v23.2.0 - 22 Feb 2023
This release includes security checks, improvements, and fixes. We added checks for JWT. We improved JWT security checks and the business logic recorder. We also fixed some bugs.
Version information: 23.2.0.39705
New security checks
- Added JWT Forgery through Kid by using static files.
- Added the JSON Web Tokens detected check.
Improvements
- Improved the default browser settings to be reflected in the business logic recorder (BLR).
- Improved the JWT Finder Regex in the JWT engine.
- Extended excluded header names with new headers.
- Updated JWT Forgery check condition.
- Improved the JSON Web Tokens’ vulnerability detection logic.
- Added the link scope check for the user-controllable cookie vulnerability.
Fixes
- Fixed an issue that caused unhandled exceptions when there is no service endpoint definition in the WSDL file.
- Fixed “file in use error” while archiving scan logs.
- Fixed the OAuth 2.0 authentication problem caused by the failure to get code information and certification validation in out-of-scope links.
- Fixed missing cookies for the JSON Web Tokens attack requests.
- Fixed the vulnerability family issue that caused the Hawk not to detect issues.
- Fixed the vulnerability serialization issue that caused the out-of-memory error.
v23.1.0 - 17 Jan 2023
This release includes improvements and fixes. We fixed issues with TLS, authentications, and IPv6.
Improvements
- Added control for login and logout during vulnerability retest.
- Added auto responder for images to escape the onerror issue.
Fixes
- Fixed an issue that overrode TLS settings available in the scan policy when the Ignore SSL Certificate Errors is set to True in the Appsetting.json file.
- Fixed a bug that threw a null reference exception during authentication.
- Fixed missing CSP 3 Directive.
- Fixed an issue with 3-legged OAuth that caused authentication to fail during scans.
- Fixed the issue of scheduled scans not being exported to Invicti Enterprise.
- Fixed a header encoding issue that caused false positive CSP reporting.
- Fixed the bug on the Interactive Login page where the Ok and Pause buttons are not available.
- Fixed case sensitivity when checking HTTP headers for JSON Web Tokens.
- Fixed the IPv6 registered website resolution issue thrown before scanning.
- Improved the vulnerability database updating process to enable it to use a proxy.
- Fixed a bug that prevented the scanner from attacking login and logout pages.
- Fixed the bug in which OAuth2 settings were not transferred properly from the web application to the agent.
v22.12.0 - 07 Dec 2022
This release includes improvements and fixes. We improved the failed requests error message. We also fixed some bugs.
Improvements
- Added an explanation for the failed requests error.
- Added name variable support for Passive and Singular Custom Security Checks.
Fixes
- Fixed WSDL parse issue for non-defined object types.
- Fixed the deserialization problem when importing the scan session.
- Fixed the CSP analyzer Regex enumeration problem.
- Fixed the null reference exception on HTTP Requester.
v22.11.0 - 09 Nov 2022
This release includes a new security check, improvements, and fixes. We added a security check for Text4Shell and improved the importing link. We also fixed some bugs.
New security check
- Added the Text4Shell (CVE-2022-42889) check.
Improvements
- Updated the embedded Chromium browser.
- Improved the importing link to parse the complex example value for RAML.
- Added the support for browser flag.
- Improved the scan failure messages on the issue page.
- Added the URL decode to scanned and crawled URL list reports.
Fixes
- Fixed the issue that deleted the customization folder in the agent’s folder after the update.
- Fixed the knowledge base report format to display information clearly.
v6.8.0.38168 - 13 Oct 2022
This release includes new features, new security checks, improvements, and fixes. We added an auto-GraphQL attack. We added MongoDB-related security checks. We improved the embedded browser and vulnerability detection in the JWT engine. We also fixed some bugs.
NEW FEATURES
- Added auto-GraphQL attack after endpoint is detected.
- Added request wait filter for request wait handler.
NEW SECURITY CHECKS
- Added MongoDB Time-based (Blind) Injection.
- Added SQLite Boolean SQL Injection.
- Added MongoDB Error-based Injection.
IMPROVEMENTS
- Updated the embedded browser.
- Updated the hardcoded scan policy for http://rest.testinvicti.com.
- Added the out-of-scope check for the target website content links.
- Updated the Check for VDB Update status and tooltip when users start the check for update.
- Updated Vulnerability Detection Logic in JWT engine.
- Updated Liferay portal signature and added a mapping for version conversion.
FIXES
- Fixed the web security issue for the origin header problem.
- Fixed the sitemap bug that caused missing information when imported.
- Fixed the bug that threw an error when exporting as SQL script.
- Fixed the bug that threw an error, as HTTP Requester deletes the whole body part of the request which contains the login credentials.
- Fixed multiple headers highlighting for the same value.
- Fixed highlighting CSP Directives in different header issues.
- Fixed duplicate bearer tokens for some requests.
- Fixed the out-of-memory bug at the browser manager.
- Fixed the null reference exception on the custom script screen.
- Fixed the connection time-out issue caused by the RegEx engine.
- Fixed an issue that resulted in false positive Cross-site Scripting (DOM-based).
- Fixed the retest issue that displays zero requests in the repetitive retests.
- Fixed the bug that shows the previous version of VDB.
- Fixed parsable false attack patterns place.
v6.7.1.37730 - 15 Sep 2022
IMPROVEMENTS
- Updated embedded Chromium browser.
v6.7.0.37625 - 31 Aug 2022
SECURITY CHECKS
- Added pattern for XSS via file upload SVG.
IMPROVEMENTS
- Added the Cache By CSS Selector and Max Cache Elements to the scan policies.
- Added the GraphQL endpoints and libraries to the Knowledge Base.
- Updated the Jira tooltip for the access token or password field.
- Removed the target URL health check that lets the scan continue despite getting error messages such as 403.
- Improved the raw scan file expired information message.
- Improved the scan profile test coverage.
- Updated regex for Stack Trace Disclosure (Java) – Java.Lang Exceptions.
- Improved the JSON Web Tokens secret list.
- Improved the re-login process when the logout is detected.
FIXES
- Fixed the retest issue.
- Fixed the null reference error thrown during the late confirmation.
- Fixed an issue of using the disposed objects.
- Fixed the exception error when cloning the report policy.
- Fixed the broken links on the report policy.
- Fixed mistaken NIST and DISA classifications.
- Fixed a bug that threw the database locked error when Invicti is restarted after a scan.
- Fixed an issue where a JavaScript Setting option blocks inputs for the single-page applications to be reported in the Web Pages with Inputs node.
- Fixed a bug that caused the scan session failure when the scan is paused and resumed.
- Fixed failed scans where the Target URL is IPv6 and starts with ::1.
- Fixed the Postman collection parsing by removing / in front of the query in the URL.
- Fixed the Shark validation issue that threw exceptions while validating.
- Fixed the issue with proxy settings, so Invicti prioritizes the settings in the scan policy.
- Fixed NodeJS RCE-OOB security check.
v6.6.1 - 12 Aug 2022
IMPROVEMENTS
- Improved the Late-Confirmation Storage Mechanism to lower disc usage.
- Improved the Links/API definition to add links with a single click.
- Added the Block navigation on SPAs to built-in scan policies.
- Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3.
FIXES
- Fixed the issue where Chromium instances were not terminated even though the max scan duration was exceeded.
- Fixed the issue that automatically enables “Exclude Authentication Pages” after enabling form authentication.
- Fixed the bug that throws null reference exception at the link pool.
- Fixed the bug that prevents GraphQL Endpoint detection when the scan policy is copied.
- Fixed the bug that resulted in running many Chromium instances when a new scan is started.
- Fixed a null reference error when a new scan is started via the command line.
v6.6.1.36926 - 19 Jul 2022
IMPROVEMENTS
- Improved the Late-Confirmation Storage Mechanism to lower disc usage.
- Improved the Links/API definition to add links with a single click.
- Added the Block navigation on SPAs to built-in scan policies.
- Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3.
FIXES
- Fixed the issue where Chromium instances were not terminated even though the max scan duration was exceeded.
- Fixed the issue that automatically enables “Exclude Authentication Pages” after enabling form authentication.
- Fixed the bug that throws null reference exception at the link pool.
- Fixed the bug that prevents GraphQL Endpoint detection when the scan policy is copied.
- Fixed the bug that resulted in running many Chromium instances when a new scan is started.
- Fixed a null reference error when a new scan is started via the command line.
v6.6.0.36485 - 14 Jun 2022
NEW FEATURES
- Added GraphQL Libraries detection support.
- Added the Shark node to the Knowledge Base.
- Added Acunetix XML to URL Import.
- Added built-in DVWA policies to scan policies.
IMPROVEMENTS
- Updated embedded Chromium browser.
- Added a new IAST vulnerability: Overly Long Session Timeout.
- Added new config vulnerabilities for the IAST Node.js sensor.
- Added new config vulnerabilities for the IAST Java sensor.
- Added support for detecting SQL Injections on HSQLDB.
- Added support for detecting XSS through file upload.
- Updated DISA STIG Classifications.
- Updated Java and Node.js IAST sensors.
- Improved time-based blind SQLi detection checks.
- Improved the Content Security Policy Engine.
- Updated XSS via File Upload vulnerability template.
- Updated License Agreement on the Invicti Standard installer.
- Added Extract Resource default property to DOM simulation.
- Improved proxy usage in Netsparker Standard for outgoing web requests such as Hawk.
- Added an option to discard certificate validation errors on the Enterprise Integration window during SSL/TLS connections.
- Added vulnerabilityType filter to add VulnerabilityLookup table.
- Added the agent mode to the authentication request.
- Added a default behavior to scan the login page.
- Added an option to disable anti-CSRF token attacks.
- Added an option to block navigation on SPAs pages.
- Added a default behavior to disable TLS 1.3.
FIXES
- Fixed basic authorization over HTTP bug.
- Fixed SQL Injection Vulnerability Family Reporting Bug.
- Fixed a bug where the custom script throws a null reference exception when a script is added to the paused scan.
- Fixed a bug that deletes an authentication password when a new scan is started with a copied profile.
- Fixed a bug that causes the Sitemap to disappear during scanning with IAST.
- Fixed a bug that caused missing tables and values when a report policy is exported as an SQL file.
- Fixed a typo bug on GraphQL importing window.
- Fixed the report naming bug that occurs when users create a custom report from a base report.
- Fixed an issue that causes the attack process not to be completed for a security check when an error occurs while attacking a parameter with an attack pattern.
- Fixed a bug that updates all built-in scan policies instead of edited scan policy.
- Fixed a typo on Skip Crawling & Attacking pop-up.
- Fixed a bug that prevents an error icon from appearing after entering unacceptable characters for the scan policy name.
- Fixed a bug that does not migrate the Spring4Shell Remote Code Execution check to a new scan policy although more than 50% of the checks are selected.
- Fixed a bug that throws an error when the Large SPA is selected from the Load Preset Values drop-down on the Scan Policy window.
- Fixed a bug that does not show Configuration Wizard for the Rest API TestInvicti website.
- Fixed missing template section migration on report policy.
- Fixed a bug that throws an error when a report is submitted upon error.
- Fixed the LFI Exploiter null reference.
- Fixed a bug that occurs when a detailed scan report does not report the CVSS scores for custom vulnerabilities.
- Fixed a bug that occurs when the Log4J vulnerability profile is not migrated with the report policy migration.
- Fixed a bug that occurs when users search the Target URL on the New Scan panel.
- Fixed typo in the timeout error message.
- Fixed a bug that prevents the WSDL files from being imported.
- Fixed reporting “SSL/TLS not implemented” when scanning only TLS 1.3 supported sites.
- Fixed a bug that throws an error for NTLM authentication when the custom username and password credentials are provided while the system proxy is entered into the appsetting.json file.
- Fixed the bug where passive vulnerabilities were reported from out-of-scope links.
REMOVAL
- Removed Expect-CT security check.
- Removed the End-of-Text characters in URL rewrite rules.
v6.5 - 29 Apr 2022
IMPROVEMENTS
- Updated embedded Chromium browser.
- Improved JWT confirmation to avoid false positives.
FIXES
- Fixed an issue where passive vulnerabilities were reported as out-of-scope links.
- Fixed an issue that imports global servers as Swagger files.
- Fixed an issue where the OK button disappears during interactive login.
- Fixed an issue that adds interactive login buttons to iframes.
- Fixed a null reference exception at the LFI exploit panel.
v6.4.3.35616 - 04 Apr 2022
NEW SECURITY CHECKS
- Added Remote Code Execution (CVE-2022-22965) a.k.a. Spring4Shell detection support.