Invicti Standard

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

• Ruby on Rails Remote Code Execution vulnerability

• Off the shelf Web Application Fingerprinting and detection of known security issues (Such as WordPress, Joomla and Drupal)

• Version disclosure checks for Apache module mod_ssl, Ruby and WEBrick HTTP web server

• Identification of phpMyAdmin and Webalizer

• Detection of SHTML error messages that could disclose sensitive information

• New WebDAV engine that detects WebDAV implementation security issues and vulnerabilities

• Server-Side Includes (SSI) Injection checks.

NEW FEATURES

• Scan Policy Editor that allows you to build own scan policies for more efficient web application security scans.

• Oracle CHR encoding and decoding facility in the Encoder pane

• Support for multiple exclude and include URL patterns which can also be specified in REGEX

• Knowledge base node where additional information about the scanned website is reported to the user

• New PCI Compliance Report template.

IMPROVEMENTS

• Default include and exclude URL pattern has been improved

• DOM Parser now supports proxies and client certification support

• The performance of the Controlled Scan user interface has been improved

• HTTP Response text editor automatically scrolls to the first highlighted text when viewed

• Improved vulnerability classifications

• Vulnerability templates text has been improved

• Updated the look and feel of the vulnerability templates

• Version vulnerability database updated with new web applications version for better finger printing

• Cross-site scripting exploit generation improved

• Improved confirmed vulnerability representation on Detailed Scan Report

• Internal Path Disclosure for Windows and Unix security tests have been improved

• Improved version disclosure security tests for Perl and ASP.NET MVC

• Start a Scan user interface by moving rarely used settings to Invicti general settings

• Improved the performance of security scans which are started using the same Invicti process

• Scope documentation text has been updated

• Updated WASC links to point to the exact threat classification page

• Improved custom 404 detection on sites where the start URL is redirected.

BUG FIXES

• Fixed a bug in XSS report templates where plus char encoding was wrong

• Fixed a bug which causes multibyte unicode characters to be corrupted upon retrieval

• Fixed a bug where “Auto Complete Enabled” isn’t reported

• Fixed a bug where Community Edition was asking for exporting sessions

• Fixed a bug causes redundant responses to be stored on redirects

• Fixed a bug causing a NullReferenceException during reporting

• Fixed a bug where custom cookies are not preserved when an exported session is imported

• Fixed a bug on report templates where extra fields were missing when there are multiple fields

• Fixed the radio button overlap issue on Encoder panel for high DPIs

• Fixed an issue where CSRF tokens weren’t applied for time based (blind) engines in late confirmation

• Fixed an issue where data grids on Settings dialog were preventing to cancel the dialog when an invalid row is present

• Fixed an issue where some logouts occurred on attack phase couldn’t be detected

• Fixed a bug which causes requests to URLs containing text HTMLElementInputClass

• Fixed a bug where the injection request/response could be clipped wrong in the middle of HTML tags

• Fixed the size of the Configure Authentication wizard for higher DPIs

• Fixed an issue with CLI interpretation where built-in profiles couldn’t be specified

• Fixed the COMException thrown on Configure Authentication wizard on pages that contain JavaScript calls to window.close()

• Fixed clipped text issue on scan summary dashboard severity bar chart

• Fixed the anchors to vulnerability details in OWASP Top Ten 2010 report template

• Fixed incorrect buttons sizes on message dialogs on high DPI settings

• Fixed a startup crash which occurs on systems where “Use FIPS compliant algorithms for encryption, hashing, and signing” group policy setting is enabled

• Fixed click sounds on vulnerability view tab

• Fixed an issue where find next button was not working on HTTP Request / Response tab

• Fixed a bug on Configure Authentication wizard occurs when the response contains multiple headers with same names.

Note: Due to major updates to the scan files, Invicti version 3 cannot open scans exported with previous versions of Invicti (.nss files).

Read the blog post for more details about this version

IMPROVEMENTS

• Updated vulnerability database

• Updated fingerprinting tables for WordPress and Movable Type

• Improved the language used in knowledge base templates.

BUG FIXES

• Fixed a bug to prevent auto update message dialog when the auto update setting is disabled

• Fixed a bug in meta tag parser to match the correct generator version.

Read the blog post for more details about this version

IMPROVEMENT

• Updated OWASP Top10 2010 classifications for SVN and CVS vulnerabilities.

BUG FIXES

• Fixed a critical bug where vulnerability templates rendering is broken on systems with IE8

• Fixed a bug where some vulnerabilities is not reported due to a race condition

• Fixed a bug occurs when a scan file is imported and the related scan policy file is missing

• Fixed a syntax error on Cookie Not Marked As Secure vulnerability template

IMPROVEMENT

• Updated vulnerability database.

BUG FIX

• Fixed a critical bug where Possible Path Disclosure (Unix/Linux) was running slowly on large sources.

BUG FIX

Fixed a critical bug where scan was missing scope setting when started from command line and ending prematurely.

IMPROVEMENTS

• Added OWASP Top Ten 2013 Report template

• Updated vulnerability database (MySQL, WordPress, Joomla)

Read the blog post for more details about this version

IMPROVEMENTS

• Updated known web applications vulnerability database (Drupal, PHP)

Read the blog post for more details about this version

IMPROVEMENTS

• Updated vulnerability database (PHP, osCommerce, Python).

BUG FIXES

• Fixed a critical bug where some report templates weren’t printing all vulnerability instances.
• Fixed a bug on DOM/JavaScript Parser that causes some ASP.NET postback links to be not crawled.

Read the blog post for more details about this version

IMPROVEMENTS

• Updated known web applications vulnerability database (Apache, MySQL, WordPress, osCommerce, MediaWiki)

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

• Added support for parsing and attacking JSON and XML request payloads

• CSRF engine is added

• HTML5 engine is added

• Updated vulnerability database (MySQL, Apache, PHP, Nginx, Tomcat, WordPress, Joomla, MediaWiki, osCommerce, phpBB, Twiki)

• Added Dynamic Payload – Slash/Backslash LFI patterns

NEW FEATURES

• Added support for new HTML5 input types

• Most of the global settings now moved to scan policy and they can be set per scan basis

• Added a new knowledge base item where all out of scope links in current scan are listed with the reasons

• Added a new knowledge base item where HTML, JavaScript and CSS comments on pages are listed and possible sensitive keywords are highlighted

• Added a new knowledge base item where frames with external URLs are reported

• Added a new knowledge base item where embedded objects such as Adobe Flash movies, Java Applets, ActiveX objects, etc. are reported

• Added support for cookies set by meta tags

• Added support for generating multiple reports at a time using command line

• Added support for updating vulnerability database without requiring to update the application

• Added logging feature to log HTTP requests/responses in Fiddler .saz file format

IMPROVEMENTS

• DOM parser simulation is improved

• Attack possibility calculation is improved

• Rendering in severity bar chart in scan summary dashboard is improved

• Added late confirmation support for Blind Command Injection engine

• DOM parser print dialog prevention improved

• Browser View tab now shows XML responses in a tree view

• Tweaked sleep tolerance value of time based engines

• Improved the impact sections of most of the vulnerability templates

• Improved LFI Exploitation which now is capable of better file content extraction and highlighting on text editor

• Form inputs listed under knowledge base are now grouped by their types

• Improved PHP Source Code Disclosure pattern

• Improved DOM parser to extract textarea elements

• Improved LFI Exploitation to cover case where LFI vulnerable page contains extra HTML tags

• Improved LFI confirmation patterns

• Improved XSS confirmation for Full URL and Full Query String attacks

• Optimized XSS confirmation phase to skip redundant patterns

• Improved binary response detection

• Added limit controls to the knowledge base items to prevent performance degradation of excessive amounts of items

• Default user agent string is set to the one used in IE8

• Improved the importers, manual proxy and Form Authentication Configuration wizard to support JSON, XML and multipart/form-data requests

• Improved multipart/form-data request parsing

• Improved threading code in DOM parser and made DOM parser run in multiple processes

• Improved Knowledge base user interface

• Improved form value pattern for URL inputs

• Add vulnerability database version information to related vulnerability templates

• Configure Form Authentication wizard clears persistent cookies when started

• Added detailed crawling/attacking activity information to Scan Summary Dashboard

• Added activity information to Scan Summary Dashboard for ReCrawling and Extra Confirmation phases

BUG FIXES

• Fixed a bug where sitemap context menu was missing menu items when a scan is imported from a file

• Fixed a bug where reports generated after an auto pilot scan may contain missing items

• Fixed a bug where Invicti was telling “Scan Finished” even though Recrawling was still in progress

• Fixed scrolling issue on HTTP response text editor when the highlighted text spans multi lines

• Fixed a NullReferenceException thrown from Knowledge Base when a scan imported from file

• Fixed an issue where Error dialog was showing in autopilot mode

• Fixed an issue where Auto Update dialog was showing in autopilot mode

• Fixed a bug where DOM parser was failing to trigger click event for button elements

• Fixed a bug where DOM parser was failing to extract value attribute for button elements

• Fixed a bug where Possible LFI is reported for a binary file

• Fixed a bug where LFI Exploitation was combining two files if they were having same names in different folders

• Fixed a DOM parser issue where forms with empty action values are not captured

• Fixed a DOM parser issue where all callback links in an ASP.NET Web Forms page are not clicked

• Fixed typo in “Only Entered Url” section of User Manual

• Fixed a DOM parser issue where a form containing multiple submit buttons is submitted using only one of the buttons

• Fixed a DOM parser issue where button element with empty value is parsed

• Fixed scan policy editor to reject policies with empty names

• Fixed include/exclude URLs list to reject empty patterns

• Fixed wrong URLs for Permanent XSS vulnerabilities shown in Issues panel

• Fixed a scan policy bug where cloning a policy doesn’t copy the database type of Boolean SQL Injection engine

• Fixed Burp importer where rn occurrences were normalized to n chars.

• Fixed Burp importer which was failing to parse headers properly

• Fixed Burp importer which was failing with base64 encoded requests

• Fixed Paros importer which was failing to parse POST request bodies with multiple lines

• Fixed a bug where XSS payload is not executed in javascript context however reported as possible XSS

• Fixed misleading status message in dashboard after file import

• Fixed a bug in fingerprinting which was causing a NullReferenceException

• Fixed an issue where Anti-CSRF token extraction didn’t work in crawling

NOTE: This update has a breaking change due to new Scan Policy settings feature. If you have customized some global settings, they will reset to their default values.

Read the blog post for more details about this version

IMPROVEMENTS

• Moved Scan Policy settings from Settings dialog to Scan Policy Editor dialog

• Added “debug” keyword to default sensitive comment keyword list

• Improved Scan Policy Editor dialog to default to unique policy names when a new policy is created or cloned

• Improved Custom 404 RegEx validation to prevent empty patterns

• Improved HTML5 engine to ignore non-HTTP protocols on iframe sources

• Improved Configure Form Authentication wizard to use the selected Scan Policy settings (Custom headers, proxy, user-agent, etc.) on Start a New Scan dialog

• Improved Cross-site Scripting vulnerability template

BUG FIXES

• Fixed wrong PDF scaling issue which causes fonts to be rendered very small for report templates

• Fixed DOM Parser InvalidCastException crashes while trying to cast option tags on some cases

• Fixed form “action” value reported wrong on vulnerability details

• Fixed Internal Proxy port value setting upper bound to 65535

• Fixed incorrect attack possibility calculation for XSS confirmation requests

• Fixed dialog sizes on various screen resolutions and DPIs

• Fixed some issues in XSS detecting within script blocks

• Fixed XML attacks where reserved “xmlns” attribute values were being modified

• Fixed a DOM Parser issue on HTML pages with nested form tags

FIXES

• Fixed an InvalidCastException occurs on DOM Parser on some configurations

• Fixed some incorrect UI control sizes and locations