Invicti Standard Release Notes
18-Mar-2015

NEW FEATURES

  • Import / Enter Proxy Logs and HTTP Requests
  • Manual Crawling / Internal Proxy / Proxy Mode
  • Ability to Include & Exclude links
18-Mar-2015

NEW FEATURE

  • Anti-CSRF Token Support.

NEW WEB SECURITY TESTS

  • Brute Force Support
  • Tomcat Source Code Disclosure
  • Default Tomcat Page Identified
  • Frame Injection
  • Backdoor Detection
  • Sensitive Files Detection.
18-Mar-2015

NEW FEATURES

  • New Settings Interface
  • Resume Support
  • Better GUI for Permanent XSS vulnerabilities.

NEW WEB SECURITY TEST

  • Second Order SQL Injection.
18-Mar-2015

NEW FEATURES

  • Client Certificate Authentication Support
  • Vulnerability Classification data reported in the GUI and reports
  • New Save / Load Files.

NEW WEB SECURITY TEST

  • Blind Command Injection.
18-Mar-2015

NEW FEATURES

  • Scheduling Support
  • Command Line Automation Support
  • ViewState Panel.

NEW WEB SECURITY TESTS

  • ASP.NET Viewstate Analyzer
  • Confirmation for Remote code evaluation
  • Confirmation for Remote file inclusion
  • Confirmation for Command Injection.
18-Mar-2015

NEW FEATURES

  • New reporting format
  • New Security Tests
  • Open Redirection.
18-Mar-2015

  • First public release.
18-Mar-2015

NEW FEATURES

  • Encoder
  • Custom Reporting API
  • New Security Tests
  • Confirmation for RCE
  • Confirmation for CI via LFI.
18-Dec-2018

NEW FEATURES

  • Rewrote the Sitemap and Issues trees, which improves performance and adds filtering, grouping, sorting and searching
  • Added the vulnerability families feature, which groups similar types of vulnerabilities instead of reporting them separately
  • Added support for Swagger 3 / OpenAPI link import
  • Added support for 64-bit smart card drivers for authentication
  • Added GitLab Send To integration
  • Added Bitbucket Send To integration
  • Added Unfuddle Send To integration
  • Added Zapier Send To integration
  • Added Azure DevOps Send To integration
  • Added support for importing links from IOdocs file format
  • Added automatic upload to Invicti Enterprise option
  • Added copy to clipboard buttons to request and response viewers
  • Added a new Knowledge Base item for Not Found pages
  • Added a hex view for binary responses in reports
  • Added options to switch Scan Profile, Scan Policy and Report Policy for the current scan
  • Added Uncheck by Severity context menu item to the Report Policy editor
  • Added ISO 27001 vulnerability classifications and report template
  • Added raw value support for Send To custom fields
  • Added option to report variations of vulnerabilities

NEW SECURITY CHECKS

  • Added a new pattern for CherryPy Version Disclosure
  • Added an LFI attack pattern for WEB-INF/web.xml
  • Added Ruby Error Disclosure detection
  • Added WP Engine Configuration File detection
  • Added CherryPy Stack Trace Disclosure detection
  • Added Intro.js out-of-date version detection
  • Added Axios out-of-date version detection
  • Added Fingerprintjs2 out-of-date version detection
  • Added XRegExp out-of-date version detection
  • Added DataTables out-of-date version detection
  • Added Lazy.js out-of-date version detection
  • Added FancyBox out-of-date version detection
  • Added Underscore.js out-of-date version detection
  • Added Lightbox out-of-date version detection
  • Added JBoss application server out-of-date version detection
  • Added SweetAlert2 out-of-date version detection
  • Added Lodash out-of-date version detection
  • Added Bluebird out-of-date version detection
  • Added Polymer out-of-date version detection

IMPROVEMENTS

  • Separated the Scan Activity panel and Progress chart into their own dock panels below
  • Added a button to the Reporting tab for creating new Custom Report Templates
  • Improved Knowledge Base item updates to prevent unexpected scrolling to the top of the screen
  • Ordered several Knowledge Base items alphabetically
  • The Concurrent Connection count of imported scans can now be modified
  • Changed default Issue type to Story in JIRA Send To integration
  • Changed CallerId field to optional in ServiceNow Send To integration
  • Added PHP extension attack for Nginx vulnerability to File Upload engine
  • Added File Upload patterns for Nginx parsing vulnerability
  • Added settings to File Upload engine for configuring upload folders
  • Added errorlog.axd detection support
  • Improved elmah.axd detection
  • The severity of the Cookie Not Marked as Secure vulnerability was lowered for non-session cookies
  • Improved SSTI PHP Smarty attack detection
  • Retest All can now be started when the scan is paused
  • Improved the Swagger link importer to handle additional properties with integer and string value types
  • Improved the Expect-CT engine by only reporting a vulnerability once for each host
  • Improved RSA key confirmation by handling OpenPGP format
  • Added a Statistics tab to the HTTP response viewer
  • Increased the HSTS Not Enabled vulnerability severity from Information to Low
  • Improved HTTP 407 proxy authentication error handling
  • Improved missing license handling for non-interactive Windows sessions
  • Controlled scan is now cancelled when a new scan is imported
  • Added classifications to the HSTS Not Enabled vulnerability
  • Excluded unpopular JavaScript Library Out of Date checks from the default policy to improve performance
  • Improved the user experience of suggestions in the Scan Policy Optimizer when navigating back and forward in the wizard
  • A newly imported certificate for Client Certificate Authentication is now selected automatically
  • Improved JSON request/response viewer performance for large documents
  • Spaces in vulnerability URLs are now encoded in the vulnerability viewer
  • Improved CSP security checks by analyzing empty responses, as CSP can be declared on headers instead of meta tags
  • Generalized the RegEx Pattern of the trace.axd detected vulnerability to match all languages
  • Updated HTTP response data of vulnerabilities after retest
  • Scan Policy Optimizer now respects the security engine and pattern selections of the base policy
  • Improved JSON format detection
  • Replaced Unicode replacement characters with question marks in responses
  • Added a Scan Policy option to attack cookies
  • Improved element click DOM simulation for various element types
  • SRI Not Implemented will no longer be reported for localhost URLs
  • Improved ASP.NET error message detection
  • Added descriptions to PCI categories in the PCI Compliance Report
  • Improved Boolean SQL Injection detection
  • Improved the Blind Command Injection attack patterns
  • Improved the representation of Report Template compilation errors
  • Removed the dependency of Object Model Installer for using TFS Send To integration
  • Improved the language used in Retest and Controlled Scan results
  • Focused policies are now set to the currently used ones in Scan Policy Editor and Report Policy Editor
  • Misconfigured X-Frame-Options Header is now reported separately
  • Improved source code disclosure checks to prevent reporting JavaScript template pages
  • The link to a created Issue is now displayed on the status bar after sending a vulnerability to an integration
  • Status code, status description and content length information have been added to the Slowest Pages knowledge base node
  • Retest activities are marked on the Scan Activity panel
  • Added the list of failed vulnerabilities to retest results dialog
  • Improved WADL document parsing by ignoring DTDs
  • Improved Open Redirect DOM based confirmation performance
  • Long identified source code is shortened in Possible Source Code Disclosure vulnerabilities
  • Cookie vulnerabilities now report where the cookie was set from
  • Improved the multi-line representation of LFI Exploitation data
  • Removed the redundant scan save confirmation dialog displayed when closing the app
  • Improved Swagger Document Format detection
  • Options dialog now remembers its location and size
  • File upload engine now detects new links in the response after the file is uploaded

FIXES

  • Fixed double URL encoding problem in various Report Templates
  • Fixed parsing issue that occurs when the upload folder contains a slash
  • Fixed the issue where authentication does not work when retesting
  • Fixed an exception thrown prior to scan when the language is set to Korean
  • Fixed the incorrect license holder name displayed on application title
  • Fixed a controlled scan issue where it fails if the connection check response status code is not 200 (OK)
  • Fixed Jira Send To custom field values by HTML encoding them
  • Fixed double HTML encoding problem in TFS Send To template
  • Fixed the issue where the connection error is displayed during a controlled scan when the response status code is not 200 (OK)
  • Fixed a NullReferenceException thrown when a link label is clicked in a dialog
  • Fixed display of Post Scan ribbon group's caption text
  • Fixed the issue where the Swagger importer generates an invalid JSON request body
  • Fixed the ArgumentException thrown while performing Heartbleed security checks
  • Fixed visibility of fixed vulnerabilities in Report Templates
  • Fixed the issue where the wrong version was identified for Drupal
  • Fixed the UriFormatException thrown during SSRF (Hawk) URI validation
  • Fixed a disallowed HTTP method issue where some methods were still being allowed
  • Fixed a typo in the CSP Not Implemented vulnerability details
  • Fixed the issue where SRI Not Implemented URLs were not properly highlighted in the source code
  • Fixed an InvalidCastException thrown while loading the panel layout
  • Fixed a Form Authentication issue that occurred on some React-based websites
  • Fixed the issue where the old scan's activities continued even when another scan was imported while performing a Retest All
  • Fixed a NullReferenceException thrown in Retest
  • Fixed signature detection for links found via the crawler
  • Fixed an issue in CSP engine where it reported an incorrect vulnerability
  • Fixed a URL encoding issue in DOM simulation that was causing some vulnerabilities to be missed
  • Fixed the issue where the text parser incorrectly parsed extensions in the onclick event
  • Fixed the incorrect Retest Fail dialog in the InternalServerError vulnerability
  • Fixed the URL decoding issue when the URL was copied in the Issues panel
  • Fixed an issue where comments injected by Invicti's own attacks were reported in the Knowledge Base Comment node
  • Fixed duplicate parsing source field values reported for IFrame vulnerabilities
  • Fixed a corrupted PDF report
  • Fixed an issue where Apache MultiViews could not be detected in the target server
  • Fixed the incorrect Cookie Expire Date set during Form Authentication
  • Fixed the incorrect Source Code Disclosure report caused by SSTI attacks
  • Fixed a Content-Type parsing issue in Form Authentication
  • Fixed the issue where cookies received via Form Authentication were not being analyzed for vulnerabilities
  • Fixed the NullReferenceException thrown by the Request Builder if there were no scans open
  • Fixed the incorrect Source Code Disclosure reported when an XSS via RFI vulnerability was found
  • Fixed an Out of Memory issue that occurred while trying to view a large document
18-Dec-2015

FEATURES

  • Added Windows 10 support
  • Added the Scan Policy Optimizer
  • Added automatic configuration of URL rewrite rules
  • Added automated evidence collection to several confirmed vulnerabilities
  • Added Korean language option for application user interface (currently in beta)
  • Added support for detecting outdated versions of several popular JavaScript client-side libraries
  • Added HIPAA compliance report template
  • Added syntax highlighting for HTTP response viewer for responses like XML, JavaScript, CSS, etc.
  • Added syntax highlighting for HTTP request viewer for request bodies like XML, JSON, etc.
  • Added sessionStorage and localStorage support
  • Added send to Team Foundation Server (TFS) and GitHub feature
  • Added URL Rewrite knowledgebase node to list the URL patterns that have been discovered
  • Added SSL knowledgebase node that shows several SSL related configurations on target web server
  • Added CSS knowledgebase node
  • Added Slowest Pages knowledgebase node
  • Added a no-challenge option for Basic authentication

NEW SECURITY CHECKS

  • Added Windows Short File Name security checks
  • Added several new backup file checks
  • Added web.config pattern for LFI checks
  • Added boot.ini pattern for LFI checks
  • Added a signature that checks for a passive backdoor affecting vBulletin 4.x and 5.x
  • Added a signature that detects the error message generated by the MySQL regexp function
  • Added DAws web backdoor check
  • Added MOF Web Shell backdoor check
  • Added RoR database configuration file detection
  • Added RoR version disclosure detection
  • Added RoR out-of-date version detection
  • Added RoR Stack Trace Disclosure
  • Added RubyGems version disclosure detection
  • Added RubyGems out-of-date version detection
  • Added Ruby out-of-date version detection
  • Added Python out-of-date version detection
  • Added Perl out-of-date version detection
  • Added RoR Development Mode Enabled detection
  • Added Django version disclosure detection
  • Added Django out-of-date version detection
  • Added Django Development Mode Enabled detection
  • Added PHPLiteAdmin detection
  • Added phpMoAdmin detection
  • Added DbNinja detection
  • Added WeakNet Post-Exploitation PHP Execution Shell (WPES) detection
  • Added Adminer detection
  • Added Microsoft IIS Log File detection
  • Added Laravel Configuration File detection
  • Added Laravel Debug Mode Enabled detection
  • Added Laravel Stack Trace Disclosure
  • Added S/FTP Config File detection

IMPROVEMENTS

  • Several performance improvements to reduce memory usage
  • Improved credit card detection to eliminate false positives
  • HTTP cookie handling code was rewritten from scratch to conform to the latest RFCs, which modern browsers also follow
  • SSL cipher support check code has been rewritten to support more cipher suites
  • SSL checks are now made for target URLs even when protocol is HTTP
  • Improved logging code to decrease the performance overhead
  • Updated the embedded Chrome-based browser engine to version 41
  • Improved error logging when Invicti is started from the command line with arguments
  • Added more ignored parameters for ASP.NET web applications
  • Improved the JIRA Send To action to support both old and new versions
  • Added activity details for singular security checks (SSL, Heartbleed, etc.) on scan summary dashboard
  • Improved authentication verifier to include keywords from alt and title attributes
  • Improved scan policy versioning where new security checks are automatically included or excluded by default on existing scan policies
  • Improved out-of-date vulnerability reporting on XML vulnerability list report to include references and affected versions elements
  • Improved LFI pattern that matches win.ini files
  • Improved XSS coverage by adding an attack pattern for email inputs which require an @ character
  • Improved cookie vulnerability details to show all cookies that are not marked as Secure or HttpOnly
  • Added descriptions for advanced settings
  • Improved out-of-date vulnerability templates by including severity information of vulnerabilities for that version of software
  • Improved out-of-date vulnerability reporting by increasing the severity of the vulnerability if that version of software contains an important vulnerability
  • Increased static resource finder limit from 75 to 100
  • Added several text parser settings to advanced settings
  • Improved Ruby version disclosure detection
  • Improved SQL injection vulnerability template by adding remedy information for more development environments
  • Improved common directory checks by adding more known directory names
  • Updated default user agent
  • Improved the default Anti-CSRF token name list
  • Improved database error messages vulnerability detection for Informix
  • Added a new XSS attack pattern for the title tag, where JavaScript execution is not possible
  • Improved XHTML attacks to check against XSS vulnerabilities
  • The Missing Content-Type vulnerability is no longer reported when the status code is 304
  • Optimized confirmation of Boolean SQLi
  • Added exploitation for the Remote Code Evaluation via ASP vulnerability
  • Revamped DOM based XSS vulnerability details with a table showing an XPath column
  • Replaced MSSQL-specific SQLi attack patterns with shorter ones
  • Improved the MySQL-specific SQLi attack pattern for injections in LIMIT clauses
  • DOM simulation is now turned off for hidden input types, which caused false-positive confirmed XSS vulnerabilities
  • Improved the "Name" form value pattern to match more inputs
  • Improved confirmation of Expression Language Injection vulnerability
  • Improved Frame Injection vulnerability details
  • Added .phtml extension to detect code execution via file upload
  • Improved blind SQL injection detection on some INNER JOIN cases
  • Improved external references section of "Remote Code Evaluation (PHP)" vulnerability
  • Added retest support for several vulnerability types
  • Improved import link user interface
  • Improved CSRF engine
  • Installer links are now displayed when auto update fails or is not possible
  • Improved Apache Tomcat detection patterns
  • Improved the message on "Reset to Defaults" dialog
  • Added severity column for Vulnerabilities List (CSV) report template
  • Increased the number of sensitive comments reported
  • Added exploitation support for "RCE via Perl" vulnerability
  • Added project selection to the FogBugz Send To action
  • Improved the text parser
  • Added the total number of attacks per parameter for the current scan policy to the Scan Policy Editor dialog
  • Added the passive engine names which are currently running to scan summary dashboard
  • Added separate checks in scan policy for each supported web app fingerprint application

FIXES

  • Fixed Extensive Security Checks policy to enable DOM simulation for open redirection
  • Fixed Extensive Security Checks policy to enable Prepend Original Value for XSS security tests
  • Fixed authentication verifier to omit empty keywords for keyword based authentication
  • Fixed authentication verifier to omit keywords longer than 200 characters for keyword based authentication
  • Fixed authentication verifier to omit keywords containing null bytes for keyword based authentication
  • Fixed URL rewrite analysis to respect case sensitivity settings
  • Fixed a form authentication issue where image submit elements were not clicked
  • Fixed the Send To extension context menu not focusing the Extensions section when the Options dialog is opened
  • Fixed a form authentication verification crash when the username and/or password is empty
  • Fixed a manual crawling issue where the proxy was left open when a regular scan was started after manual crawling
  • Fixed the custom reporting sample code in the user manual to match the latest reporting API
  • Fixed an issue that occurred when the HTTP response body starts with a Unicode BOM
  • Fixed Open Redirect security checks so that DOM based checks are not performed when DOM checks are turned off
  • Fixed Fiddler logging where form authentication requests were not being captured
  • Fixed the static resource finder not following a redirect when only the protocol portion of a URL changes
  • Fixed the Start a New Scan dialog where the Schedule Scan dialog was always shown when first trying to schedule a scan
  • Fixed DOM simulation hanging when a rogue JavaScript call enters an endless loop
  • Fixed slow XSS highlights on some responses
  • Fixed disk space detection when there is no space left on the disk where the Invicti documents folder resides
  • Fixed the issue on Start a New Scan dialog where some check box values were not restored correctly
  • Fixed a bug where the Full-URL LFI attack specific to Ruby on Rails applications could not be confirmed
  • Fixed a bug where XSS vulnerability could not be confirmed when injection occurs in the middle of a CSS style
  • Fixed a bug where generated XSS exploit did not work due to incorrect encoding
  • Fixed a bug where a false-positive file upload vulnerability was reported
  • Fixed a bug where reaching the maximum number of hard fails prevented the next scan from making HTTP requests
  • Fixed "Missing Content-Type" reporting so that redirected responses are no longer reported
  • Fixed an issue where Set-Cookie response headers were merged in response viewers
  • Fixed an issue where send failures were not being handled while making HTTP requests
  • Fixed a credit card reporting issue where the value specified in the default form values section was reported
  • Fixed the trimmed parameter name issue on controlled scan pane
  • Fixed the ignore vulnerability function, which was not working for comparison reports
  • Fixed the remediation documentation in the nginx vulnerability template
  • Fixed HSTS support for form authentication HTTP requests
  • Fixed a bug that prevented attacking from resuming when an existing session is imported
  • Fixed the issue of HttpRequests.saz file being truncated when a scan is resumed after import
  • Fixed a Fiddler log file saving issue where chunked response bodies were not being saved correctly
  • Fixed a URI parsing issue where non-HTTP(S) protocols are ignored
  • Fixed a DOM XSS scanner issue that crashed Invicti when a long URL was parsed
  • Fixed a bug where an attribute based attack could not be confirmed as XSS
  • Fixed a bug where an injection with "javascript:" protocol for XSS attacks occurs after a new line
  • Fixed a bug where error based SQLi exploitation went into a loop and caused an unresponsive UI
  • Fixed a bug where a relative redirection was reported as an Open Redirect vulnerability
  • Fixed an issue where importing links to an existing profile with imported links was failing
  • Fixed a generated report name issue where an extra .htm extension was added to the report file when run from the command line
  • Fixed an unhandled ArgumentException raised from permanent XSS detection
  • Fixed an issue where Invicti hangs on a confirmation dialog upon scan completion when started with the /auto command line parameter
  • Fixed an issue where a Groovy RCE is reported as Perl RCE
  • Fixed an issue where a scan started with the Scan Imported Links option attacked links that were not imported
  • Fixed an issue where a retest request started with the attacked value and created a vulnerability at a different injection point
  • Fixed a WSDL parsing issue where reference parameters were not handled
  • Fixed a WSDL parsing issue where XML types were not handled
  • Fixed a visual bug where "Security Check Groups" description text was clipped
  • Fixed a bug where illegal characters were causing invalid XML reports
  • Fixed an issue where RCE Perl exploitation could not be performed due to incorrect encoding
  • Fixed an issue with auto complete input reporting where highlighting was not correct
  • Fixed an issue with web app fingerprinting where pausing the scan was not pausing it
  • Fixed an issue that occurs during form authentication with an HSTS site that redirects to a URL with the http protocol
  • Fixed a form authentication configuration issue where both keyword based and redirect based logout detection patterns could be configured
  • Fixed a bug where the hash was reported incorrectly in a DOM based XSS vulnerability
  • Fixed the misleading content in the Basic Authentication over Clear Text vulnerability
17-Oct-2019

IMPROVEMENTS

  • Added support for parsing Swagger files with comments
  • Added crawling support for hash based, routed websites
  • Added deprecated usage report for TLS 1.1
  • The size of the HTML reports has been significantly decreased

FIXES

  • Authentication tokens are now shared among the hosts of the scan target and the additional websites
  • Fixed an issue where the vulnerabilities from the previous scan were sometimes added into the new scan when Custom Scripts were used
  • Fixed the logical operation stack field duplication that was occurring in log files
  • Fixed a formatting issue in the vulnerability report templates
  • Fixed an issue in the SQL Injection (Out of Band) engine where vulnerabilities were occasionally missed due to request timeouts
  • Fixed an issue where discovered application or database versions were not shown in the Site Profile if a Version Disclosure vulnerability had already been reported
  • Fixed a NullReferenceException that was thrown when the response was null in the Web Cache Deception engine
17-May-2018

IMPROVEMENTS

  • Improved confirmation on time-based attacks.

FIXES

  • Fixed the percent encoding issue on Detailed Scan Report.
  • Fixed stale buttons for custom report templates that had been removed from disk.
  • Fixed the InvalidOperationException caused by Expect-CT IP endpoint highlighting.
  • Fixed a NullReferenceException while generating sitemap tree.
  • Fixed the incorrect numbers reported on vulnerability summary table of Detailed Scan Report.
  • Fixed the selection issue on scan policy user agent settings.
  • Fixed the FormatException when HTTP rate limits are set on a scan policy.