Invicti Standard

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

• OpenSSL Heartbleed checks added

BUG FIX

• Fixed SocketException error which occurs during Heartbleed check

BUG FIXES

• Fixed a bug where application hangs in Heartbleed engine

• Fixed SOAP WSDL parser to parse web services containing .NET System.Data references

• Fixed SOAP WSDL parser to parse web services containing array parameters

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

• DOM based cross-site scripting vulnerability scanning

• Scanning of parameters in URLs

• Nginx web server Out-of-date version check

• Perl possible source code disclosure

• Python possible source code disclosure

• Ruby possible source code disclosure

• Java possible source code disclosure

• Nginx Web Server identification

• Apache Web Server identification

• Java stack trace disclosure

NEW FEATURES

• Chrome based web browser engine for DOM parsing

• URL rewrite rules configuration wizard to scan parameters in URLs

• “Ignore Vulnerability from Scan” option to exclude vulnerabilities from reports

IMPROVEMENTS

• Improved the correctness and coverage of Remote Code Execution via Local File Inclusion vulnerabilities

• Improved cross-site scripting vulnerability confirmation patterns

• Added support for viewing JSON arrays in document roots in request/response viewers

• Added support for Microsoft Office ACCDB database file detection

• Improved DOM parser to exclude non-HTML files

• Improved PHP Source Code Disclosure vulnerability detection

• Improved Nginx Version Disclosure vulnerability template

• Improved IIS 8 Default Page detection

• Improved Email List knowledgebase report to include generic email addresses

• Improved Configure Form Authentication wizard by replacing embedded record browser with a Chrome based browser

• Improved the form authentication configuration wizard to handle cases where Basic/NTLM/Digest is used in conjunction with Form Authentication

• Added a cross-site scripting attack pattern which constructs a valid XHTML in order to trigger the XSS

• Added double encoded attack groups in order to reduce local file inclusion vulnerability confirmation requests

• Added status bar label which displays current VDB version and VDB version update notifications

• Added login activity indicator to Scan Summary Dashboard

• Added a new knowledgebase out-of-scope reason for links which exceed maximum depth

• Updated external references in cross-site scripting vulnerability templates

• Improved DOM parser by providing current cookies and referer to DOM/JavaScript context

• Added several new DOM events to simulate including keyboard events

• Improved the parsing of “Anti-CSRF token field names” setting by trimming each individual token name pattern

• Added support for simulating DOM events inside HTML frames/iframes

• Consolidated XSS exploitation function name (invicti()) throughout all the areas reported

• Removed redundant semicolon followed by waitfor delay statements from time based SQLi attack patterns to bypass more blacklistings

• Changed default user-agent string to mimic a Chrome based browser

• Improved LFI extraction file list to extract files from target system according to detected OS

• Removed outdated PCI 1.2 classifications

BUG FIXES

• Fixed indentation problem of bullets in knowledgebase reports

• Fixed path disclosure reports in MooTools JavaScript file

• Fixed KeyNotFoundException occurs when a node from Sitemap tree is clicked

• Fixed NullReferenceException thrown from Boolean SQL Injection Engine

• Fixed an issue in WebDav Engine where an extra parameter is added when requesting with Options method

• Fixed a bug where LFI exploitation does not work for double encoded paths

• Fixed a bug in Export file dialog where .nss extension isn’t appended if file name ends with a known file extension

• Fixed a bug in Configure Form Authentication wizard where the number of scripts loaded shows incorrectly

• Fixed a bug which occurs while retesting with CSRF engine

• Fixed a bug where retest does not work after loading a saved scan session

• Fixed a bug where Invicti reports out of date PHP even though PHP is up to date

• Fixed a UI hang where Invicti tries to display a binary response in Browser View tab

• Fixed an ArgumentNullException thrown when clicking Heartbleed vulnerability

• Fixed a bug where Invicti makes requests to DTD URIs in XML documents

• Fixed a bug in Scan Policy settings dialog where list of user agents are duplicated

• Fixed a typo in ViewState MAC Not Enabled vulnerability template

• Fixed a bug in auto updater where the updater doesn’t honour the AutoPilot and Silent command line switches

• Fixed XSS exploit generation code to handle cases where input name is “submit”

• Fixed a bug that prevents invicti.exe process from closing if you try to close Invicti immediately after starting a new scan

• Fixed a UI hang happens when the highlighted text is huge in response source code

• Fixed issues with decoded HTML attribute values in text parser

• Fixed session cookie path issues according to how they are implemented in modern browsers

• Fixed scan stuck at re-crawling issue for imported scan sessions

• Fixed highlighting issues for possible XSS vulnerabilities

• Fixed a crash due to empty/missing URL value for form authentication macro requests

• Fixed a NullReferenceException in Open Redirect Engine which occurs if redirect response is missing Location header

• Fixed an error in authentication macro sequence player happens when the request URI is wrong or missing

Read the blog post for more details about this version

NEW FEATURE

• New option available to specify the type of parameter when configuring URL rewrite rules, e.g. numeric, date, alphanumeric

IMPROVEMENTS

• Improved the performance of the DOM Parser

• Improved the performance of the DOM cross-site scripting scanner

• Optimized DOM XSS Scanner to avoid scanning pages with same source code

• Changed the default HTTP User agent string of built-in policies to Chrome web browser User agent string

• Improved selected element simulation for select HTML elements

• Added new patterns for Open Redirect engine

BUG FIXES

• Fixed a bug in WSDL parser which prevents web service detection if XML comments are present before the definitions tag

• Fixed a bug in WSDL parser which prevents web service detection if an external schema request gets a 404 not found response

• Fixed a bug that occurs when custom URL rewrite rules do not match the URL with injected attack pattern and request is not performed

• Fixed a configure form authentication wizard problem where the web browser does not load the page if the target site uses client certificates

• Fixed a crash in configure form authentication wizard that occurs when HTML source code contains an object element with data: URL scheme is requested

• Fixed a bug in DOM Parser where events are not simulated for elements inside frames

• Fixed a cookie parsing bug where a malformed cookie was causing an empty HTTP response

NEW WEB SECURITY TEST

• Added Bash Command Injection Vulnerability (Shellshock Bug) check.

NEW FEATURE

• Added exploitation support for Remote Code Evaluation and Command Injection engines.

FIX

• Fixed a bug in WSDL parser that crashes application when a type is recursively referenced.

NEW WEB SECURITY TEST

• Added Insecure Transportation Security Protocol Supported (SSLv3) vulnerability check (POODLE vulnerability)

BUG FIXES

• Fixed a specific issue where generic email addresses were not being reported.

• Fixed form authentication configuration wizard problem where it couldn’t handle pages with popups.

• Fixed an issue where Invicti was crashing when the application is closed during report generation.

• Fixed a crash which occurs on systems where Trebuchet MS font is missing

• Fixed 2 Heartbleed engine bugs.

BUG FIXES

• Fixed a bug in custom URL rewrite detection where encoded URL paths are not matched with the provided patterns.

• Fixed a bug that occurs while displaying details of an XSS vulnerability discovered on a redirected page.

BUG FIXES

• Fixed a critical bug which crashes DOM Parser and DOM XSS processes on Windows 8.1 systems with KB3000850 update installed

• Fixed a bug in recrawler where the current concurrent connection count isn’t honored

• Fixed a bug in multipart/form-data parser to read parameter names with semicolons correctly

• Fixed a bug in multipart/form-data parser to recognize the request body even if there are no parameters present

• Fixed a bug where a form with multipart/form-data encoding type is incorrectly parsed with a POST method rather than a GET

• Fixed an issue with DOM Parser to better simulate radio/check boxes with click event handlers attached

• Fixed an issue with HTTP request parser to recognize the correct HTTP method with POST requests containing an empty request body

• Fixed an issue where Content-Length header is not set to 0 with empty request bodies

• Fixed an issue where some requests discovered using DOM Parser with POST HTTP method are recognized as GET requests

• Fixed an issue with ASP.NET View State response viewer to show the View State data on cases where id attribute of input tag is missing

• Fixed an ASP.NET View State parser issue occurs while reading .NET 1.x View States