Invicti Standard 6.6.0.36485 - 14th June 2022

IMPROVEMENTS

• Updated embedded chromium browser
• Improved JWT confirmation to avoid false positives.

FIXES

• Fixed an issue that passive vulnerabilities were reported as out-of-scope links.
• Fixed an issue that imports global servers as Swagger files.
• Fixed an issue where the OK button disappears during interactive login.
• Fixed an issue that adds interactive login buttons to iframes.
• Fixed a null reference exception at the LFI exploit panel.

NEW SECURITY CHECKS

• Added Remote Code Execution (CVE-2022-22965) a.k.a. Spring4Shell detection support.

IMPROVEMENTS

• Netsparker Standard now Invicti Standard. 
• Added a token matching rule when it is required to get the token from a website other than the target URL.
• Improved the GraphQL attacks to include non-string fields. 

FIXES

• Fixed a consistency issue between the Software Composition Analysis and the Knowledge Base on reported vulnerabilities. 
• Fixed a bug that prevents the Knowledge Base View from being shown properly when a user disables the knowledge base from a scan policy.
• Fixed a null reference exception by adding a control whether the current scan policy is empty.
• Fixed a bug that the agent does not continue the scan after a pause.
• Fixed a bug that does not properly show all components detected by a software composition analysis after a retest. 

IMPROVEMENTS

• Implemented new Log4j attack patterns.
• Added the parameter types to exported reports for GraphQL.

FIXES

• Fixed an issue that Invicti uses a new token instead of the imported token when customers adds imported links.
• Fixed an issue that results in false positive Cross-site Scripting.
• Fixed an issue that prevents the scan policy migration when a newer Invicti Standard version is installed.
• Fixed an issue that the page counter goes to zero in the Recent Scans window.
• Fixed an issue that threw error during the pre-scan validation process in the case of websites that can only be accessed via the proxy.

IMPROVEMENTS

• Added the .deploy extension to Default Policy's extension list.
• Added a new command line interface parameter -called failfast- to close the Invicti Standard in the silent mode when error occurs.

FIXES

• Fixed a null reference error issue when a user right-clicks the target on the Sitemap. 
• Fixed the URL response error of the main node when Override Target URL check is enabled.
• Fixed the Imported Links date and time value in the body that is cropped. 
• Fixed an issue that opens the vulnerability panel instead of the HTTP Request and Response panel when the email node is selected in the Knowledge Base panel. 
• Fixed the issue with the Missing XSS protection Header in the Out-of-Scope link.
• Fixed an issue that tries to stop the scan when the What's New tab is closed.
• Fixed an issue that Invicti Standard starts a retest for a vulnerability randomly. 
• Fixed a payload for the GraphQL.

FIXES

• Fixed a scan policy migration issue that causes selecting all the security checks.

NEW FEATURES

• Added Software Composition Analysis (SCA) feature.
• Added OWASP Top 10 2021 classification and report.
• Added support for scanning GraphQL APIs.

NEW SECURITY CHECKS

• Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Jira.
• Added Stack Trace Disclosure Signature for Java.
• Added Shopify Identified Security Check.

IMPROVEMENTS

• Updated Invicti Standard .NET Framework version from 4.7.2 to 4.8.
• Allowed to enter hyphens for the proxy address on the Proxy Settings.
• Enabled that all child controlled scan parameters are listed in the Sitemap parent node.
• Changed classification for Cross-site Referrer Leakage and Breach in OWASP Top Ten 2021.
• Changed CryptographicException error log type.
• Added condition that when the max crawling link is reached, the DOM simulation stops.
• Updated Version Disclosure Signature for Apache Coyote.
• Added callback flag to prevent multi trigger of DOM parser view callback
• Improved the importing of RAML files includes other files.
• Added tags property to the Kenna Send to Action.
• Updated Freshservice integration not to send user agent header.
• Updated Version Disclosure Signature for Jolokia.
• Improved the Form Values to be entered into the relevant sections during the form authentication process in the React environment.
• Improved the login verification process by detecting page load properly.

FIXES

• Fixed an issue that created an incorrect issue link in Bitbucket Integration.
• Fixed an issue that occurred when the proxy information from the Proxy Auto-Configuration file cannot be transmitted in requests made by the browser.
• Fixed the null reference error (NRE) that occurred during importing the paused or canceled scan files.
• Fixed an issue that calculated total response time incorrectly.
• Fixed the bug related to Send To action of Kenna integration.
• Fixed the Jolokia version disclosure report to properly highlight the related lines.
• Fixed the OWASP classification links.
• Fixed an issue that does not show a vulnerability when sorted by the Vulnerability Type although it shows when sorted by Severity.
• Fixed the misleading tooltip in Scan Policy - Security Checks.
• Fixed the misaligned text on the PDF version of Executive Summary Report.
• Fixed an issue that Invicti Standard doesn't show out-of-scope warning when out-of-scope link is imported.
• Fixed the inconsistent vulnerability count between reports and status bar.
• Fixed the manual authentication issue when links are imported from URL.
• Fixed the Sitemap multilevel group count.
• Fixed Scan Policy security check count.
• Fixed a naming issue that occurred when a new custom report name contains a dot.
• Fixed an issue while changing the Data Directory option on Storage tab.
• Fixed the issue that external references were not rendered correctly.

NEW SECURITY CHECKS

• Added Out of Band Code Evaluation (Log4j - CVE-2021-44228) a.k.a. Log4Shell detection support.

NEW FEATURES

• Added Node.js sensor for Invicti Shark (IAST).
• Added OWASP API Top 10 classification and report template.

NEW SECURITY CHECKS

• Added signature matching to Web app fingerprint checker.
• Added patterns for Base64 encoded DOM Cross-site Scripting.
• Added phpMyAdmin Version Disclosure security check.
• Added Atlassian Confluence Version disclosure and Out-of-date security checks.
• Added exclusion feature to JavaScript Library detection.
• Added PHP Version Detection via phpinfo() call.
• Added the Shopify Identified security check.

IMPROVEMENTS

• Added the Bridge URL and Shark token support for Invicti Shark (IAST).
• Added setting to configure Session Cookie Names.
• Updated CWE classification category orders for Out-of-date templates.
• Improved Cross-site Scripting attack pattern.
• Added support for exploiting local storage and session storage in the DOM XSS security checks.
• Added highlighting support for custom scripts.
• Added Web Application Firewall to the site profile.
• Changed the default ignored parameter comparison to case insensitive.
• Added 'Is Encoded' option to OAuth2 parameters.
• Added JWT Token pre-request script template.
• Added the CSP Not Implemented that will be reported as confirmed.
• Added the Subresource integrity not implemented that will be reported as confirmed.

FIXES

• Fixed the issue that Content-Type header missing was reported when there was no content in the response.
• Fixed the issue FP JWT was reported in a not found response.
• Fixed the issue possible and confirmed vulnerabilities reported in the same URL.
• Marked weak TLS ciphers.
• Fixed the issue proof that was generated even when the proof generation option was disabled in the scan policy.
• Fixed FP WAF Identified.
• Fixed the issue vulnerability count in root node is not updated when a vulnerability is removed and Blind XSS was prioritized over the Reflected Cross-site Scripting.
• Fixed the issue source code disclosure is reported in binary responses.
• Fixed the issue fingerprint checker crashes when an applications file could not be found.
• Fixed the issue object-src missing was reported when default-src is provided in CSP security checks.
• Fixed the issue that some cipher suites are not reported as weak.
• Fixed the issue classification links were not rendered correctly when there are multiple values.
• Fixed the issue proof prefix was added when there were no more characters to be found.

NEW FEATURES

• Added Authentication Profiles
• Added the Overall Latest Version field to out-of-date vulnerabilities
• Added multiple vulnerabilities reporting support to passive and singular custom scripts
• Added Acunetix 360 integration

NEW SECURITY CHECKS

• Implemented JSON Web Token (JWT) security check
• Added the SSL Certificate is About to Expire security check
• Added StackPath Web Application Firewall (WAF) detection.
• Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Proxy Server.
• Added Identified, Version Disclosure, and Out-of-date security checks for JavaServer Pages
• Added Identified, Version Disclosure, and Out-of-date security checks for Kong Server
• Added Identified, Version Disclosure, and Out-of-date security checks for Liferay Digital Experience Platform.
• Added Identified, Version Disclosure, and Out-of-date security checks for Taleo Web Server
• Added Version Disclosure and Out-of-date security checks for Sugar Customer Relationship Management (CRM)
• Added Version Disclosure and Out-of-date security checks for Squid
• Added Identified and Out-of-date security checks for Magento
• Added Out-of-date security check for Daiquiri
• Added Identified security check for Plesk (Windows)
• Added Identified security check for Vegur
• Added Identified security check for HupSpot
• Added Identified security check for DataDome
• Added Identified security check for Craft CMS
• Added Identified security check for Windows Azure Web Apps
• Added Identified security check for OpenVPN Access Server
• Added Identified security check for Squarespace
• Added Identified security check for Plesk (Linux)
• Added Identified security check for Lighthouse
• Added Identified security check for BitNinja Captcha Server
• Added Identified security check for Pardot Server

IMPROVEMENTS

• Added Scan Paused, Scan Resumed, Scan Canceled, and Scan Finished states to the log category.
• Send to Request Builder option is now visible for Issue Group Nodes
• Added page type field to vulnerability reports
• Added Authentication Profile name to reports
• Improved RAML Importer to import the ZIP files
• Added application name and version information to a vulnerability report
• Implemented Swagger path parameter default value
• Fixed a Dom XSS scan stuck issue
• Fixed Daiquiri Identified reporting redundant custom field issue.
• Improved Common Weakness Enumeration (CWE) classifications for Out-of-Date Version vulnerabilities
• Added a new Akamai Content Delivery Network (CDN) detection signature
• Added a new Varnish Cache detection signature
• Added missing Identified security checks for the existing technologies
• Improved the summary section of the Version Disclosure template for SharePoint
• Improved TRACE/TRACK Method Detected security check
• Improved SVN Detected security check
• Improved Version Disclosure security check and report template for Phusion Passenger
• Improved Caddy Web Server Identified security check.
• Improved WAF Identifier security check.
• Added Blind SQL Injection security check with a new XOR payload for MySQL
• Proxy credential passed to Chrome page authentication
• Vulnerabilities ordered by severity in the Comparison Report

FIXES

• Fixed Invicti license decrypt problem
• HTTPS Requests are recorded as HTTP
• Fixed the requested security protocol is not supported error
• Fixed handling Protocol Buffers encoding type
• Fixed miswritten product name
• Fixed Phusion Passenger version disclosure template and added Out-of-Date mapping
• Fixed analyzing headers even if the identification source is the crawler
• Fixed an issue that may cause deadlock during adding items to Sitemap
• Fixed an issue that caused out-of-scope URLs to be scanned when the override target URL option is enabled and the authentication is failed while scanning.
• Fixed issue where headers in Postman collection were not replaced with variables
• Fixed an issue that cause SSL validation callback returns invalid SSL certificates as out-of-scope links
• Added disable-feature flag to the browser manager
• Fixed a null reference exception while generating Knowledge Base report
• Rare error when loading overlay window showed was ignored
• Fixed out-of-scope imported links showing in Knowledge Base Rest API List
• Fixed a detection issue with the Akamai CDN signature.
• Fixed a detection issue with Tomcat Identified security check.
• Fixed the signatures of phpMyAdmin Identified security check
• Fixed big size upload error
• The Exclude Authentication Page option will be checked if there is a selected authentication profile
• Fixed DPI settings at Custom Script Dialog
• Disabled GPU acceleration to prevent rendering errors and black bars
• Fixed UI bugs at General Scan Profile Settings
• Fixed issue max page visit was not received but showing in Knowledge Base because of max signature limit
• Fixed Custom 404 Regex in Invicti Enterprise scan data is shown as Auto 404 at Invicti Standard
• Fixed malformed VDB exception while getting the latest version of the application
• Severity null control added to the Vulnerability Profile dialog
• Fixed a non-recurring parameter while logging in with auto-authenticator
• Fixed Scan Policy Report migration primary key error
• Fixed saving Crawl & Attack option to the Scan Profile
• Fixed Logout detection window shows first entered URL for every login simulation error
• Fixed reporting false positive HSTS vulnerability

NEW FEATURES

• Added TLS 1.3 support
• Added the character limit setting for Blind SQL Injection proof generation and enabled proof generation by default
• Added the Common Vulnerability Scoring System field to the known vulnerabilities
• Added the Vulnerability Database version to the scan logs

IMPROVEMENTS

• Improved IPv6 support to cover all SSL checks
• Added an advanced setting option to turn on/off the "disable-web-security" command line option while launching chromium
• Added the redirect navigation support for DOM Parser
• Fixed Ghost Chromium problems and DOM simulation leaks
• Added multiple ISO Classification support
• Added alphabetical order to the Knowledge Base nodes
• Updated Invicti Shark (IAST) licensing
• Improved WAF Identification checks to prevent false positives
• Added CVSS3.0 and CVSS3.1 scoring for HSTS Policy Not Enabled
• Improved Open Redirection checks
• Updated Capture Group for OpenResty Version Disclosure
• Updated DS_Store File Found Report Template
• Changed the Referrer-Policy Report Template names to be more accurate
• Refined Possible Stored XSS Vulnerability template
• Added missing external references to SSL Templates that are removed after the merge
• Added IAST suffix to titles of vulnerability detected by Invicti Shark
• Updated OpenSSL regex
• Updated OpenSSL version disclosure regex
• Updated SSTI patterns to use specific type to match code execution patterns

NEW SECURITY CHECKS

• Added Short XSS Attack to bypass character limit checks
• Added Revoked SSL Certificate check
• Added SSL Certificate's Name and Hostname Mismatch security check
• Added SSL Certificate is not signed by a trusted root certification authority security check
• Added Daiquiri Identified security check
• Added Expired SSL Certificate security check
• Added ZSH History File Detected
• Added DOM XSS pattern for the script SRC Injection

FIXES

• Fixed an issue with simultaneous access to the same object while updating the sitemap during scanning
• Fixed unexpected error when saving parse from URL in form values screen
• Fixed the Chrome address bar displaying in different resolutions on the verify login form
• Fixed the detected logout status when an unreachable link is given
• Fixed the customization menu at the form authentication's custom script dialog
• Fixed unsupported browser issue for Headless Chromium
• Fixed weak ciphers not reported for additional websites issue
• Fixed ignoring weak ciphers check because of the ROBOT attack
• Fixed logging HTTPS requests as HTTP when LogHttpRequests option is enabled
• Updated Invicti Updater icons
• Fixed an issue where the Postman Importer ignores the authorization header that is defined in a request item
• Updated requester not to send Accept-Language header if it is not enabled in a scan policy
• Fixed an issue that occurred when exporting custom reports generated from Compliance, Detailed Scan, and Executive Summary report
• Fixed a synchronization problem while creating puppeteer instances
• Fixed an issue where external schema was not added when importing WSDL
• Fixed the Write Lock Leak in LinkPool
• Disabled mouse wheel on the Include/Exclude URLs with Regex radio group
• Fixed the typo in the jQuery validation out-of-date vulnerability type
• Fixed the issue Untrusted Root certificate was not reported on the self-signed certificates
• Fixed the issue that the wrong version was reported in the web app fingerprinting
• Fixed False Positive weak credentials vulnerability
• Fixed the issue that logs were not correctly formatted in the Logs panel
• Fixed the issue that SSL vulnerabilities found in additional sites might be reported in the wrong URL
• Fixed the issue that authenticated link was not crawled
• Fixed the issue that the proof URL was not added to XSS
• Fixed word-wrapping in Tags label in the Azure DevOps Send to Action Configuration Wizard
• Removed the logging for the replacing control characters in headers
• Changed the log level of DOM simulation timeout from Error to Warning
• Fixed the issue that another hash was appended to URLs with a fragment on DOM XSS attacks
• Fixed the issue that SSL certificates were not analyzed for each website when there are additional websites
• Fixed the issue that URI fragment was parsed incorrectly
• Fixed OpenSSL version disclosure regex
• Fixed WS_FTP Log check
• Fixed F5 BIG-IP WAF detection
• Fixed the typo in the jQuery Validation Out-of-date Vulnerability type
• Fixed Extractor for Lodash in repository.json by adding a new function
• Fixed WildFly regex for the WildFly Application Server Identified
• Fixed Whoops Error Handling framework signature
• Fixed the signature for Liferay Portal Identified
• Fixed Version Disclosure for Artifactory by adding missing custom field tag
• Fixed regex of Grafana Version Disclosure
• Fixed OpenResty regex for Version Disclosure
• Fixed the regex of Liferay Portal Version Disclosure pattern

IMPROVEMENTS

• Added IAST suffix to titles of vulnerabilities identified by Invicti Shark 

FIXES

• Fixed the issue that custom fields were removed when a vulnerability was cached
• Fixed a typo in the Invicti Shark dialog
• Fixed the issue that Invicti Shark responses were reported as comments in the Knowledge Base
• Fixed the issue that Invicti Shark engines were not enabled on old scan policies
• Fixed renaming default scan profile while using the Invicti Shark configuration with test websites
• Fixed setting explicit logout URL from the authentication verification dialog
• Fixed an NRE that occurred while opening the Invicti Enterprise options panel in Invicti Standard

NEW FEATURES

• Added NIST SP 800-53 compliance classification and report template.
• Added DISA STIG compliance classification and report template.
• Added the OWASP ASVS 4.0 classification and report template.
• Added header and footer section to customize reports.
• Added an option to customize POST attacks for the Open Redirect engine.

NEW SECURITY CHECKS

• Added PHP magic_quotes_gpc Is Disabled security check.
• Added PHP register_globals Is Enabled security check.
• Added PHP display_errors Is Enabled security check.
• Added PHP allow_url_fopen Is Enabled security check.
• Added PHP allow_url_include Is Enabled security check.
• Added PHP session.use_trans_sid Is Enabled security check.
• Added PHP open_basedir Is Not Configured security check.
• Added PHP enable_dl Is Enabled security check.
• Added ASP.NET Tracing Is Enabled security check.
• Added ASP.NET Cookieless Session State Is Enabled security check.
• Added ASP.NET Cookieless Authentication Is Enabled security check.
• Added ASP.NET Failure To Require SSL For Authentication Cookies security check.
• Added ASP.NET Login Credentials Stored In Plain Text security check.
• Added ASP.NET ValidateRequest Is Globally Disabled security check.
• Added ASP.NET ViewStateUserKey Is Not Set security check.
• Added ASP.NET CustomErrors Is Disabled security check.
• Added PHP session.use_only_cookies Is Disabled security check.
• Added new Blind SQL Injection attack pattern.
• Added Jinjava SSTI security check.
• Added Whoops Framework Detected security check.
• Added CrushFTP server detected security check.
• Added database error message signature pattern for Hibernate.
• Added Identified, Version Disclosure, and Out-of-date security checks for W3 Total Cache.
• Added Identified, Version Disclosure, and Out-of-date security checks for Next.JS React Framework.
• Added Identified, Version Disclosure, and Out-of-date security checks for Twisted Web HTTP Server.
• Added Identified, Version Disclosure, and Out-of-date security checks for Werkzeug Python WSGI Library.
• Added Identified, Version Disclosure, and Out-of-date security checks for OpenResty.
• Added Identified, Version Disclosure, and Out-of-date security checks for GlassFish.
• Added Identified, Version Disclosure, and Out-of-date security checks for Resin Application Server.
• Added Identified, Version Disclosure, and Out-of-date security checks for Plone CMS.
• Added Identified, Version Disclosure, and Out-of-date security checks for Trac Software Project Management Tool.
• Added Identified, Version Disclosure, and Out-of-date security checks for IBM RTC.
• Added Identified, Version Disclosure, and Out-of-date security checks for Tornado Web Server.
• Added Identified, Version Disclosure, and Out-of-date security checks for Jetty Web Server.
• Added Identified, Version Disclosure, and Out-of-date security checks for Axway SecureTransport Server.
• Added Identified, Version Disclosure, and Out-of-date security checks for Artifactory.
• Added Identified, Version Disclosure, and Out-of-date security checks for Gunicorn Python WSGI HTTP Server.
• Added Identified, Version Disclosure, and Out-of-date security checks for IBM Security Access Manager (WebSEAL).
• Added Identified, Version Disclosure, and Out-of-date security checks for Nexus OSS.
• Added Identified, Version Disclosure, and Out-of-date security checks for Cowboy HTTP Server.
• Added Identified, Version Disclosure, and Out-of-date security checks for Python WSGIserver.
• Added Identified, Version Disclosure, and Out-of-date security checks for Restlet Framework.
• Added Identified, Version Disclosure, and Out-of-date security checks for Phusion Passenger.
• Added Version Disclosure and Out-of-date security checks for Liferay Portal.
• Added Version Disclosure and Out-of-date security checks for Tracy debugging tool.
• Added detection for Varnish HTTP Cache Server.
• Added detection for SonicWall VPN.
• Added detection for Play Web Framework.
• Added detection for Private Burp Collaborator Server.
• Added detection for LiteSpeed Web Server.
• Added detection for JBoss Enterprise Application Platform.
• Added detection for JBoss Core Services.
• Added detection for WildFly Application Server.
• Added detection for Oracle HTTP Server.
• Added version disclosure Daiquiri security check.

IMPROVEMENTS

• Added Wordlist Entries feature to the Resource Finder security check group
• Added CVSS3.0 and CVSS3.1 scoring for HSTS Policy Not Enabled.
• Improved Open Redirect attack patterns.
• Improved TLS 1.0 issue remediation reference.
• Added WCF service support to WSDL importer.
• Added a fix to reduce the possibility of an out-of-memory problem.
• Added authentication support to system proxy for PAC file.
• Verification dialog remembers old logout keywords.
• Added scan profile information and URL to all reports.
• Added bypass list for scan policy settings.
• Added scan scope variables to the Pre-Request Scripts.
• Added information label to the Pre-Request Script settings panel
• Added a fail tolerance to Puppeteer launch.
• Improved Tomcat signature patterns.
• Improved authenticator not to store the plain password in the request data
• Added HTTP Request Logger to authentication
• Added Canada region to the Invicti Enterprise settings
• Added tooltip to the Excluded Usage Trackers feature.
• Removed X-Scanner header from default scan policies
• Added new sensitive comment patterns.
• Revised the description of the Resource Finder checks option.
• Removed header and footer settings for reports that do not contain header and footer in the save report dialog.
• Added Incremental Scan to Knowledge Base reports.
• Updated Invicti Standard splash screen.

FIXES

• Fixed Lodash Identified security check signature.
• Fixed WebLogic Version Disclosure security check signature.
• Fixed Whoops Error Handling Framework Identified security check signature.
• Fixed Zope Web Server Version Disclosure security check signature.
• Fixed Grafana Version Disclosure security check signature.
• Fixed ASP.NET MVC Version Disclosure security check signature.
• Fixed Telerik Version Disclosure vulnerability severity to be low.
• Fixed IIS Version Disclosure vulnerability severity to be low.
• Fixed the grammar issues at the CSP Not Implemented report template.
• Hide the scope tooltip at the manual authentication panel.
• Fixed the order of Out-of-Date vulnerabilities; now sorting vulnerabilities by their severities.
• Fixed the issue "link stuck error" was repeated many times in the scan logs.
• Fixed the typo in the Pre-Request Scripts Menu.
• Fixed a few typos in the Impact descriptions.
• Fixed validating WAF settings before trying to test WAF connection
• Fixed the issue where the Exclude Authentication Pages option could not be manually disabled when the Form Authentication is enabled.
• Fixed an issue where the Form Authentication verification dialog loses focus and disappears.
• Fixed directory modifiers limit usage
• Fixed sending previous request headers while navigating to the Form Authentication's latest response URL.
• Fixed an issue where the custom script dialog failed to display login page when requests encoded with Brotli
• Fixed an issue that causes Reflected Parameter analyzer attacks to the ignored parameters when the breach engine is disabled
• Fixed an issue that may cause the null reference exception when reflected parameter analyzer working
• Fixed an issue that caused WASC ID is not sent properly in the Kenna Send To Action
• Fixed an issue where the HTTP request is not redirected to HTTPS when Strict Transport Security is enabled
• Fixed an issue that caused DOM simulation to fail because of the null windows and elements
• Fixed an issue that is caused by NTLM, Kerberos, Negotiate authentication credentials send with every request without challenge
• Fixed an issue that causes the Pre-Request Script requests to be ignored when its method is disallowed from the Scope settings
• Fixed an issue that causes raw request created without cookies
• Added SSL, Attack Possibility, and JavaScript files to Knowledge Base
• Fixed the order of classification report ribbon menu.
• Fixed handling the invalid characters of request headers set from the Pre-Request Scripts.
• Fixed the tooltip of Send To Tasks button at the ribbon
• Fixed unwanted warning on the auto authenticator
• Fixed date and time zone problem on Swagger file.
• Fixed null reference exception on excluded URL check.
• Fixed multiple instance knowledge base render problem.
• Fixed reporting style issues.
• Fixed relativity of the charts in the Comparison Report.
• Fixed grid showing on the logout detection screen.
• Fixed scan resuming problem on unavailable host.
• Fixed pop-up problem on the DOM simulation for better performance.
• Fixed the logo at the Knowledge Base render error page.
• Fixed an issue which causes unhandled exception when the link clicked multiple times on authentication verify dialog when interactive login is enabled
• Fixed internet connection problem at test site configuration dialog.
• Added information label to the Azure Configuration wizard.
• Fixed request and response results in out-of-band vulnerabilities.
• Fixed Blind SQL Injection cache issue.
• Fixed wrong expiry time for cookie which occurs at DOM simulation.
• Fixed the null reference exception while checking the source type.
• Fixed the Basic Authentication header problem for chromium requests.
• Fixed the null reference exception while getting authorization tokens.
• Fixed an issue where XSLT requests are not intercepted.
• Fixed Netsparker Helper Service dll not found issue.
• Fixed the client certificate selection issue while logging in to the target website.
• Fixed session storage problem at DOM simulation.
• Fixed upload request problem that creates false positive at LFI engine.
• Fixed chromium errors at authentication
• Fixed the unhandled multiple choices redirect status code at requester.
• Fixed the keyword-based logout detection stuck when the pop-up opened at chromium browsers.
• Fixed the Generate Exploit button label in the ribbon menu and vulnerability pop-up menu.
• Fixed an issue where the form value parser was not working.
• Fixed unauthorized request handling in the license view.
• Fixed an issue that causes invalid parent issue selection if Check Inverse is used at Security Checks
• Fixed maximum logout detection issue.
• Fixed the typo in the Pre-request Scripts menu.
• Fixed a few typos in the Impact descriptions.
• Fixed the issue that email disclosure was reported without identified email addresses.
• Fixed an issue in the scan policy optimizer where the DOM preset was set wrong.
• Removed URL signature field from the phpinfo detection pattern.
• Fixed Perl version disclosure pattern.
• Fixed the issue that movable type cannot be detected because the app name contained whitespace.
• Removed the Fiddler core dependency from Fiddler Importer that caused issues in Linux agents.
• Fixed the custom script dialog title.
• Fixed the signature of Python version disclosure pattern.
• Fixed the issue that charset error was repeated many times in the logs.
• Fixed the issue that the attack parameter name was not displayed on error based SQL injection vulnerabilities.
• Fixed an ArgumentNullException that was thrown when the proxy bypass list is null.
• Fixed the request parsing error in TCP Requester.
• Fixed the issue that header and footer were mixed up in the reports.
• Fixed info icons position in the Knowledge Base reports.
• Fixed the issue XSS payload was not highlighted correctly.
• Fixed the typo in the base scan CLI argument.
• Fixed the issue that the confirmation dialog was not displayed when the delete rows button in the context menu is used.
• Fixed the inconsistencies in the summary page of Asana configuration wizard.
• Fixed tooltip enabled/disabled states in Form Authentication, Client Certificate, and Smart Card Authentication settings.
• Fixed the issue that search results were not highlighted correctly.
• Fixed the issue that URL was not correctly encoded in Send To Action templates.
• Fixed the issue request.Headers was empty in custom script API.
• Fixed the issue Mithril version could not be detected.
• Fixed the issue that SSTI could not be detected consistently because the code execution patterns were not loaded correctly.
• Fixed the issue that version disclosure vulnerabilities were always fixed in retest.
• Fixed the issue that causes FP Open Redirection because of the improper decoding of location header
• Fixed Swagger parser that caused importing object with a parent node while the object is inside an array

NEW SECURITY CHECKS

• Added Oracle WebLogic Server Remote Code Execution (CVE-2020-14882)
• Added Oracle WebLogic Server Authentication Bypass (CVE-2020-14883)

NEW FEATURES

• Added a new signature limit for URL Rewrite matched links
• Added a crawling limit for Not found (404) links
• Added a WASC Classification Report template
• Added an option to exclude authentication pages and removed authentication related regexes from the default settings

NEW SECURITY CHECKS

• Added Out-of-date security checks for the Liferay portal
• Added Version Disclosure and Out-of-date security checks for Jolokia
• Added Nested XSS security checks
• Added an ASP.NET Razor SSTI security check
• Added a Java Pebble SSTI security check
• Added a Theymeleaf SSTI security check
• Added Version Disclosure and Out-of-date security checks for Grafana

IMPROVEMENTS

• Improved custom scripting to send raw requests
• Improved the authenticator to hide passwords in request data in order to prevent exposing them in reports
• Added an Auto Follow Redirect setting to the Advanced settings
• Added request and response details to Out of Band vulnerabilities
• Improved logging for timed out regexes in the Javascript Library Checker
• Updated signature of Stack Trace/Custom Stack Trace (Python)
• Improved the memory consumption on long running scans

FIXES

• Fixed an error that was caused when parsing duplicate response content-type headers
• Updated Invicti logos, splash screen and icons
• Fixed reporting of Crawl Performance for crawl-only scans
• Fixed an issue where Form Value Errors were occurring after simulation was finished
• Fixed the Maximum Body Length exceeded log message
• Fixed the log level of the Dom Parser's ignored link message
• Fixed the Jira Send To application description
• Fixed an issue that occured when the content-type and accept header was used in a parameter in the Open API (Swagger) file
• Fixed an issue where the custom Comparison Report was not generated
• Fixed an ArgumentNullException that was occuring in the TestSiteConfiguration dialog
• Disabled the LFI button for possible xxe
• Fixed a certificate error problem on the new ssl checker
• Fixed the timezone problem on reports
• Fixed the Executive Summary Report title
• Fixed an ArgumentException that was thrown when the URI was empty
• Fixed HIPAA classification links
• Fixed the issue where the Invicti session importer did not import all links from the session
• Fixed the bug where the URL was split incorrectly when a segment contained the file extension
• Fixed the issue responses that were not being analyzed in the Signatures engine during the re-crawl phase
• Fixed the HIPAA classification link when there are multiple classifications
• Removed plugin functions that are used to detect bootstrap to prevent false positive versions from being reported
• Fixed NRE in the static detection engine
• Fixed the Swagger parser that caused an object to be imported with a parent node while the object was inside an array

IMPROVEMENTS

• Added a highlight icon to the attack parameters on the vulnerability reports
• Added a report URL to the scheduled reports

FIXES

• Fixed a ObjectDisposedException that was occasionally thrown when the attacker started in manual proxy mode
• Fixed a NRE that occurred when exporting a report from a scheduled scan
• Fixed an issue caused when the login page identifier was disabled in the Scan Policy
• Fixed an issue where the Jira Send To Action failed to create an issue when the components field did not exist in the project
• Fixed the issue where the content type was not parsed correctly when there were multiple Content-type headers
• Fixed the issue where responses were not being analyzed in signature detection in the re-crawl phase.
• Fixed the list of enabled security checks on reports
• Changed the Sans Top 25 classification name to CWE on reports

NEW SECURITY CHECKS

• Added an F5 Big IP LFI (CVE-2020-5902) attack pattern
• Added out of date checks for Apache Traffic Server
• Added version disclosure for Undertow Server
• Added out of date checks for Undertow Server
• Added version disclosure for Jenkins
• Added out of date checks for Jenkins
• Added signature detection for Kestrel
• Added detection for Tableau Server
• Added detection for Bomgar Remote Support Software
• Added version disclosure for Apache Traffic Server

IMPROVEMENTS

• Added Request API to Form Authentication's Custom Script
• Added ability to add, edit and remove HTTP parameters and headers from Custom Security Check requests
• Improved the Jira Send To Action to include a new Components field
• Improved the SSL security check implementation
• Improved the design of default Report Templates

FIXES

• Fixed a memory leak in the Attacking phase
• Fixed a CSS Parser issue that caused infinite loops while parsing invalid css files
• Fixed an Attacker issue that caused a memory leak
• Fixed a Null Reference Exception that occurred during crawling
• Fixed the parsing of duplicate content-type headers

NEW FEATURES

• Added Pivotal Tracker Send To integration
• Added test website (Target URL) configuration to enable the scanning of REST websites with selected XML and JSON mime type(s)
• Added ability to add, remove or edit request parameters, headers and edit the request body in pre-request scripts
• Added a Fragment Parsing checkbox to the Crawling tab of the Scan Policy Editor dialog

NEW SECURITY CHECKS

• Added a new vulnerability for Same Site Cookies that are set to None and not marked as secure

IMPROVEMENTS

• Improved the Webhook Send To Action to enable it to send data from the query string when the POST or PUT method is selected
• Improved the Jira Send To Action to include Epic Key and Epic Name fields
• Updated the default value for Allow Out-of-scope XHR requests from False to True, to improve the simulation process
• Improved Form Authentication to capture All Authorization Headers instead of just Bearer Authentication Tokens
• Improved the scan performance with memoization of Passive Security Checks
• Optimized Stored XSS checks to eliminate unnecessary DOM simulations in PermanentXssSignature
• Optimized signature detection to avoid executing unnecessary Regex checks
• Improved the attack payload of the Open - Integer (MySQL) pattern

FIXES

• Fixed the problem where the authentication header was parsing if an empty OAuth2 token type was provided
• Fixed a typo in the XSS vulnerability template
• Fixed a typo in Expect-CT engine error message
• The WAF Identified dialog is no longer displayed when Invicti is started from the command line in Silent Mode
• Fixed an issue that meant the Target URL was not crawled when the Override Target URL with authenticated page checkbox was enabled in the Form Authentication tab of the Start a New Website or Web Service Scan dialog
• Fixed the visibility of the scan search bar
• Fixed the Regex Pattern of the BREACH Engine's sensitive keywords
• Fixed an issue where the Possible OOB Command Injection Vulnerability was reported as confirmed
• Fixed the exception that was thrown if the script file name was empty when the Execute button was clicked in the Custom Scripts panel
• Fixed the problem where the XXE engine was reporting a false positive on possible XXEs
• Data Type Mismatch errors are now ignored while importing OpenAPI (Swagger) documents
• Fixed an issue where Authentication Verification was failing to complete in Silent Mode when the Target URL was unreachable
• Fixed an issue that caused the crawler to be exited abnormally and stopping the scan when Invicti Assistant changed the Scan Settings
• Fixed a NullReferenceException in the Custom Scripts panel
• Fixed an issue that caused the link to get stuck in Crawling causing the scan to take too long
• Fixed a NRE that occurred when a Retest was performed on an imported scan
• Fixed an issue that occasionally caused scans to hang when the Target URL timed out on requests
• Removed an extra semicolon from the Actions to Take section of the Insecure Transportation Security Protocol Supported vulnerability templates

IMPROVEMENTS

• Added an image injection pattern to the Blind Cross-site Scripting security check
• Added Script Type information to the comment section of the Custom Security Check scripts
• Added the ability to show the Custom Scripts Panel without opening a scan

FIXES

• Fixed an issue so that the JavaScript configuration in the Scan Policy is saved when it is updated by Invicti Assistant
• Fixed an issue where the web proxy was not being used while connecting to Invicti Enterprise
• Fixed an issue where the Custom Scripts were not executing inside pop-up dialogs that open during Form Authentication
• Fixed an issue wherelogouts was not detected with single page applications that used Form Authentication