Invicti Standard 6.4.3.35616 - 4th April 2022
NEW SECURITY CHECKS
- Added detection support for Remote Code Execution (CVE-2022-22965), a.k.a. Spring4Shell.
Invicti Standard 6.4.0.35166 - 8th March 2022
IMPROVEMENTS
- Netsparker Standard is now Invicti Standard.
- Added a token matching rule for cases where the token must be obtained from a website other than the target URL.
- Improved the GraphQL attacks to include non-string fields.
FIXES
- Fixed a consistency issue between the Software Composition Analysis and the Knowledge Base on reported vulnerabilities.
- Fixed a bug that prevented the Knowledge Base View from being displayed properly when a user disabled the Knowledge Base in a scan policy.
- Fixed a null reference exception by adding a check for whether the current scan policy is empty.
- Fixed a bug where the agent did not resume the scan after a pause.
- Fixed a bug where not all components detected by Software Composition Analysis were shown after a retest.
Invicti Standard 6.3.3.34686 - 14th February 2022
FIXES
- Fixed an issue where Invicti used a new token instead of the imported token when customers added imported links.
- Fixed an issue that resulted in false positive Cross-site Scripting reports.
- Fixed an issue that prevented scan policy migration when a newer Invicti Standard version was installed.
- Fixed an issue where the page counter went to zero in the Recent Scans window.
- Fixed an issue that threw an error during pre-scan validation for websites that can only be accessed via a proxy.
Invicti Standard 6.3.2.34187 - 20th January 2022
IMPROVEMENTS
- Added the .deploy extension to the Default Policy's extension list.
- Added a new command line interface parameter, failfast, that closes Invicti Standard in silent mode when an error occurs.
FIXES
- Fixed a null reference error that occurred when a user right-clicked the target on the Sitemap.
- Fixed the URL response error on the main node when the Override Target URL option is enabled.
- Fixed the cropped date and time value in the Imported Links body.
- Fixed an issue that opened the vulnerability panel instead of the HTTP Request and Response panel when the email node was selected in the Knowledge Base panel.
- Fixed an issue with the Missing XSS Protection Header check on out-of-scope links.
- Fixed an issue that tried to stop the scan when the What's New tab was closed.
- Fixed an issue where Invicti Standard randomly started a retest for a vulnerability.
- Fixed a GraphQL payload.
Netsparker Standard 6.3.1.33855 - 29 December 2021
FIXES
- Fixed a scan policy migration issue that caused all security checks to be selected.
Invicti Standard 6.3.0.33782 - 23 December 2021
NEW SECURITY CHECKS
- Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Jira.
- Added Stack Trace Disclosure Signature for Java.
- Added Shopify Identified Security Check.
IMPROVEMENTS
- Updated Invicti Standard .NET Framework version from 4.7.2 to 4.8.
- Allowed hyphens in the proxy address in Proxy Settings.
- All child controlled-scan parameters are now listed in the Sitemap parent node.
- Changed classification for Cross-site Referrer Leakage and Breach in OWASP Top Ten 2021.
- Changed the log type of CryptographicException errors.
- DOM simulation now stops when the maximum crawling link limit is reached.
- Updated Version Disclosure Signature for Apache Coyote.
- Added a callback flag to prevent the DOM parser view callback from being triggered multiple times.
- Improved importing of RAML files that include other files.
- Added a tags property to the Kenna Send To action.
- Updated the Freshservice integration so it does not send a User-Agent header.
- Updated Version Disclosure Signature for Jolokia.
- Improved entering Form Values into the relevant fields during form authentication in React applications.
- Improved the login verification process by detecting page load properly.
FIXES
- Fixed an issue that created an incorrect issue link in Bitbucket Integration.
- Fixed an issue where proxy information from the Proxy Auto-Configuration file could not be applied to requests made by the browser.
- Fixed the null reference error (NRE) that occurred during importing the paused or canceled scan files.
- Fixed an issue that calculated total response time incorrectly.
- Fixed a bug in the Send To action of the Kenna integration.
- Fixed the Jolokia version disclosure report to properly highlight the related lines.
- Fixed the OWASP classification links.
- Fixed an issue where a vulnerability was not shown when sorted by Vulnerability Type, although it was shown when sorted by Severity.
- Fixed the misleading tooltip in Scan Policy - Security Checks.
- Fixed the misaligned text on the PDF version of Executive Summary Report.
- Fixed an issue where Invicti Standard did not show an out-of-scope warning when an out-of-scope link was imported.
- Fixed the inconsistent vulnerability count between reports and status bar.
- Fixed the manual authentication issue when links are imported from URL.
- Fixed the Sitemap multilevel group count.
- Fixed Scan Policy security check count.
- Fixed a naming issue that occurred when a new custom report name contained a dot.
- Fixed an issue that occurred while changing the Data Directory option on the Storage tab.
- Fixed the issue that external references were not rendered correctly.
Netsparker Standard 6.2.1.33642 - 14 December 2021
NEW SECURITY CHECKS
- Added detection support for Out of Band Code Evaluation (Log4j, CVE-2021-44228), a.k.a. Log4Shell.
Invicti Standard 6.2.0.33156 - 16 November 2021
NEW SECURITY CHECKS
- Added signature matching to Web app fingerprint checker.
- Added patterns for Base64 encoded DOM Cross-site Scripting.
- Added phpMyAdmin Version Disclosure security check.
- Added Atlassian Confluence Version Disclosure and Out-of-date security checks.
- Added exclusion feature to JavaScript Library detection.
- Added PHP Version Detection via phpinfo() call.
- Added the Shopify Identified security check.
IMPROVEMENTS
- Added the Bridge URL and Shark token support for Invicti Shark (IAST).
- Added setting to configure Session Cookie Names.
- Updated CWE classification category orders for Out-of-date templates.
- Improved Cross-site Scripting attack pattern.
- Added support for exploiting local storage and session storage in the DOM XSS security checks.
- Added highlighting support for custom scripts.
- Added Web Application Firewall to the site profile.
- Changed the default ignored-parameter comparison to case-insensitive.
- Added 'Is Encoded' option to OAuth2 parameters.
- Added JWT Token pre-request script template.
- The CSP Not Implemented vulnerability is now reported as confirmed.
- The Subresource Integrity Not Implemented vulnerability is now reported as confirmed.
FIXES
- Fixed an issue where Content-Type Header Missing was reported when there was no content in the response.
- Fixed a false positive JWT issue that was reported on a not-found response.
- Fixed an issue where both possible and confirmed vulnerabilities were reported for the same URL.
- Marked weak TLS ciphers.
- Fixed an issue where proof was generated even when the proof generation option was disabled in the scan policy.
- Fixed a false positive WAF Identified report.
- Fixed an issue where the vulnerability count in the root node was not updated when a vulnerability was removed, and where Blind XSS was prioritized over Reflected Cross-site Scripting.
- Fixed an issue where source code disclosure was reported in binary responses.
- Fixed an issue where the fingerprint checker crashed when an application's file could not be found.
- Fixed an issue where a missing object-src was reported by the CSP security checks even when default-src was provided.
- Fixed an issue where some cipher suites were not reported as weak.
- Fixed an issue where classification links were not rendered correctly when there were multiple values.
- Fixed an issue where a proof prefix was added when there were no more characters to be found.
Invicti Standard 6.1.0.31760 - 1st July 2021
NEW SECURITY CHECKS
- Implemented JSON Web Token (JWT) security check
- Added the SSL Certificate is About to Expire security check
- Added StackPath Web Application Firewall (WAF) detection.
- Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Proxy Server.
- Added Identified, Version Disclosure, and Out-of-date security checks for JavaServer Pages
- Added Identified, Version Disclosure, and Out-of-date security checks for Kong Server
- Added Identified, Version Disclosure, and Out-of-date security checks for Liferay Digital Experience Platform.
- Added Identified, Version Disclosure, and Out-of-date security checks for Taleo Web Server
- Added Version Disclosure and Out-of-date security checks for Sugar Customer Relationship Management (CRM)
- Added Version Disclosure and Out-of-date security checks for Squid
- Added Identified and Out-of-date security checks for Magento
- Added Out-of-date security check for Daiquiri
- Added Identified security check for Plesk (Windows)
- Added Identified security check for Vegur
- Added Identified security check for HubSpot
- Added Identified security check for DataDome
- Added Identified security check for Craft CMS
- Added Identified security check for Windows Azure Web Apps
- Added Identified security check for OpenVPN Access Server
- Added Identified security check for Squarespace
- Added Identified security check for Plesk (Linux)
- Added Identified security check for Lighthouse
- Added Identified security check for BitNinja Captcha Server
- Added Identified security check for Pardot Server
IMPROVEMENTS
- Added Scan Paused, Scan Resumed, Scan Canceled, and Scan Finished states to the log category.
- The Send to Request Builder option is now visible for Issue Group nodes
- Added page type field to vulnerability reports
- Added Authentication Profile name to reports
- Improved RAML Importer to import the ZIP files
- Added application name and version information to a vulnerability report
- Implemented default values for Swagger path parameters
- Fixed an issue where DOM XSS scans got stuck
- Fixed an issue where Daiquiri Identified reported a redundant custom field
- Improved Common Weakness Enumeration (CWE) classifications for Out-of-Date Version vulnerabilities
- Added a new Akamai Content Delivery Network (CDN) detection signature
- Added a new Varnish Cache detection signature
- Added missing Identified security checks for the existing technologies
- Improved the summary section of the Version Disclosure template for SharePoint
- Improved TRACE/TRACK Method Detected security check
- Improved SVN Detected security check
- Improved Version Disclosure security check and report template for Phusion Passenger
- Improved Caddy Web Server Identified security check.
- Improved WAF Identifier security check.
- Added Blind SQL Injection security check with a new XOR payload for MySQL
- Proxy credentials are now passed to Chrome page authentication
- Vulnerabilities are now ordered by severity in the Comparison Report
FIXES
- Fixed an Invicti license decryption problem
- Fixed HTTPS requests being recorded as HTTP
- Fixed the "requested security protocol is not supported" error
- Fixed handling of the Protocol Buffers encoding type
- Fixed a misspelled product name
- Fixed Phusion Passenger version disclosure template and added Out-of-Date mapping
- Fixed headers being analyzed even when the identification source is the crawler
- Fixed an issue that could cause a deadlock while adding items to the Sitemap
- Fixed an issue that caused out-of-scope URLs to be scanned when the Override Target URL option was enabled and authentication failed while scanning
- Fixed issue where headers in Postman collection were not replaced with variables
- Fixed an issue that caused the SSL validation callback to return invalid SSL certificates as out-of-scope links
- Added disable-feature flag to the browser manager
- Fixed a null reference exception while generating Knowledge Base report
- A rare error when loading the overlay window is now ignored
- Fixed out-of-scope imported links showing in Knowledge Base Rest API List
- Fixed a detection issue with the Akamai CDN signature.
- Fixed a detection issue with Tomcat Identified security check.
- Fixed the signatures of phpMyAdmin Identified security check
- Fixed a large-size upload error
- The Exclude Authentication Page option is now checked when an authentication profile is selected
- Fixed DPI settings at Custom Script Dialog
- Disabled GPU acceleration to prevent rendering errors and black bars
- Fixed UI bugs at General Scan Profile Settings
- Fixed an issue where the maximum page visit limit was shown in the Knowledge Base although it had not been reached, because of the maximum signature limit
- Fixed the Custom 404 Regex from Invicti Enterprise scan data being shown as Auto 404 in Invicti Standard
- Fixed a malformed VDB exception that occurred while getting the latest version of the application
- Added a null check for severity in the Vulnerability Profile dialog
- Fixed a non-recurring parameter issue when logging in with the auto-authenticator
- Fixed Scan Policy Report migration primary key error
- Fixed saving the Crawl & Attack option to the Scan Profile
- Fixed the Logout Detection window showing the first entered URL for every login simulation error
- Fixed a false positive HSTS vulnerability report
Invicti Standard 6.0.2.30446 - 7th April 2021
NEW FEATURES
- Added TLS 1.3 support
- Added the character limit setting for Blind SQL Injection proof generation and enabled proof generation by default
- Added the Common Vulnerability Scoring System field to the known vulnerabilities
- Added the Vulnerability Database version to the scan logs
IMPROVEMENTS
- Improved IPv6 support to cover all SSL checks
- Added an advanced setting option to turn the "disable-web-security" command line option on or off when launching Chromium
- Added the redirect navigation support for DOM Parser
- Fixed Ghost Chromium problems and DOM simulation leaks
- Added multiple ISO Classification support
- Added alphabetical order to the Knowledge Base nodes
- Updated Invicti Shark (IAST) licensing
- Improved WAF Identification checks to prevent false positives
- Added CVSS3.0 and CVSS3.1 scoring for HSTS Policy Not Enabled
- Improved Open Redirection checks
- Updated Capture Group for OpenResty Version Disclosure
- Updated DS_Store File Found Report Template
- Changed the Referrer-Policy Report Template names to be more accurate
- Refined Possible Stored XSS Vulnerability template
- Added missing external references to SSL templates that were removed after the merge
- Added IAST suffix to titles of vulnerabilities detected by Invicti Shark
- Updated OpenSSL regex
- Updated OpenSSL version disclosure regex
- Updated SSTI patterns to use specific type to match code execution patterns
NEW SECURITY CHECKS
- Added Short XSS Attack to bypass character limit checks
- Added Revoked SSL Certificate check
- Added SSL Certificate's Name and Hostname Mismatch security check
- Added SSL Certificate is not signed by a trusted root certification authority security check
- Added Daiquiri Identified security check
- Added Expired SSL Certificate security check
- Added ZSH History File Detected security check
- Added DOM XSS pattern for the script SRC Injection
FIXES
- Fixed an issue with simultaneous access to the same object while updating the sitemap during scanning
- Fixed an unexpected error when saving Parse from URL in the Form Values screen
- Fixed the Chrome address bar being displayed at different resolutions on the Verify Login form
- Fixed the detected logout status when an unreachable link is given
- Fixed the customization menu at the form authentication's custom script dialog
- Fixed an unsupported browser issue for Headless Chromium
- Fixed an issue where weak ciphers were not reported for additional websites
- Fixed the weak ciphers check being ignored because of the ROBOT attack check
- Fixed logging HTTPS requests as HTTP when LogHttpRequests option is enabled
- Updated Invicti Updater icons
- Fixed an issue where the Postman Importer ignores the authorization header that is defined in a request item
- Updated the requester not to send an Accept-Language header if it is not enabled in the scan policy
- Fixed an issue that occurred when exporting custom reports generated from Compliance, Detailed Scan, and Executive Summary report
- Fixed a synchronization problem while creating Puppeteer instances
- Fixed an issue where external schema was not added when importing WSDL
- Fixed the Write Lock Leak in LinkPool
- Disabled mouse wheel on the Include/Exclude URLs with Regex radio group
- Fixed the typo in the jQuery validation out-of-date vulnerability type
- Fixed an issue where Untrusted Root Certificate was not reported for self-signed certificates
- Fixed the issue that the wrong version was reported in the web app fingerprinting
- Fixed a false positive weak credentials vulnerability
- Fixed the issue that logs were not correctly formatted in the Logs panel
- Fixed the issue that SSL vulnerabilities found in additional sites might be reported in the wrong URL
- Fixed the issue that authenticated link was not crawled
- Fixed the issue that the proof URL was not added to XSS
- Fixed word-wrapping in Tags label in the Azure DevOps Send to Action Configuration Wizard
- Removed logging for replacing control characters in headers
- Changed the log level of DOM simulation timeout from Error to Warning
- Fixed the issue that another hash was appended to URLs with a fragment on DOM XSS attacks
- Fixed the issue that SSL certificates were not analyzed for each website when there are additional websites
- Fixed the issue that URI fragment was parsed incorrectly
- Fixed OpenSSL version disclosure regex
- Fixed WS_FTP Log check
- Fixed F5 BIG-IP WAF detection
- Fixed Extractor for Lodash in repository.json by adding a new function
- Fixed WildFly regex for the WildFly Application Server Identified security check
- Fixed Whoops Error Handling framework signature
- Fixed the signature for Liferay Portal Identified
- Fixed Version Disclosure for Artifactory by adding missing custom field tag
- Fixed regex of Grafana Version Disclosure
- Fixed OpenResty regex for Version Disclosure
- Fixed the regex of Liferay Portal Version Disclosure pattern
Invicti Standard 6.0.1.29866 - 11th February 2021
IMPROVEMENTS
- Added IAST suffix to titles of vulnerabilities identified by Invicti Shark
FIXES
- Fixed the issue that custom fields were removed when a vulnerability was cached
- Fixed a typo in the Invicti Shark dialog
- Fixed the issue that Invicti Shark responses were reported as comments in the Knowledge Base
- Fixed the issue that Invicti Shark engines were not enabled on old scan policies
- Fixed renaming the default scan profile while using the Invicti Shark configuration with test websites
- Fixed setting explicit logout URL from the authentication verification dialog
- Fixed an NRE that occurred while opening the Invicti Enterprise options panel in Invicti Standard
Invicti Standard 6.0.0.29750 - 28th January 2021
NEW FEATURES
- Added NIST SP 800-53 compliance classification and report template.
- Added DISA STIG compliance classification and report template.
- Added the OWASP ASVS 4.0 classification and report template.
- Added header and footer section to customize reports.
- Added an option to customize POST attacks for the Open Redirect engine.
NEW SECURITY CHECKS
- Added PHP magic_quotes_gpc Is Disabled security check.
- Added PHP register_globals Is Enabled security check.
- Added PHP display_errors Is Enabled security check.
- Added PHP allow_url_fopen Is Enabled security check.
- Added PHP allow_url_include Is Enabled security check.
- Added PHP session.use_trans_sid Is Enabled security check.
- Added PHP open_basedir Is Not Configured security check.
- Added PHP enable_dl Is Enabled security check.
- Added ASP.NET Tracing Is Enabled security check.
- Added ASP.NET Cookieless Session State Is Enabled security check.
- Added ASP.NET Cookieless Authentication Is Enabled security check.
- Added ASP.NET Failure To Require SSL For Authentication Cookies security check.
- Added ASP.NET Login Credentials Stored In Plain Text security check.
- Added ASP.NET ValidateRequest Is Globally Disabled security check.
- Added ASP.NET ViewStateUserKey Is Not Set security check.
- Added ASP.NET CustomErrors Is Disabled security check.
- Added PHP session.use_only_cookies Is Disabled security check.
- Added new Blind SQL Injection attack pattern.
- Added Jinjava SSTI security check.
- Added Whoops Framework Detected security check.
- Added CrushFTP Server Detected security check.
- Added database error message signature pattern for Hibernate.
- Added Identified, Version Disclosure, and Out-of-date security checks for W3 Total Cache.
- Added Identified, Version Disclosure, and Out-of-date security checks for Next.js React Framework.
- Added Identified, Version Disclosure, and Out-of-date security checks for Twisted Web HTTP Server.
- Added Identified, Version Disclosure, and Out-of-date security checks for Werkzeug Python WSGI Library.
- Added Identified, Version Disclosure, and Out-of-date security checks for OpenResty.
- Added Identified, Version Disclosure, and Out-of-date security checks for GlassFish.
- Added Identified, Version Disclosure, and Out-of-date security checks for Resin Application Server.
- Added Identified, Version Disclosure, and Out-of-date security checks for Plone CMS.
- Added Identified, Version Disclosure, and Out-of-date security checks for Trac Software Project Management Tool.
- Added Identified, Version Disclosure, and Out-of-date security checks for IBM RTC.
- Added Identified, Version Disclosure, and Out-of-date security checks for Tornado Web Server.
- Added Identified, Version Disclosure, and Out-of-date security checks for Jetty Web Server.
- Added Identified, Version Disclosure, and Out-of-date security checks for Axway SecureTransport Server.
- Added Identified, Version Disclosure, and Out-of-date security checks for Artifactory.
- Added Identified, Version Disclosure, and Out-of-date security checks for Gunicorn Python WSGI HTTP Server.
- Added Identified, Version Disclosure, and Out-of-date security checks for IBM Security Access Manager (WebSEAL).
- Added Identified, Version Disclosure, and Out-of-date security checks for Nexus OSS.
- Added Identified, Version Disclosure, and Out-of-date security checks for Cowboy HTTP Server.
- Added Identified, Version Disclosure, and Out-of-date security checks for Python WSGIserver.
- Added Identified, Version Disclosure, and Out-of-date security checks for Restlet Framework.
- Added Identified, Version Disclosure, and Out-of-date security checks for Phusion Passenger.
- Added Version Disclosure and Out-of-date security checks for Liferay Portal.
- Added Version Disclosure and Out-of-date security checks for Tracy debugging tool.
- Added detection for Varnish HTTP Cache Server.
- Added detection for SonicWall VPN.
- Added detection for Play Web Framework.
- Added detection for Private Burp Collaborator Server.
- Added detection for LiteSpeed Web Server.
- Added detection for JBoss Enterprise Application Platform.
- Added detection for JBoss Core Services.
- Added detection for WildFly Application Server.
- Added detection for Oracle HTTP Server.
- Added Daiquiri Version Disclosure security check.
IMPROVEMENTS
- Added Wordlist Entries feature to the Resource Finder security check group
- Added CVSS3.0 and CVSS3.1 scoring for HSTS Policy Not Enabled.
- Improved Open Redirect attack patterns.
- Improved TLS 1.0 issue remediation reference.
- Added WCF service support to WSDL importer.
- Added a fix to reduce the possibility of an out-of-memory problem.
- Added authentication support to system proxy for PAC file.
- The verification dialog now remembers old logout keywords.
- Added scan profile information and URL to all reports.
- Added bypass list for scan policy settings.
- Added scan scope variables to the Pre-Request Scripts.
- Added information label to the Pre-Request Script settings panel
- Added a fail tolerance to Puppeteer launch.
- Improved Tomcat signature patterns.
- Improved the authenticator so it does not store the plaintext password in the request data
- Added HTTP Request Logger to authentication
- Added Canada region to the Invicti Enterprise settings
- Added tooltip to the Excluded Usage Trackers feature.
- Removed X-Scanner header from default scan policies
- Added new sensitive comment patterns.
- Revised the description of the Resource Finder checks option.
- Removed header and footer settings for reports that do not contain header and footer in the save report dialog.
- Added Incremental Scan to Knowledge Base reports.
- Updated Invicti Standard splash screen.
FIXES
- Fixed Lodash Identified security check signature.
- Fixed WebLogic Version Disclosure security check signature.
- Fixed Whoops Error Handling Framework Identified security check signature.
- Fixed Zope Web Server Version Disclosure security check signature.
- Fixed Grafana Version Disclosure security check signature.
- Fixed ASP.NET MVC Version Disclosure security check signature.
- Fixed the Telerik Version Disclosure vulnerability severity; it is now Low.
- Fixed the IIS Version Disclosure vulnerability severity; it is now Low.
- Fixed the grammar issues at the CSP Not Implemented report template.
- Hid the scope tooltip in the manual authentication panel.
- Fixed the order of Out-of-Date vulnerabilities; now sorting vulnerabilities by their severities.
- Fixed an issue where the "link stuck error" message was repeated many times in the scan logs.
- Fixed the typo in the Pre-Request Scripts Menu.
- Fixed a few typos in the Impact descriptions.
- WAF settings are now validated before the WAF connection is tested
- Fixed the issue where the Exclude Authentication Pages option could not be manually disabled when the Form Authentication is enabled.
- Fixed an issue where the Form Authentication verification dialog loses focus and disappears.
- Fixed the usage of the directory modifiers limit
- Fixed sending previous request headers while navigating to the Form Authentication's latest response URL.
- Fixed an issue where the custom script dialog failed to display the login page when requests were encoded with Brotli
- Fixed an issue that caused the Reflected Parameter analyzer to attack ignored parameters when the Breach engine was disabled
- Fixed an issue that could cause a null reference exception while the Reflected Parameter analyzer was running
- Fixed an issue where the WASC ID was not sent properly in the Kenna Send To action
- Fixed an issue where the HTTP request was not redirected to HTTPS when Strict Transport Security was enabled
- Fixed an issue that caused DOM simulation to fail because of null windows and elements
- Fixed an issue where NTLM, Kerberos, and Negotiate authentication credentials were sent with every request without a challenge
- Fixed an issue that caused Pre-Request Script requests to be ignored when their method was disallowed in the Scope settings
- Fixed an issue that caused raw requests to be created without cookies
- Added SSL, Attack Possibility, and JavaScript files to Knowledge Base
- Fixed the order of classification report ribbon menu.
- Fixed handling the invalid characters of request headers set from the Pre-Request Scripts.
- Fixed the tooltip of Send To Tasks button at the ribbon
- Fixed unwanted warning on the auto authenticator
- Fixed date and time zone problem on Swagger file.
- Fixed null reference exception on excluded URL check.
- Fixed multiple instance knowledge base render problem.
- Fixed reporting style issues.
- Fixed relativity of the charts in the Comparison Report.
- Fixed grid showing on the logout detection screen.
- Fixed scan resuming problem on unavailable host.
- Fixed pop-up problem on the DOM simulation for better performance.
- Fixed the logo at the Knowledge Base render error page.
- Fixed an issue that caused an unhandled exception when the link was clicked multiple times in the authentication verify dialog while interactive login was enabled
- Fixed an internet connection problem in the Test Site Configuration dialog.
- Added information label to the Azure Configuration wizard.
- Fixed request and response results in out-of-band vulnerabilities.
- Fixed Blind SQL Injection cache issue.
- Fixed a wrong cookie expiry time that occurred in DOM simulation.
- Fixed the null reference exception while checking the source type.
- Fixed the Basic Authentication header problem for Chromium requests.
- Fixed the null reference exception while getting authorization tokens.
- Fixed an issue where XSLT requests are not intercepted.
- Fixed the Netsparker Helper Service DLL not found issue.
- Fixed the client certificate selection issue while logging in to the target website.
- Fixed session storage problem at DOM simulation.
- Fixed an upload request problem that created false positives in the LFI engine.
- Fixed Chromium errors during authentication.
- Fixed the unhandled Multiple Choices redirect status code in the requester.
- Fixed keyword-based logout detection getting stuck when a pop-up opened in Chromium browsers.
- Fixed the Generate Exploit button label in the ribbon menu and vulnerability pop-up menu.
- Fixed an issue where the form value parser was not working.
- Fixed unauthorized request handling in the license view.
- Fixed an issue that caused invalid parent issue selection when Check Inverse was used in Security Checks.
- Fixed the maximum logout detection issue.
- Fixed the issue that email disclosure was reported without identified email addresses.
- Fixed an issue in the scan policy optimizer where the DOM preset was set wrong.
- Removed URL signature field from the phpinfo detection pattern.
- Fixed Perl version disclosure pattern.
- Fixed the issue that Movable Type could not be detected because the app name contained whitespace.
- Removed the Fiddler core dependency from Fiddler Importer that caused issues in Linux agents.
- Fixed the custom script dialog title.
- Fixed the signature of Python version disclosure pattern.
- Fixed the issue that charset error was repeated many times in the logs.
- Fixed the issue that the attack parameter name was not displayed on error-based SQL injection vulnerabilities.
- Fixed an ArgumentNullException that was thrown when the proxy bypass list is null.
- Fixed the request parsing error in TCP Requester.
- Fixed the issue that header and footer were mixed up in the reports.
- Fixed info icons position in the Knowledge Base reports.
- Fixed an issue where the XSS payload was not highlighted correctly.
- Fixed the typo in the base scan CLI argument.
- Fixed the issue that the confirmation dialog was not displayed when the delete rows button in the context menu is used.
- Fixed the inconsistencies in the summary page of Asana configuration wizard.
- Fixed tooltip enabled/disabled states in Form Authentication, Client Certificate, and Smart Card Authentication settings.
- Fixed the issue that search results were not highlighted correctly.
- Fixed the issue that the URL was not correctly encoded in Send To Action templates.
- Fixed an issue where request.Headers was empty in the custom script API.
- Fixed an issue where the Mithril version could not be detected.
- Fixed the issue that SSTI could not be detected consistently because the code execution patterns were not loaded correctly.
- Fixed the issue that version disclosure vulnerabilities were always fixed in retest.
- Fixed an issue that caused false positive Open Redirection reports because of improper decoding of the Location header
- Fixed the Swagger parser importing an object with a parent node when the object is inside an array
Netsparker Standard 5.9.1.29030 - 6th of November 2020
NEW SECURITY CHECKS
- Added Oracle WebLogic Server Remote Code Execution (CVE-2020-14882)
- Added Oracle WebLogic Server Authentication Bypass (CVE-2020-14883)
Invicti Standard 5.9.0.28895 - 30th of September 2020
NEW FEATURES
- Added a new signature limit for URL Rewrite matched links
- Added a crawling limit for Not found (404) links
- Added a WASC Classification Report template
- Added an option to exclude authentication pages and removed authentication related regexes from the default settings
NEW SECURITY CHECKS
- Added Out-of-date security checks for the Liferay portal
- Added Version Disclosure and Out-of-date security checks for Jolokia
- Added Nested XSS security checks
- Added an ASP.NET Razor SSTI security check
- Added a Java Pebble SSTI security check
- Added a Thymeleaf SSTI security check
- Added Version Disclosure and Out-of-date security checks for Grafana
IMPROVEMENTS
- Improved custom scripting to send raw requests
- Improved the authenticator to hide passwords in request data in order to prevent exposing them in reports
- Added an Auto Follow Redirect setting to the Advanced settings
- Added request and response details to Out of Band vulnerabilities
- Improved logging for timed out regexes in the JavaScript Library Checker
- Updated signature of Stack Trace/Custom Stack Trace (Python)
- Improved the memory consumption on long running scans
FIXES
- Fixed an error that was caused when parsing duplicate response content-type headers
- Updated Invicti logos, splash screen and icons
- Fixed reporting of Crawl Performance for crawl-only scans
- Fixed an issue where Form Value Errors were occurring after simulation was finished
- Fixed the Maximum Body Length exceeded log message
- Fixed the log level of the Dom Parser's ignored link message
- Fixed the Jira Send To application description
- Fixed an issue that occurred when the Content-Type and Accept headers were used as a parameter in the OpenAPI (Swagger) file
- Fixed an issue where the custom Comparison Report was not generated
- Fixed an ArgumentNullException that was occurring in the TestSiteConfiguration dialog
- Disabled the LFI button for possible XXE findings
- Fixed a certificate error problem in the new SSL checker
- Fixed the timezone problem on reports
- Fixed the Executive Summary Report title
- Fixed an ArgumentException that was thrown when the URI was empty
- Fixed HIPAA classification links
- Fixed the issue where the Invicti session importer did not import all links from the session
- Fixed the bug where the URL was split incorrectly when a segment contained the file extension
- Fixed the issue where responses were not being analyzed by the Signatures engine during the re-crawl phase
- Fixed the HIPAA classification link when there are multiple classifications
- Removed plugin functions that are used to detect bootstrap to prevent false positive versions from being reported
- Fixed NRE in the static detection engine
- Fixed the Swagger parser that caused an object to be imported with a parent node while the object was inside an array
Netsparker Standard 5.8.2.28358 - 10th of July 2020
IMPROVEMENTS
- Added a highlight icon to the attack parameters on the vulnerability reports
- Added a report URL to the scheduled reports
FIXES
- Fixed an ObjectDisposedException that was occasionally thrown when the attacker started in manual proxy mode
- Fixed a NRE that occurred when exporting a report from a scheduled scan
- Fixed an issue caused when the login page identifier was disabled in the Scan Policy
- Fixed an issue where the Jira Send To Action failed to create an issue when the components field did not exist in the project
- Fixed the issue where the content type was not parsed correctly when there were multiple Content-type headers
- Fixed the issue where responses were not being analyzed in signature detection in the re-crawl phase.
- Fixed the list of enabled security checks on reports
- Changed the SANS Top 25 classification name to CWE on reports
NEW SECURITY CHECKS
- Added an F5 BIG-IP LFI (CVE-2020-5902) attack pattern
- Added out of date checks for Apache Traffic Server
- Added version disclosure for Undertow Server
- Added out of date checks for Undertow Server
- Added version disclosure for Jenkins
- Added out of date checks for Jenkins
- Added signature detection for Kestrel
- Added detection for Tableau Server
- Added detection for Bomgar Remote Support Software
- Added version disclosure for Apache Traffic Server
Netsparker Standard 5.8.1.28119 - 4th of June 2020
IMPROVEMENTS
- Added Request API to Form Authentication's Custom Script
- Added ability to add, edit and remove HTTP parameters and headers from Custom Security Check requests
- Improved the Jira Send To Action to include a new Components field
- Improved the SSL security check implementation
- Improved the design of default Report Templates
FIXES
- Fixed a memory leak in the Attacking phase
- Fixed a CSS Parser issue that caused infinite loops while parsing invalid CSS files
- Fixed an Attacker issue that caused a memory leak
- Fixed a Null Reference Exception that occurred during crawling
- Fixed the parsing of duplicate content-type headers
Invicti Standard 5.8.0.27987 - 14th of May 2020
NEW FEATURES
- Added Pivotal Tracker Send To integration
- Added test website (Target URL) configuration to enable the scanning of REST websites with selected XML and JSON mime type(s)
- Added ability to add, remove or edit request parameters, headers and edit the request body in pre-request scripts
- Added a Fragment Parsing checkbox to the Crawling tab of the Scan Policy Editor dialog
NEW SECURITY CHECKS
- Added a new vulnerability for cookies that set SameSite=None without the Secure attribute
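The check above is a passive header check: a cookie with SameSite=None is intended to be sent cross-site, and browsers that implement the SameSite=None semantics only accept such a cookie when it is also marked Secure, so a SameSite=None cookie without Secure is both rejected by modern browsers and exposed to a network attacker over plaintext HTTP. The following is an added example of that check written for this page (it is not Invicti or Netsparker code); the header list it scans is constructed sample data.

```python
"""Flag Set-Cookie headers that use SameSite=None without the Secure attribute.

Added example, not Invicti/Netsparker code. Parses raw Set-Cookie header
values (RFC 6265 shape: name=value followed by ;-separated attributes) and
reports each cookie whose SameSite attribute is None but lacks Secure.
"""


def parse_set_cookie(header_value: str) -> dict:
    """Split a Set-Cookie value into name, value and a lower-cased attribute map.

    Attribute names are case-insensitive per RFC 6265, so they are normalised
    to lower case; flag attributes such as Secure map to an empty string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attributes = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value, "attributes": attributes}


def check_same_site_none(header_value: str):
    """Return a finding dict for a SameSite=None cookie without Secure, else None."""
    cookie = parse_set_cookie(header_value)
    attrs = cookie["attributes"]
    # The SameSite attribute value is also compared case-insensitively.
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        return {
            "cookie": cookie["name"],
            "issue": "SameSite=None cookie is not marked Secure",
            "header": header_value,
        }
    return None


def scan_response_headers(headers: list) -> list:
    """Run the check over (name, value) response header pairs, Set-Cookie only."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        finding = check_same_site_none(value)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; SameSite=None"),       # flagged
    ("Set-Cookie", "tracking=xyz; Path=/; SameSite=None; Secure"),           # OK
    ("Set-Cookie", "pref=dark; Path=/; SameSite=Lax"),                       # OK
    ("Set-Cookie", "legacy=1; samesite=none"),                               # flagged (case-insensitive)
]

if __name__ == "__main__":
    for finding in scan_response_headers(SAMPLE_HEADERS):
        print(f"{finding['cookie']}: {finding['issue']}  <- {finding['header']}")
```

Only Set-Cookie headers are examined; the check is deliberately independent of the request, which is what makes it a passive check that can run on every response during a crawl.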
IMPROVEMENTS
- Improved the Webhook Send To Action to enable it to send data from the query string when the POST or PUT method is selected
- Improved the Jira Send To Action to include Epic Key and Epic Name fields
- Updated the default value for Allow Out-of-scope XHR requests from False to True, to improve the simulation process
- Improved Form Authentication to capture All Authorization Headers instead of just Bearer Authentication Tokens
- Improved the scan performance with memoization of Passive Security Checks
- Optimized Stored XSS checks to eliminate unnecessary DOM simulations in PermanentXssSignature
- Optimized signature detection to avoid executing unnecessary Regex checks
- Improved the attack payload of the Open - Integer (MySQL) pattern
FIXES
- Fixed the parsing of the authentication header when an empty OAuth2 token type was provided
- Fixed a typo in the XSS vulnerability template
- Fixed a typo in Expect-CT engine error message
- The WAF Identified dialog is no longer displayed when Invicti is started from the command line in Silent Mode
- Fixed an issue that meant the Target URL was not crawled when the Override Target URL with authenticated page checkbox was enabled in the Form Authentication tab of the Start a New Website or Web Service Scan dialog
- Fixed the visibility of the scan search bar
- Fixed the Regex Pattern of the BREACH Engine's sensitive keywords
- Fixed an issue where the Possible OOB Command Injection Vulnerability was reported as confirmed
- Fixed the exception that was thrown if the script file name was empty when the Execute button was clicked in the Custom Scripts panel
- Fixed the problem where the XXE engine was reporting a false positive on possible XXEs
- Data Type Mismatch errors are now ignored while importing OpenAPI (Swagger) documents
- Fixed an issue where Authentication Verification was failing to complete in Silent Mode when the Target URL was unreachable
- Fixed an issue that caused the crawler to exit abnormally and stop the scan when Invicti Assistant changed the Scan Settings
- Fixed a NullReferenceException in the Custom Scripts panel
- Fixed an issue that caused the link to get stuck in Crawling causing the scan to take too long
- Fixed a NRE that occurred when a Retest was performed on an imported scan
- Fixed an issue that occasionally caused scans to hang when the Target URL timed out on requests
- Removed an extra semicolon from the Actions to Take section of the Insecure Transportation Security Protocol Supported vulnerability templates
Invicti 5.7.2.27749 - 9th of April 2020
IMPROVEMENTS
- Added an image injection pattern to the Blind Cross-site Scripting security check
- Added Script Type information to the comment section of the Custom Security Check scripts
- Added the ability to show the Custom Scripts Panel without opening a scan
FIXES
- Fixed an issue so that the JavaScript configuration in the Scan Policy is saved when it is updated by Invicti Assistant
- Fixed an issue where the web proxy was not being used while connecting to Invicti Enterprise
- Fixed an issue where the Custom Scripts were not executing inside pop-up dialogs that open during Form Authentication
- Fixed an issue where logouts were not detected in single page applications that used Form Authentication
Netsparker 5.7.1.27675 - 25th of March 2020
FIXES
- Fixed a case sensitivity issue in Imported Links which caused Content-Type headers to be sent without requests
- Fixed an issue where the WAF Identification notification dialog was occasionally unclickable
- Fixed issue links for the Azure Send To Action to match Azure's new link scheme
- Fixed an issue that caused the computer to go into Sleep mode even when the advanced PreventSleepModeDuringScan setting was enabled