Changelogs

Invicti Standard

RSS Feed

v6.7.0.37625 - 31 Aug 2022

SECURITY CHECKS Added pattern for XSS via file upload SVG. IMPROVEMENTS Added the Cache By CSS Selector and Max Cache Elements to the scan policies. Added the GraphQL endpoints and libraries to the Knowledge Base. Updated the Jira tooltip for the access token or password field. Removed the target URL health check that lets the …

SECURITY CHECKS

  • Added pattern for XSS via file upload SVG.

IMPROVEMENTS

  • Added the Cache By CSS Selector and Max Cache Elements to the scan policies.
  • Added the GraphQL endpoints and libraries to the Knowledge Base.
  • Updated the Jira tooltip for the access token or password field.
  • Removed the target URL health check that lets the scan continue despite getting error messages such as 403.
  • Improved the raw scan file expired information message.
  • Improved the scan profile test coverage.
  • Updated regex for Stack Trace Disclosure (Java) – Java.Lang Exceptions.
  • Improved the JSON Web Tokens secret list.
  • Improved the re-login process when the logout is detected.

FIXES

  • Fixed the retest issue.
  • Fixed the null reference error thrown during the late confirmation.
  • Fixed an issue of using the disposed objects.
  • Fixed the exception error when cloning the report policy.
  • Fixed the broken links on the report policy.
  • Fixed mistaken NIST and DISA classifications.
  • Fixed a bug that threw the database locked error when Invicti is restarted after a scan.
  • Fixed an issue where a JavaScript Setting option blocks inputs for the single-page applications to be reported in the Web Pages with Inputs node.
  • Fixed a bug that caused the scan session failure when the scan is paused and resumed.
  • Fixed failed scans where the Target URL is IPv6 and starting with ::1
  • Fixed the Postman collection parsing by removing / in front of the query in the URL.
  • Fixed the Shark validation issue that threw exceptions while validating.
  • Fixed the issue with proxy settings, so Invicti prioritizes the settings in the scan policy.
  • Fixed NodeJS RCE-OOB security check.

v6.6.1 - 12 Aug 2022

IMPROVEMENTS Improved the Late-Confirmation Storage Mechanism to lower disc usage. Improved the Links/API definition to add links with a single click. Added the Block navigation on SPAs to built-in scan policies. Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3. …

IMPROVEMENTS

  • Improved the Late-Confirmation Storage Mechanism to lower disc usage.
  • Improved the Links/API definition to add links with a single click.
  • Added the Block navigation on SPAs to built-in scan policies.
  • Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3.

FIXES

  • Fixed the issue that does not terminate the Chromium instances although the max scan duration is exceeded.
  • Fixed the issue that automatically enables “Exclude Authentication Pages” after enabling form authentication.
  • Fixed the bug that throws null reference exception at the link pool.
  • Fixed the bug that prevents GraphQL Endpoint detection when the scan policy is copied.
  • Fixed the bug that resulted in running many Chromium instances when a new scan is started.
  • Fixed a null reference error when a new scan is started via the command line.

v6.6.1.36926 - 19 Jul 2022

IMPROVEMENTS Improved the Late-Confirmation Storage Mechanism to lower disc usage. Improved the Links/API definition to add links with a single click. Added the Block navigation on SPAs to built-in scan policies. Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3. …

IMPROVEMENTS

  • Improved the Late-Confirmation Storage Mechanism to lower disc usage.
  • Improved the Links/API definition to add links with a single click.
  • Added the Block navigation on SPAs to built-in scan policies.
  • Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3.

FIXES

  • Fixed the issue that does not terminate the Chromium instances although the max scan duration is exceeded.
  • Fixed the issue that automatically enables “Exclude Authentication Pages” after enabling form authentication.
  • Fixed the bug that throws null reference exception at the link pool.
  • Fixed the bug that prevents GraphQL Endpoint detection when the scan policy is copied.
  • Fixed the bug that resulted in running many Chromium instances when a new scan is started.
  • Fixed a null reference error when a new scan is started via the command line.

v6.6.0.36485 - 14 Jun 2022

NEW FEATURES Added GraphQL Libraries detection support. Added the Shark node to the Knowledge Base. Added Acunetix XML to URL Import. Added built-in DVWA policies to scan policies. IMPROVEMENTS Updated embedded Chromium browser. Added a new IAST vulnerability: Overly Long Session Timeout. Added new config vulnerabilities for the IAST Node.js sensor. Added new config vulnerabilities for …

NEW FEATURES

IMPROVEMENTS

  • Updated embedded Chromium browser.
  • Added a new IAST vulnerability: Overly Long Session Timeout.
  • Added new config vulnerabilities for the IAST Node.js sensor.
  • Added new config vulnerabilities for the IAST Java sensor.
  • Added support for detecting SQL Injections on HSQLDB.
  • Added support for detecting XSS through file upload.
  • Updated DISA STIG Classifications.
  • Updated Java and Node.js IAST sensors.
  • Improved time-based blind SQLi detection checks.
  • Improved the Content Security Policy Engine.
  • Updated XSS via File Upload vulnerability template.
  • Updated License Agreement on the Invicti Standard installer.
  • Added Extract Resource default property to DOM simulation.
  • Improved proxy usage in Netsparker Standard for outgoing web requests such as Hawk.
  • Added an option to discard certificate validation errors on the Enterprise Integration window during SSL/TLS connections.
  • Added vulnerabilityType filter to add VulnerabilityLookup table.
  • Added the agent mode to the authentication request.
  • Added a default behavior to scan the login page.
  • Added an option to disable anti-CSRF token attacks.
  • Added an option to block navigation on SPAs pages.
  • Added a default behavior to disable TLS1.3

FIXES

  • Fixed basic authorization over HTTP bug.
  • Fixed SQL Injection Vulnerability Family Reporting Bug.
  • Fixed a bug that the custom script throws a null reference exception when a script is added to the paused scan.
  • Fixed a bug that deletes an authentication password when a new scan is started with a copied profile.
  • Fixed a bug that causes the Sitemap to disappear during scanning with IAST.
  • Fixed a bug that caused missing tables and values when a report policy is exported as an SQL file.
  • Fixed a typo bug on GraphQL importing window.
  • Fixed the report naming bug that occurs users create a custom report from a base report.
  • Fixed an issue that causes the attack process not to be completed for a security check when there is an error occurred while attacking a parameter with an attack pattern.
  • Fixed a bug that updates all built-in scan policies instead of edited scan policy.
  • Fixed a typo on Skip Crawling & Attacking pop-up.
  • Fixed a bug that prevents an error icon from appearing after entering unacceptable characters for the scan policy name.
  • Fixed a bug that does not migrate the Spring4Shell Remote Code Execution check to a new scan policy although more than 50% of the checks are selected.
  • Fixed a bug that throws an error when the Large SPA is selected from the Load Preset Values drop-down on the Scan Policy window.
  • Fixed a bug that does not show Configuration Wizard for the Rest API TestInvicti website.
  • Fixed missing template section migration on report policy.
  • Fixed a bug that throws an error when a report is submitted upon error.
  • Fixed the LFI Exploiter null reference.
  • Fixed a bug that occurs when a detailed scan report does not report the CVSS scores for custom vulnerabilities.
  • Fixed a bug that occurs when the Log4J vulnerability profile is not migrated with the report policy migration.
  • Fixed a bug that occurs when users search the Target URL on the New Scan panel.
  • Fixed typo in the timeout error message.
  • Fixed a bug that prevents the WSDL files from being imported.
  • Fixed reporting “SSL/TLS not implemented” when scanning only TLS 1.3 supported sites.
  • Fixed a bug that throws an error for NTLM authentication when the custom username and password credentials are provided when the system proxy is entered into the appsetting.json
  • Fixed the bug that the passive vulnerabilities were reported from out-of-scope links.

REMOVAL

  • Removed Expect-CT security check.
  • Removed the End-of-Text characters in URL rewrite rules.

v6.5 - 29 Apr 2022

IMPROVEMENTS Updated embedded chromium browser Improved JWT confirmation to avoid false positives. FIXES Fixed an issue that passive vulnerabilities were reported as out-of-scope links. Fixed an issue that imports global servers as Swagger files. Fixed an issue where the OK button disappears during interactive login. Fixed an issue that adds interactive login buttons to iframes. …

IMPROVEMENTS

  • Updated embedded chromium browser
  • Improved JWT confirmation to avoid false positives.

FIXES

  • Fixed an issue that passive vulnerabilities were reported as out-of-scope links.
  • Fixed an issue that imports global servers as Swagger files.
  • Fixed an issue where the OK button disappears during interactive login.
  • Fixed an issue that adds interactive login buttons to iframes.
  • Fixed a null reference exception at the LFI exploit panel.

v6.4.3.35616 - 04 Apr 2022

NEW SECURITY CHECKS Added Remote Code Execution (CVE-2022-22965) a.k.a. Spring4Shell detection support.

NEW SECURITY CHECKS

  • Added Remote Code Execution (CVE-2022-22965) a.k.a. Spring4Shell detection support.

v6.4.0.35166 - 08 Mar 2022

IMPROVEMENTS Netsparker Standard now Invicti Standard.  Added a token matching rule when it is required to get the token from a website other than the target URL. Improved the GraphQL attacks to include non-string fields.  FIXES Fixed a consistency issue between the Software Composition Analysis and the Knowledge Base on reported vulnerabilities.  Fixed a bug …

IMPROVEMENTS

  • Netsparker Standard now Invicti Standard
  • Added a token matching rule when it is required to get the token from a website other than the target URL.
  • Improved the GraphQL attacks to include non-string fields. 

FIXES

  • Fixed a consistency issue between the Software Composition Analysis and the Knowledge Base on reported vulnerabilities. 
  • Fixed a bug that prevents the Knowledge Base View from being shown properly when a user disables the knowledge base from a scan policy.
  • Fixed a null reference exception by adding a control whether the current scan policy is empty.
  • Fixed a bug that the agent does not continue the scan after a pause.
  • Fixed a bug that does not properly show all components detected by a software composition analysis after a retest. 

v6.3.3.34686 - 14 Feb 2022

IMPROVEMENTS Implemented new Log4j attack patterns. Added the parameter types to exported reports for GraphQL. FIXES Fixed an issue that Invicti uses a new token instead of the imported token when customers adds imported links. Fixed an issue that results in false positive Cross-site Scripting. Fixed an issue that prevents the scan policy migration when a …

IMPROVEMENTS

FIXES

  • Fixed an issue that Invicti uses a new token instead of the imported token when customers adds imported links.
  • Fixed an issue that results in false positive Cross-site Scripting.
  • Fixed an issue that prevents the scan policy migration when a newer Invicti Standard version is installed.
  • Fixed an issue that the page counter goes to zero in the Recent Scans window.
  • Fixed an issue that threw error during the pre-scan validation process in the case of websites that can only be accessed via the proxy.

v6.3.2.34187 - 20 Jan 2022

IMPROVEMENTS Added the .deploy extension to Default Policy’s extension list. Added a new command line interface parameter -called failfast- to close the Invicti Standard in the silent mode when error occurs. FIXES Fixed a null reference error issue when a user right-clicks the target on the Sitemap.  Fixed the URL response error of the main …

IMPROVEMENTS

  • Added the .deploy extension to Default Policy’s extension list.
  • Added a new command line interface parameter -called failfast- to close the Invicti Standard in the silent mode when error occurs.

FIXES

  • Fixed a null reference error issue when a user right-clicks the target on the Sitemap. 
  • Fixed the URL response error of the main node when Override Target URL check is enabled.
  • Fixed the Imported Links date and time value in the body that is cropped. 
  • Fixed an issue that opens the vulnerability panel instead of the HTTP Request and Response panel when the email node is selected in the Knowledge Base panel. 
  • Fixed the issue with the Missing XSS protection Header in the Out-of-Scope link.
  • Fixed an issue that tries to stop the scan when the What’s New tab is closed.
  • Fixed an issue that Invicti Standard starts a retest for a vulnerability randomly. 
  • Fixed a payload for the GraphQL.

v6.3.1.33855 - 29 Dec 2021

FIXES Fixed a scan policy migration issue that causes selecting all the security checks.

FIXES

  • Fixed a scan policy migration issue that causes selecting all the security checks.

v6.3.033782 - 23 Dec 2021

NEW FEATURES Added Software Composition Analysis (SCA) feature. Added OWASP Top 10 2021 classification and report. Added support for scanning GraphQL APIs. NEW SECURITY CHECKS Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Jira. Added Stack Trace Disclosure Signature for Java. Added Shopify Identified Security Check. IMPROVEMENTS Updated Invicti Standard .NET Framework version from 4.7.2 …

NEW FEATURES

NEW SECURITY CHECKS

  • Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Jira.
  • Added Stack Trace Disclosure Signature for Java.
  • Added Shopify Identified Security Check.

IMPROVEMENTS

  • Updated Invicti Standard .NET Framework version from 4.7.2 to 4.8.
  • Allowed to enter hyphens for the proxy address on the Proxy Settings.
  • Enabled that all child controlled scan parameters are listed in the Sitemap parent node.
  • Changed classification for Cross-site Referrer Leakage and Breach in OWASP Top Ten 2021.
  • Changed CryptographicException error log type.
  • Added condition that when the max crawling link is reached, the DOM simulation stops.
  • Updated Version Disclosure Signature for Apache Coyote.
  • Added callback flag to prevent multi trigger of DOM parser view callback
  • Improved the importing of RAML files includes other files.
  • Added tags property to the Kenna Send to Action.
  • Updated Freshservice integration not to send user agent header.
  • Updated Version Disclosure Signature for Jolokia.
  • Improved the Form Values to be entered into the relevant sections during the form authentication process in the React environment.
  • Improved the login verification process by detecting page load properly.

FIXES

  • Fixed an issue that created an incorrect issue link in Bitbucket Integration.
  • Fixed an issue that occurred when the proxy information from the Proxy Auto-Configuration file cannot be transmitted in requests made by the browser.
  • Fixed the null reference error (NRE) that occurred during importing the paused or canceled scan files.
  • Fixed an issue that calculated total response time incorrectly.
  • Fixed the bug related to Send To action of Kenna integration.
  • Fixed the Jolokia version disclosure report to properly highlight the related lines.
  • Fixed the OWASP classification links.
  • Fixed an issue that does not show a vulnerability when sorted by the Vulnerability Type although it shows when sorted by Severity.
  • Fixed the misleading tooltip in Scan Policy – Security Checks.
  • Fixed the misaligned text on the PDF version of Executive Summary Report.
  • Fixed an issue that Invicti Standard doesn’t show out-of-scope warning when out-of-scope link is imported.
  • Fixed the inconsistent vulnerability count between reports and status bar.
  • Fixed the manual authentication issue when links are imported from URL.
  • Fixed the Sitemap multilevel group count.
  • Fixed Scan Policy security check count.
  • Fixed a naming issue that occurred when a new custom report name contains a dot.
  • Fixed an issue while changing the Data Directory option on Storage tab.
  • Fixed the issue that external references were not rendered correctly.

v6.2.1.33642 - 14 Dec 2021

NEW SECURITY CHECKS Added Out of Band Code Evaluation (Log4j – CVE-2021-44228) a.k.a. Log4Shell detection support.

NEW SECURITY CHECKS

  • Added Out of Band Code Evaluation (Log4j – CVE-2021-44228) a.k.a. Log4Shell detection support.