
• Added Internet Explorer 10, 11 and Microsoft Edge browser user agent values.
• Improved the performance of the scan session auto saves.
• Improved link importing to better handle relative URLs.
• Improved the “MIME Types” knowledge base list by ordering items alphabetically.
• Added “Extract static resources” option to JavaScript scan policy settings.
• Improved coverage of XML External Entity engine.

FIXES

• Fixed an attacking issue that occurs when retesting a vulnerability in an incremental scan.
• Fixed a link parsing issue in the text parser where links were incorrectly split.
• Fixed a form authentication “Override Target URL with authenticated page” issue which caused a wrong URL to be identified as the “Target URL”.
• Fixed a highlighting issue where the URL for “Insecure Frame (External)” vulnerability is partially highlighted.
• Fixed an incorrect “Source Code Disclosure” vulnerability report when the response contained an ASP.NET event validation code sample.
• Fixed an ObjectDisposedException which occured while trying to close the Authentication Verification dialog.
• Fixed a broken link in XSS vulnerability templates.

FIXES

• Fixed an exception that happens when reordering form values.
• Fixed the hidden URL text box on custom URL rewrite settings.
• Fixed the clipped automatic update notification label.

NEW FEATURES

• Added Proof of Concept generation for the CSRF vulnerability.
• Added Parameter-Based Navigation settings to better crawl and attack parameters that are used for website navigation.
• Added a new crawling option in the Scan Policy that allows users to add new extensions for the crawler to parse.

NEW SECURITY TESTS

• Added Missing X-XSS-Protection Header vulnerability check.
• Added Video.js JavaScript library detection.
• Added Critical Form Send to HTTP vulnerability check.
• Added Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability check.

IMPROVEMENTS

• Added the Smart DFS feature to the Dom Parser which uses a similarity heuristic technology for DOM elements to avoid  multiple scanning of the same or similar parameters.
• Added license load option to Help menu.
• Improved “Not Found Analyzer” to better handle binary responses and long strings.
• Changed the default settings of JIRA Send to Action for better out of the box support.
• Added a link to the proof URL for XSS vulnerabilities.
• Added link generation to Text Parser for all select element options.
• Improved the DOM parser to skip redirect responses.
• Added an option to allow the user to move the Invicti data directory to a different location.
• Improved the DOM parser to use the input value for auto-suggest simulation when input is not in a form.
• Added support for modifying asynchronous JavaScript executions in order to increase DOM Parser coverage.
• Improved relative link parsing on JavaScript files.
• Improved the coverage of file upload security checks.
• Improved the coverage of XSS security checks.

FIXES

• Fixed an issue where LFI attack patterns are reported as internal path disclosure.
• Fixed the incorrect raw response representing SSL connections.
• Fixed an issue where forms containing ignored parameters are not reported as CSRF vulnerability.
• Fixed a case where dynamically generated HTML option elements’ change event were not being triggered.
• Fixed cross-domain document access errors on DOM parser and XSS scanner.
• Fixed an issue where a JSON request’s method was incorrectly recognized as POST rather than GET.
• Fixed a retest issue where a vulnerability is reported as fixed incorrectly.
• Fixed form values target setting to use Name as the default value when a Target is not selected.
• Fixed an issue related with JavaScript “Load Preset Values” combo where selecting a preset value may revert the combo value to “(Custom)”.
• Fixed a file extension parsing issue related with File Extension List knowledgebase item.
• Fixed a hang issue occurs while performing JavaScript library checks.
• Fixed a custom form authentication API issue where “ns” namespace was conflicting with a global variable on target web site (authentication API has been moved to “invicti” namespace preserving the “ns” backward compatibility)
• Fixed a DOM Parser and XSS scanner bug that incorrectly follows redirects.
• Fixed misplaced certainty label on vulnerability details for trial editions.
• Fixed an ObjectDisposedException occurs on trial edition when you press escape key several times during application load.
• Fixed a resource deployment issue occurs on Invicti installations with custom application data path.
• Fixed a form values issue where empty form values should not set any default values for parameters.
• Fixed an issue where trying to set Connection request header fails.

IMPROVEMENTS

• Increased severity of “Insecure Transportation Security Protocol Supported (SSLv2)” vulnerability to “Important”
• Added support for adding several more request headers including the “Host” header

FIXES

• Fixed a bug related to VDB update process where a computer with no internet access may not get newer VDB updates even when it is updated using the offline installer

SECURITY CHECKS

• Added “HSTS (HTTP Strict Transport Security) Not Enabled” security checks
• Added various checks being reported with “HTTP Strict Transport Security (HSTS) Errors and Warnings”
• Added version checks for OpenCart web application

IMPROVEMENTS

• Improved JavaScript/DOM simulation and DOM XSS attacks
• Added “Form Values” support for JavaScript/DOM simulation and DOM XSS attacks
• Rewritten HSTS security checks
• Added evidence information to vulnerabilities list XML report
• Improved out-of-date reports for applications/libraries that have multiple active stable branches (i.e. jQuery 1.x and 2.x)
• Added the file name information for the local file inclusion evidence
• Added support for specifying client certificate authentication certificate for manual crawling
• Added source code to vulnerability details for “Source Code Disclosure” vulnerabilities
• Added “Custom Not Found Analysis” activities to UI
• Improved “Open in Browser” for XSS vulnerabilities and produced a vulnerable link with alert function
• Improved Heuristic URL Rewrite implementation to detect more patterns and increase crawling efficiency
• Improved the performance of DOM simulation by aggressively caching external requests
• Improved the performance of DOM simulation by caching web page responses
• Improved the performance of DOM simulation by blocking requests to known ad networks
• Improved minlength and maxlength support for form inputs that sets a value with an appropriate length
• Added support for matching inputs by label and placeholder texts on form values
• Improved the vulnerability description on out-of-date cases where identified version is the latest version
• Added database version, name and user proof for SQL injection vulnerabilities
• Improved the loading performance of Start New Scan dialog
• Added support for reordering form values to denote precedence
• Optimized the attacks with multiple parameters to reduce the number of attacks
• Added “Identified Source Code” section for “Source Code Disclosure” vulnerabilities

FIXES

• Fixed an out of disk space issue which occurs while writing logs
• Fixed the “scan will be paused” warning for a scan that is already paused
• Fixed the toggle state of proxy toolbar button on cases when the operation is canceled
• Fixed an issue which fails reading cookies on form authentication verification for cases where Set-Cookie response header is empty
• Fixed an issue on sitemap tree where the results were still populating even though scan pauses after crawling
• Fixed the issued requests which gets a timeout do not display any details on “HTTP Request / Response” tab
• Fixed an issue with client certificate authentication where the client certificate may be sent to external hosts while making HTTP requests
• Fixed cases where Invicti was making requests to addresses that are generated by its own attacks
• Fixed an issue where crawling activity is not shown on the UI when the crawling activity is retried
• Fixed elapsed time stops when the current scan is exported
• Fixed an issue with JavaScript library version detection where wrong version is reported if the path to JavaScript file contains digits
• Fixed missing AJAX requests on knowledgebase while doing manual crawling
• Fixed the issue of unsigned eowp.exe shipped with installer
• Fixed an ArgumentOutOfRangeException occurs on schedule dialog when a report template with an incorrect file name exists
• Fixed the stacked severity bar chart on “Detailed Scan Report” gets split and overflows to the second page
• Fixed HSTS engine where an http:// request may cause to loose current session cookie
• Fixed an issue where extracted links by TextParser in a JavaScript file should be relative to the main document
• Fixed the issues of delegated events not simulated if added to the DOM after load time
• Fixed the issue where hidden resource requests made by Invicti are displayed on out of scope knowledgebase
• Fixed the issue with automatic SSL protocol fallback which attempts the fallback even if the current security protocol is same with the fallback value
• Fixed the issue of “Strict-Transport-Security” is being reported as “Interesting Header”
• Fixed some Korean vulnerability templates which are wrong formatted
• Fixed the broken HIPAA classification link

Improvements

• Added “DROWN Attack” reporting

Fixes

• Fixed an issue that causes auto update process to hang after restarting Invicti for the update

Bug Fixes

• Fixed an issue with form authentication verification dialog where you may get a blank web page on left
• Fixed a cookie parsing issue where Invicti may fail to read some cookies on HTTP responses