Invicti Standard

NEW FEATURES

• Added GraphQL Libraries detection support.
• Added the Shark node to the Knowledge Base.
• Added Acunetix XML to URL Import.
• Added built-in DVWA policies to scan policies.

IMPROVEMENTS

• Updated embedded Chromium browser.
• Added a new IAST vulnerability: Overly Long Session Timeout.
• Added new config vulnerabilities for the IAST Node.js sensor.
• Added new config vulnerabilities for the IAST Java sensor.
• Added support for detecting SQL Injections on HSQLDB.
• Added support for detecting XSS through file upload.
• Updated DISA STIG Classifications.
• Updated Java and Node.js IAST sensors.
• Improved time-based blind SQLi detection checks.
• Improved the Content Security Policy Engine.
• Updated XSS via File Upload vulnerability template.
• Updated License Agreement on the Invicti Standard installer.
• Added Extract Resource default property to DOM simulation.
• Improved proxy usage in Netsparker Standard for outgoing web requests such as Hawk.
• Added an option to discard certificate validation errors on the Enterprise Integration window during SSL/TLS connections.
• Added vulnerabilityType filter to add VulnerabilityLookup table.
• Added the agent mode to the authentication request.
• Added a default behavior to scan the login page.
• Added an option to disable anti-CSRF token attacks.
• Added an option to block navigation on SPAs pages.
• Added a default behavior to disable TLS1.3

FIXES

• Fixed basic authorization over HTTP bug.
• Fixed SQL Injection Vulnerability Family Reporting Bug.
• Fixed a bug that the custom script throws a null reference exception when a script is added to the paused scan.
• Fixed a bug that deletes an authentication password when a new scan is started with a copied profile.
• Fixed a bug that causes the Sitemap to disappear during scanning with IAST.
• Fixed a bug that caused missing tables and values when a report policy is exported as an SQL file.
• Fixed a typo bug on GraphQL importing window.
• Fixed the report naming bug that occurs users create a custom report from a base report.
• Fixed an issue that causes the attack process not to be completed for a security check when there is an error occurred while attacking a parameter with an attack pattern.
• Fixed a bug that updates all built-in scan policies instead of edited scan policy.
• Fixed a typo on Skip Crawling & Attacking pop-up.
• Fixed a bug that prevents an error icon from appearing after entering unacceptable characters for the scan policy name.
• Fixed a bug that does not migrate the Spring4Shell Remote Code Execution check to a new scan policy although more than 50% of the checks are selected.
• Fixed a bug that throws an error when the Large SPA is selected from the Load Preset Values drop-down on the Scan Policy window.
• Fixed a bug that does not show Configuration Wizard for the Rest API TestInvicti website.
• Fixed missing template section migration on report policy.
• Fixed a bug that throws an error when a report is submitted upon error.
• Fixed the LFI Exploiter null reference.
• Fixed a bug that occurs when a detailed scan report does not report the CVSS scores for custom vulnerabilities.
• Fixed a bug that occurs when the Log4J vulnerability profile is not migrated with the report policy migration.
• Fixed a bug that occurs when users search the Target URL on the New Scan panel.
• Fixed typo in the timeout error message.
• Fixed a bug that prevents the WSDL files from being imported.
• Fixed reporting “SSL/TLS not implemented” when scanning only TLS 1.3 supported sites.
• Fixed a bug that throws an error for NTLM authentication when the custom username and password credentials are provided when the system proxy is entered into the appsetting.json
• Fixed the bug that the passive vulnerabilities were reported from out-of-scope links.

REMOVAL

• Removed Expect-CT security check.
• Removed the End-of-Text characters in URL rewrite rules.

IMPROVEMENTS

• Updated embedded chromium browser
• Improved JWT confirmation to avoid false positives.

FIXES

• Fixed an issue that passive vulnerabilities were reported as out-of-scope links.
• Fixed an issue that imports global servers as Swagger files.
• Fixed an issue where the OK button disappears during interactive login.
• Fixed an issue that adds interactive login buttons to iframes.
• Fixed a null reference exception at the LFI exploit panel.

NEW SECURITY CHECKS

• Added Remote Code Execution (CVE-2022-22965) a.k.a. Spring4Shell detection support.

IMPROVEMENTS

• Netsparker Standard now Invicti Standard. 
• Added a token matching rule when it is required to get the token from a website other than the target URL.
• Improved the GraphQL attacks to include non-string fields. 

FIXES

• Fixed a consistency issue between the Software Composition Analysis and the Knowledge Base on reported vulnerabilities. 
• Fixed a bug that prevents the Knowledge Base View from being shown properly when a user disables the knowledge base from a scan policy.
• Fixed a null reference exception by adding a control whether the current scan policy is empty.
• Fixed a bug that the agent does not continue the scan after a pause.
• Fixed a bug that does not properly show all components detected by a software composition analysis after a retest. 

IMPROVEMENTS

• Implemented new Log4j attack patterns.
• Added the parameter types to exported reports for GraphQL.

FIXES

• Fixed an issue that Invicti uses a new token instead of the imported token when customers adds imported links.
• Fixed an issue that results in false positive Cross-site Scripting.
• Fixed an issue that prevents the scan policy migration when a newer Invicti Standard version is installed.
• Fixed an issue that the page counter goes to zero in the Recent Scans window.
• Fixed an issue that threw error during the pre-scan validation process in the case of websites that can only be accessed via the proxy.

IMPROVEMENTS

• Added the .deploy extension to Default Policy’s extension list.
• Added a new command line interface parameter -called failfast- to close the Invicti Standard in the silent mode when error occurs.

FIXES

• Fixed a null reference error issue when a user right-clicks the target on the Sitemap. 
• Fixed the URL response error of the main node when Override Target URL check is enabled.
• Fixed the Imported Links date and time value in the body that is cropped. 
• Fixed an issue that opens the vulnerability panel instead of the HTTP Request and Response panel when the email node is selected in the Knowledge Base panel. 
• Fixed the issue with the Missing XSS protection Header in the Out-of-Scope link.
• Fixed an issue that tries to stop the scan when the What’s New tab is closed.
• Fixed an issue that Invicti Standard starts a retest for a vulnerability randomly. 
• Fixed a payload for the GraphQL.

FIXES

• Fixed a scan policy migration issue that causes selecting all the security checks.

NEW FEATURES

• Added Software Composition Analysis (SCA) feature.
• Added OWASP Top 10 2021 classification and report.
• Added support for scanning GraphQL APIs.

NEW SECURITY CHECKS

• Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Jira.
• Added Stack Trace Disclosure Signature for Java.
• Added Shopify Identified Security Check.

IMPROVEMENTS

• Updated Invicti Standard .NET Framework version from 4.7.2 to 4.8.
• Allowed to enter hyphens for the proxy address on the Proxy Settings.
• Enabled that all child controlled scan parameters are listed in the Sitemap parent node.
• Changed classification for Cross-site Referrer Leakage and Breach in OWASP Top Ten 2021.
• Changed CryptographicException error log type.
• Added condition that when the max crawling link is reached, the DOM simulation stops.
• Updated Version Disclosure Signature for Apache Coyote.
• Added callback flag to prevent multi trigger of DOM parser view callback
• Improved the importing of RAML files includes other files.
• Added tags property to the Kenna Send to Action.
• Updated Freshservice integration not to send user agent header.
• Updated Version Disclosure Signature for Jolokia.
• Improved the Form Values to be entered into the relevant sections during the form authentication process in the React environment.
• Improved the login verification process by detecting page load properly.

FIXES

• Fixed an issue that created an incorrect issue link in Bitbucket Integration.
• Fixed an issue that occurred when the proxy information from the Proxy Auto-Configuration file cannot be transmitted in requests made by the browser.
• Fixed the null reference error (NRE) that occurred during importing the paused or canceled scan files.
• Fixed an issue that calculated total response time incorrectly.
• Fixed the bug related to Send To action of Kenna integration.
• Fixed the Jolokia version disclosure report to properly highlight the related lines.
• Fixed the OWASP classification links.
• Fixed an issue that does not show a vulnerability when sorted by the Vulnerability Type although it shows when sorted by Severity.
• Fixed the misleading tooltip in Scan Policy – Security Checks.
• Fixed the misaligned text on the PDF version of Executive Summary Report.
• Fixed an issue that Invicti Standard doesn’t show out-of-scope warning when out-of-scope link is imported.
• Fixed the inconsistent vulnerability count between reports and status bar.
• Fixed the manual authentication issue when links are imported from URL.
• Fixed the Sitemap multilevel group count.
• Fixed Scan Policy security check count.
• Fixed a naming issue that occurred when a new custom report name contains a dot.
• Fixed an issue while changing the Data Directory option on Storage tab.
• Fixed the issue that external references were not rendered correctly.

NEW SECURITY CHECKS

• Added Out of Band Code Evaluation (Log4j – CVE-2021-44228) a.k.a. Log4Shell detection support.

NEW FEATURES

• Added Node.js sensor for Invicti Shark (IAST).
• Added OWASP API Top 10 classification and report template.

NEW SECURITY CHECKS

• Added signature matching to Web app fingerprint checker.
• Added patterns for Base64 encoded DOM Cross-site Scripting.
• Added phpMyAdmin Version Disclosure security check.
• Added Atlassian Confluence Version disclosure and Out-of-date security checks.
• Added exclusion feature to JavaScript Library detection.
• Added PHP Version Detection via phpinfo() call.
• Added the Shopify Identified security check.

IMPROVEMENTS

• Added the Bridge URL and Shark token support for Invicti Shark (IAST).
• Added setting to configure Session Cookie Names.
• Updated CWE classification category orders for Out-of-date templates.
• Improved Cross-site Scripting attack pattern.
• Added support for exploiting local storage and session storage in the DOM XSS security checks.
• Added highlighting support for custom scripts.
• Added Web Application Firewall to the site profile.
• Changed the default ignored parameter comparison to case insensitive.
• Added ‘Is Encoded’ option to OAuth2 parameters.
• Added JWT Token pre-request script template.
• Added the CSP Not Implemented that will be reported as confirmed.
• Added the Subresource integrity not implemented that will be reported as confirmed.

FIXES

• Fixed the issue that Content-Type header missing was reported when there was no content in the response.
• Fixed the issue FP JWT was reported in a not found response.
• Fixed the issue possible and confirmed vulnerabilities reported in the same URL.
• Marked weak TLS ciphers.
• Fixed the issue proof that was generated even when the proof generation option was disabled in the scan policy.
• Fixed FP WAF Identified.
• Fixed the issue vulnerability count in root node is not updated when a vulnerability is removed and Blind XSS was prioritized over the Reflected Cross-site Scripting.
• Fixed the issue source code disclosure is reported in binary responses.
• Fixed the issue fingerprint checker crashes when an applications file could not be found.
• Fixed the issue object-src missing was reported when default-src is provided in CSP security checks.
• Fixed the issue that some cipher suites are not reported as weak.
• Fixed the issue classification links were not rendered correctly when there are multiple values.
• Fixed the issue proof prefix was added when there were no more characters to be found.

NEW FEATURES

• Added Authentication Profiles
• Added the Overall Latest Version field to out-of-date vulnerabilities
• Added multiple vulnerabilities reporting support to passive and singular custom scripts
• Added Acunetix 360 integration

NEW SECURITY CHECKS

• Implemented JSON Web Token (JWT) security check
• Added the SSL Certificate is About to Expire security check
• Added StackPath Web Application Firewall (WAF) detection.
• Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Proxy Server.
• Added Identified, Version Disclosure, and Out-of-date security checks for JavaServer Pages
• Added Identified, Version Disclosure, and Out-of-date security checks for Kong Server
• Added Identified, Version Disclosure, and Out-of-date security checks for Liferay Digital Experience Platform.
• Added Identified, Version Disclosure, and Out-of-date security checks for Taleo Web Server
• Added Version Disclosure and Out-of-date security checks for Sugar Customer Relationship Management (CRM)
• Added Version Disclosure and Out-of-date security checks for Squid
• Added Identified and Out-of-date security checks for Magento
• Added Out-of-date security check for Daiquiri
• Added Identified security check for Plesk (Windows)
• Added Identified security check for Vegur
• Added Identified security check for HupSpot
• Added Identified security check for DataDome
• Added Identified security check for Craft CMS
• Added Identified security check for Windows Azure Web Apps
• Added Identified security check for OpenVPN Access Server
• Added Identified security check for Squarespace
• Added Identified security check for Plesk (Linux)
• Added Identified security check for Lighthouse
• Added Identified security check for BitNinja Captcha Server
• Added Identified security check for Pardot Server

IMPROVEMENTS

• Added Scan Paused, Scan Resumed, Scan Canceled, and Scan Finished states to the log category.
• Send to Request Builder option is now visible for Issue Group Nodes
• Added page type field to vulnerability reports
• Added Authentication Profile name to reports
• Improved RAML Importer to import the ZIP files
• Added application name and version information to a vulnerability report
• Implemented Swagger path parameter default value
• Fixed a Dom XSS scan stuck issue
• Fixed Daiquiri Identified reporting redundant custom field issue.
• Improved Common Weakness Enumeration (CWE) classifications for Out-of-Date Version vulnerabilities
• Added a new Akamai Content Delivery Network (CDN) detection signature
• Added a new Varnish Cache detection signature
• Added missing Identified security checks for the existing technologies
• Improved the summary section of the Version Disclosure template for SharePoint
• Improved TRACE/TRACK Method Detected security check
• Improved SVN Detected security check
• Improved Version Disclosure security check and report template for Phusion Passenger
• Improved Caddy Web Server Identified security check.
• Improved WAF Identifier security check.
• Added Blind SQL Injection security check with a new XOR payload for MySQL
• Proxy credential passed to Chrome page authentication
• Vulnerabilities ordered by severity in the Comparison Report

FIXES

• Fixed Invicti license decrypt problem
• HTTPS Requests are recorded as HTTP
• Fixed the requested security protocol is not supported error
• Fixed handling Protocol Buffers encoding type
• Fixed miswritten product name
• Fixed Phusion Passenger version disclosure template and added Out-of-Date mapping
• Fixed analyzing headers even if the identification source is the crawler
• Fixed an issue that may cause deadlock during adding items to Sitemap
• Fixed an issue that caused out-of-scope URLs to be scanned when the override target URL option is enabled and the authentication is failed while scanning.
• Fixed issue where headers in Postman collection were not replaced with variables
• Fixed an issue that cause SSL validation callback returns invalid SSL certificates as out-of-scope links
• Added disable-feature flag to the browser manager
• Fixed a null reference exception while generating Knowledge Base report
• Rare error when loading overlay window showed was ignored
• Fixed out-of-scope imported links showing in Knowledge Base Rest API List
• Fixed a detection issue with the Akamai CDN signature.
• Fixed a detection issue with Tomcat Identified security check.
• Fixed the signatures of phpMyAdmin Identified security check
• Fixed big size upload error
• The Exclude Authentication Page option will be checked if there is a selected authentication profile
• Fixed DPI settings at Custom Script Dialog
• Disabled GPU acceleration to prevent rendering errors and black bars
• Fixed UI bugs at General Scan Profile Settings
• Fixed issue max page visit was not received but showing in Knowledge Base because of max signature limit
• Fixed Custom 404 Regex in Invicti Enterprise scan data is shown as Auto 404 at Invicti Standard
• Fixed malformed VDB exception while getting the latest version of the application
• Severity null control added to the Vulnerability Profile dialog
• Fixed a non-recurring parameter while logging in with auto-authenticator
• Fixed Scan Policy Report migration primary key error
• Fixed saving Crawl & Attack option to the Scan Profile
• Fixed Logout detection window shows first entered URL for every login simulation error
• Fixed reporting false positive HSTS vulnerability

NEW FEATURES

• Added TLS 1.3 support
• Added the character limit setting for Blind SQL Injection proof generation and enabled proof generation by default
• Added the Common Vulnerability Scoring System field to the known vulnerabilities
• Added the Vulnerability Database version to the scan logs

IMPROVEMENTS

• Improved IPv6 support to cover all SSL checks
• Added an advanced setting option to turn on/off the “disable-web-security” command line option while launching chromium
• Added the redirect navigation support for DOM Parser
• Fixed Ghost Chromium problems and DOM simulation leaks
• Added multiple ISO Classification support
• Added alphabetical order to the Knowledge Base nodes
• Updated Invicti Shark (IAST) licensing
• Improved WAF Identification checks to prevent false positives
• Added CVSS3.0 and CVSS3.1 scoring for HSTS Policy Not Enabled
• Improved Open Redirection checks
• Updated Capture Group for OpenResty Version Disclosure
• Updated DS_Store File Found Report Template
• Changed the Referrer-Policy Report Template names to be more accurate
• Refined Possible Stored XSS Vulnerability template
• Added missing external references to SSL Templates that are removed after the merge
• Added IAST suffix to titles of vulnerability detected by Invicti Shark
• Updated OpenSSL regex
• Updated OpenSSL version disclosure regex
• Updated SSTI patterns to use specific type to match code execution patterns

NEW SECURITY CHECKS

• Added Short XSS Attack to bypass character limit checks
• Added Revoked SSL Certificate check
• Added SSL Certificate’s Name and Hostname Mismatch security check
• Added SSL Certificate is not signed by a trusted root certification authority security check
• Added Daiquiri Identified security check
• Added Expired SSL Certificate security check
• Added ZSH History File Detected
• Added DOM XSS pattern for the script SRC Injection

FIXES

• Fixed an issue with simultaneous access to the same object while updating the sitemap during scanning
• Fixed unexpected error when saving parse from URL in form values screen
• Fixed the Chrome address bar displaying in different resolutions on the verify login form
• Fixed the detected logout status when an unreachable link is given
• Fixed the customization menu at the form authentication’s custom script dialog
• Fixed unsupported browser issue for Headless Chromium
• Fixed weak ciphers not reported for additional websites issue
• Fixed ignoring weak ciphers check because of the ROBOT attack
• Fixed logging HTTPS requests as HTTP when LogHttpRequests option is enabled
• Updated Invicti Updater icons
• Fixed an issue where the Postman Importer ignores the authorization header that is defined in a request item
• Updated requester not to send Accept-Language header if it is not enabled in a scan policy
• Fixed an issue that occurred when exporting custom reports generated from Compliance, Detailed Scan, and Executive Summary report
• Fixed a synchronization problem while creating puppeteer instances
• Fixed an issue where external schema was not added when importing WSDL
• Fixed the Write Lock Leak in LinkPool
• Disabled mouse wheel on the Include/Exclude URLs with Regex radio group
• Fixed the typo in the jQuery validation out-of-date vulnerability type
• Fixed the issue Untrusted Root certificate was not reported on the self-signed certificates
• Fixed the issue that the wrong version was reported in the web app fingerprinting
• Fixed False Positive weak credentials vulnerability
• Fixed the issue that logs were not correctly formatted in the Logs panel
• Fixed the issue that SSL vulnerabilities found in additional sites might be reported in the wrong URL
• Fixed the issue that authenticated link was not crawled
• Fixed the issue that the proof URL was not added to XSS
• Fixed word-wrapping in Tags label in the Azure DevOps Send to Action Configuration Wizard
• Removed the logging for the replacing control characters in headers
• Changed the log level of DOM simulation timeout from Error to Warning
• Fixed the issue that another hash was appended to URLs with a fragment on DOM XSS attacks
• Fixed the issue that SSL certificates were not analyzed for each website when there are additional websites
• Fixed the issue that URI fragment was parsed incorrectly
• Fixed OpenSSL version disclosure regex
• Fixed WS_FTP Log check
• Fixed F5 BIG-IP WAF detection
• Fixed the typo in the jQuery Validation Out-of-date Vulnerability type
• Fixed Extractor for Lodash in repository.json by adding a new function
• Fixed WildFly regex for the WildFly Application Server Identified
• Fixed Whoops Error Handling framework signature
• Fixed the signature for Liferay Portal Identified
• Fixed Version Disclosure for Artifactory by adding missing custom field tag
• Fixed regex of Grafana Version Disclosure
• Fixed OpenResty regex for Version Disclosure
• Fixed the regex of Liferay Portal Version Disclosure pattern