Release Notes

Invicti Standard

24-Nov-2017

NEW FEATURES

  • Users can now preconfigure local/session web storage data for a website.
  • Added a new send to action to send e-mails.
  • Added HTTP Header Authentication settings to add request HTTP Headers with authentication information.
  • Added CSV file link importer.
  • Parsing of form values from a specified URL.
  • Added custom root certificate support for manual crawling.
  • Added gzipped sitemap parsing support.

NEW SECURITY CHECKS

  • Added reflected "Code Evaluation (Apache Struts 2)" security check (CVE-2017-12611).
  • Added "Remote Code Execution in Apache Struts" security check. (CVE-2017-5638).

IMPROVEMENTS

  • Renamed "Important" severity name to "High".
  • Updated external references for several vulnerabilities.
  • Improved default Form Values settings.
  • Improved scan stability and performance.
  • Added Form Authentication performance data to Scan Performance knowledgebase node.
  • Added "Run only when user is logged on" option to the scan scheduling.
  • Added a warning before the scan starts if there are out of scope links in imported links.
  • Improved Active Mixed Content vulnerability description.
  • Improved DOM simulation for events attached to document object.
  • Added "Alternates", "Content-Location" and "Refresh" response header parsing.
  • Removed "Disable IE ESC" requirement on Windows server operating systems.
  • Improved Content Security Policy (CSP) engine performance by checking CSP Nonce value per directory.
  • Changed sqlmap payloads to start with sqlmap.py, including the .py extension.
  • Added --batch argument to sqlmap payloads.
  • Removed Markdown Injection XSS attack payloads.
  • Filtered out irrelevant certificates generated by Invicti from client certificate selection dropdown on Client Certificate Authentication settings.
  • Added highlighting for detected out of date JavaScript libraries.
  • Added ALL parameter type option to the Ignored Parameters settings.
  • Added gtm.js (Google Tag Manager JS library) to the default excluded scope patterns.
  • Added an option to export only PDF reports without HTML.
  • Added -nohtml argument to CLI to create only pdf reports.
  • Updated the Accept header value for default scan policy.
  • Added frame and iframe support to CSS exclusion selectors.
  • Added embedded space parsing for JavaScript code in HTML attribute values.
  • Added scan start time information to the dashboard.
  • Skip Phase button is disabled if the phase cannot be skipped.
  • Added validation messages for invalid entries on start new scan dialog sections.
  • Added parsing source information to Scanned URLs List and Crawled URLs List (JSON) reports.
  • Added highlight support for password transmitted over HTTP vulnerabilities.
  • Email disclosure will not be reported for email address used in form authentication credentials.
  • Added focus and blur event simulation for form authentication set value API calls.
  • Uninstaller now checks for any running instances.
  • Internal proxy now serves the certificate used through HTTP echo page.
  • Added spell checker for Report Policy Editor.
  • Added an error page if any internal proxy exception occurs.
  • Added more information about the HTML form and input for vulnerabilities found on HTML forms.
  • Added a JavaScript option to specify JavaScript cookies to persist across authentication and DOM simulation.
  • Extensions on the URLs are handled by the custom URL rewrite rule wizard.
  • Added Parameter Value column to Vulnerabilities List CSV report.
  • Added match by HTML element id for form values.
  • Added "Ignore document events" to JavaScript settings to ignore triggering events attached to document object.
  • Improved Windows Short Filename vulnerability details Remedy section.
  • Improved scan policy security check filtering by supporting short names of security checks.
  • Improved Burp file import dialog by removing the file extension filter.
  • Improved table column widths on several reports.
  • Updated default User-Agent HTTP request header string.
  • URL Rewrite parameters are now represented as asterisks in sqlmap payloads.

FIXES

  • Fixed the InvalidOperationException on application exit.
  • Fixed CSRF vulnerability reporting on change password forms.
  • Fixed Email Disclosure highlight issue where only the first email address is highlighted when there are multiple email addresses on the page.
  • Fixed case sensitivity checks while matching ignored parameters; matching is now case sensitive.
  • Fixed the incorrect progress bar value displayed when a scan is imported.
  • Fixed the incorrect disabled external references section in WordPress Setup Configuration File template.
  • Fixed up/down movement issue on Form Values when multiple rows are selected.
  • Fixed various source code disclosure issues.
  • Fixed an escaping issue with CSS exclusion selectors.
  • Fixed the issue where the basic authentication credentials are not being sent on logout detection phase.
  • Fixed a NullReferenceException when an invalid raw request is entered in request builder.
  • Fixed HTTP Request Builder where it does not set request method to POST if the selected method is PUT.
  • Fixed the issue where the response URL is displayed in the vulnerability details.
  • Fixed the issue where some links were not excluded from scan from sitemap.
  • Fixed the issue where a security check group is enabled while all security checks within it are disabled.
  • Fixed a random DOM simulation exception that occurs when a site creates popup windows.
  • Fixed a RemotingException that occurs on Form Authentication Verifier.
  • Fixed a possible NullReferenceException on Form Authentication.
  • Fixed the message dialog windows displayed by the 3rd party component on Form Authentication Verification.
  • Fixed the broken form authentication custom script when the last line of the script is a single line comment.
  • Fixed the issue where certificate search in store by subject name returns matches without exact subject names.
  • Fixed ESC key handling on message dialogs.
  • Fixed huge parameter value deserialization memory usage.
  • Fixed an issue with Load New License that occurs when the source and destination license files are the same.
  • Fixed the issue where the parsing source is set to Unspecified for links found by resource finder in reports.
  • Fixed the incorrect sitemap representation of excluded nodes when a scan is imported.
  • Fixed the wrong URLs added with only extension values.
  • Fixed the logout detection portion of form authentication verification where it was not using the configured proxy.
  • Fixed the message overflow issue in the out of scope link warning dialog.
  • Fixed a NullReferenceException which may be thrown while importing a swagger file.
  • Fixed the incorrect Skip Current Phase button state when scan phase is changed
  • Fixed internal proxy throwing when certain browsers do not send the full URL with the initial request.
  • Fixed an issue in which the form authentication is not being triggered on retest.
  • Fixed StackOverflowException in swagger parser thrown while parsing objects containing circular references.
  • Fixed a swagger file parsing issue where target URL should be used when host field is missing.
  • Fixed swagger importer by ignoring any metadata properties.
  • Fixed the empty request/response displayed for some sitemap nodes with 404 response.
  • Fixed the autocomplete issue in Content-Type header in Request builder
  • Fixed a NullReferenceException that occurs during DOM simulation.
  • Fixed the incorrect URLs parsed on attack responses.
  • Fixed the redundant duplicate HTTP requests issued by Web App Fingerprinter.
  • Fixed show/hide issue for Dashboard and Sitemap panels.
  • Fixed the issue where Retest All button disappears after a Retest.
  • Fixed the issue where the dollar sign in imported URL is encoded after scan.
  • Fixed the empty request/response header issue for links discovered during attacking.
  • Fixed ignore parameter issue for parameters containing special characters.
  • Fixed a NullReferenceException that occurs for select elements missing option elements on multipart requests.
  • Fixed missing vulnerabilities requiring late confirmation for incremental scans.
  • Fixed a NullReferenceException that may occur on iframe security checks.
  • Fixed the exception that occurs while adding duplicate POST parameters with the same name in Request builder.
24-Aug-2017

NEW FEATURES

  • New Basic, NTLM, Digest and Kerberos authentication settings to support multiple credentials for different URL paths.

NEW SECURITY CHECKS

  • Checks for default pages of IIS 10.0, 8.5, 7.5, 7.0 web servers.
  • Checks for WordPress Setup Configuration File.
  • Remote Code Execution checks for Node.js on Windows.

IMPROVEMENTS

  • Improved Local File Inclusion (LFI) attack patterns.
  • Improved DOM XSS attack patterns.
  • Improved Blind Command Injection detection on Linux systems.
  • Added response compression and length information to HTTP Request Builder.
  • Displaying times in 24-hour format on scan reports.
  • Improved DOM/JavaScript simulation.
  • Improved the performance of email address disclosure detection.
  • Improved the performance of database connection string disclosure detection.
  • Improved the performance of JavaScript library detection.
  • Improved the performance of RoR database configuration detection.
  • Improved "Enter Links" dialog by adding format selection for all the supported import formats.
  • Added parameter type information to nodes on "Issues" panel.
  • Improved scan import performance significantly.
  • Added context menu item for sitemap root node to open the scan folder.
  • Improved resource finder to find more hidden resources.
  • Time zone information added to reports.
  • Improved support for simulating customized select elements.
  • Improved NTLM, Digest and Kerberos authentication support.
  • Improved DOM simulation stability and performance.
  • Added the list of URLs that do not match the rewrite rules on URL Rewrite knowledge base.
  • Added number of links that match to a URL Rewrite rule on URL Rewrite knowledge base.
  • Added out of scope links count information to the knowledge base.
  • Improved the default parameter name list for Parameter Based Navigation.
  • Added NTLM and Digest authentication support to the generated sqlmap and cURL commands.
  • Improved boolean and blind SQL injection checks for MySQL databases.
  • Improved blind SQL injection checks for PostgreSQL databases.
  • Added excluded URLs list to the detailed scan report.
  • Improved reflected and stored XSS detection.
  • HSTS checks now report missing preload directives.
  • Updated Korean translation.
  • Added XML report types for Crawled URLs List and Scanned URLs List reports.
  • Added toolbar to open and copy URLs for Browser View tab.
  • Improved JSON response parsing.
  • Improved DOM based XSS payloads by prepending a URL to referer to make it practically work on web browsers.
  • Improved email disclosure checks by checking host names against the public suffix list.

FIXES

  • Fixed the error caused by null bytes in attack patterns while sending vulnerabilities to JIRA.
  • Fixed an incorrect "Password Transmitted over HTTP" issue for relative URLs on pages redirected to HTTPS addresses.
  • Fixed the NullReferenceException thrown while importing certain HAR (HTTP Archive) files.
  • Fixed the missing activities while performing a controlled scan.
  • Fixed the missing DOM parsing activity when "Override Target URL with authenticated page" option is selected.
  • Fixed the incorrect total security check count while performing controlled scans on activity list.
  • Fixed incorrect "Interesting Header" report for Content-Security-Policy header.
  • Fixed the redundant extra headers added to requests while using request builder.
  • Fixed the disabled "Start Proxy" button when Invicti is opened after an application crash.
  • Fixed the issue where directory listing is not reported on some IIS versions.
  • Fixed page break issues on reports.
  • Fixed the issue where comments in CSS files are not parsed.
  • Fixed the incorrect URL found in CSS comments.
  • Fixed incorrect CSRF vulnerability reports by taking hidden token input into account.
  • Fixed an IndexOutOfRangeException caused by CSP checks.
  • Fixed the signature pattern which fails to match "Programming Error Message (PHP)" in multiple lines.
  • Fixed markdown XSS attack patterns causing incorrect findings.
  • Fixed the double quote encoding issue on generated sqlmap commands.
  • Fixed incorrect "Interesting Header" reports for some headers.
  • Fixed the incorrect http protocol displayed for SSL vulnerabilities.
  • Fixed the duplicate delete confirmation message while deleting the scan and report policies using a keyboard shortcut.
  • Fixed an issue where DOM simulation is performed for checking XSS once per XPath.
  • Fixed the incorrect progress report during controlled scans.
  • Fixed the encoding issue on reported DOM XSS stack traces.
  • Fixed the highlighting issue of multiple custom data reported on vulnerabilities.
  • Fixed the incorrect rows deleted issue when multiple rows are selected on imported links section.
  • Fixed the incorrect behaviour of move up/down controls on custom URL rewrite section.
  • Fixed the maximum crawled URL limit exceeded issue.
  • Fixed duplicate resource finder requests.
  • Fixed CSS escaping in CSS selector generation.
  • Fixed the failing error report when the unexpected exception title is too long.
  • Fixed the WADL import issue where the operation fails for responses with no status codes.
  • Fixed incorrect HttpOnly reports of XSRF-TOKEN cookies; due to their nature, these cookies must be accessed from JS code.
  • Fixed incorrect cURL and sqlmap commands when basic authentication is used.
  • Fixed the incorrect missing object-src report on CSP checks.
  • Fixed an issue where default crawled value is double-encoded instead of single.
  • Fixed the problem where the unique links added twice while importing Postman files.
  • Fixed the "Property set method not found" that occurs while using FogBugz send to action
  • Fixed the missing content for Site Profile section of Knowledge Base report.
  • Fixed "The selected task no longer exists." error when trying to run a scheduled scan on some Windows machines.
23.1.0

Improvements

  • Added control for login and logout during vulnerability retest.
  • Added auto responder for images to escape the onerror issue.

Fixes

  • Fixed an issue that overrode TLS settings available in the scan policy when the Ignore SSL Certificate Errors is set to True in the Appsetting.json file.
  • Fixed a bug that throws a null reference exception during authentication.
  • Fixed missing CSP 3 Directive.
  • Fixed an issue with 3-legged OAuth which caused failed authentication during scans.
  • Fixed the issue of scheduled scans not being exported to Invicti Enterprise.
  • Fixed an issue with header encoding that caused false positive CSP reporting.
  • Fixed the bug on the Interactive Login page where the Ok and Pause buttons are not available.
  • Fixed case sensitivity when checking HTTP headers for JSON Web Tokens.
  • Fixed the IPv6 registered website resolution issue thrown before scanning.
  • Improved the vulnerability database updating process to enable it to use a proxy.
  • Fixed a bug that prevents the scanner from attacking login and logout pages.
  • Fixed the bug in which OAuth2 settings were not transferred properly from the web application to the agent.
23-Jan-2020

IMPROVEMENTS

  • Added Reflected Parameter and matched sensitive keyword names to the Breach Attack vulnerability report
  • Additional websites information will now display 'None' in reports when there are no additional websites set for a scan

FIXES

  • Fixed the JSON Metadata Regex check to match the whole JSON object instead of each part separately
  • Fixed responses with a '201' status code so that they are ignored by the OAuth2 authentication flow
  • Fixed an issue where ignored parameters were displayed as attack parameters in reports
  • Fixed an issue where reporting options were not being applied in scheduled scans
  • Fixed a memory and GDI object leak in the Imported Links dialog
  • Fixed an OutOfMemoryException that was thrown while generating reports
  • Fixed an ArgumentOutOfRangeException in CsrfEngine that was thrown when form instance contained a negative start index
  • Fixed an issue where incorrect links were being captured from JavaScript contexts
23-Apr-2018

FIX

  • Fixed a security vulnerability in form authentication verification.
22.12.0

Improvements

  • Added an explanation for the failed requests error.
  • Added name variable support for Passive and Singular Custom Security Checks.

Fixes

  • Fixed WSDL parse issue for non-defined object types.
  • Fixed the deserialization problem when importing the scan session.
  • Fixed the CSP analyzer Regex enumeration problem.
  • Fixed the null reference exception on HTTP Requester.
22.11.0

New security check

  • Added the Text4Shell (CVE-2022-42889) check.

Improvements

  • Updated the embedded Chromium browser.
  • Improved the importing link to parse the complex example value for RAML.
  • Added the support for browser flag.
  • Improved the scan failure messages on the issue page.
  • Added the URL decode to scanned and crawled URL list reports.

Fixes

  • Fixed the issue that deleted the customization folder in the agent's folder after the update.
  • Fixed the knowledge base report format to display information clearly.
22-Sep-2017

NEW SECURITY CHECK

  • Added "Out of Band Code Evaluation (Apache Struts 2)" security check (CVE-2017-9805).
22-Nov-2019

NEW FEATURES

  • Added a scan search feature which is accessible from the CTRL+K shortcut that allows searching for anything in the scan
  • Added a configuration wizard for GitLab Send To Action
  • Added a Web Application Firewall tab to the Options dialog
  • Added AWS WAF integration
  • Added Cloudflare WAF integration
  • Added SecureSphere WAF integration
  • Added an Auto WAF Rule tab to the Scan Policy Editor dialog
  • Added a Send To Tasks dialog to display the Send To Action and WAF Rule task's status
  • Added a configuration wizard for "rest.testsparker.com" into the Start a New Website or Web Service Scan dialog
  • Added a What's New panel to the right hand side of the Welcome Dashboard, which shows the latest blog posts
  • Added OTP support to the Form Authentication tab in the Start a New Website or Web Services Scan dialog
  • Added "localhost.invicti" host resolution support to allow remote connections to localhost

NEW SECURITY CHECKS

  • Added a new Security Check – HTTP Parameter Pollution (HPP)
  • Added a new Security Check – BREACH Attack Detection
  • Added Out-of-Date checks for Ext JS
  • Added Oracle Cloud and Packet Cloud SSRF attack patterns

IMPROVEMENTS

  • Improved progress bar estimation by populating engine runtimes instead of request count
  • Improved the Scan Performance node by including engine runtimes in the Knowledge Base
  • The Download buttons in the Local File Inclusion Exploitation panel are renamed to Get
  • Improved statistical information in the scan reports
  • Improved Custom 404 settings in the Knowledge Base report
  • Improved the Knowledge Base check icon
  • Improved the display of OAuth2 Authentication information on reports
  • Added Culture Info to error reporting information
  • Renamed the F5 Big-IP ASM WAF Rules button in the Reporting tab
  • Added an Apply button to the Options window, so the dialog stays open until the Save button is clicked
  • Improved the Custom Field Editor dialog to validate custom field values before saving them
  • Improved the I/O Docs Importer to support the latest version
  • Improved the Jira Send To Action to support a new Security Level field
  • Updated Trello Send To Action wizard to hide inactive boards
  • Improved the Crawler and Attacker to identify links separately according to their Accept header. (application/json and application/xml are commonly used in Rest APIs. Invicti can identify and attack for both mime types.)
  • Improved the OpenAPI (Swagger) parser to import links more than once according to their Accept header
  • Updated the AdNetworks file which is used by Invicti to block ad networks
  • Improved the Update Available dialog UI
  • Improved the Report Policy Editor UI.
  • Improved Apache Struts attack patterns by randomizing the attack payloads
  • Improved the Custom Scripting API docs
  • Improved parsing the JavaScript code written inside HTML element attributes
  • Improved the Crawler to detect links with application/xml and application/json headers commonly used in REST APIs, so Invicti can attack each link separately
  • Improved Progress panel's Request per Second setting, so that its value can be viewed by clicking its label
  • Added the ability to parse OAuth2 access token response headers to get the access token value

FIXES

  • Fixed an issue that caused very long URLs to become invisible in the vulnerability report
  • Fixed an issue that caused the Target Website or Web Service URL dropdown list's delete button to become invisible in the Start a New Website or Web Service Scan dialog
  • Fixed a false-positive report of a Windows Username Disclosure in the vulnerability report issue
  • Fixed the problem where the Windows Username Disclosure attack pattern did not match invalid file characters
  • Fixed the problem where a null Scan Profile name was displaying when opening a scan file
  • Fixed an issue where headers were duplicating when imported from a Swagger file.
  • Fixed the license expiration to occur a day after the license Expiration date
  • Fixed an issue that caused a Collection Modified exception when restarting Invicti after changing the storage directory
  • Fixed an issue where the HTTP Request / Response panel did not open when the Sitemap root node was selected
  • Fixed an issue in the Request Builder where the changes in the Raw request tab were not being saved
  • Fixed an issue that caused the name of the vulnerability to be blank in the Report Policy Editor dialog
  • Fixed a High dpi issue in the Update Available dialog
  • Fixed an issue that caused the Context button to overlay information counts in the File menu
  • Fixed the URI format exception that occurred on the SSRF configuration screen
  • Fixed an issue that caused the tab key not to work in the Request Builder
  • Fixed an issue where encoded characters and new line characters appeared in the exploit responses in JSON format
  • Fixed an issue where the application name was captured as the version in the Java Servlet Version Disclosure pattern
  • Fixed an issue where some console commands were reported as proofs of exploit even though they had not been executed in the code evaluation
  • Fixed an issue where the Report Policy Editor dialog was showing html encoded values in the grid view and in the Edit dialog
  • Fixed an issue where report template changes were lost when the Cancel button clicked while searching in the Report Policy Editor dialog
  • Fixed an issue where the Dom Parser occasionally made requests to excluded or out of scope URLs
  • Fixed an issue where relative links found during a DOM simulation were sometimes not added to the link pool
  • Fixed a request timeout default value tooltip that was displaying in the HTTP Request settings
  • Fixed property names in the Redmine Send To Actions fields
  • Fixed an issue that caused the vulnerability URL to change when running a custom script on a vulnerability originally detected also by using a custom script
  • Fixed an issue that caused the UI to freeze when activating or deactivating licenses
  • Fixed an issue that caused the UI to freeze when verifying OAUTH settings
  • Disabled layout customization in the Manual Authentication and Test Credential screens
  • Fixed an issue that caused the scan manager to request a login URL in the OAuth2 Authentication settings when the Web Cache Deception security check group was disabled
  • Fixed an issue that caused late UI loading when the Scan Profile contained too many Imported Links
  • Fixed JSON and XML request identifiers to detect the type properly when content contains whitespace characters
  • Handled communication errors that occurred while testing credentials
  • Fixed the log for corrupted variation information
  • Fixed a NullReferenceException that was occasionally thrown in the Additional Websites tab in the Start a New Website or Web Service Scan dialog
  • Fixed a performance issue caused when the number of the Sitemap nodes increases
  • Fixed the Regex Pattern of SQLite error message patterns
  • Updated the Remedy sections of some vulnerability report templates.
  • Fixed the internal proxy localhost's handling when adding the loopback override to the system's proxy settings
  • Fixed misleading logout detection warnings shown during the retest of cookie vulnerabilities
  • Fixed an issue that caused the system to crash when sorting the Sitemap
  • Improved ApacheStruts to report where it would be possible for the attack to succeed at least one time
  • Fixed a NRE in the Signature Detection
  • Fixed the issue where some proofs were duplicated in the Knowledge Base
  • Fixed extensive CPU usage on cloud instances and virtual machines
  • Fixed a Set-Cookie response header parsing issue that occurred where empty name/value pairs were skipped and cookie attributes were incorrectly parsed as name/value pairs
  • Fixed the ArgumentNullException error that occurred when a null parameter value was sent to the Request Builder
  • Fixed the Knowledge Base's Out of Scope Links resource problem
  • Fixed I1 item's title in the Vulnerability Editor dialog, available from the Report Policy dialog to display as 'No Message'
  • Fixed the Asana Send To Action field, as an identifier field has changed in the Asana API
  • Fixed the issue where Raw and Builder tabs were not synchronized in the HTTP Request Builder
  • Fixed an incorrect localization issue that occurred while displaying custom field values of vulnerabilities
  • Fixed an issue that caused the Issues and Sitemap panels to open before opening a scan session
  • Fixed a problem where the Search box background color changed when there were no results
  • Users are now allowed to enter custom HTTP methods in the Request Builder panel when the Raw request body is enabled
  • Fixed an ArgumentNullException that was thrown when trying to refresh the OAuth2 access token after resuming an imported scan
  • Fixed a couple of alignment problems in reports
  • Fixed the last file name cache problem
  • Fixed the Request/Response word wrap and border problem.
  • Removed capitalization from titles in reports
  • Fixed an issue where the AutoComplete Enabled Vulnerability was being falsely reported if input fields included a new password option
  • Fixed a NullReferenceException that was thrown when the headers were null in the Webhook Send To Action
22-Jun-2016

IMPROVEMENTS

  • Improved the automatic form authentication script to click "button" HTML elements if no suitable button is found.

FIXES

  • Fixed the clipped dialog buttons on "Report Policy Editor".
  • Fixed the incompatibility issues of "Report Policy Editor" on some Windows 8/8.1 systems with Internet Explorer 10.
  • Fixed a Report Policy issue where a vulnerability hidden from a scan was still not being displayed when a report is generated using the Default Report Policy.
  • Fixed scope related bugs in SRI checks.
22-Dec-2017

NEW SECURITY CHECK

  • Added security check for "The ROBOT Attack" vulnerability.

IMPROVEMENTS

  • Improved performance of huge JavaScript file parsing.
  • Improved custom form authentication scripting support for pages using React JavaScript framework.
21-Oct-2016

IMPROVEMENTS

  • Improved vulnerability templates.
  • Added support for sending vulnerabilities to JIRA when JIRA is homed at a path instead of the root.
  • Added support for detecting requests made to blob-schemed URIs during DOM simulation.

FIXES

  • Fixed missing external references on some vulnerability templates.