Changelogs

Invicti Standard

RSS Feed

05 Oct 2016

FIXES Fixed an issue which prevents resource files (report templates, etc.) updates.

FIXES

  • Fixed an issue which prevents resource files (report templates, etc.) updates.

03 Oct 2016

NEW FEATURES Added the ability to configure the scanner to scan websites which are linked from the target website. Added the Common Vulnerability Scoring System (CVSS) in vulnerability reports. Added ability to play sounds while certain program events occur (i.e. scan finished, vulnerability found). Added OWASP Proactive Guide to classification list. NEW SECURITY CHECKS Added …

NEW FEATURES

NEW SECURITY CHECKS

IMPROVEMENTS

  • Improved XSS security checks coverage.
  • Improved the Report Policy Editor.
  • Improved the default filename of generated exploits.
  • Renamed “Permanent XSS” vulnerability to “Stored XSS”.
  • Authentication credentials are now stored encrypted in profile files.
  • Increased the number of vulnerabilities for which the scanner highlights the text related to the vulnerability in the HTTP response viewer.
  • Added an option to follow redirects for the HTTP Request Builder.
  • Added auto completion support to Scan Policy > Headers grid for well-known request headers.
  • Added the version information of Invicti to the reports.
  • Added type ahead search functionality for Scan Policy > Security Checks.
  • Added HTTP methods to AJAX / XML HTTP Requests knowledgebase section.
  • Added editing support for imported links.
  • Optimized the performance of SOAP web service parsing by skipping the WSDLs that are already parsed.
  • Added Scan Policy > Crawling options to enable/disable parsing of SOAP and REST web services.
  • Added JavaScript dialog support for form authentication verification dialog.
  • Improved HTTP request logging by splitting log files once a certain amount of requests are logged.
  • Improved DOM simulation by simulating “contextmenu” events.
  • Added “Attacked Parameters” column to “Scanned URLs List” report.
  • Improved Manual Crawl (Proxy Mode) feature to work as passive and not re-issue the requests made during manual crawl phase.
  • Increased the default values for “Maximum Page Visit” and “Max. Number of Parameters to Attack on a Single Page” settings.
  • Improved XML parsing during crawling by parsing empty XML elements as parameters too.
  • Added the ability to attack parameter names.
  • Added a note to vulnerability detail for non-exploitable frame injection.
  • Added .jhtml and .jsp attacks to file upload engine.
  • Improved CORS security checks.
  • Improved Open Redirect engine to detect CNAME injection such as example.com.r87.com.
  • Added tooltips for long texts shown on activity dashboard.
  • Added current DOM XSS attack information to activity pane.
  • Improved XSS confirmation for vulnerabilities found inside noscript tags.
  • Added a new method (Vulnerability.GetTemplateSections) for reporting API to be able to get vulnerability template section content separately.
  • Added an attack pattern to the command injection engine to bypass whitespace filtering using $IFS environment variable.
  • Added /resumescan parameter to command line options to resume the loaded scan.

FIXES

  • Fixed an issue where incorrect PHP source code disclosures are reported for some binary responses.
  • Fixed the position of clipped auto update notification.
  • Fixed the broken External Reference link on Remote Code Evaluation (PHP) vulnerability.
  • Fixed a file upload input DOM parsing issue which prevents some file upload attacks.
  • Fixed an issue where switching between builder and raw tabs causes POST parameter to be removed on Request Builder.
  • Fixed the duplicate log printed for same WSDLs.
  • Fixed a NullReferenceException thrown when the Request Builder fails to make a request with the current SecurityProtocol setting.
  • Fixed the blurred message dialog icons on high DPI screens.
  • Fixed various navigation issues of Previous and Next buttons on HTTP Response viewer.
  • Fixed the missing GET parameter request builder issue occurs when a full querystring/URL attack request is sent.
  • Fixed a form authentication issue occurs on web sites that opens popups during form authentication sequence.
  • Fixed a DOM simulation issue occurs when there is a form element with name “action” on target web page.
  • Fixed the duplicate cookie issue occurs while using Manual Crawling (Proxy Mode) scanning feature.
  • Fixed duplicate “Email Address Disclosure” reporting issue.
  • Fixed a NullReferenceException on occurs during CORS security checks.
  • Fixed an issue where current OS UI language was not being selected automatically upon first start.
  • Fixed a CSRF exploit generation issue where the generated file is empty.
  • Fixed an issue where injection/identification responses are unable to display for file upload vulnerability.
  • Fixed an issue where XSS vulnerability is missed when multiple redirects occur.
  • Fixed a text parsing issue where relative URLs were not supported as base href values.
  • Fixed an issue where Missing X-Frame-Options Header vulnerability is reported even though ALLOW-FROM is included in the header.
  • Fixed an XSS attacking issue where duplicate attacks are made for same payload.
  • Fixed a Header Injection attack issue where first line of the HTTP request gets corrupted on full URL attacks.
  • Fixed an issue where post exploitation does not work sometimes.
  • Fixed a form authentication issue where any slash character in credentials cannot be used.

26 Jul 2016

FIXES Fixed an issue in which Invicti crashes when using the Korean interface and trying to start a scan or load a scan file.

FIXES

  • Fixed an issue in which Invicti crashes when using the Korean interface and trying to start a scan or load a scan file.

13 Jul 2016

FIXES Fixed a NullReferenceException thrown during late confirmation. Fixed an incorrect crawling activity reported on scan summary dashboard UI while performing a passive analysis of an attack response. Fixed a Request Builder issue where response is incorrectly reported as binary. Fixed a Request Builder issue where “Enable Raw Request Body” option is initially selected when …

FIXES

  • Fixed a NullReferenceException thrown during late confirmation.
  • Fixed an incorrect crawling activity reported on scan summary dashboard UI while performing a passive analysis of an attack response.
  • Fixed a Request Builder issue where response is incorrectly reported as binary.
  • Fixed a Request Builder issue where “Enable Raw Request Body” option is initially selected when a GET request is dropped on the builder.

30 Jun 2016

NEW FEATURES Added the HTTP Request Builder penetration testing tool. Added a button on start new scan dialog to open target URL on default web browser. Added a new activity type group called “Passive Analysis” which shows the analysis activity of attack responses. IMPROVEMENTS Improved the “HTML Base Tag Hijacking” vulnerability template. Improved the long-term …

NEW FEATURES

  • Added the HTTP Request Builder penetration testing tool.
  • Added a button on start new scan dialog to open target URL on default web browser.
  • Added a new activity type group called “Passive Analysis” which shows the analysis activity of attack responses.

IMPROVEMENTS

  • Improved the “HTML Base Tag Hijacking” vulnerability template.
  • Improved the long-term memory usage of the DOM simulation and cross-site scripting (XSS). scanning
  • DOM simulation smart filtering now prunes unnecessary DOM branches.
  • Improved the detection of “Redirect Body Too Large” vulnerability.

FIXES

  • Fixed an issue in which the editing of a report policy can cause some external references to be removed unintentionally.
  • Fixed an issue in which multiple tabs on the web browser could be opened while trying to open a vulnerability URL.
  • Fixed a comparison report issue in which charts were not being generated according to selected report policy.
  • Fixed a NullReferenceException that can be thrown by the Subresource integrity security checks.
  • Fixed a report policy editor bug where clicking check all/none affects the vulnerability types that are not currently displayed.
  • Fixed an issue where the vulnerability types disabled on current report policy were affecting the number of vulnerability count on “Issues” panel title.

22 Jun 2016

IMPROVEMENTS Improved the automatic form authentication script to click “button” HTML elements if no suitable button is found. FIXES Fixed the clipped dialog buttons on “Report Policy Editor”. Fixed the incompatibility issues of “Report Policy Editor” on some Windows 8/8.1 systems with Internet Explorer 10. Fixed a Report Policy issue where a vulnerability hidden from …

IMPROVEMENTS

  • Improved the automatic form authentication script to click “button” HTML elements if no suitable button is found.

FIXES

  • Fixed the clipped dialog buttons on “Report Policy Editor”.
  • Fixed the incompatibility issues of “Report Policy Editor” on some Windows 8/8.1 systems with Internet Explorer 10.
  • Fixed a Report Policy issue where a vulnerability hidden from a scan was still not being displayed when a report is generated using the Default Report Policy.
  • Fixed scope related bugs in SRI checks.

16 Jun 2016

NEW FEATURES Scanning of RESTful web services. Report Policies to customize the scan results and reports “Heuristic Rule Detection” support while using custom URL rewrite rules. Added an option to disable logout detection for form authentication. Added ASP.NET Web Application project import support. NEW SECURITY CHECKS Added Samesite cookie attribute check. Added Reverse Tabnabbing check. …

NEW FEATURES

NEW SECURITY CHECKS

  • Added Samesite cookie attribute check.
  • Added Reverse Tabnabbing check.
  • Added Subresource Integrity (SRI) Not Implemented check.
  • Added Subresource Integrity (SRI) Hash Invalid check.

IMPROVEMENTS

  • Various memory usage improvements to handle large web sites.
  • Improved vulnerability templates by adding product information when a 3rd party web application (WordPress, Drupal, Joomla, etc.) is discovered.
  • Improved DOM simulation by supporting HTTP responses that is translated to HTML web pages using XSLT.
  • Improved coverage of LFI engine.
  • Added name completion for profile save as dialog.
  • Updated missing localized text for Korean translation.

FIXES

  • Fixed the issue of form authentication remembers the cookies from the previous scan while using the same Invicti instance for a new scan.
  • Fixed the incorrect progress bar while performing a controlled scan.
  • Fixed the issue of DOM Based XSS security checks enabled status were not being logged.
  • Fixed the “Cross-site Scripting via Remote File Inclusion” vulnerability was not being confirmed issue.
  • Fixed JIRA Send To action issue where the port number of the JIRA service were being ignored.
  • Fixed the synchronization issue on JavaScript Scan Policy section where UI elements are left enabled even though “Analyze JavaScript / AJAX” option is not checked.
  • Fixed the NullReferenceException thrown when scan is paused and resumed during performing form authentication.
  • Fixed the incorrect form value issue when the #DEFAULT# form value is removed.
  • Fixed the broken layout of input controls on basic authentication dialog shown during form authentication.
  • Fixed the error reporting issue occurs when log file collection and/or compression fails.
  • Fixed the HTTP Archive Importer issue where POST method was parsed as GET when postData is empty.
  • Fixed the ObjectDisposedException thrown on form authentication verification dialog.
  • Fixed a bug where GWT parameter cannot be detected which contains a Base64 encoded value.
  • Fixed a time span parsing bug in Knowledge base report templates.
  • Fixed an issue where some vulnerabilities are treated as fixed while retesting.
  • Fixed an issue where XSS proof URL was missing alert function call.
  • Fixed a typo on “Base Tag Hijacking” vulnerability template.
  • Fixed the broken “Generate Debug Info” function of JavaScript simulation feature.

11 May 2016

IMPROVEMENTS Added PCI DSS 3.2 vulnerability ratings Update the PCI Compliance report template with the details of PCI DSS version 3.2

IMPROVEMENTS

  • Added PCI DSS 3.2 vulnerability ratings
  • Update the PCI Compliance report template with the details of PCI DSS version 3.2

05 May 2016

NEW SECURITY CHECK Remote Code Execution via File Upload in ImageMagick (aka ImageTragick)

NEW SECURITY CHECK

  • Remote Code Execution via File Upload in ImageMagick (aka ImageTragick)

03 May 2016

NEW FEATURES Added ModSecurity WAF rule generation feature. NEW SECURITY CHECKS Detection of SQLite Database files. Detection of Microsoft Outlook Personal Folders File (.pst) files. Detection of DS_Store files. Detection of SVN files, supporting the latest version of SVN. IMPROVEMENTS Improved LFI “Long attack – boot.ini” attack. Added Internet Explorer 10, 11 and Microsoft Edge …

NEW FEATURES

  • Added ModSecurity WAF rule generation feature.

NEW SECURITY CHECKS

  • Detection of SQLite Database files.
  • Detection of Microsoft Outlook Personal Folders File (.pst) files.
  • Detection of DS_Store files.
  • Detection of SVN files, supporting the latest version of SVN.

IMPROVEMENTS

  • Improved LFI “Long attack – boot.ini” attack.
  • Added Internet Explorer 10, 11 and Microsoft Edge browser user agent values.
  • Improved the performance of the scan session auto saves.
  • Improved link importing to better handle relative URLs.
  • Improved the “MIME Types” knowledge base list by ordering items alphabetically.
  • Added “Extract static resources” option to JavaScript scan policy settings.
  • Improved coverage of XML External Entity engine.

FIXES

  • Fixed an attacking issue that occurs when retesting a vulnerability in an incremental scan.
  • Fixed a link parsing issue in the text parser where links were incorrectly split.
  • Fixed a form authentication “Override Target URL with authenticated page” issue which caused a wrong URL to be identified as the “Target URL”.
  • Fixed a highlighting issue where the URL for “Insecure Frame (External)” vulnerability is partially highlighted.
  • Fixed an incorrect “Source Code Disclosure” vulnerability report when the response contained an ASP.NET event validation code sample.
  • Fixed an ObjectDisposedException which occured while trying to close the Authentication Verification dialog.
  • Fixed a broken link in XSS vulnerability templates.

11 Apr 2016

FIXES Fixed an exception that happens when reordering form values. Fixed the hidden URL text box on custom URL rewrite settings. Fixed the clipped automatic update notification label.

FIXES

  • Fixed an exception that happens when reordering form values.
  • Fixed the hidden URL text box on custom URL rewrite settings.
  • Fixed the clipped automatic update notification label.

08 Apr 2016

NEW FEATURES Added Proof of Concept generation for the CSRF vulnerability. Added Parameter-Based Navigation settings to better crawl and attack parameters that are used for website navigation. Added a new crawling option in the Scan Policy that allows users to add new extensions for the crawler to parse. NEW SECURITY TESTS Added Missing X-XSS-Protection Header …

NEW FEATURES

NEW SECURITY TESTS

  • Added Missing X-XSS-Protection Header vulnerability check.
  • Added Video.js JavaScript library detection.
  • Added Critical Form Send to HTTP vulnerability check.
  • Added Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability check.

IMPROVEMENTS

  • Added the Smart DFS feature to the Dom Parser which uses a similarity heuristic technology for DOM elements to avoid  multiple scanning of the same or similar parameters.
  • Added license load option to Help menu.
  • Improved “Not Found Analyzer” to better handle binary responses and long strings.
  • Changed the default settings of JIRA Send to Action for better out of the box support.
  • Added a link to the proof URL for XSS vulnerabilities.
  • Added link generation to Text Parser for all select element options.
  • Improved the DOM parser to skip redirect responses.
  • Added an option to allow the user to move the Invicti data directory to a different location.
  • Improved the DOM parser to use the input value for auto-suggest simulation when input is not in a form.
  • Added support for modifying asynchronous JavaScript executions in order to increase DOM Parser coverage.
  • Improved relative link parsing on JavaScript files.
  • Improved the coverage of file upload security checks.
  • Improved the coverage of XSS security checks.

FIXES

  • Fixed an issue where LFI attack patterns are reported as internal path disclosure.
  • Fixed the incorrect raw response representing SSL connections.
  • Fixed an issue where forms containing ignored parameters are not reported as CSRF vulnerability.
  • Fixed a case where dynamically generated HTML option elements’ change event were not being triggered.
  • Fixed cross-domain document access errors on DOM parser and XSS scanner.
  • Fixed an issue where a JSON request’s method was incorrectly recognized as POST rather than GET.
  • Fixed a retest issue where a vulnerability is reported as fixed incorrectly.
  • Fixed form values target setting to use Name as the default value when a Target is not selected.
  • Fixed an issue related with JavaScript “Load Preset Values” combo where selecting a preset value may revert the combo value to “(Custom)”.
  • Fixed a file extension parsing issue related with File Extension List knowledgebase item.
  • Fixed a hang issue occurs while performing JavaScript library checks.
  • Fixed a custom form authentication API issue where “ns” namespace was conflicting with a global variable on target web site (authentication API has been moved to “invicti” namespace preserving the “ns” backward compatibility)
  • Fixed a DOM Parser and XSS scanner bug that incorrectly follows redirects.
  • Fixed misplaced certainty label on vulnerability details for trial editions.
  • Fixed an ObjectDisposedException occurs on trial edition when you press escape key several times during application load.
  • Fixed a resource deployment issue occurs on Invicti installations with custom application data path.
  • Fixed a form values issue where empty form values should not set any default values for parameters.
  • Fixed an issue where trying to set Connection request header fails.