Invicti Standard

Improvements

• Added an explanation for the failed requests error.
• Added name variable support for Passive and Singular Custom Security Checks.

Fixes

• Fixed WSDL parse issue for non-defined object types.
• Fixed the deserialization problem when importing the scan session.
• Fixed the CSP analyzer Regex enumeration problem.
• Fixed the null reference exception on HTTP Requester.

New security check

• Added the Text4Shell (CVE-2022-42889) check.

Improvements

• Updated the embedded Chromium browser.
• Improved the importing link to parse the complex example value for RAML.
• Added the support for browser flag.
• Improved the scan failure messages on the issue page.
• Added the URL decode to scanned and crawled URL list reports.

Fixes

• Fixed the issue that deleted the customization folder in the agent’s folder after the update.
• Fixed the knowledge base report format to display information clearly.

NEW FEATURES

• Added auto-GraphQL attack after endpoint is detected.
• Added request wait filter for request wait handler.

NEW SECURITY CHECKS

• Added MongoDB Time-based (Blind) Injection.
• Added SQLite Boolean SQL Injection.
• Added MongoDB Error-based Injection.

IMPROVEMENTS

• Updated the embedded browser.
• Updated the hardcoded scan policy for http://rest.testinvicti.com.
• Added the out-of-scope check for the target website content links.
• Updated the Check for VDB Update status and tooltip when users start the check for update.
• Updated Vulnerability Detection Logic in JWT engine.
• Updated Liferay portal signature and added a mapping for version conversion.

FIXES

• Fixed the web security issue for the origin header problem.
• Fixed the sitemap bug that caused missing information when imported.
• Fixed the bug that threw an error when exporting as SQL script.
• Fixed the bug that threw an error, as HTTP Requester deletes the whole body part of the request which contains the login credentials.
• Fixed multiple headers highlighting for the same value.
• Fixed highlighting CSP Directives in different header issues.
• Fixed duplicate bearer tokens for some requests.
• Fixed the out-of-memory bug at the browser manager.
• Fixed the null reference exception on the custom script screen.
• Fixed the connection time-out issue caused by the RegEx engine.
• Fixed an issue that resulted in false positive Cross-site Scripting (DOM-based).
• Fixed the retest issue that displays zero requests in the repetitive retests.
• Fixed the bug that shows the previous version of VDB.
• Fixed parsable false attack patterns place.

IMPROVEMENTS

• Updated embedded Chromium browser.

SECURITY CHECKS

• Added pattern for XSS via file upload SVG.

IMPROVEMENTS

• Added the Cache By CSS Selector and Max Cache Elements to the scan policies.
• Added the GraphQL endpoints and libraries to the Knowledge Base.
• Updated the Jira tooltip for the access token or password field.
• Removed the target URL health check that lets the scan continue despite getting error messages such as 403.
• Improved the raw scan file expired information message.
• Improved the scan profile test coverage.
  
• Updated regex for Stack Trace Disclosure (Java) – Java.Lang Exceptions.
• Improved the JSON Web Tokens secret list.
• Improved the re-login process when the logout is detected.

FIXES

• Fixed the retest issue.
• Fixed the null reference error thrown during the late confirmation.
• Fixed an issue of using the disposed objects.
• Fixed the exception error when cloning the report policy.
• Fixed the broken links on the report policy.
• Fixed mistaken NIST and DISA classifications.
• Fixed a bug that threw the database locked error when Invicti is restarted after a scan.
• Fixed an issue where a JavaScript Setting option blocks inputs for the single-page applications to be reported in the Web Pages with Inputs node.
• Fixed a bug that caused the scan session failure when the scan is paused and resumed.
• Fixed failed scans where the Target URL is IPv6 and starting with ::1
• Fixed the Postman collection parsing by removing / in front of the query in the URL.
• Fixed the Shark validation issue that threw exceptions while validating.
• Fixed the issue with proxy settings, so Invicti prioritizes the settings in the scan policy.
• Fixed NodeJS RCE-OOB security check.

IMPROVEMENTS

• Improved the Late-Confirmation Storage Mechanism to lower disc usage.
• Improved the Links/API definition to add links with a single click.
• Added the Block navigation on SPAs to built-in scan policies.
• Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3.

FIXES

• Fixed the issue that does not terminate the Chromium instances although the max scan duration is exceeded.
• Fixed the issue that automatically enables “Exclude Authentication Pages” after enabling form authentication.
• Fixed the bug that throws null reference exception at the link pool.
• Fixed the bug that prevents GraphQL Endpoint detection when the scan policy is copied.
• Fixed the bug that resulted in running many Chromium instances when a new scan is started.
• Fixed a null reference error when a new scan is started via the command line.

IMPROVEMENTS

• Improved the Late-Confirmation Storage Mechanism to lower disc usage.
• Improved the Links/API definition to add links with a single click.
• Added the Block navigation on SPAs to built-in scan policies.
• Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3.

FIXES

• Fixed the issue that does not terminate the Chromium instances although the max scan duration is exceeded.
• Fixed the issue that automatically enables “Exclude Authentication Pages” after enabling form authentication.
• Fixed the bug that throws null reference exception at the link pool.
• Fixed the bug that prevents GraphQL Endpoint detection when the scan policy is copied.
• Fixed the bug that resulted in running many Chromium instances when a new scan is started.
• Fixed a null reference error when a new scan is started via the command line.

NEW FEATURES

• Added GraphQL Libraries detection support.
• Added the Shark node to the Knowledge Base.
• Added Acunetix XML to URL Import.
• Added built-in DVWA policies to scan policies.

IMPROVEMENTS

• Updated embedded Chromium browser.
• Added a new IAST vulnerability: Overly Long Session Timeout.
• Added new config vulnerabilities for the IAST Node.js sensor.
• Added new config vulnerabilities for the IAST Java sensor.
• Added support for detecting SQL Injections on HSQLDB.
• Added support for detecting XSS through file upload.
• Updated DISA STIG Classifications.
• Updated Java and Node.js IAST sensors.
• Improved time-based blind SQLi detection checks.
• Improved the Content Security Policy Engine.
• Updated XSS via File Upload vulnerability template.
• Updated License Agreement on the Invicti Standard installer.
• Added Extract Resource default property to DOM simulation.
• Improved proxy usage in Netsparker Standard for outgoing web requests such as Hawk.
• Added an option to discard certificate validation errors on the Enterprise Integration window during SSL/TLS connections.
• Added vulnerabilityType filter to add VulnerabilityLookup table.
• Added the agent mode to the authentication request.
• Added a default behavior to scan the login page.
• Added an option to disable anti-CSRF token attacks.
• Added an option to block navigation on SPAs pages.
• Added a default behavior to disable TLS1.3

FIXES

• Fixed basic authorization over HTTP bug.
• Fixed SQL Injection Vulnerability Family Reporting Bug.
• Fixed a bug that the custom script throws a null reference exception when a script is added to the paused scan.
• Fixed a bug that deletes an authentication password when a new scan is started with a copied profile.
• Fixed a bug that causes the Sitemap to disappear during scanning with IAST.
• Fixed a bug that caused missing tables and values when a report policy is exported as an SQL file.
• Fixed a typo bug on GraphQL importing window.
• Fixed the report naming bug that occurs users create a custom report from a base report.
• Fixed an issue that causes the attack process not to be completed for a security check when there is an error occurred while attacking a parameter with an attack pattern.
• Fixed a bug that updates all built-in scan policies instead of edited scan policy.
• Fixed a typo on Skip Crawling & Attacking pop-up.
• Fixed a bug that prevents an error icon from appearing after entering unacceptable characters for the scan policy name.
• Fixed a bug that does not migrate the Spring4Shell Remote Code Execution check to a new scan policy although more than 50% of the checks are selected.
• Fixed a bug that throws an error when the Large SPA is selected from the Load Preset Values drop-down on the Scan Policy window.
• Fixed a bug that does not show Configuration Wizard for the Rest API TestInvicti website.
• Fixed missing template section migration on report policy.
• Fixed a bug that throws an error when a report is submitted upon error.
• Fixed the LFI Exploiter null reference.
• Fixed a bug that occurs when a detailed scan report does not report the CVSS scores for custom vulnerabilities.
• Fixed a bug that occurs when the Log4J vulnerability profile is not migrated with the report policy migration.
• Fixed a bug that occurs when users search the Target URL on the New Scan panel.
• Fixed typo in the timeout error message.
• Fixed a bug that prevents the WSDL files from being imported.
• Fixed reporting “SSL/TLS not implemented” when scanning only TLS 1.3 supported sites.
• Fixed a bug that throws an error for NTLM authentication when the custom username and password credentials are provided when the system proxy is entered into the appsetting.json
• Fixed the bug that the passive vulnerabilities were reported from out-of-scope links.

REMOVAL

• Removed Expect-CT security check.
• Removed the End-of-Text characters in URL rewrite rules.

IMPROVEMENTS

• Updated embedded chromium browser
• Improved JWT confirmation to avoid false positives.

FIXES

• Fixed an issue that passive vulnerabilities were reported as out-of-scope links.
• Fixed an issue that imports global servers as Swagger files.
• Fixed an issue where the OK button disappears during interactive login.
• Fixed an issue that adds interactive login buttons to iframes.
• Fixed a null reference exception at the LFI exploit panel.

NEW SECURITY CHECKS

• Added Remote Code Execution (CVE-2022-22965) a.k.a. Spring4Shell detection support.

IMPROVEMENTS

• Netsparker Standard now Invicti Standard. 
• Added a token matching rule when it is required to get the token from a website other than the target URL.
• Improved the GraphQL attacks to include non-string fields. 

FIXES

• Fixed a consistency issue between the Software Composition Analysis and the Knowledge Base on reported vulnerabilities. 
• Fixed a bug that prevents the Knowledge Base View from being shown properly when a user disables the knowledge base from a scan policy.
• Fixed a null reference exception by adding a control whether the current scan policy is empty.
• Fixed a bug that the agent does not continue the scan after a pause.
• Fixed a bug that does not properly show all components detected by a software composition analysis after a retest. 

IMPROVEMENTS

• Implemented new Log4j attack patterns.
• Added the parameter types to exported reports for GraphQL.

FIXES

• Fixed an issue that Invicti uses a new token instead of the imported token when customers adds imported links.
• Fixed an issue that results in false positive Cross-site Scripting.
• Fixed an issue that prevents the scan policy migration when a newer Invicti Standard version is installed.
• Fixed an issue that the page counter goes to zero in the Recent Scans window.
• Fixed an issue that threw error during the pre-scan validation process in the case of websites that can only be accessed via the proxy.