18 Mar 2015
Read the blog post for more details about this version
NEW FEATURES
-
Windows 8/Server 2012 Support.
IMPROVEMENT
- Vulnerability Database Update.
18 Mar 2015
Read the blog post for more details about this version
IMPROVEMENTS
-
Vulnerability Database Update
-
Configure Authentication user interface enhancements.
BUG FIX
- Fixed issues in Form authentication logout detection.
18 Mar 2015
Read the blog post for more details about this version
NEW WEB SECURITY TESTS
-
Ruby on Rails Remote Code Execution vulnerability
-
Off the shelf Web Application Fingerprinting and detection of known security issues (Such as WordPress, Joomla and Drupal)
-
Version disclosure checks for Apache module mod_ssl, Ruby and WEBrick HTTP web server
-
Identification of phpMyAdmin and Webalizer
-
Detection of SHTML error messages that could disclose sensitive information
-
New WebDAV engine that detects WebDAV implementation security issues and vulnerabilities
-
Server-Side Includes (SSI) Injection checks.
NEW FEATURES
-
Scan Policy Editor that allows you to build own scan policies for more efficient web application security scans.
-
Oracle CHR encoding and decoding facility in the Encoder pane
-
Support for multiple exclude and include URL patterns which can also be specified in REGEX
-
Knowledge base node where additional information about the scanned website is reported to the user
-
New PCI Compliance Report template.
IMPROVEMENTS
-
Default include and exclude URL pattern has been improved
-
DOM Parser now supports proxies and client certification support
-
The performance of the Controlled Scan user interface has been improved
-
HTTP Response text editor automatically scrolls to the first highlighted text when viewed
-
Improved vulnerability classifications
-
Vulnerability templates text has been improved
-
Updated the look and feel of the vulnerability templates
-
Version vulnerability database updated with new web applications version for better finger printing
-
Cross-site scripting exploit generation improved
-
Improved confirmed vulnerability representation on Detailed Scan Report
-
Internal Path Disclosure for Windows and Unix security tests have been improved
-
Improved version disclosure security tests for Perl and ASP.NET MVC
-
Start a Scan user interface by moving rarely used settings to Invicti general settings
-
Improved the performance of security scans which are started using the same Invicti process
-
Scope documentation text has been updated
-
Updated WASC links to point to the exact threat classification page
-
Improved custom 404 detection on sites where the start URL is redirected.
BUG FIXES
-
Fixed a bug in XSS report templates where plus char encoding was wrong
-
Fixed a bug which causes multibyte unicode characters to be corrupted upon retrieval
-
Fixed a bug where “Auto Complete Enabled” isn’t reported
-
Fixed a bug where Community Edition was asking for exporting sessions
-
Fixed a bug causes redundant responses to be stored on redirects
-
Fixed a bug causing a NullReferenceException during reporting
-
Fixed a bug where custom cookies are not preserved when an exported session is imported
-
Fixed a bug on report templates where extra fields were missing when there are multiple fields
-
Fixed the radio button overlap issue on Encoder panel for high DPIs
-
Fixed an issue where CSRF tokens weren’t applied for time based (blind) engines in late confirmation
-
Fixed an issue where data grids on Settings dialog were preventing to cancel the dialog when an invalid row is present
-
Fixed an issue where some logouts occurred on attack phase couldn’t be detected
-
Fixed a bug which causes requests to URLs containing text HTMLElementInputClass
-
Fixed a bug where the injection request/response could be clipped wrong in the middle of HTML tags
-
Fixed the size of the Configure Authentication wizard for higher DPIs
-
Fixed an issue with CLI interpretation where built-in profiles couldn’t be specified
-
Fixed the COMException thrown on Configure Authentication wizard on pages that contain JavaScript calls to window.close()
-
Fixed clipped text issue on scan summary dashboard severity bar chart
-
Fixed the anchors to vulnerability details in OWASP Top Ten 2010 report template
-
Fixed incorrect buttons sizes on message dialogs on high DPI settings
-
Fixed a startup crash which occurs on systems where “Use FIPS compliant algorithms for encryption, hashing, and signing” group policy setting is enabled
-
Fixed click sounds on vulnerability view tab
-
Fixed an issue where find next button was not working on HTTP Request / Response tab
-
Fixed a bug on Configure Authentication wizard occurs when the response contains multiple headers with same names.
Note: Due to major updates to the scan files, Invicti version 3 cannot open scans exported with previous versions of Invicti (.nss files).
18 Mar 2015
Read the blog post for more details about this version
IMPROVEMENTS
-
Updated vulnerability database
-
Updated fingerprinting tables for WordPress and Movable Type
-
Improved the language used in knowledge base templates.
BUG FIXES
-
Fixed a bug to prevent auto update message dialog when the auto update setting is disabled
- Fixed a bug in meta tag parser to match the correct generator version.
18 Mar 2015
Read the blog post for more details about this version
IMPROVEMENT
-
Updated OWASP Top10 2010 classifications for SVN and CVS vulnerabilities.
BUG FIXES
-
Fixed a critical bug where vulnerability templates rendering is broken on systems with IE8
-
Fixed a bug where some vulnerabilities is not reported due to a race condition
-
Fixed a bug occurs when a scan file is imported and the related scan policy file is missing
- Fixed a syntax error on Cookie Not Marked As Secure vulnerability template
18 Mar 2015
IMPROVEMENT
-
Updated vulnerability database.
BUG FIX
- Fixed a critical bug where Possible Path Disclosure (Unix/Linux) was running slowly on large sources.
18 Mar 2015
BUG FIX
Fixed a critical bug where scan was missing scope setting when started from command line and ending prematurely.
18 Mar 2015
IMPROVEMENTS
-
Added OWASP Top Ten 2013 Report template
- Updated vulnerability database (MySQL, WordPress, Joomla)
18 Mar 2015
Read the blog post for more details about this version
IMPROVEMENTS
- Updated known web applications vulnerability database (Drupal, PHP)
18 Mar 2015
Read the blog post for more details about this version
IMPROVEMENTS
- Updated vulnerability database (PHP, osCommerce, Python).
BUG FIXES
- Fixed a critical bug where some report templates weren’t printing all vulnerability instances.
- Fixed a bug on DOM/JavaScript Parser that causes some ASP.NET postback links to be not crawled.
18 Mar 2015
Read the blog post for more details about this version
IMPROVEMENTS
-
Updated known web applications vulnerability database (Apache, MySQL, WordPress, osCommerce, MediaWiki)
18 Mar 2015
Read the blog post for more details about this version
NEW WEB SECURITY TESTS
-
Added support for parsing and attacking JSON and XML request payloads
-
CSRF engine is added
-
HTML5 engine is added
-
Updated vulnerability database (MySQL, Apache, PHP, Nginx, Tomcat, WordPress, Joomla, MediaWiki, osCommerce, phpBB, Twiki)
-
Added Dynamic Payload – Slash/Backslash LFI patterns
NEW FEATURES
-
Added support for new HTML5 input types
-
Most of the global settings now moved to scan policy and they can be set per scan basis
-
Added a new knowledge base item where all out of scope links in current scan are listed with the reasons
-
Added a new knowledge base item where HTML, JavaScript and CSS comments on pages are listed and possible sensitive keywords are highlighted
-
Added a new knowledge base item where frames with external URLs are reported
-
Added a new knowledge base item where embedded objects such as Adobe Flash movies, Java Applets, ActiveX objects, etc. are reported
-
Added support for cookies set by meta tags
-
Added support for generating multiple reports at a time using command line
-
Added support for updating vulnerability database without requiring to update the application
-
Added logging feature to log HTTP requests/responses in Fiddler .saz file format
IMPROVEMENTS
-
DOM parser simulation is improved
-
Attack possibility calculation is improved
-
Rendering in severity bar chart in scan summary dashboard is improved
-
Added late confirmation support for Blind Command Injection engine
-
DOM parser print dialog prevention improved
-
Browser View tab now shows XML responses in a tree view
-
Tweaked sleep tolerance value of time based engines
-
Improved the impact sections of most of the vulnerability templates
-
Improved LFI Exploitation which now is capable of better file content extraction and highlighting on text editor
-
Form inputs listed under knowledge base are now grouped by their types
-
Improved PHP Source Code Disclosure pattern
-
Improved DOM parser to extract textarea elements
-
Improved LFI Exploitation to cover case where LFI vulnerable page contains extra HTML tags
-
Improved LFI confirmation patterns
-
Improved XSS confirmation for Full URL and Full Query String attacks
-
Optimized XSS confirmation phase to skip redundant patterns
-
Improved binary response detection
-
Added limit controls to the knowledge base items to prevent performance degradation of excessive amounts of items
-
Default user agent string is set to the one used in IE8
-
Improved the importers, manual proxy and Form Authentication Configuration wizard to support JSON, XML and multipart/form-data requests
-
Improved multipart/form-data request parsing
-
Improved threading code in DOM parser and made DOM parser run in multiple processes
-
Improved Knowledge base user interface
-
Improved form value pattern for URL inputs
-
Add vulnerability database version information to related vulnerability templates
-
Configure Form Authentication wizard clears persistent cookies when started
-
Added detailed crawling/attacking activity information to Scan Summary Dashboard
-
Added activity information to Scan Summary Dashboard for ReCrawling and Extra Confirmation phases
BUG FIXES
-
Fixed a bug where sitemap context menu was missing menu items when a scan is imported from a file
-
Fixed a bug where reports generated after an auto pilot scan may contain missing items
-
Fixed a bug where Invicti was telling “Scan Finished” even though Recrawling was still in progress
-
Fixed scrolling issue on HTTP response text editor when the highlighted text spans multi lines
-
Fixed a NullReferenceException thrown from Knowledge Base when a scan imported from file
-
Fixed an issue where Error dialog was showing in autopilot mode
-
Fixed an issue where Auto Update dialog was showing in autopilot mode
-
Fixed a bug where DOM parser was failing to trigger click event for button elements
-
Fixed a bug where DOM parser was failing to extract value attribute for button elements
-
Fixed a bug where Possible LFI is reported for a binary file
-
Fixed a bug where LFI Exploitation was combining two files if they were having same names in different folders
-
Fixed a DOM parser issue where forms with empty action values are not captured
-
Fixed a DOM parser issue where all callback links in an ASP.NET Web Forms page are not clicked
-
Fixed typo in “Only Entered Url” section of User Manual
-
Fixed a DOM parser issue where a form containing multiple submit buttons is submitted using only one of the buttons
-
Fixed a DOM parser issue where button element with empty value is parsed
-
Fixed scan policy editor to reject policies with empty names
-
Fixed include/exclude URLs list to reject empty patterns
-
Fixed wrong URLs for Permanent XSS vulnerabilities shown in Issues panel
-
Fixed a scan policy bug where cloning a policy doesn’t copy the database type of Boolean SQL Injection engine
-
Fixed Burp importer where rn occurrences were normalized to n chars.
-
Fixed Burp importer which was failing to parse headers properly
-
Fixed Burp importer which was failing with base64 encoded requests
-
Fixed Paros importer which was failing to parse POST request bodies with multiple lines
-
Fixed a bug where XSS payload is not executed in javascript context however reported as possible XSS
-
Fixed misleading status message in dashboard after file import
-
Fixed a bug in fingerprinting which was causing a NullReferenceException
-
Fixed an issue where Anti-CSRF token extraction didn’t work in crawling
NOTE: This update has a breaking change due to new Scan Policy settings feature. If you have customized some global settings, they will reset to their default values.