Changelogs

Invicti Standard


18 Mar 2015


Read the blog post for more details about this version

IMPROVEMENTS

  • Updated known web applications vulnerability database (Apache, MySQL, WordPress, osCommerce, MediaWiki)

18 Mar 2015


Read the blog post for more details about this version

NEW WEB SECURITY TESTS

  • Added support for parsing and attacking JSON and XML request payloads

  • CSRF engine is added

  • HTML5 engine is added

  • Updated vulnerability database (MySQL, Apache, PHP, Nginx, Tomcat, WordPress, Joomla, MediaWiki, osCommerce, phpBB, Twiki)

  • Added Dynamic Payload – Slash/Backslash LFI patterns

NEW FEATURES

  • Added support for new HTML5 input types

  • Most global settings have moved into the scan policy and can now be set on a per-scan basis

  • Added a new knowledge base item where all out of scope links in current scan are listed with the reasons

  • Added a new knowledge base item where HTML, JavaScript and CSS comments on pages are listed and possible sensitive keywords are highlighted

  • Added a new knowledge base item where frames with external URLs are reported

  • Added a new knowledge base item where embedded objects such as Adobe Flash movies, Java Applets, ActiveX objects, etc. are reported

  • Added support for cookies set by meta tags

  • Added support for generating multiple reports at a time using command line

  • Added support for updating the vulnerability database without requiring an application update

  • Added logging feature to log HTTP requests/responses in Fiddler .saz file format

IMPROVEMENTS

  • DOM parser simulation is improved

  • Attack possibility calculation is improved

  • Rendering in severity bar chart in scan summary dashboard is improved

  • Added late confirmation support for Blind Command Injection engine

  • DOM parser print dialog prevention improved

  • Browser View tab now shows XML responses in a tree view

  • Tweaked sleep tolerance value of time based engines

  • Improved the impact sections of most of the vulnerability templates

  • Improved LFI Exploitation which now is capable of better file content extraction and highlighting on text editor

  • Form inputs listed under knowledge base are now grouped by their types

  • Improved PHP Source Code Disclosure pattern

  • Improved DOM parser to extract textarea elements

  • Improved LFI Exploitation to cover case where LFI vulnerable page contains extra HTML tags

  • Improved LFI confirmation patterns

  • Improved XSS confirmation for Full URL and Full Query String attacks

  • Optimized XSS confirmation phase to skip redundant patterns

  • Improved binary response detection

  • Added limit controls to the knowledge base items to prevent performance degradation caused by excessive numbers of items

  • Default user agent string is set to the one used in IE8

  • Improved the importers, manual proxy and Form Authentication Configuration wizard to support JSON, XML and multipart/form-data requests

  • Improved multipart/form-data request parsing

  • Improved threading code in DOM parser and made DOM parser run in multiple processes

  • Improved Knowledge base user interface

  • Improved form value pattern for URL inputs

  • Added vulnerability database version information to related vulnerability templates

  • Configure Form Authentication wizard clears persistent cookies when started

  • Added detailed crawling/attacking activity information to Scan Summary Dashboard

  • Added activity information to Scan Summary Dashboard for ReCrawling and Extra Confirmation phases

BUG FIXES

  • Fixed a bug where sitemap context menu was missing menu items when a scan is imported from a file

  • Fixed a bug where reports generated after an auto pilot scan may contain missing items

  • Fixed a bug where Invicti was telling “Scan Finished” even though Recrawling was still in progress

  • Fixed scrolling issue on HTTP response text editor when the highlighted text spans multi lines

  • Fixed a NullReferenceException thrown from Knowledge Base when a scan is imported from a file

  • Fixed an issue where Error dialog was showing in autopilot mode

  • Fixed an issue where Auto Update dialog was showing in autopilot mode

  • Fixed a bug where DOM parser was failing to trigger click event for button elements

  • Fixed a bug where DOM parser was failing to extract value attribute for button elements

  • Fixed a bug where Possible LFI is reported for a binary file

  • Fixed a bug where LFI Exploitation was combining two files if they had the same name in different folders

  • Fixed a DOM parser issue where forms with empty action values are not captured

  • Fixed a DOM parser issue where all callback links in an ASP.NET Web Forms page are not clicked

  • Fixed typo in “Only Entered Url” section of User Manual

  • Fixed a DOM parser issue where a form containing multiple submit buttons is submitted using only one of the buttons

  • Fixed a DOM parser issue where button element with empty value is parsed

  • Fixed scan policy editor to reject policies with empty names

  • Fixed include/exclude URLs list to reject empty patterns

  • Fixed wrong URLs for Permanent XSS vulnerabilities shown in Issues panel

  • Fixed a scan policy bug where cloning a policy doesn’t copy the database type of Boolean SQL Injection engine

  • Fixed Burp importer where \r\n occurrences were normalized to \n characters

  • Fixed Burp importer which was failing to parse headers properly

  • Fixed Burp importer which was failing with base64 encoded requests

  • Fixed Paros importer which was failing to parse POST request bodies with multiple lines

  • Fixed a bug where an XSS payload that is not executed in JavaScript context was still reported as possible XSS

  • Fixed misleading status message in dashboard after file import

  • Fixed a bug in fingerprinting which was causing a NullReferenceException

  • Fixed an issue where Anti-CSRF token extraction didn’t work in crawling

 

NOTE: This update has a breaking change due to new Scan Policy settings feature. If you have customized some global settings, they will reset to their default values.

 

18 Mar 2015


Read the blog post for more details about this version

IMPROVEMENTS

  • Moved Scan Policy settings from Settings dialog to Scan Policy Editor dialog

  • Added “debug” keyword to default sensitive comment keyword list

  • Improved Scan Policy Editor dialog to default to unique policy names when a new policy is created or cloned

  • Improved Custom 404 RegEx validation to prevent empty patterns

  • Improved HTML5 engine to ignore non-HTTP protocols on iframe sources

  • Improved Configure Form Authentication wizard to use the selected Scan Policy settings (Custom headers, proxy, user-agent, etc.) on Start a New Scan dialog

  • Improved Cross-site Scripting vulnerability template

BUG FIXES

  • Fixed wrong PDF scaling issue which causes fonts to be rendered very small for report templates

  • Fixed DOM Parser InvalidCastException crashes while trying to cast option tags on some cases

  • Fixed form “action” value reported wrong on vulnerability details

  • Fixed the Internal Proxy port setting to enforce an upper bound of 65535

  • Fixed incorrect attack possibility calculation for XSS confirmation requests

  • Fixed dialog sizes on various screen resolutions and DPIs

  • Fixed some issues in XSS detecting within script blocks

  • Fixed XML attacks where reserved “xmlns” attribute values were being modified

  • Fixed a DOM Parser issue on HTML pages with nested form tags

18 Mar 2015


FIXES

  • Fixed an InvalidCastException that occurs in DOM Parser on some configurations

  • Fixed some incorrect UI control sizes and locations

18 Mar 2015


Read the blog post for more details about this version

NEW FEATURES

  • Added classifications for PCI DSS Version 3.0 to vulnerability details

  • Added new PCI Version 3.0 report template

BUG FIX

  • Fixed an issue on Configure Form Authentication wizard where token, custom header and proxy settings weren’t used from selected scan policy

18 Mar 2015


Read the blog post for more details about this version

NEW WEB SECURITY TESTS

  • Added attack patterns for LFI vulnerability which is revealed with only backslashes in file path

  • Added Programming Error Message vulnerability detection for SOAP faults

  • Added AutoComplete vulnerability for password inputs

  • NuSOAP version disclosure

  • NuSOAP version check

NEW FEATURES

  • SOAP Web Services scanning – ability to scan SOAP web services for security issues and vulnerabilities

  • Request and Response viewers to view HTTP requests/responses like XML and JSON tree views

  • New knowledge base node that will include all AJAX/XML HTTP Requests

  • New value matching options for form values other than regex pattern (exact, contains, starts, ends)

  • New report template for parsing source information Crawled URLs List (CSV)

IMPROVEMENTS

  • Improved XSS vulnerability confirmation

  • Improved Generic Source Code Disclosure security check by excluding JavaScript and CSS resources

  • Added latest version custom field for the version vulnerabilities

  • Added standard context menus to text editors

  • Sitemap tree will display nodes of JSON, XML and SOAP requests and responses with no parameters

  • Added force option to form value settings to enforce user specified values

  • Optimized attack patterns for JSON and XML attacks by reducing attack requests

  • Optimized Common Directories list and removed the limit for Extensive Security Checks policy

  • Improved the license dialog to show whether a license is missing or expired

FIXES

  • Fixed update dialog to not show in autopilot mode

  • Fixed an interim auto update crash

  • Fixed typo in Out of Scope Links knowledge base report template

  • Fixed an issue in LFI exploiter where XML tags with namespace prefixes were preventing exploitation

  • Fixed Controlled Scan button disabled issue for some sitemap nodes

  • Fixed parameter anchors in Vulnerability Summary table of Detailed Scan Report template

  • Fixed form authentication wizard to use user agent set on currently selected policy

  • Fixed zero response time issue for some sitemap nodes

  • Fixed dashboard progress bar showing 100%

  • Fixed random crashes on license dialog while loading license file or closing dialog

  • Fixed Microsoft Anti-XSS Library links on vulnerability references

18 Mar 2015


BUG FIX

  • Fixed an issue where an imported NSS file containing multiple version vulnerabilities was throwing exceptions during report generation

18 Mar 2015


BUG FIX

  • Fixed SocketException error which occurs during Heartbleed check

18 Mar 2015


BUG FIXES

  • Fixed a bug where application hangs in Heartbleed engine

  • Fixed SOAP WSDL parser to parse web services containing .NET System.Data references

  • Fixed SOAP WSDL parser to parse web services containing array parameters

18 Mar 2015


Read the blog post for more details about this version

NEW WEB SECURITY TESTS

  • DOM based cross-site scripting vulnerability scanning

  • Scanning of parameters in URLs

  • Nginx web server Out-of-date version check

  • Perl possible source code disclosure

  • Python possible source code disclosure

  • Ruby possible source code disclosure

  • Java possible source code disclosure

  • Nginx Web Server identification

  • Apache Web Server identification

  • Java stack trace disclosure

NEW FEATURES

  • Chrome based web browser engine for DOM parsing

  • URL rewrite rules configuration wizard to scan parameters in URLs

  • “Ignore Vulnerability from Scan” option to exclude vulnerabilities from reports

IMPROVEMENTS

  • Improved the correctness and coverage of Remote Code Execution via Local File Inclusion vulnerabilities

  • Improved cross-site scripting vulnerability confirmation patterns

  • Added support for viewing JSON arrays in document roots in request/response viewers

  • Added support for Microsoft Office ACCDB database file detection

  • Improved DOM parser to exclude non-HTML files

  • Improved PHP Source Code Disclosure vulnerability detection

  • Improved Nginx Version Disclosure vulnerability template

  • Improved IIS 8 Default Page detection

  • Improved Email List knowledgebase report to include generic email addresses

  • Improved Configure Form Authentication wizard by replacing embedded record browser with a Chrome based browser

  • Improved the form authentication configuration wizard to handle cases where Basic/NTLM/Digest is used in conjunction with Form Authentication

  • Added a cross-site scripting attack pattern which constructs a valid XHTML in order to trigger the XSS

  • Added double encoded attack groups in order to reduce local file inclusion vulnerability confirmation requests

  • Added status bar label which displays current VDB version and VDB version update notifications

  • Added login activity indicator to Scan Summary Dashboard

  • Added a new knowledgebase out-of-scope reason for links which exceed maximum depth

  • Updated external references in cross-site scripting vulnerability templates

  • Improved DOM parser by providing current cookies and referer to DOM/JavaScript context

  • Added several new DOM events to simulate including keyboard events

  • Improved the parsing of “Anti-CSRF token field names” setting by trimming each individual token name pattern

  • Added support for simulating DOM events inside HTML frames/iframes

  • Consolidated XSS exploitation function name (invicti()) throughout all the areas reported

  • Removed redundant semicolon followed by waitfor delay statements from time based SQLi attack patterns to bypass more blacklistings

  • Changed default user-agent string to mimic a Chrome based browser

  • Improved LFI extraction file list to extract files from target system according to detected OS

  • Removed outdated PCI 1.2 classifications

BUG FIXES

  • Fixed indentation problem of bullets in knowledgebase reports

  • Fixed path disclosure reports in MooTools JavaScript file

  • Fixed a KeyNotFoundException that occurs when a node in the Sitemap tree is clicked

  • Fixed NullReferenceException thrown from Boolean SQL Injection Engine

  • Fixed an issue in WebDav Engine where an extra parameter was added when requesting with the OPTIONS method

  • Fixed a bug where LFI exploitation does not work for double encoded paths

  • Fixed a bug in Export file dialog where .nss extension isn’t appended if file name ends with a known file extension

  • Fixed a bug in Configure Form Authentication wizard where the number of scripts loaded shows incorrectly

  • Fixed a bug which occurs while retesting with CSRF engine

  • Fixed a bug where retest does not work after loading a saved scan session

  • Fixed a bug where Invicti reports out of date PHP even though PHP is up to date

  • Fixed a UI hang where Invicti tries to display a binary response in Browser View tab

  • Fixed an ArgumentNullException thrown when clicking Heartbleed vulnerability

  • Fixed a bug where Invicti makes requests to DTD URIs in XML documents

  • Fixed a bug in Scan Policy settings dialog where the list of user agents was duplicated

  • Fixed a typo in ViewState MAC Not Enabled vulnerability template

  • Fixed a bug in auto updater where the updater doesn’t honour the AutoPilot and Silent command line switches

  • Fixed XSS exploit generation code to handle cases where input name is “submit”

  • Fixed a bug that prevents invicti.exe process from closing if you try to close Invicti immediately after starting a new scan

  • Fixed a UI hang that happens when the highlighted text in response source code is huge

  • Fixed issues with decoded HTML attribute values in text parser

  • Fixed session cookie path issues according to how they are implemented in modern browsers

  • Fixed scan stuck at re-crawling issue for imported scan sessions

  • Fixed highlighting issues for possible XSS vulnerabilities

  • Fixed a crash due to empty/missing URL value for form authentication macro requests

  • Fixed a NullReferenceException in Open Redirect Engine which occurs if redirect response is missing Location header

  • Fixed an error in the authentication macro sequence player that happens when the request URI is wrong or missing

18 Mar 2015


Read the blog post for more details about this version

NEW FEATURE

  • New option available to specify the type of parameter when configuring URL rewrite rules, e.g. numeric, date, alphanumeric

IMPROVEMENTS

  • Improved the performance of the DOM Parser

  • Improved the performance of the DOM cross-site scripting scanner

  • Optimized DOM XSS Scanner to avoid scanning pages with same source code

  • Changed the default HTTP User agent string of built-in policies to Chrome web browser User agent string

  • Improved selected element simulation for select HTML elements

  • Added new patterns for Open Redirect engine

BUG FIXES

  • Fixed a bug in WSDL parser which prevents web service detection if XML comments are present before the definitions tag

  • Fixed a bug in WSDL parser which prevents web service detection if an external schema request gets a 404 not found response

  • Fixed a bug that occurs when custom URL rewrite rules do not match the URL with injected attack pattern and request is not performed

  • Fixed a configure form authentication wizard problem where the web browser does not load the page if the target site uses client certificates

  • Fixed a crash in configure form authentication wizard that occurs when the HTML source code contains an object element whose data uses the data: URL scheme

  • Fixed a bug in DOM Parser where events are not simulated for elements inside frames

  • Fixed a cookie parsing bug where a malformed cookie was causing an empty HTTP response