Invicti Standard

Read the blog post for more details about this version

NEW FEATURES

• Windows 8/Server 2012 Support.

IMPROVEMENT

• Vulnerability Database Update.

Read the blog post for more details about this version

IMPROVEMENTS

• Vulnerability Database Update

• Configure Authentication user interface enhancements.

BUG FIX

• Fixed issues in Form authentication logout detection.

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

• Ruby on Rails Remote Code Execution vulnerability

• Off the shelf Web Application Fingerprinting and detection of known security issues (Such as WordPress, Joomla and Drupal)

• Version disclosure checks for Apache module mod_ssl, Ruby and WEBrick HTTP web server

• Identification of phpMyAdmin and Webalizer

• Detection of SHTML error messages that could disclose sensitive information

• New WebDAV engine that detects WebDAV implementation security issues and vulnerabilities

• Server-Side Includes (SSI) Injection checks.

NEW FEATURES

• Scan Policy Editor that allows you to build own scan policies for more efficient web application security scans.

• Oracle CHR encoding and decoding facility in the Encoder pane

• Support for multiple exclude and include URL patterns which can also be specified in REGEX

• Knowledge base node where additional information about the scanned website is reported to the user

• New PCI Compliance Report template.

IMPROVEMENTS

• Default include and exclude URL pattern has been improved

• DOM Parser now supports proxies and client certification support

• The performance of the Controlled Scan user interface has been improved

• HTTP Response text editor automatically scrolls to the first highlighted text when viewed

• Improved vulnerability classifications

• Vulnerability templates text has been improved

• Updated the look and feel of the vulnerability templates

• Version vulnerability database updated with new web applications version for better finger printing

• Cross-site scripting exploit generation improved

• Improved confirmed vulnerability representation on Detailed Scan Report

• Internal Path Disclosure for Windows and Unix security tests have been improved

• Improved version disclosure security tests for Perl and ASP.NET MVC

• Start a Scan user interface by moving rarely used settings to Invicti general settings

• Improved the performance of security scans which are started using the same Invicti process

• Scope documentation text has been updated

• Updated WASC links to point to the exact threat classification page

• Improved custom 404 detection on sites where the start URL is redirected.

BUG FIXES

• Fixed a bug in XSS report templates where plus char encoding was wrong

• Fixed a bug which causes multibyte unicode characters to be corrupted upon retrieval

• Fixed a bug where “Auto Complete Enabled” isn’t reported

• Fixed a bug where Community Edition was asking for exporting sessions

• Fixed a bug causes redundant responses to be stored on redirects

• Fixed a bug causing a NullReferenceException during reporting

• Fixed a bug where custom cookies are not preserved when an exported session is imported

• Fixed a bug on report templates where extra fields were missing when there are multiple fields

• Fixed the radio button overlap issue on Encoder panel for high DPIs

• Fixed an issue where CSRF tokens weren’t applied for time based (blind) engines in late confirmation

• Fixed an issue where data grids on Settings dialog were preventing to cancel the dialog when an invalid row is present

• Fixed an issue where some logouts occurred on attack phase couldn’t be detected

• Fixed a bug which causes requests to URLs containing text HTMLElementInputClass

• Fixed a bug where the injection request/response could be clipped wrong in the middle of HTML tags

• Fixed the size of the Configure Authentication wizard for higher DPIs

• Fixed an issue with CLI interpretation where built-in profiles couldn’t be specified

• Fixed the COMException thrown on Configure Authentication wizard on pages that contain JavaScript calls to window.close()

• Fixed clipped text issue on scan summary dashboard severity bar chart

• Fixed the anchors to vulnerability details in OWASP Top Ten 2010 report template

• Fixed incorrect buttons sizes on message dialogs on high DPI settings

• Fixed a startup crash which occurs on systems where “Use FIPS compliant algorithms for encryption, hashing, and signing” group policy setting is enabled

• Fixed click sounds on vulnerability view tab

• Fixed an issue where find next button was not working on HTTP Request / Response tab

• Fixed a bug on Configure Authentication wizard occurs when the response contains multiple headers with same names.

Note: Due to major updates to the scan files, Invicti version 3 cannot open scans exported with previous versions of Invicti (.nss files).

Read the blog post for more details about this version

IMPROVEMENTS

• Updated vulnerability database

• Updated fingerprinting tables for WordPress and Movable Type

• Improved the language used in knowledge base templates.

BUG FIXES

• Fixed a bug to prevent auto update message dialog when the auto update setting is disabled

• Fixed a bug in meta tag parser to match the correct generator version.

Read the blog post for more details about this version

IMPROVEMENT

• Updated OWASP Top10 2010 classifications for SVN and CVS vulnerabilities.

BUG FIXES

• Fixed a critical bug where vulnerability templates rendering is broken on systems with IE8

• Fixed a bug where some vulnerabilities is not reported due to a race condition

• Fixed a bug occurs when a scan file is imported and the related scan policy file is missing

• Fixed a syntax error on Cookie Not Marked As Secure vulnerability template

IMPROVEMENT

• Updated vulnerability database.

BUG FIX

• Fixed a critical bug where Possible Path Disclosure (Unix/Linux) was running slowly on large sources.

BUG FIX

Fixed a critical bug where scan was missing scope setting when started from command line and ending prematurely.

IMPROVEMENTS

• Added OWASP Top Ten 2013 Report template

• Updated vulnerability database (MySQL, WordPress, Joomla)

Read the blog post for more details about this version

IMPROVEMENTS

• Updated known web applications vulnerability database (Drupal, PHP)

Read the blog post for more details about this version

IMPROVEMENTS

• Updated vulnerability database (PHP, osCommerce, Python).

BUG FIXES

• Fixed a critical bug where some report templates weren’t printing all vulnerability instances.
• Fixed a bug on DOM/JavaScript Parser that causes some ASP.NET postback links to be not crawled.

Read the blog post for more details about this version

IMPROVEMENTS

• Updated known web applications vulnerability database (Apache, MySQL, WordPress, osCommerce, MediaWiki)

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

• Added support for parsing and attacking JSON and XML request payloads

• CSRF engine is added

• HTML5 engine is added

• Updated vulnerability database (MySQL, Apache, PHP, Nginx, Tomcat, WordPress, Joomla, MediaWiki, osCommerce, phpBB, Twiki)

• Added Dynamic Payload – Slash/Backslash LFI patterns

NEW FEATURES

• Added support for new HTML5 input types

• Most of the global settings now moved to scan policy and they can be set per scan basis

• Added a new knowledge base item where all out of scope links in current scan are listed with the reasons

• Added a new knowledge base item where HTML, JavaScript and CSS comments on pages are listed and possible sensitive keywords are highlighted

• Added a new knowledge base item where frames with external URLs are reported

• Added a new knowledge base item where embedded objects such as Adobe Flash movies, Java Applets, ActiveX objects, etc. are reported

• Added support for cookies set by meta tags

• Added support for generating multiple reports at a time using command line

• Added support for updating vulnerability database without requiring to update the application

• Added logging feature to log HTTP requests/responses in Fiddler .saz file format

IMPROVEMENTS

• DOM parser simulation is improved

• Attack possibility calculation is improved

• Rendering in severity bar chart in scan summary dashboard is improved

• Added late confirmation support for Blind Command Injection engine

• DOM parser print dialog prevention improved

• Browser View tab now shows XML responses in a tree view

• Tweaked sleep tolerance value of time based engines

• Improved the impact sections of most of the vulnerability templates

• Improved LFI Exploitation which now is capable of better file content extraction and highlighting on text editor

• Form inputs listed under knowledge base are now grouped by their types

• Improved PHP Source Code Disclosure pattern

• Improved DOM parser to extract textarea elements

• Improved LFI Exploitation to cover case where LFI vulnerable page contains extra HTML tags

• Improved LFI confirmation patterns

• Improved XSS confirmation for Full URL and Full Query String attacks

• Optimized XSS confirmation phase to skip redundant patterns

• Improved binary response detection

• Added limit controls to the knowledge base items to prevent performance degradation of excessive amounts of items

• Default user agent string is set to the one used in IE8

• Improved the importers, manual proxy and Form Authentication Configuration wizard to support JSON, XML and multipart/form-data requests

• Improved multipart/form-data request parsing

• Improved threading code in DOM parser and made DOM parser run in multiple processes

• Improved Knowledge base user interface

• Improved form value pattern for URL inputs

• Add vulnerability database version information to related vulnerability templates

• Configure Form Authentication wizard clears persistent cookies when started

• Added detailed crawling/attacking activity information to Scan Summary Dashboard

• Added activity information to Scan Summary Dashboard for ReCrawling and Extra Confirmation phases

BUG FIXES

• Fixed a bug where sitemap context menu was missing menu items when a scan is imported from a file

• Fixed a bug where reports generated after an auto pilot scan may contain missing items

• Fixed a bug where Invicti was telling “Scan Finished” even though Recrawling was still in progress

• Fixed scrolling issue on HTTP response text editor when the highlighted text spans multi lines

• Fixed a NullReferenceException thrown from Knowledge Base when a scan imported from file

• Fixed an issue where Error dialog was showing in autopilot mode

• Fixed an issue where Auto Update dialog was showing in autopilot mode

• Fixed a bug where DOM parser was failing to trigger click event for button elements

• Fixed a bug where DOM parser was failing to extract value attribute for button elements

• Fixed a bug where Possible LFI is reported for a binary file

• Fixed a bug where LFI Exploitation was combining two files if they were having same names in different folders

• Fixed a DOM parser issue where forms with empty action values are not captured

• Fixed a DOM parser issue where all callback links in an ASP.NET Web Forms page are not clicked

• Fixed typo in “Only Entered Url” section of User Manual

• Fixed a DOM parser issue where a form containing multiple submit buttons is submitted using only one of the buttons

• Fixed a DOM parser issue where button element with empty value is parsed

• Fixed scan policy editor to reject policies with empty names

• Fixed include/exclude URLs list to reject empty patterns

• Fixed wrong URLs for Permanent XSS vulnerabilities shown in Issues panel

• Fixed a scan policy bug where cloning a policy doesn’t copy the database type of Boolean SQL Injection engine

• Fixed Burp importer where rn occurrences were normalized to n chars.

• Fixed Burp importer which was failing to parse headers properly

• Fixed Burp importer which was failing with base64 encoded requests

• Fixed Paros importer which was failing to parse POST request bodies with multiple lines

• Fixed a bug where XSS payload is not executed in javascript context however reported as possible XSS

• Fixed misleading status message in dashboard after file import

• Fixed a bug in fingerprinting which was causing a NullReferenceException

• Fixed an issue where Anti-CSRF token extraction didn’t work in crawling

NOTE: This update has a breaking change due to new Scan Policy settings feature. If you have customized some global settings, they will reset to their default values.