Invicti Standard

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

• Possible Windows Username Disclosure

• LigHTTPD Directory Listing

• Nginx Directory Listing

• LiteSpeed Directory Listing

• Generic Email Address Disclosure

• LigHTTPD Version Disclosure

• Nginx Version Disclosure

• SharePoint Version Disclosure

• IIS 8 Default Page Detection

• Struts2 Development Mode Enabled.

NEW FEATURES

• Seamless Update Support

• Error Reporting and Help Desk Integration

• Custom HTTP Header Support.

Read the blog post for more details about this version

NEW FEATURES

• Windows 8/Server 2012 Support.

IMPROVEMENT

• Vulnerability Database Update.

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

• HTTP Strict Transport Security (HSTS) Test

• Shell Script Found detection

• XHTML XSS Attack

• Database Connection String Found vulnerability

• Possible Administration Page Found Issue

• UNC Server and Share Disclosure.

NEW FEATURES

• Integration with Bug Tracking Tools and Send To Feature

• Generate Exploit Feature

• OWASP Top Ten Report.

IMPROVEMENTS

• Vulnerability Database Update

• Performance Improvements.

Read the blog post for more details about this version

IMPROVEMENTS

• Vulnerability Database Update

• Configure Authentication user interface enhancements.

BUG FIX

• Fixed issues in Form authentication logout detection.

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

• Ruby on Rails Remote Code Execution vulnerability

• Off the shelf Web Application Fingerprinting and detection of known security issues (Such as WordPress, Joomla and Drupal)

• Version disclosure checks for Apache module mod_ssl, Ruby and WEBrick HTTP web server

• Identification of phpMyAdmin and Webalizer

• Detection of SHTML error messages that could disclose sensitive information

• New WebDAV engine that detects WebDAV implementation security issues and vulnerabilities

• Server-Side Includes (SSI) Injection checks.

NEW FEATURES

• Scan Policy Editor that allows you to build own scan policies for more efficient web application security scans.

• Oracle CHR encoding and decoding facility in the Encoder pane

• Support for multiple exclude and include URL patterns which can also be specified in REGEX

• Knowledge base node where additional information about the scanned website is reported to the user

• New PCI Compliance Report template.

IMPROVEMENTS

• Default include and exclude URL pattern has been improved

• DOM Parser now supports proxies and client certification support

• The performance of the Controlled Scan user interface has been improved

• HTTP Response text editor automatically scrolls to the first highlighted text when viewed

• Improved vulnerability classifications

• Vulnerability templates text has been improved

• Updated the look and feel of the vulnerability templates

• Version vulnerability database updated with new web applications version for better finger printing

• Cross-site scripting exploit generation improved

• Improved confirmed vulnerability representation on Detailed Scan Report

• Internal Path Disclosure for Windows and Unix security tests have been improved

• Improved version disclosure security tests for Perl and ASP.NET MVC

• Start a Scan user interface by moving rarely used settings to Invicti general settings

• Improved the performance of security scans which are started using the same Invicti process

• Scope documentation text has been updated

• Updated WASC links to point to the exact threat classification page

• Improved custom 404 detection on sites where the start URL is redirected.

BUG FIXES

• Fixed a bug in XSS report templates where plus char encoding was wrong

• Fixed a bug which causes multibyte unicode characters to be corrupted upon retrieval

• Fixed a bug where “Auto Complete Enabled” isn’t reported

• Fixed a bug where Community Edition was asking for exporting sessions

• Fixed a bug causes redundant responses to be stored on redirects

• Fixed a bug causing a NullReferenceException during reporting

• Fixed a bug where custom cookies are not preserved when an exported session is imported

• Fixed a bug on report templates where extra fields were missing when there are multiple fields

• Fixed the radio button overlap issue on Encoder panel for high DPIs

• Fixed an issue where CSRF tokens weren’t applied for time based (blind) engines in late confirmation

• Fixed an issue where data grids on Settings dialog were preventing to cancel the dialog when an invalid row is present

• Fixed an issue where some logouts occurred on attack phase couldn’t be detected

• Fixed a bug which causes requests to URLs containing text HTMLElementInputClass

• Fixed a bug where the injection request/response could be clipped wrong in the middle of HTML tags

• Fixed the size of the Configure Authentication wizard for higher DPIs

• Fixed an issue with CLI interpretation where built-in profiles couldn’t be specified

• Fixed the COMException thrown on Configure Authentication wizard on pages that contain JavaScript calls to window.close()

• Fixed clipped text issue on scan summary dashboard severity bar chart

• Fixed the anchors to vulnerability details in OWASP Top Ten 2010 report template

• Fixed incorrect buttons sizes on message dialogs on high DPI settings

• Fixed a startup crash which occurs on systems where “Use FIPS compliant algorithms for encryption, hashing, and signing” group policy setting is enabled

• Fixed click sounds on vulnerability view tab

• Fixed an issue where find next button was not working on HTTP Request / Response tab

• Fixed a bug on Configure Authentication wizard occurs when the response contains multiple headers with same names.

Note: Due to major updates to the scan files, Invicti version 3 cannot open scans exported with previous versions of Invicti (.nss files).

Read the blog post for more details about this version

IMPROVEMENTS

• Updated vulnerability database

• Updated fingerprinting tables for WordPress and Movable Type

• Improved the language used in knowledge base templates.

BUG FIXES

• Fixed a bug to prevent auto update message dialog when the auto update setting is disabled

• Fixed a bug in meta tag parser to match the correct generator version.

Read the blog post for more details about this version

IMPROVEMENT

• Updated OWASP Top10 2010 classifications for SVN and CVS vulnerabilities.

BUG FIXES

• Fixed a critical bug where vulnerability templates rendering is broken on systems with IE8

• Fixed a bug where some vulnerabilities is not reported due to a race condition

• Fixed a bug occurs when a scan file is imported and the related scan policy file is missing

• Fixed a syntax error on Cookie Not Marked As Secure vulnerability template

IMPROVEMENT

• Updated vulnerability database.

BUG FIX

• Fixed a critical bug where Possible Path Disclosure (Unix/Linux) was running slowly on large sources.

BUG FIX

Fixed a critical bug where scan was missing scope setting when started from command line and ending prematurely.

IMPROVEMENTS

• Added OWASP Top Ten 2013 Report template

• Updated vulnerability database (MySQL, WordPress, Joomla)

Read the blog post for more details about this version

IMPROVEMENTS

• Updated known web applications vulnerability database (Drupal, PHP)

Read the blog post for more details about this version

IMPROVEMENTS

• Updated vulnerability database (PHP, osCommerce, Python).

BUG FIXES

• Fixed a critical bug where some report templates weren’t printing all vulnerability instances.
• Fixed a bug on DOM/JavaScript Parser that causes some ASP.NET postback links to be not crawled.