Invicti Standard

New features

• Added an option under New Scan Policy > Ignored Parameters to allow customers to set ‘Cookie’ as a type of ignored parameter

New security checks

• Added new checks for the WordPress Login with Phone Number Plugin: CVE-2023-23492
• Added new checks for the WordPress JupiterX Core Plugin: CVE-2023-38389, CVE-2023-38388

Improvements

• Added support for custom authentication tokens without token type
• Improved LFI attack patterns for better accuracy
• Fixed some vulnerabilities in the Docker image
• Stricter sensitive data rules
• Improved bot detection bypass scenarios

Fixes

• Fixed custom header values in scan profiles so that they are masked
• Docker Cloud Stack check has been updated to reduce noise
• Fixed an issue with adding configuration files to scan profiles
• SSL/TLS classification updated from CWE-311 to CWE-319

Improvements

• Added a MaxAuthenticationTime configuration and set the default value as 480 seconds

Fixes

• Fixed a bug that was preventing the import of WSDL files to Invicti Standard
• Fixed version information reported in Web App Fingerprint Vulnerabilities

New features

• Added encoding for sensitive data
• Added the option to enable CSRF checks for authenticated scans only
• Added a sensitive data (password, session cookie, token etc.) encoder

New security checks

• Added JQuery placeholder detection methods
• Added a new security check for the Missing X-Content-Type-Options vulnerability

Improvements

• Improved the JS Delivery CDN disclosure check to increase stability
• Improved the remediation part for the Weak Ciphers Enabled vulnerability
• Reduced the certainty value to 90 for the Robot Attack Detected vulnerability
• Improved the detection method for CSP
• Improved the detection method for the Dockerignore File Detected vulnerability
• Improved the detection method for the Docker Cloud Stack File Detected vulnerability

Fixes

• Improved our XSS capabilities
• Fixed an NTLM login issue
• Fixed a bug that was overwriting proxy settings in scan policies
• Fixed a unique analyzer bug for the WSDL importer
• Fixed a custom proxy bypass list issue

New feature

• We’ve added the ability to set proxy configurations to Docker Agent as an environment variable when creating a container

Improvements

• Disabled caching from the boolean-based MongoDB security engine to avoid possible false positives
• Improved the content-type exemption for non-HTML content types in the CSP engine
• Improved the typehead.js check to increase stability
• Removed the X-XSS-Protection header check because it is deprecated by modern browsers
• Fixed a scan coverage issue
• Improved the remediation part for the JetBrains .idea detected vulnerability
• Added functionalities to prevent bot detection and fixed an issue that was causing cookie loss after authentication

Fixes

• Fixed the update agent command that was not working correctly
• Fixed the internal Linux v23.7 AV agent that wasn’t sending header configurations
• Encrypted the proxy password used in the scan policy file
• Fixed an issue with missing links when importing a .nss file from Invicti into Acunetix 360
• Fixed the external SOAP web service import problem
• Fixed a custom script issue so that now passwords written to the logs are encrypted
• Fixed an issue that might cause broken functionality for popup pages
• Fixed an issue where vulnerabilities could not be generated as CloudFlare WAF rules via API
• Fixed a bug with Multiple Declarations in the X-Frame-Options Header
• Fixed a localized time issue in the Files area
• Fixed a problem that was causing default values to be filled incorrectly, resulting in false negatives

New security checks

• Added new patterns to detect XSS

Improvements

• Improved detection and reporting of File Inclusion vulnerabilities
• Improved detection and reporting of Sensitive Data Exposure vulnerabilities
• Improved detection and reporting of Dockerfiles
• Added a custom authentication support header to scan policy

Fixes

• Fixed incorrect reporting of outdated technology versions
• Fixed a bug that was preventing reports from being saved
• Fixed the navigation check error on the dom parsing phase
• Fixed an issue that can cause too much browser user data to be left in the temp folder
• Fixed a custom script that was preventing successful basic authentication in some scenarios

Features

• Added Diana.jl support for GraphQL Library Detection
• Added Hot Chocolate support for GraphQL Library Detection
• Added Zero Day Vulnerability for MOVEit Software

Improvements

• Improved logout detection for OAuth2 authenticated websites
• Improved detection of IT Hit WebDav Server .Net versions
• Improved Internal Path Disclosure detection
• Improved Remediation Advice for Autocomplete Enabled vulnerability
• Improved detection logic for LFI vulnerability
• Improved identification and version disclosure for PopperJS, CanvasJS, and Next.js
• Improved WAF Detection for F5 BIG IP

Fixes

• Fixed issue with scans stopping with the Find & Follow New Links option enabled
• Fixed issue with agent compression of chromium and node files
• Fixed InvalidCastException with REST API
• Fixed ArgumentNullException with Custom Security Checks
• Fixed BLR cannot fill address fields
• Fixed adding some MongoDB vulnerabilities to Knowledge Base report
• Fixed scans unauthenticated after successful authentication verification
• Fixed rare stuck scan issue
• Fixed false positive due to TLS v1.3 not enabled
• Fixed ArgumentNullException during scan launch
• Fixed Authentication Verifier fails creating a new scan while another scan is running
• Fixed GraphQL import OutOfMemoryException

New security checks

• Added the check for Boolean-based MongoDB injection.
• Added the check for MongoDB Operator Injector.
• Implemented the XML external entity check for IAST.
• Added the ISO/IEC27001:2022 Classification.
• Added the report template and attack pattern to the Out-of-band RCE.
• Added passive check for Lua.
• Added a security check to detect public Docker files.
• Implemented a new engine to identify WordPress themes and Plugins.
• Added new security checks for SAML.
• Added security check for IT Hit WebDAV Server .Net Version Disclosure.
• Added security check for MS Exchange Version Disclosure.
• Added new payloads for Command Injection.
• Added support for PopperJS.
• Added support for CanvasJS.
• Added new security check for the SQLite Database Detection.
• Added new payloads for Header Injection.
• Added new security check for Spring Boot Actuator Detection.
• Added security check for NodeJS Stack Trace Disclosure.
• Added security check for SailsJS and ActionHero Identified.
• Added security check for JetBrains .idea Detected.
• Added security check for GraphQL Stack Trace Disclosure.
• Added security checks for Javascript Libraries.
• Added security checks for Web Application Fingerprinter Engine.
• Added new security checks for WordPress Hello Elementor Theme Detection.
• Added new security checks for WordPress Twenty Twenty-Three Theme Detection.
• Added new security checks for WordPress Twenty Twenty-Two Theme Detection.
• Added new security checks for WordPress Astra Theme Detection.
• Added new security checks for WordPress Twenty Twenty-One Theme Detection.
• Added new security checks for WordPress Twenty Twenty Theme Detection.
• Added new security checks for WordPress OceanWP Theme Detection.
• Added new security checks for WordPress Twenty Seventeen Theme Detection.
• Added new security checks for WordPress Kadence Theme Detection.
• Added new security checks for WordPress Twenty-Sixteen Theme Detection.
• Added new security checks for WordPress Twenty Nineteen Theme Detection.
• Added new security checks for WordPress PopularFX Theme Detection.
• Added new security checks for WordPress GeneratePress Theme Detection.
• Added new security checks for WordPress Inspiro Theme Detection.
• Added new security checks for WordPress Go Theme Detection.
• Added new security checks for WordPress Smash Balloon Social Photo Feed Plugin Detection.
• Added new security checks for WordPress Contact Form 7 Plugin Detection.
• Added new security checks for WordPress Yoast SEO Plugin Detection.
• Added new security checks for WordPress Elementor Website Builder Plugin Detection.
• Added new security checks for WordPress Classic Editor Plugin Detection.
• Added new security checks for WordPress Akismet Spam Protection Plugin Detection.
• Added new security checks for WordPress WooCommerce Plugin Detection.
• Added new security checks for WordPress Contact Form by WPForms Plugin Detection.
• Added new security checks for WordPress Really Simple SSL Plugin Detection.
• Added new security checks for WordPress Jetpack Plugin Detection.
• Added new security checks for WordPress All-in-One WP Migration Plugin Detection.
• Added new security checks for WordPress Wordfence Security Plugin Detection.
• Added new security checks for WordPress Yoast Duplicate Post Plugin Detection.
• Added new security checks for WordPress WordPress Importer Plugin Detection.
• Added new security checks for WordPress LiteSpeed Cache Plugin Detection.
• Added new security checks for WordPress UpdraftPlus WordPress Backup Plugin Plugin Detection.
• Added new security check for EZProxy Identified.

Improvements

• Updated the Signature Detection pattern.
• Improved the wordlist for Forced Browsing checks.
• Changed the Session Cookie not marked as Secure severity from High to Medium.
• Improved the task queue by optimizing code.
• Improved Drupal and Joomla detection.
• Improved the Next.js version detection.
• Improved Django debug mode enabled.
• Updated the SSL/TLS report template.

Fixes

• Fixed the navigational error by ignoring initial requests other than the document-type resources.
• Fixed an issue about HTTP Status codes on the crawler performance in the Knowledge Base Report.
• Fixed the importing GraphQL introspection issue.
• Fixed the weak Nonce detection in Content Security Policy.

New security checks

• Added new security check for LDAP injection for IAST.
• Added new security check for MongoDB injection.
• Added new security check for Server-side Template Injection for IAST.
• Added new security check for XPath injection for IAST.
• Implemented security check for Sensitive Data Exposure.

Improvements

• Improved the text parser to check URI before parsing.
• Added the Response Receiver information event to remove waiting time for requests.
• Improved the GraphQL Introspection query.

Fixes

• Fixed an issue that caused a bad CSRF token when confirming Cross-site Scripting.
• Fixed an issue that caused an argument null exception when the browser context was closed.
• Fixed the issue that is filling out the login form on the logout page during the login verification.
• Fixed the issue of changing the order of API parameters while importing the JSON file.
• Fixed the dark template issue that displayed the What’s New section in the light template.
• Fixed the vulnerability signature types for Cloudflare and Cdnjs.

Version information: 23.4.0.40376

New security checks

• Added new patterns for GrapQL attack usage.
• Added new attack pattern to CommandInjection.xml.
• Implemented Bootstrap Libraries Detection.
• Added Out-of-Date vulnerability for mod_ssl.
• Added a report template and vulnerability type for Spring Framework Identified.
• Added JavaMelody Interface Detected Signature.
• Changed WAF Identification Signature for F5 Big IP.
• Added the support for Nested objects for GraphQL attacks.

Improvements

• Updated Invicti Standard with new brand logo.
• Added external schema import to solve a WSDL file importing another WSDL file.
• Removed the interactive login button from the verifier dialog.
• Added the Retest All Subitems in the Sitemap to prevent non-retestable issues from being retested.
• Added a null check for HAR files imported.
• Improved the cookie importing process in order for cookies to be compatible with RFC.
• Updated IAST NuGet PHP package.
• Updated StaticDetection.xml & StaticResourceFinder.xml.
• Added service worker request support for authentication, login simulation, and crawling.

Fixes

• Fixed an issue that caused high memory usage while collecting form values.
• Fixed the untrusted certificate error for internal proxies.
• Fixed the issue that caused the change in the date and time format during the Postman file importing.
• Fixed the Linux agents problem that failed to work in the FIPS-enabled environment.
• Fixed the untrusted certificate error for internal proxies.
• Fixed the “Catastrophic Backtracking” in Whoops Debugging detection.

Version information: 23.3.0.39944

New security checks

• Added package.json Configuration File attack pattern.
• Added new File Upload Injection pattern.
• Added SSRF (Equinix) vulnerability.
• Added Swagger user interface Out-of-Date vulnerability.
• Added a file upload injection pattern.
• Added StackPath CDN Identified vulnerability.
• Added Insecure Usage of Version 1 GUID vulnerability.
• Added JBoss Web Console JMX Invoker check.
• Added Windows Server check.
• Added Windows CE check.
• Added Cloudflare Identified, Cloudflare Bot Management, Cloudflare Browser Insights, and cdnjs checks.
• Added Varnish Version Disclosure vulnerability check.
• Added Stack Trace Disclosure (Apache Shiro) vulnerability check.
• Added Java Servlet Ouf-of-Date vulnerability check.
• Added AEM Detected vulnerability check.
• Added CDN Detected(JsDelivr) vulnerability check.

Improvements

• Improved the scan compression algorithm to lower the size of the scan data.
• Improved WS_FTP Log vulnerability test pattern.
• Improved X-XSS-Protection Header Issue vulnerability template.
• Improved MySQL Database Error Message attack pattern.
• Improved XML External Entity Injection vulnerability test pattern.
• Improved Forced Browsing List.
• Added CWE classification for Insecure HTTP Usage.
• Added GraphQL Attack Usage to existing test patterns by default.

Fixes

• Fixed an issue that may cause out-of-memory when cloning callbacks of the browser.
• Fixed the update issue in the Proof node in the Knowledge Base panel.

Version information: 23.2.0.39705

New security checks

• Added JWT Forgery through Kid by using static files.
• Added the JSON Web Tokens detected check.

Improvements

• Improved the default browser settings to be reflected in the business logic recorder (BLR).
• Improved the JWT Finder Regex in the JWT engine.
• Extended excluded header names with new headers.
• Updated JWT Forgery check condition.
• Improved the JSON Web Tokens’ vulnerability detection logic.
• Added the link scope check for the user-controllable cookie vulnerability.

Fixes

• Fixed an issue that caused unhandled exceptions when there is no service endpoint definition in the WSDL file.
• Fixed “file in use error” while archiving scan logs.
• Fixed the OAuth 2.0 authentication problem caused by the failure to get code information and certification validation in out-of-scope links.
• Fixed missing cookies for the JSON Web Tokens attack requests.
• Fixed the vulnerability family issue that caused the Hawk not to detect issues.
• Fixed the vulnerability serialization issue that caused the out-of-memory error.

Improvements

• Added control for login and logout during vulnerability retest.
• Added auto responder for images to escape the onerror issue.

Fixes

• Fixed an issue that overrode TLS settings available in the scan policy when the Ignore SSL Certificate Errors is set to True in the Appsetting.json file.
• Fixed a bug that throws a null reference exception at the authentication.
• Fixed missing CSP 3 Directive.
• Fixed an issue about 3-legged OAuth which cause failed authentication at scan.
• Fixed the scheduled scans not being exported issue to Invicti Enterprise.
• Fixed an issue about header encoding that cause false positive CSP reporting.
• Fixed the bug on the Interactive Login page where the Ok and Pause buttons are not available.
• Fixed case sensitivity when checking HTTP headers for JSON Web Tokens.
• Fixed the IPv6 registered website resolution issue thrown before scanning.
• Improved the vulnerability database updating process to enable it to use a proxy.
• Fixed a bug that prevents the scanner from attacking to login and logout pages.
• Fixed the bug in which OAuth2 settings were not transferred properly from the web application to the agent.