Changelogs

Invicti Standard

v6.6.0.36485 - 14 Jun 2022

NEW FEATURES

  • Added GraphQL Libraries detection support.
  • Added the Shark node to the Knowledge Base.
  • Added Acunetix XML to URL Import.
  • Added built-in DVWA policies to scan policies.

IMPROVEMENTS

  • Updated embedded Chromium browser.
  • Added a new IAST vulnerability: Overly Long Session Timeout.
  • Added new config vulnerabilities for the IAST Node.js sensor.
  • Added new config vulnerabilities for the IAST Java sensor.
  • Added support for detecting SQL Injections on HSQLDB.
  • Added support for detecting XSS through file upload.
  • Updated DISA STIG Classifications.
  • Updated Java and Node.js IAST sensors.
  • Improved time-based blind SQLi detection checks.
  • Improved the Content Security Policy Engine.
  • Updated XSS via File Upload vulnerability template.
  • Updated License Agreement on the Invicti Standard installer.
  • Added Extract Resource default property to DOM simulation.
  • Improved proxy usage in Netsparker Standard for outgoing web requests such as Hawk.
  • Added an option to discard certificate validation errors on the Enterprise Integration window during SSL/TLS connections.
  • Added vulnerabilityType filter to add VulnerabilityLookup table.
  • Added the agent mode to the authentication request.
  • Added a default behavior to scan the login page.
  • Added an option to disable anti-CSRF token attacks.
  • Added an option to block navigation on SPA pages.
  • Added a default behavior to disable TLS 1.3.

FIXES

  • Fixed basic authorization over HTTP bug.
  • Fixed SQL Injection Vulnerability Family Reporting Bug.
  • Fixed a bug where the custom script throws a null reference exception when a script is added to a paused scan.
  • Fixed a bug that deletes an authentication password when a new scan is started with a copied profile.
  • Fixed a bug that causes the Sitemap to disappear during scanning with IAST.
  • Fixed a bug that caused missing tables and values when a report policy is exported as an SQL file.
  • Fixed a typo bug on GraphQL importing window.
  • Fixed the report naming bug that occurs when users create a custom report from a base report.
  • Fixed an issue that causes the attack process not to be completed for a security check when an error occurs while attacking a parameter with an attack pattern.
  • Fixed a bug that updates all built-in scan policies instead of the edited scan policy.
  • Fixed a typo on Skip Crawling & Attacking pop-up.
  • Fixed a bug that prevents an error icon from appearing after entering unacceptable characters for the scan policy name.
  • Fixed a bug that does not migrate the Spring4Shell Remote Code Execution check to a new scan policy although more than 50% of the checks are selected.
  • Fixed a bug that throws an error when the Large SPA is selected from the Load Preset Values drop-down on the Scan Policy window.
  • Fixed a bug that does not show Configuration Wizard for the Rest API TestInvicti website.
  • Fixed missing template section migration on report policy.
  • Fixed a bug that throws an error when a report is submitted upon error.
  • Fixed the LFI Exploiter null reference.
  • Fixed a bug that occurs when a detailed scan report does not report the CVSS scores for custom vulnerabilities.
  • Fixed a bug that occurs when the Log4J vulnerability profile is not migrated with the report policy migration.
  • Fixed a bug that occurs when users search the Target URL on the New Scan panel.
  • Fixed typo in the timeout error message.
  • Fixed a bug that prevents the WSDL files from being imported.
  • Fixed reporting “SSL/TLS not implemented” when scanning only TLS 1.3 supported sites.
  • Fixed a bug that throws an error for NTLM authentication when custom username and password credentials are provided and the system proxy is entered into appsetting.json.
  • Fixed the bug that the passive vulnerabilities were reported from out-of-scope links.

REMOVAL

  • Removed Expect-CT security check.
  • Removed the End-of-Text characters in URL rewrite rules.

v6.5 - 29 Apr 2022

IMPROVEMENTS

  • Updated embedded Chromium browser.
  • Improved JWT confirmation to avoid false positives.

FIXES

  • Fixed an issue that passive vulnerabilities were reported as out-of-scope links.
  • Fixed an issue that imports global servers as Swagger files.
  • Fixed an issue where the OK button disappears during interactive login.
  • Fixed an issue that adds interactive login buttons to iframes.
  • Fixed a null reference exception at the LFI exploit panel.

v6.4.3.35616 - 04 Apr 2022

NEW SECURITY CHECKS

  • Added Remote Code Execution (CVE-2022-22965) a.k.a. Spring4Shell detection support.

v6.4.0.35166 - 08 Mar 2022

IMPROVEMENTS

  • Netsparker Standard is now Invicti Standard.
  • Added a token matching rule when it is required to get the token from a website other than the target URL.
  • Improved the GraphQL attacks to include non-string fields. 

FIXES

  • Fixed a consistency issue between the Software Composition Analysis and the Knowledge Base on reported vulnerabilities. 
  • Fixed a bug that prevents the Knowledge Base View from being shown properly when a user disables the knowledge base from a scan policy.
  • Fixed a null reference exception by adding a control whether the current scan policy is empty.
  • Fixed a bug that the agent does not continue the scan after a pause.
  • Fixed a bug that does not properly show all components detected by a software composition analysis after a retest. 

v6.3.3.34686 - 14 Feb 2022

IMPROVEMENTS

  • Implemented new Log4j attack patterns.
  • Added the parameter types to exported reports for GraphQL.

FIXES

  • Fixed an issue where Invicti uses a new token instead of the imported token when customers add imported links.
  • Fixed an issue that results in false positive Cross-site Scripting.
  • Fixed an issue that prevents the scan policy migration when a newer Invicti Standard version is installed.
  • Fixed an issue that the page counter goes to zero in the Recent Scans window.
  • Fixed an issue that threw an error during the pre-scan validation process in the case of websites that can only be accessed via the proxy.

v6.3.2.34187 - 20 Jan 2022

IMPROVEMENTS

  • Added the .deploy extension to Default Policy’s extension list.
  • Added a new command line interface parameter, called failfast, to close Invicti Standard in silent mode when an error occurs.

FIXES

  • Fixed a null reference error issue when a user right-clicks the target on the Sitemap. 
  • Fixed the URL response error of the main node when Override Target URL check is enabled.
  • Fixed the Imported Links date and time value in the body that is cropped. 
  • Fixed an issue that opens the vulnerability panel instead of the HTTP Request and Response panel when the email node is selected in the Knowledge Base panel. 
  • Fixed the issue with the Missing XSS protection Header in the Out-of-Scope link.
  • Fixed an issue that tries to stop the scan when the What’s New tab is closed.
  • Fixed an issue that Invicti Standard starts a retest for a vulnerability randomly. 
  • Fixed a payload for the GraphQL.

v6.3.1.33855 - 29 Dec 2021

FIXES

  • Fixed a scan policy migration issue that causes selecting all the security checks.

v6.3.033782 - 23 Dec 2021

NEW FEATURES

  • Added Software Composition Analysis (SCA) feature.
  • Added OWASP Top 10 2021 classification and report.
  • Added support for scanning GraphQL APIs.

NEW SECURITY CHECKS

  • Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Jira.
  • Added Stack Trace Disclosure Signature for Java.
  • Added Shopify Identified Security Check.

IMPROVEMENTS

  • Updated Invicti Standard .NET Framework version from 4.7.2 to 4.8.
  • Allowed to enter hyphens for the proxy address on the Proxy Settings.
  • Enabled that all child controlled scan parameters are listed in the Sitemap parent node.
  • Changed classification for Cross-site Referrer Leakage and Breach in OWASP Top Ten 2021.
  • Changed CryptographicException error log type.
  • Added condition that when the max crawling link is reached, the DOM simulation stops.
  • Updated Version Disclosure Signature for Apache Coyote.
  • Added a callback flag to prevent multiple triggers of the DOM parser view callback.
  • Improved the importing of RAML files that include other files.
  • Added tags property to the Kenna Send to Action.
  • Updated Freshservice integration not to send user agent header.
  • Updated Version Disclosure Signature for Jolokia.
  • Improved the Form Values to be entered into the relevant sections during the form authentication process in the React environment.
  • Improved the login verification process by detecting page load properly.

FIXES

  • Fixed an issue that created an incorrect issue link in Bitbucket Integration.
  • Fixed an issue that occurred when the proxy information from the Proxy Auto-Configuration file cannot be transmitted in requests made by the browser.
  • Fixed the null reference error (NRE) that occurred during importing the paused or canceled scan files.
  • Fixed an issue that calculated total response time incorrectly.
  • Fixed the bug related to Send To action of Kenna integration.
  • Fixed the Jolokia version disclosure report to properly highlight the related lines.
  • Fixed the OWASP classification links.
  • Fixed an issue that does not show a vulnerability when sorted by the Vulnerability Type although it shows when sorted by Severity.
  • Fixed the misleading tooltip in Scan Policy – Security Checks.
  • Fixed the misaligned text on the PDF version of Executive Summary Report.
  • Fixed an issue where Invicti Standard doesn’t show an out-of-scope warning when an out-of-scope link is imported.
  • Fixed the inconsistent vulnerability count between reports and status bar.
  • Fixed the manual authentication issue when links are imported from URL.
  • Fixed the Sitemap multilevel group count.
  • Fixed Scan Policy security check count.
  • Fixed a naming issue that occurred when a new custom report name contains a dot.
  • Fixed an issue while changing the Data Directory option on Storage tab.
  • Fixed the issue that external references were not rendered correctly.

v6.2.1.33642 - 14 Dec 2021

NEW SECURITY CHECKS

  • Added Out of Band Code Evaluation (Log4j – CVE-2021-44228) a.k.a. Log4Shell detection support.

v6.2 - 16 Nov 2021

NEW FEATURES

  • Added Node.js sensor for Invicti Shark (IAST).
  • Added OWASP API Top 10 classification and report template.

NEW SECURITY CHECKS

  • Added signature matching to Web app fingerprint checker.
  • Added patterns for Base64 encoded DOM Cross-site Scripting.
  • Added phpMyAdmin Version Disclosure security check.
  • Added Atlassian Confluence Version disclosure and Out-of-date security checks.
  • Added exclusion feature to JavaScript Library detection.
  • Added PHP Version Detection via phpinfo() call.
  • Added the Shopify Identified security check.

IMPROVEMENTS

  • Added the Bridge URL and Shark token support for Invicti Shark (IAST).
  • Added setting to configure Session Cookie Names.
  • Updated CWE classification category orders for Out-of-date templates.
  • Improved Cross-site Scripting attack pattern.
  • Added support for exploiting local storage and session storage in the DOM XSS security checks.
  • Added highlighting support for custom scripts.
  • Added Web Application Firewall to the site profile.
  • Changed the default ignored parameter comparison to case insensitive.
  • Added ‘Is Encoded’ option to OAuth2 parameters.
  • Added JWT Token pre-request script template.
  • Added the CSP Not Implemented that will be reported as confirmed.
  • Added the Subresource integrity not implemented that will be reported as confirmed.

FIXES

  • Fixed the issue where a missing Content-Type header was reported when there was no content in the response.
  • Fixed the issue where FP JWT was reported in a not found response.
  • Fixed the issue where possible and confirmed vulnerabilities were reported in the same URL.
  • Marked weak TLS ciphers.
  • Fixed the issue where proof was generated even when the proof generation option was disabled in the scan policy.
  • Fixed FP WAF Identified.
  • Fixed the issue where the vulnerability count in the root node was not updated when a vulnerability was removed and Blind XSS was prioritized over the Reflected Cross-site Scripting.
  • Fixed the issue where source code disclosure was reported in binary responses.
  • Fixed the issue where the fingerprint checker crashed when an applications file could not be found.
  • Fixed the issue where object-src missing was reported when default-src is provided in CSP security checks.
  • Fixed the issue that some cipher suites are not reported as weak.
  • Fixed the issue where classification links were not rendered correctly when there are multiple values.
  • Fixed the issue where a proof prefix was added when there were no more characters to be found.

v6.1 - 01 Jul 2021

NEW FEATURES

  • Added Authentication Profiles
  • Added the Overall Latest Version field to out-of-date vulnerabilities
  • Added multiple vulnerabilities reporting support to passive and singular custom scripts
  • Added Acunetix 360 integration

NEW SECURITY CHECKS

  • Implemented JSON Web Token (JWT) security check
  • Added the SSL Certificate is About to Expire security check
  • Added StackPath Web Application Firewall (WAF) detection.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Proxy Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for JavaServer Pages
  • Added Identified, Version Disclosure, and Out-of-date security checks for Kong Server
  • Added Identified, Version Disclosure, and Out-of-date security checks for Liferay Digital Experience Platform.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Taleo Web Server
  • Added Version Disclosure and Out-of-date security checks for Sugar Customer Relationship Management (CRM)
  • Added Version Disclosure and Out-of-date security checks for Squid
  • Added Identified and Out-of-date security checks for Magento
  • Added Out-of-date security check for Daiquiri
  • Added Identified security check for Plesk (Windows)
  • Added Identified security check for Vegur
  • Added Identified security check for HubSpot
  • Added Identified security check for DataDome
  • Added Identified security check for Craft CMS
  • Added Identified security check for Windows Azure Web Apps
  • Added Identified security check for OpenVPN Access Server
  • Added Identified security check for Squarespace
  • Added Identified security check for Plesk (Linux)
  • Added Identified security check for Lighthouse
  • Added Identified security check for BitNinja Captcha Server
  • Added Identified security check for Pardot Server

IMPROVEMENTS

  • Added Scan Paused, Scan Resumed, Scan Canceled, and Scan Finished states to the log category.
  • Send to Request Builder option is now visible for Issue Group Nodes
  • Added page type field to vulnerability reports
  • Added Authentication Profile name to reports
  • Improved RAML Importer to import the ZIP files
  • Added application name and version information to a vulnerability report
  • Implemented Swagger path parameter default value
  • Fixed a Dom XSS scan stuck issue
  • Fixed Daiquiri Identified reporting redundant custom field issue.
  • Improved Common Weakness Enumeration (CWE) classifications for Out-of-Date Version vulnerabilities
  • Added a new Akamai Content Delivery Network (CDN) detection signature
  • Added a new Varnish Cache detection signature
  • Added missing Identified security checks for the existing technologies
  • Improved the summary section of the Version Disclosure template for SharePoint
  • Improved TRACE/TRACK Method Detected security check
  • Improved SVN Detected security check
  • Improved Version Disclosure security check and report template for Phusion Passenger
  • Improved Caddy Web Server Identified security check.
  • Improved WAF Identifier security check.
  • Added Blind SQL Injection security check with a new XOR payload for MySQL
  • Proxy credential passed to Chrome page authentication
  • Vulnerabilities ordered by severity in the Comparison Report

FIXES

  • Fixed Invicti license decrypt problem
  • HTTPS Requests are recorded as HTTP
  • Fixed the requested security protocol is not supported error
  • Fixed handling Protocol Buffers encoding type
  • Fixed miswritten product name
  • Fixed Phusion Passenger version disclosure template and added Out-of-Date mapping
  • Fixed analyzing headers even if the identification source is the crawler
  • Fixed an issue that may cause deadlock during adding items to Sitemap
  • Fixed an issue that caused out-of-scope URLs to be scanned when the override target URL option is enabled and authentication fails while scanning.
  • Fixed an issue where headers in a Postman collection were not replaced with variables
  • Fixed an issue that caused the SSL validation callback to return invalid SSL certificates as out-of-scope links
  • Added disable-feature flag to the browser manager
  • Fixed a null reference exception while generating Knowledge Base report
  • Rare error when loading overlay window showed was ignored
  • Fixed out-of-scope imported links showing in Knowledge Base Rest API List
  • Fixed a detection issue with the Akamai CDN signature.
  • Fixed a detection issue with Tomcat Identified security check.
  • Fixed the signatures of phpMyAdmin Identified security check
  • Fixed big size upload error
  • The Exclude Authentication Page option will be checked if there is a selected authentication profile
  • Fixed DPI settings at Custom Script Dialog
  • Disabled GPU acceleration to prevent rendering errors and black bars
  • Fixed UI bugs at General Scan Profile Settings
  • Fixed issue max page visit was not received but showing in Knowledge Base because of max signature limit
  • Fixed Custom 404 Regex in Invicti Enterprise scan data is shown as Auto 404 at Invicti Standard
  • Fixed malformed VDB exception while getting the latest version of the application
  • Severity null control added to the Vulnerability Profile dialog
  • Fixed a non-recurring parameter while logging in with auto-authenticator
  • Fixed Scan Policy Report migration primary key error
  • Fixed saving Crawl & Attack option to the Scan Profile
  • Fixed Logout detection window shows first entered URL for every login simulation error
  • Fixed reporting false positive HSTS vulnerability

v6.0.2.30446 - 07 Apr 2021

NEW FEATURES

  • Added TLS 1.3 support
  • Added the character limit setting for Blind SQL Injection proof generation and enabled proof generation by default
  • Added the Common Vulnerability Scoring System field to the known vulnerabilities
  • Added the Vulnerability Database version to the scan logs

IMPROVEMENTS

  • Improved IPv6 support to cover all SSL checks
  • Added an advanced setting option to turn on/off the “disable-web-security” command line option while launching chromium
  • Added the redirect navigation support for DOM Parser
  • Fixed Ghost Chromium problems and DOM simulation leaks
  • Added multiple ISO Classification support
  • Added alphabetical order to the Knowledge Base nodes
  • Updated Invicti Shark (IAST) licensing
  • Improved WAF Identification checks to prevent false positives
  • Added CVSS3.0 and CVSS3.1 scoring for HSTS Policy Not Enabled
  • Improved Open Redirection checks
  • Updated Capture Group for OpenResty Version Disclosure
  • Updated DS_Store File Found Report Template
  • Changed the Referrer-Policy Report Template names to be more accurate
  • Refined Possible Stored XSS Vulnerability template
  • Added missing external references to SSL Templates that are removed after the merge
  • Added IAST suffix to titles of vulnerability detected by Invicti Shark
  • Updated OpenSSL regex
  • Updated OpenSSL version disclosure regex
  • Updated SSTI patterns to use specific type to match code execution patterns

NEW SECURITY CHECKS

  • Added Short XSS Attack to bypass character limit checks
  • Added Revoked SSL Certificate check
  • Added SSL Certificate’s Name and Hostname Mismatch security check
  • Added SSL Certificate is not signed by a trusted root certification authority security check
  • Added Daiquiri Identified security check
  • Added Expired SSL Certificate security check
  • Added ZSH History File Detected
  • Added DOM XSS pattern for the script SRC Injection

FIXES

  • Fixed an issue with simultaneous access to the same object while updating the sitemap during scanning
  • Fixed unexpected error when saving parse from URL in form values screen
  • Fixed the Chrome address bar displaying in different resolutions on the verify login form
  • Fixed the detected logout status when an unreachable link is given
  • Fixed the customization menu at the form authentication’s custom script dialog
  • Fixed unsupported browser issue for Headless Chromium
  • Fixed weak ciphers not reported for additional websites issue
  • Fixed ignoring weak ciphers check because of the ROBOT attack
  • Fixed logging HTTPS requests as HTTP when LogHttpRequests option is enabled
  • Updated Invicti Updater icons
  • Fixed an issue where the Postman Importer ignores the authorization header that is defined in a request item
  • Updated requester not to send Accept-Language header if it is not enabled in a scan policy
  • Fixed an issue that occurred when exporting custom reports generated from Compliance, Detailed Scan, and Executive Summary report
  • Fixed a synchronization problem while creating puppeteer instances
  • Fixed an issue where external schema was not added when importing WSDL
  • Fixed the Write Lock Leak in LinkPool
  • Disabled mouse wheel on the Include/Exclude URLs with Regex radio group
  • Fixed the typo in the jQuery validation out-of-date vulnerability type
  • Fixed the issue where the Untrusted Root certificate was not reported on self-signed certificates
  • Fixed the issue that the wrong version was reported in the web app fingerprinting
  • Fixed False Positive weak credentials vulnerability
  • Fixed the issue that logs were not correctly formatted in the Logs panel
  • Fixed the issue that SSL vulnerabilities found in additional sites might be reported in the wrong URL
  • Fixed the issue that authenticated link was not crawled
  • Fixed the issue that the proof URL was not added to XSS
  • Fixed word-wrapping in Tags label in the Azure DevOps Send to Action Configuration Wizard
  • Removed the logging for the replacing control characters in headers
  • Changed the log level of DOM simulation timeout from Error to Warning
  • Fixed the issue that another hash was appended to URLs with a fragment on DOM XSS attacks
  • Fixed the issue that SSL certificates were not analyzed for each website when there are additional websites
  • Fixed the issue that URI fragment was parsed incorrectly
  • Fixed OpenSSL version disclosure regex
  • Fixed WS_FTP Log check
  • Fixed F5 BIG-IP WAF detection
  • Fixed the typo in the jQuery Validation Out-of-date Vulnerability type
  • Fixed Extractor for Lodash in repository.json by adding a new function
  • Fixed WildFly regex for the WildFly Application Server Identified
  • Fixed Whoops Error Handling framework signature
  • Fixed the signature for Liferay Portal Identified
  • Fixed Version Disclosure for Artifactory by adding missing custom field tag
  • Fixed regex of Grafana Version Disclosure
  • Fixed OpenResty regex for Version Disclosure
  • Fixed the regex of Liferay Portal Version Disclosure pattern