Invicti Standard

IMPROVEMENTS

• Improved the Late-Confirmation Storage Mechanism to lower disc usage.
• Improved the Links/API definition to add links with a single click.
• Added the Block navigation on SPAs to built-in scan policies.
• Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3.

FIXES

• Fixed the issue that does not terminate the Chromium instances although the max scan duration is exceeded.
• Fixed the issue that automatically enables “Exclude Authentication Pages” after enabling form authentication.
• Fixed the bug that throws null reference exception at the link pool.
• Fixed the bug that prevents GraphQL Endpoint detection when the scan policy is copied.
• Fixed the bug that resulted in running many Chromium instances when a new scan is started.
• Fixed a null reference error when a new scan is started via the command line.

NEW FEATURES

• Added GraphQL Libraries detection support.
• Added the Shark node to the Knowledge Base.
• Added Acunetix XML to URL Import.
• Added built-in DVWA policies to scan policies.

IMPROVEMENTS

• Updated embedded Chromium browser.
• Added a new IAST vulnerability: Overly Long Session Timeout.
• Added new config vulnerabilities for the IAST Node.js sensor.
• Added new config vulnerabilities for the IAST Java sensor.
• Added support for detecting SQL Injections on HSQLDB.
• Added support for detecting XSS through file upload.
• Updated DISA STIG Classifications.
• Updated Java and Node.js IAST sensors.
• Improved time-based blind SQLi detection checks.
• Improved the Content Security Policy Engine.
• Updated XSS via File Upload vulnerability template.
• Updated License Agreement on the Invicti Standard installer.
• Added Extract Resource default property to DOM simulation.
• Improved proxy usage in Netsparker Standard for outgoing web requests such as Hawk.
• Added an option to discard certificate validation errors on the Enterprise Integration window during SSL/TLS connections.
• Added vulnerabilityType filter to add VulnerabilityLookup table.
• Added the agent mode to the authentication request.
• Added a default behavior to scan the login page.
• Added an option to disable anti-CSRF token attacks.
• Added an option to block navigation on SPAs pages.
• Added a default behavior to disable TLS1.3

FIXES

• Fixed basic authorization over HTTP bug.
• Fixed SQL Injection Vulnerability Family Reporting Bug.
• Fixed a bug that the custom script throws a null reference exception when a script is added to the paused scan.
• Fixed a bug that deletes an authentication password when a new scan is started with a copied profile.
• Fixed a bug that causes the Sitemap to disappear during scanning with IAST.
• Fixed a bug that caused missing tables and values when a report policy is exported as an SQL file.
• Fixed a typo bug on GraphQL importing window.
• Fixed the report naming bug that occurs users create a custom report from a base report.
• Fixed an issue that causes the attack process not to be completed for a security check when there is an error occurred while attacking a parameter with an attack pattern.
• Fixed a bug that updates all built-in scan policies instead of edited scan policy.
• Fixed a typo on Skip Crawling & Attacking pop-up.
• Fixed a bug that prevents an error icon from appearing after entering unacceptable characters for the scan policy name.
• Fixed a bug that does not migrate the Spring4Shell Remote Code Execution check to a new scan policy although more than 50% of the checks are selected.
• Fixed a bug that throws an error when the Large SPA is selected from the Load Preset Values drop-down on the Scan Policy window.
• Fixed a bug that does not show Configuration Wizard for the Rest API TestInvicti website.
• Fixed missing template section migration on report policy.
• Fixed a bug that throws an error when a report is submitted upon error.
• Fixed the LFI Exploiter null reference.
• Fixed a bug that occurs when a detailed scan report does not report the CVSS scores for custom vulnerabilities.
• Fixed a bug that occurs when the Log4J vulnerability profile is not migrated with the report policy migration.
• Fixed a bug that occurs when users search the Target URL on the New Scan panel.
• Fixed typo in the timeout error message.
• Fixed a bug that prevents the WSDL files from being imported.
• Fixed reporting “SSL/TLS not implemented” when scanning only TLS 1.3 supported sites.
• Fixed a bug that throws an error for NTLM authentication when the custom username and password credentials are provided when the system proxy is entered into the appsetting.json
• Fixed the bug that the passive vulnerabilities were reported from out-of-scope links.

REMOVAL

• Removed Expect-CT security check.
• Removed the End-of-Text characters in URL rewrite rules.

IMPROVEMENTS

• Updated embedded chromium browser
• Improved JWT confirmation to avoid false positives.

FIXES

• Fixed an issue that passive vulnerabilities were reported as out-of-scope links.
• Fixed an issue that imports global servers as Swagger files.
• Fixed an issue where the OK button disappears during interactive login.
• Fixed an issue that adds interactive login buttons to iframes.
• Fixed a null reference exception at the LFI exploit panel.

NEW SECURITY CHECKS

• Added Remote Code Execution (CVE-2022-22965) a.k.a. Spring4Shell detection support.

IMPROVEMENTS

• Netsparker Standard now Invicti Standard. 
• Added a token matching rule when it is required to get the token from a website other than the target URL.
• Improved the GraphQL attacks to include non-string fields. 

FIXES

• Fixed a consistency issue between the Software Composition Analysis and the Knowledge Base on reported vulnerabilities. 
• Fixed a bug that prevents the Knowledge Base View from being shown properly when a user disables the knowledge base from a scan policy.
• Fixed a null reference exception by adding a control whether the current scan policy is empty.
• Fixed a bug that the agent does not continue the scan after a pause.
• Fixed a bug that does not properly show all components detected by a software composition analysis after a retest. 

IMPROVEMENTS

• Implemented new Log4j attack patterns.
• Added the parameter types to exported reports for GraphQL.

FIXES

• Fixed an issue that Invicti uses a new token instead of the imported token when customers adds imported links.
• Fixed an issue that results in false positive Cross-site Scripting.
• Fixed an issue that prevents the scan policy migration when a newer Invicti Standard version is installed.
• Fixed an issue that the page counter goes to zero in the Recent Scans window.
• Fixed an issue that threw error during the pre-scan validation process in the case of websites that can only be accessed via the proxy.

IMPROVEMENTS

• Added the .deploy extension to Default Policy’s extension list.
• Added a new command line interface parameter -called failfast- to close the Invicti Standard in the silent mode when error occurs.

FIXES

• Fixed a null reference error issue when a user right-clicks the target on the Sitemap. 
• Fixed the URL response error of the main node when Override Target URL check is enabled.
• Fixed the Imported Links date and time value in the body that is cropped. 
• Fixed an issue that opens the vulnerability panel instead of the HTTP Request and Response panel when the email node is selected in the Knowledge Base panel. 
• Fixed the issue with the Missing XSS protection Header in the Out-of-Scope link.
• Fixed an issue that tries to stop the scan when the What’s New tab is closed.
• Fixed an issue that Invicti Standard starts a retest for a vulnerability randomly. 
• Fixed a payload for the GraphQL.

FIXES

• Fixed a scan policy migration issue that causes selecting all the security checks.

NEW FEATURES

• Added Software Composition Analysis (SCA) feature.
• Added OWASP Top 10 2021 classification and report.
• Added support for scanning GraphQL APIs.

NEW SECURITY CHECKS

• Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Jira.
• Added Stack Trace Disclosure Signature for Java.
• Added Shopify Identified Security Check.

IMPROVEMENTS

• Updated Invicti Standard .NET Framework version from 4.7.2 to 4.8.
• Allowed to enter hyphens for the proxy address on the Proxy Settings.
• Enabled that all child controlled scan parameters are listed in the Sitemap parent node.
• Changed classification for Cross-site Referrer Leakage and Breach in OWASP Top Ten 2021.
• Changed CryptographicException error log type.
• Added condition that when the max crawling link is reached, the DOM simulation stops.
• Updated Version Disclosure Signature for Apache Coyote.
• Added callback flag to prevent multi trigger of DOM parser view callback
• Improved the importing of RAML files includes other files.
• Added tags property to the Kenna Send to Action.
• Updated Freshservice integration not to send user agent header.
• Updated Version Disclosure Signature for Jolokia.
• Improved the Form Values to be entered into the relevant sections during the form authentication process in the React environment.
• Improved the login verification process by detecting page load properly.

FIXES

• Fixed an issue that created an incorrect issue link in Bitbucket Integration.
• Fixed an issue that occurred when the proxy information from the Proxy Auto-Configuration file cannot be transmitted in requests made by the browser.
• Fixed the null reference error (NRE) that occurred during importing the paused or canceled scan files.
• Fixed an issue that calculated total response time incorrectly.
• Fixed the bug related to Send To action of Kenna integration.
• Fixed the Jolokia version disclosure report to properly highlight the related lines.
• Fixed the OWASP classification links.
• Fixed an issue that does not show a vulnerability when sorted by the Vulnerability Type although it shows when sorted by Severity.
• Fixed the misleading tooltip in Scan Policy – Security Checks.
• Fixed the misaligned text on the PDF version of Executive Summary Report.
• Fixed an issue that Invicti Standard doesn’t show out-of-scope warning when out-of-scope link is imported.
• Fixed the inconsistent vulnerability count between reports and status bar.
• Fixed the manual authentication issue when links are imported from URL.
• Fixed the Sitemap multilevel group count.
• Fixed Scan Policy security check count.
• Fixed a naming issue that occurred when a new custom report name contains a dot.
• Fixed an issue while changing the Data Directory option on Storage tab.
• Fixed the issue that external references were not rendered correctly.

NEW SECURITY CHECKS

• Added Out of Band Code Evaluation (Log4j – CVE-2021-44228) a.k.a. Log4Shell detection support.

NEW FEATURES

• Added Node.js sensor for Invicti Shark (IAST).
• Added OWASP API Top 10 classification and report template.

NEW SECURITY CHECKS

• Added signature matching to Web app fingerprint checker.
• Added patterns for Base64 encoded DOM Cross-site Scripting.
• Added phpMyAdmin Version Disclosure security check.
• Added Atlassian Confluence Version disclosure and Out-of-date security checks.
• Added exclusion feature to JavaScript Library detection.
• Added PHP Version Detection via phpinfo() call.
• Added the Shopify Identified security check.

IMPROVEMENTS

• Added the Bridge URL and Shark token support for Invicti Shark (IAST).
• Added setting to configure Session Cookie Names.
• Updated CWE classification category orders for Out-of-date templates.
• Improved Cross-site Scripting attack pattern.
• Added support for exploiting local storage and session storage in the DOM XSS security checks.
• Added highlighting support for custom scripts.
• Added Web Application Firewall to the site profile.
• Changed the default ignored parameter comparison to case insensitive.
• Added ‘Is Encoded’ option to OAuth2 parameters.
• Added JWT Token pre-request script template.
• Added the CSP Not Implemented that will be reported as confirmed.
• Added the Subresource integrity not implemented that will be reported as confirmed.

FIXES

• Fixed the issue that Content-Type header missing was reported when there was no content in the response.
• Fixed the issue FP JWT was reported in a not found response.
• Fixed the issue possible and confirmed vulnerabilities reported in the same URL.
• Marked weak TLS ciphers.
• Fixed the issue proof that was generated even when the proof generation option was disabled in the scan policy.
• Fixed FP WAF Identified.
• Fixed the issue vulnerability count in root node is not updated when a vulnerability is removed and Blind XSS was prioritized over the Reflected Cross-site Scripting.
• Fixed the issue source code disclosure is reported in binary responses.
• Fixed the issue fingerprint checker crashes when an applications file could not be found.
• Fixed the issue object-src missing was reported when default-src is provided in CSP security checks.
• Fixed the issue that some cipher suites are not reported as weak.
• Fixed the issue classification links were not rendered correctly when there are multiple values.
• Fixed the issue proof prefix was added when there were no more characters to be found.

NEW FEATURES

• Added Authentication Profiles
• Added the Overall Latest Version field to out-of-date vulnerabilities
• Added multiple vulnerabilities reporting support to passive and singular custom scripts
• Added Acunetix 360 integration

NEW SECURITY CHECKS

• Implemented JSON Web Token (JWT) security check
• Added the SSL Certificate is About to Expire security check
• Added StackPath Web Application Firewall (WAF) detection.
• Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Proxy Server.
• Added Identified, Version Disclosure, and Out-of-date security checks for JavaServer Pages
• Added Identified, Version Disclosure, and Out-of-date security checks for Kong Server
• Added Identified, Version Disclosure, and Out-of-date security checks for Liferay Digital Experience Platform.
• Added Identified, Version Disclosure, and Out-of-date security checks for Taleo Web Server
• Added Version Disclosure and Out-of-date security checks for Sugar Customer Relationship Management (CRM)
• Added Version Disclosure and Out-of-date security checks for Squid
• Added Identified and Out-of-date security checks for Magento
• Added Out-of-date security check for Daiquiri
• Added Identified security check for Plesk (Windows)
• Added Identified security check for Vegur
• Added Identified security check for HupSpot
• Added Identified security check for DataDome
• Added Identified security check for Craft CMS
• Added Identified security check for Windows Azure Web Apps
• Added Identified security check for OpenVPN Access Server
• Added Identified security check for Squarespace
• Added Identified security check for Plesk (Linux)
• Added Identified security check for Lighthouse
• Added Identified security check for BitNinja Captcha Server
• Added Identified security check for Pardot Server

IMPROVEMENTS

• Added Scan Paused, Scan Resumed, Scan Canceled, and Scan Finished states to the log category.
• Send to Request Builder option is now visible for Issue Group Nodes
• Added page type field to vulnerability reports
• Added Authentication Profile name to reports
• Improved RAML Importer to import the ZIP files
• Added application name and version information to a vulnerability report
• Implemented Swagger path parameter default value
• Fixed a Dom XSS scan stuck issue
• Fixed Daiquiri Identified reporting redundant custom field issue.
• Improved Common Weakness Enumeration (CWE) classifications for Out-of-Date Version vulnerabilities
• Added a new Akamai Content Delivery Network (CDN) detection signature
• Added a new Varnish Cache detection signature
• Added missing Identified security checks for the existing technologies
• Improved the summary section of the Version Disclosure template for SharePoint
• Improved TRACE/TRACK Method Detected security check
• Improved SVN Detected security check
• Improved Version Disclosure security check and report template for Phusion Passenger
• Improved Caddy Web Server Identified security check.
• Improved WAF Identifier security check.
• Added Blind SQL Injection security check with a new XOR payload for MySQL
• Proxy credential passed to Chrome page authentication
• Vulnerabilities ordered by severity in the Comparison Report

FIXES

• Fixed Invicti license decrypt problem
• HTTPS Requests are recorded as HTTP
• Fixed the requested security protocol is not supported error
• Fixed handling Protocol Buffers encoding type
• Fixed miswritten product name
• Fixed Phusion Passenger version disclosure template and added Out-of-Date mapping
• Fixed analyzing headers even if the identification source is the crawler
• Fixed an issue that may cause deadlock during adding items to Sitemap
• Fixed an issue that caused out-of-scope URLs to be scanned when the override target URL option is enabled and the authentication is failed while scanning.
• Fixed issue where headers in Postman collection were not replaced with variables
• Fixed an issue that cause SSL validation callback returns invalid SSL certificates as out-of-scope links
• Added disable-feature flag to the browser manager
• Fixed a null reference exception while generating Knowledge Base report
• Rare error when loading overlay window showed was ignored
• Fixed out-of-scope imported links showing in Knowledge Base Rest API List
• Fixed a detection issue with the Akamai CDN signature.
• Fixed a detection issue with Tomcat Identified security check.
• Fixed the signatures of phpMyAdmin Identified security check
• Fixed big size upload error
• The Exclude Authentication Page option will be checked if there is a selected authentication profile
• Fixed DPI settings at Custom Script Dialog
• Disabled GPU acceleration to prevent rendering errors and black bars
• Fixed UI bugs at General Scan Profile Settings
• Fixed issue max page visit was not received but showing in Knowledge Base because of max signature limit
• Fixed Custom 404 Regex in Invicti Enterprise scan data is shown as Auto 404 at Invicti Standard
• Fixed malformed VDB exception while getting the latest version of the application
• Severity null control added to the Vulnerability Profile dialog
• Fixed a non-recurring parameter while logging in with auto-authenticator
• Fixed Scan Policy Report migration primary key error
• Fixed saving Crawl & Attack option to the Scan Profile
• Fixed Logout detection window shows first entered URL for every login simulation error
• Fixed reporting false positive HSTS vulnerability