Release Notes

Invicti Standard

RSS Feed

v6.6.1.36926 - 19 Jul 2022

IMPROVEMENTS Improved the Late-Confirmation Storage Mechanism to lower disc usage. Improved the Links/API definition to add links with a single click. Added the Block navigation on SPAs to built-in scan policies. Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3. …

IMPROVEMENTS

  • Improved the Late-Confirmation Storage Mechanism to lower disc usage.
  • Improved the Links/API definition to add links with a single click.
  • Added the Block navigation on SPAs to built-in scan policies.
  • Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3.

FIXES

  • Fixed the issue that does not terminate the Chromium instances although the max scan duration is exceeded.
  • Fixed the issue that automatically enables “Exclude Authentication Pages” after enabling form authentication.
  • Fixed the bug that throws null reference exception at the link pool.
  • Fixed the bug that prevents GraphQL Endpoint detection when the scan policy is copied.
  • Fixed the bug that resulted in running many Chromium instances when a new scan is started.
  • Fixed a null reference error when a new scan is started via the command line.

v6.6.0.36485 - 14 Jun 2022

NEW FEATURES Added GraphQL Libraries detection support. Added the Shark node to the Knowledge Base. Added Acunetix XML to URL Import. Added built-in DVWA policies to scan policies. IMPROVEMENTS Updated embedded Chromium browser. Added a new IAST vulnerability: Overly Long Session Timeout. Added new config vulnerabilities for the IAST Node.js sensor. Added new config vulnerabilities for …

NEW FEATURES

IMPROVEMENTS

  • Updated embedded Chromium browser.
  • Added a new IAST vulnerability: Overly Long Session Timeout.
  • Added new config vulnerabilities for the IAST Node.js sensor.
  • Added new config vulnerabilities for the IAST Java sensor.
  • Added support for detecting SQL Injections on HSQLDB.
  • Added support for detecting XSS through file upload.
  • Updated DISA STIG Classifications.
  • Updated Java and Node.js IAST sensors.
  • Improved time-based blind SQLi detection checks.
  • Improved the Content Security Policy Engine.
  • Updated XSS via File Upload vulnerability template.
  • Updated License Agreement on the Invicti Standard installer.
  • Added Extract Resource default property to DOM simulation.
  • Improved proxy usage in Netsparker Standard for outgoing web requests such as Hawk.
  • Added an option to discard certificate validation errors on the Enterprise Integration window during SSL/TLS connections.
  • Added vulnerabilityType filter to add VulnerabilityLookup table.
  • Added the agent mode to the authentication request.
  • Added a default behavior to scan the login page.
  • Added an option to disable anti-CSRF token attacks.
  • Added an option to block navigation on SPAs pages.
  • Added a default behavior to disable TLS1.3

FIXES

  • Fixed basic authorization over HTTP bug.
  • Fixed SQL Injection Vulnerability Family Reporting Bug.
  • Fixed a bug that the custom script throws a null reference exception when a script is added to the paused scan.
  • Fixed a bug that deletes an authentication password when a new scan is started with a copied profile.
  • Fixed a bug that causes the Sitemap to disappear during scanning with IAST.
  • Fixed a bug that caused missing tables and values when a report policy is exported as an SQL file.
  • Fixed a typo bug on GraphQL importing window.
  • Fixed the report naming bug that occurs users create a custom report from a base report.
  • Fixed an issue that causes the attack process not to be completed for a security check when there is an error occurred while attacking a parameter with an attack pattern.
  • Fixed a bug that updates all built-in scan policies instead of edited scan policy.
  • Fixed a typo on Skip Crawling & Attacking pop-up.
  • Fixed a bug that prevents an error icon from appearing after entering unacceptable characters for the scan policy name.
  • Fixed a bug that does not migrate the Spring4Shell Remote Code Execution check to a new scan policy although more than 50% of the checks are selected.
  • Fixed a bug that throws an error when the Large SPA is selected from the Load Preset Values drop-down on the Scan Policy window.
  • Fixed a bug that does not show Configuration Wizard for the Rest API TestInvicti website.
  • Fixed missing template section migration on report policy.
  • Fixed a bug that throws an error when a report is submitted upon error.
  • Fixed the LFI Exploiter null reference.
  • Fixed a bug that occurs when a detailed scan report does not report the CVSS scores for custom vulnerabilities.
  • Fixed a bug that occurs when the Log4J vulnerability profile is not migrated with the report policy migration.
  • Fixed a bug that occurs when users search the Target URL on the New Scan panel.
  • Fixed typo in the timeout error message.
  • Fixed a bug that prevents the WSDL files from being imported.
  • Fixed reporting “SSL/TLS not implemented” when scanning only TLS 1.3 supported sites.
  • Fixed a bug that throws an error for NTLM authentication when the custom username and password credentials are provided when the system proxy is entered into the appsetting.json
  • Fixed the bug that the passive vulnerabilities were reported from out-of-scope links.

REMOVAL

  • Removed Expect-CT security check.
  • Removed the End-of-Text characters in URL rewrite rules.

v6.5 - 29 Apr 2022

IMPROVEMENTS Updated embedded chromium browser Improved JWT confirmation to avoid false positives. FIXES Fixed an issue that passive vulnerabilities were reported as out-of-scope links. Fixed an issue that imports global servers as Swagger files. Fixed an issue where the OK button disappears during interactive login. Fixed an issue that adds interactive login buttons to iframes. …

IMPROVEMENTS

  • Updated embedded chromium browser
  • Improved JWT confirmation to avoid false positives.

FIXES

  • Fixed an issue that passive vulnerabilities were reported as out-of-scope links.
  • Fixed an issue that imports global servers as Swagger files.
  • Fixed an issue where the OK button disappears during interactive login.
  • Fixed an issue that adds interactive login buttons to iframes.
  • Fixed a null reference exception at the LFI exploit panel.

v6.4.3.35616 - 04 Apr 2022

NEW SECURITY CHECKS Added Remote Code Execution (CVE-2022-22965) a.k.a. Spring4Shell detection support.

NEW SECURITY CHECKS

  • Added Remote Code Execution (CVE-2022-22965) a.k.a. Spring4Shell detection support.

v6.4.0.35166 - 08 Mar 2022

IMPROVEMENTS Netsparker Standard now Invicti Standard.  Added a token matching rule when it is required to get the token from a website other than the target URL. Improved the GraphQL attacks to include non-string fields.  FIXES Fixed a consistency issue between the Software Composition Analysis and the Knowledge Base on reported vulnerabilities.  Fixed a bug …

IMPROVEMENTS

  • Netsparker Standard now Invicti Standard
  • Added a token matching rule when it is required to get the token from a website other than the target URL.
  • Improved the GraphQL attacks to include non-string fields. 

FIXES

  • Fixed a consistency issue between the Software Composition Analysis and the Knowledge Base on reported vulnerabilities. 
  • Fixed a bug that prevents the Knowledge Base View from being shown properly when a user disables the knowledge base from a scan policy.
  • Fixed a null reference exception by adding a control whether the current scan policy is empty.
  • Fixed a bug that the agent does not continue the scan after a pause.
  • Fixed a bug that does not properly show all components detected by a software composition analysis after a retest. 

v6.3.3.34686 - 14 Feb 2022

IMPROVEMENTS Implemented new Log4j attack patterns. Added the parameter types to exported reports for GraphQL. FIXES Fixed an issue that Invicti uses a new token instead of the imported token when customers adds imported links. Fixed an issue that results in false positive Cross-site Scripting. Fixed an issue that prevents the scan policy migration when a …

IMPROVEMENTS

FIXES

  • Fixed an issue that Invicti uses a new token instead of the imported token when customers adds imported links.
  • Fixed an issue that results in false positive Cross-site Scripting.
  • Fixed an issue that prevents the scan policy migration when a newer Invicti Standard version is installed.
  • Fixed an issue that the page counter goes to zero in the Recent Scans window.
  • Fixed an issue that threw error during the pre-scan validation process in the case of websites that can only be accessed via the proxy.

v6.3.2.34187 - 20 Jan 2022

IMPROVEMENTS Added the .deploy extension to Default Policy’s extension list. Added a new command line interface parameter -called failfast- to close the Invicti Standard in the silent mode when error occurs. FIXES Fixed a null reference error issue when a user right-clicks the target on the Sitemap.  Fixed the URL response error of the main …

IMPROVEMENTS

  • Added the .deploy extension to Default Policy’s extension list.
  • Added a new command line interface parameter -called failfast- to close the Invicti Standard in the silent mode when error occurs.

FIXES

  • Fixed a null reference error issue when a user right-clicks the target on the Sitemap. 
  • Fixed the URL response error of the main node when Override Target URL check is enabled.
  • Fixed the Imported Links date and time value in the body that is cropped. 
  • Fixed an issue that opens the vulnerability panel instead of the HTTP Request and Response panel when the email node is selected in the Knowledge Base panel. 
  • Fixed the issue with the Missing XSS protection Header in the Out-of-Scope link.
  • Fixed an issue that tries to stop the scan when the What’s New tab is closed.
  • Fixed an issue that Invicti Standard starts a retest for a vulnerability randomly. 
  • Fixed a payload for the GraphQL.

v6.3.1.33855 - 29 Dec 2021

FIXES Fixed a scan policy migration issue that causes selecting all the security checks.

FIXES

  • Fixed a scan policy migration issue that causes selecting all the security checks.

v6.3.033782 - 23 Dec 2021

NEW FEATURES Added Software Composition Analysis (SCA) feature. Added OWASP Top 10 2021 classification and report. Added support for scanning GraphQL APIs. NEW SECURITY CHECKS Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Jira. Added Stack Trace Disclosure Signature for Java. Added Shopify Identified Security Check. IMPROVEMENTS Updated Invicti Standard .NET Framework version from 4.7.2 …

NEW FEATURES

NEW SECURITY CHECKS

  • Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Jira.
  • Added Stack Trace Disclosure Signature for Java.
  • Added Shopify Identified Security Check.

IMPROVEMENTS

  • Updated Invicti Standard .NET Framework version from 4.7.2 to 4.8.
  • Allowed to enter hyphens for the proxy address on the Proxy Settings.
  • Enabled that all child controlled scan parameters are listed in the Sitemap parent node.
  • Changed classification for Cross-site Referrer Leakage and Breach in OWASP Top Ten 2021.
  • Changed CryptographicException error log type.
  • Added condition that when the max crawling link is reached, the DOM simulation stops.
  • Updated Version Disclosure Signature for Apache Coyote.
  • Added callback flag to prevent multi trigger of DOM parser view callback
  • Improved the importing of RAML files includes other files.
  • Added tags property to the Kenna Send to Action.
  • Updated Freshservice integration not to send user agent header.
  • Updated Version Disclosure Signature for Jolokia.
  • Improved the Form Values to be entered into the relevant sections during the form authentication process in the React environment.
  • Improved the login verification process by detecting page load properly.

FIXES

  • Fixed an issue that created an incorrect issue link in Bitbucket Integration.
  • Fixed an issue that occurred when the proxy information from the Proxy Auto-Configuration file cannot be transmitted in requests made by the browser.
  • Fixed the null reference error (NRE) that occurred during importing the paused or canceled scan files.
  • Fixed an issue that calculated total response time incorrectly.
  • Fixed the bug related to Send To action of Kenna integration.
  • Fixed the Jolokia version disclosure report to properly highlight the related lines.
  • Fixed the OWASP classification links.
  • Fixed an issue that does not show a vulnerability when sorted by the Vulnerability Type although it shows when sorted by Severity.
  • Fixed the misleading tooltip in Scan Policy – Security Checks.
  • Fixed the misaligned text on the PDF version of Executive Summary Report.
  • Fixed an issue that Invicti Standard doesn’t show out-of-scope warning when out-of-scope link is imported.
  • Fixed the inconsistent vulnerability count between reports and status bar.
  • Fixed the manual authentication issue when links are imported from URL.
  • Fixed the Sitemap multilevel group count.
  • Fixed Scan Policy security check count.
  • Fixed a naming issue that occurred when a new custom report name contains a dot.
  • Fixed an issue while changing the Data Directory option on Storage tab.
  • Fixed the issue that external references were not rendered correctly.

v6.2.1.33642 - 14 Dec 2021

NEW SECURITY CHECKS Added Out of Band Code Evaluation (Log4j – CVE-2021-44228) a.k.a. Log4Shell detection support.

NEW SECURITY CHECKS

  • Added Out of Band Code Evaluation (Log4j – CVE-2021-44228) a.k.a. Log4Shell detection support.

v6.2 - 16 Nov 2021

NEW FEATURES Added Node.js sensor for Invicti Shark (IAST). Added OWASP API Top 10 classification and report template. NEW SECURITY CHECKS Added signature matching to Web app fingerprint checker. Added patterns for Base64 encoded DOM Cross-site Scripting. Added phpMyAdmin Version Disclosure security check. Added Atlassian Confluence Version disclosure and Out-of-date security checks. Added exclusion feature to JavaScript …

NEW FEATURES

NEW SECURITY CHECKS

  • Added signature matching to Web app fingerprint checker.
  • Added patterns for Base64 encoded DOM Cross-site Scripting.
  • Added phpMyAdmin Version Disclosure security check.
  • Added Atlassian Confluence Version disclosure and Out-of-date security checks.
  • Added exclusion feature to JavaScript Library detection.
  • Added PHP Version Detection via phpinfo() call.
  • Added the Shopify Identified security check.

IMPROVEMENTS

  • Added the Bridge URL and Shark token support for Invicti Shark (IAST).
  • Added setting to configure Session Cookie Names.
  • Updated CWE classification category orders for Out-of-date templates.
  • Improved Cross-site Scripting attack pattern.
  • Added support for exploiting local storage and session storage in the DOM XSS security checks.
  • Added highlighting support for custom scripts.
  • Added Web Application Firewall to the site profile.
  • Changed the default ignored parameter comparison to case insensitive.
  • Added ‘Is Encoded’ option to OAuth2 parameters.
  • Added JWT Token pre-request script template.
  • Added the CSP Not Implemented that will be reported as confirmed.
  • Added the Subresource integrity not implemented that will be reported as confirmed.

FIXES

  • Fixed the issue that Content-Type header missing was reported when there was no content in the response.
  • Fixed the issue FP JWT was reported in a not found response.
  • Fixed the issue possible and confirmed vulnerabilities reported in the same URL.
  • Marked weak TLS ciphers.
  • Fixed the issue proof that was generated even when the proof generation option was disabled in the scan policy.
  • Fixed FP WAF Identified.
  • Fixed the issue vulnerability count in root node is not updated when a vulnerability is removed and Blind XSS was prioritized over the Reflected Cross-site Scripting.
  • Fixed the issue source code disclosure is reported in binary responses.
  • Fixed the issue fingerprint checker crashes when an applications file could not be found.
  • Fixed the issue object-src missing was reported when default-src is provided in CSP security checks.
  • Fixed the issue that some cipher suites are not reported as weak.
  • Fixed the issue classification links were not rendered correctly when there are multiple values.
  • Fixed the issue proof prefix was added when there were no more characters to be found.

v6.1 - 01 Jul 2021

NEW FEATURES Added Authentication Profiles Added the Overall Latest Version field to out-of-date vulnerabilities Added multiple vulnerabilities reporting support to passive and singular custom scripts Added Acunetix 360 integration NEW SECURITY CHECKS Implemented JSON Web Token (JWT) security check Added the SSL Certificate is About to Expire security check Added StackPath Web Application Firewall (WAF) …

NEW FEATURES

NEW SECURITY CHECKS

  • Implemented JSON Web Token (JWT) security check
  • Added the SSL Certificate is About to Expire security check
  • Added StackPath Web Application Firewall (WAF) detection.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Proxy Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for JavaServer Pages
  • Added Identified, Version Disclosure, and Out-of-date security checks for Kong Server
  • Added Identified, Version Disclosure, and Out-of-date security checks for Liferay Digital Experience Platform.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Taleo Web Server
  • Added Version Disclosure and Out-of-date security checks for Sugar Customer Relationship Management (CRM)
  • Added Version Disclosure and Out-of-date security checks for Squid
  • Added Identified and Out-of-date security checks for Magento
  • Added Out-of-date security check for Daiquiri
  • Added Identified security check for Plesk (Windows)
  • Added Identified security check for Vegur
  • Added Identified security check for HupSpot
  • Added Identified security check for DataDome
  • Added Identified security check for Craft CMS
  • Added Identified security check for Windows Azure Web Apps
  • Added Identified security check for OpenVPN Access Server
  • Added Identified security check for Squarespace
  • Added Identified security check for Plesk (Linux)
  • Added Identified security check for Lighthouse
  • Added Identified security check for BitNinja Captcha Server
  • Added Identified security check for Pardot Server

IMPROVEMENTS

  • Added Scan Paused, Scan Resumed, Scan Canceled, and Scan Finished states to the log category.
  • Send to Request Builder option is now visible for Issue Group Nodes
  • Added page type field to vulnerability reports
  • Added Authentication Profile name to reports
  • Improved RAML Importer to import the ZIP files
  • Added application name and version information to a vulnerability report
  • Implemented Swagger path parameter default value
  • Fixed a Dom XSS scan stuck issue
  • Fixed Daiquiri Identified reporting redundant custom field issue.
  • Improved Common Weakness Enumeration (CWE) classifications for Out-of-Date Version vulnerabilities
  • Added a new Akamai Content Delivery Network (CDN) detection signature
  • Added a new Varnish Cache detection signature
  • Added missing Identified security checks for the existing technologies
  • Improved the summary section of the Version Disclosure template for SharePoint
  • Improved TRACE/TRACK Method Detected security check
  • Improved SVN Detected security check
  • Improved Version Disclosure security check and report template for Phusion Passenger
  • Improved Caddy Web Server Identified security check.
  • Improved WAF Identifier security check.
  • Added Blind SQL Injection security check with a new XOR payload for MySQL
  • Proxy credential passed to Chrome page authentication
  • Vulnerabilities ordered by severity in the Comparison Report

FIXES

  • Fixed Invicti license decrypt problem
  • HTTPS Requests are recorded as HTTP
  • Fixed the requested security protocol is not supported error
  • Fixed handling Protocol Buffers encoding type
  • Fixed miswritten product name
  • Fixed Phusion Passenger version disclosure template and added Out-of-Date mapping
  • Fixed analyzing headers even if the identification source is the crawler
  • Fixed an issue that may cause deadlock during adding items to Sitemap
  • Fixed an issue that caused out-of-scope URLs to be scanned when the override target URL option is enabled and the authentication is failed while scanning.
  • Fixed issue where headers in Postman collection were not replaced with variables
  • Fixed an issue that cause SSL validation callback returns invalid SSL certificates as out-of-scope links
  • Added disable-feature flag to the browser manager
  • Fixed a null reference exception while generating Knowledge Base report
  • Rare error when loading overlay window showed was ignored
  • Fixed out-of-scope imported links showing in Knowledge Base Rest API List
  • Fixed a detection issue with the Akamai CDN signature.
  • Fixed a detection issue with Tomcat Identified security check.
  • Fixed the signatures of phpMyAdmin Identified security check
  • Fixed big size upload error
  • The Exclude Authentication Page option will be checked if there is a selected authentication profile
  • Fixed DPI settings at Custom Script Dialog
  • Disabled GPU acceleration to prevent rendering errors and black bars
  • Fixed UI bugs at General Scan Profile Settings
  • Fixed issue max page visit was not received but showing in Knowledge Base because of max signature limit
  • Fixed Custom 404 Regex in Invicti Enterprise scan data is shown as Auto 404 at Invicti Standard
  • Fixed malformed VDB exception while getting the latest version of the application
  • Severity null control added to the Vulnerability Profile dialog
  • Fixed a non-recurring parameter while logging in with auto-authenticator
  • Fixed Scan Policy Report migration primary key error
  • Fixed saving Crawl & Attack option to the Scan Profile
  • Fixed Logout detection window shows first entered URL for every login simulation error
  • Fixed reporting false positive HSTS vulnerability