Netsparker 184.108.40.20649 - 18th April 2018
Netsparker 220.127.116.1123 - 8th March 2018
- Added support for importing Postman v2.1 files.
- Added certificate extension aliases support to Client Certificate Authentication.
- Fixed certificates not listing in the client certificates dropdown list issue.
- Fixed Invicti Hawk validation issue.
Netsparker 18.104.22.16839 - 2nd February 2018
- Added a new report template - Detailed Vulnerabilities List in XML.
- Optimized ROBOT attack check performance.
- Improved React Controlled Field coverage in form authentication custom scripts.
- Fixed the non-rendered web page on form authentication verification dialog, due to malformed Content-Type header.
- Fixed the disabled Retest menu item for vulnerabilities on Issues tree.
Netsparker 22.214.171.12482 - 28th December 2017
- Fixed perhost certificate generation issue which renders manual crawling unusable.
- Fixed an ArgumentNullException thrown from DOM simulation.
Netsparker 126.96.36.19902 - 22nd December 2017
NEW SECURITY CHECK
Netsparker 188.8.131.5267 - 13th December 2017
- Fixed the empty target URL text box on start new scan window on initial load.
- Fixed the hang issue caused by popup windows during form authentication.
- Fixed the exception that occurs when root directory node is excluded in sitemap.
- Fixed an exception thrown while shutting down the application.
- Fixed a NullReferenceException occurs while trying to parse compressed sitemap files.
- Fixed a serialization exception issue occurs while trying to load older scan files.
- Fixed the broken tooltip message on Custom Form Authentication Script dialog.
- Fixed the exception that occurs when importing scan file because the path has invalid chars.
- Fixed duplicate activities displayed while analyzing crawled pages.
Invicti 184.108.40.20670 - 24th November 2017
- Users can now preconfigure local/session web storage data for a website.
- Added a new send to action to send e-mails.
- Added HTTP Header Authentication settings to add request HTTP Headers with authentication information.
- Added CSV file link importer.
- Parsing of form values from a specified URL.
- Added custom root certificate support for manual crawling.
- Added gzipped sitemap parsing support.
NEW SECURITY CHECKS
- Added reflected "Code Evaluation (Apache Struts 2)" security check (CVE-2017-12611).
- Added "Remote Code Execution in Apache Struts" security check. (CVE-2017-5638).
- Renamed "Important" severity name to "High".
- Updated external references for several vulnerabilities.
- Improved default Form Values settings.
- Improved scan stability and performance.
- Added Form Authentication performance data to Scan Performance knowledgebase node.
- Added "Run only when user is logged on" option to the scan scheduling.
- Added a warning before the scan starting if there are out of scope links in imported links.
- Improved Active Mixed Content vulnerability description.
- Improved DOM simulation for events attached to document object.
- Added "Alternates", "Content-Location" and "Refresh" response header parsing.
- Removed "Disable IE ESC" requirement on Windows server operating systems.
- Improved Content Security Policy (CSP) engine performance by checking CSP Nonce value per directory.
- Changed sqlmap payloads to start with sqlmap.py, including the .py extension.
- Added --batch argument to sqlmap payloads.
- Removed Markdown Injection XSS attack payloads.
- Filtered out irrelevant certificates generated by Invicti from client certificate selection dropdown on Client Certificate Authentication settings.
- Added ALL parameter type option to the Ignored Parameters settings.
- Added gtm.js (Google Tag Manager JS library) to the default excluded scope patterns.
- Added an option to export only PDF reports without HTML.
- Added -nohtml argument to CLI to create only pdf reports.
- Updated the Accept header value for default scan policy.
- Added CSS exclusion selector supports frames and iframes.
- Added scan start time information to the dashboard.
- Skip Phase button is disabled if the phase cannot be skipped.
- Added validation messages for invalid entries on start new scan dialog sections.
- Added parsing source information to Scanned URLs List and Crawled URLs List (JSON) reports.
- Added highlight support for password transmitted over HTTP vulnerabilities.
- Email disclosure will not be reported for email address used in form authentication credentials.
- Added focus and blur event simulation for form authentication set value API calls.
- Uninstaller now checks for any running instances.
- Internal proxy now serves the certificate used through HTTP echo page.
- Added spell checker for Report Policy Editor.
- Added an error page if any internal proxy exception occurs.
- Added more information about the HTML form and input for vulnerabilities found on HTML forms.
- Extensions on the URLs are handled by the custom URL rewrite rule wizard.
- Added Parameter Value column to Vulnerabilities List CSV report.
- Added match by HTML element id for form values.
- Improved Windows Short Filename vulnerability details Remedy section.
- Improved scan policy security check filtering by supporting short names of security checks.
- Improved Burp file import dialog by removing the file extension filter.
- Improved table column widths on several reports.
- Updated default User-Agent HTTP request header string.
- URL Rewrite parameters are now represented as asterisks in sqlmap payloads.
- Fixed the InvalidOperationException on application exit.
- Fixed CSRF vulnerability reporting on change password forms.
- Fixed Email Disclosure highlight issue where only the first email address is highlighted when there are multiple email addresses on the page.
- Fixed case sensitivity checks while matching ignored parameters, now it matches case sensitive.
- Fixed the incorrect progress bar value displayed when a scan is imported.
- Fixed the incorrect disabled external references section in WordPress Setup Configuration File template.
- Fixed up/down movement issue on Form Values when multiple rows are selected.
- Fixed various source code disclosure issues.
- Fixed an escaping issue with CSS exclusion selectors.
- Fixed the issue where the basic authentication credentials are not being sent on logout detection phase.
- Fixed a NullReferenceException when an invalid raw request is entered in request builder.
- Fixed HTTP Request Builder where it does not set request method to POST if the selected method is PUT.
- Fixed the issue where the response URL is displayed in the vulnerability details.
- Fixed the issue where some links were not excluded from scan from sitemap.
- Fixed enabled security check group with all security checks within are disabled.
- Fixed a random DOM simulation exception occurs when site creates popup windows.
- Fixed a RemotingException occurs on Form Authentication Verifier.
- Fixed a possible NullReferenceException on Form Authentication.
- Fixed the message dialog windows displayed by the 3rd party component on Form Authentication Verification.
- Fixed the broken form authentication custom script when the last line of the script is a single line comment.
- Fixed certificate search in store by subject name returns matches without exact subject names.
- Fixed ESC key handling on message dialogs.
- Fixed huge parameter value deserialization memory usage.
- Fixed an issue with Load New License occurs when the source and destination license files are same.
- Fixed the issue where the parsing source is set to Unspecified for links found by resource finder in reports.
- Fixed the incorrect sitemap representation of excluded nodes when a scan is imported.
- Fixed the wrong URLs added with only extension values.
- Fixed the logout detection portion of form authentication verification where it was not using the configured proxy.
- Fixed the message overflow issue in the out of scope link warning dialog.
- Fixed a NullReferenceException which may be thrown while importing a swagger file.
- Fixed the incorrect Skip Current Phase button state when scan phase is changed
- Fixed internal proxy throwing when certain browsers do not send the full URL with the initial request.
- Fixed an issue in which the form authentication is not being triggered on retest.
- Fixed StackOverflowException in swagger parser thrown while parsing objects containing circular references.
- Fixed a swagger file parsing issue where target URL should be used when host field is missing.
- Fixed swagger importer by ignoring any metadata properties.
- Fixed the empty request/response displayed for some sitemap nodes with 404 response.
- Fixed the autocomplete issue in Content-Type header in Request builder
- Fixed a NullReferenceException occurs during DOM simulation.
- Fixed the incorrect URLs parsed on attack responses.
- Fixed the redundant duplicate HTTP requests issued by Web App Fingerprinter.
- Fixed show/hide issue for Dashboard and Sitemap panels.
- Fixed the issue where Retest All button disappears after a Retest.
- Fixed the issue where the dollar sign in imported URL is encoded after scan.
- Fixed the empty request/response header issue for links discovered during attacking.
- Fixed ignore parameter issue for parameters containing special characters.
- Fixed a NullReferenceException that occurs for select elements missing option elements on multipart requests.
- Fixed missing vulnerabilities requiring late confirmation for incremental scans.
- Fixed a NullReferenceException may occur on iframe security checks.
- Fixed the exception that occurs while adding duplicate POST parameters with the same name in Request builder.
Netsparker 220.127.116.1196 - 11th November 2017
NEW SECURITY CHECK
- Added more Command Injection and Blind Command Injection patterns for Windows systems.
Netsparker 18.104.22.16823 - 11th October 2017
- Updated vulnerability database to latest version.
Netsparker 22.214.171.12400 - 9th October 2017
- Fixed the incorrect percentage encoding on Detailed Scan Report template.
Netsparker 126.96.36.19976 - 6th October 2017
NEW SECURITY CHECK
- Added "Out of Band Code Evaluation (Apache Struts 2)" security check (CVE-2017-12611).
- Improved report templates.
Netsparker 188.8.131.5290 - 22nd September 2017
NEW SECURITY CHECK
- Added "Out of Band Code Evaluation (Apache Struts 2)" security check (CVE-2017-9805).
Netsparker 184.108.40.20645 - 18th September 2017
- Fixed an out of memory issue.
Netsparker 220.127.116.1190 - 13th September 2017
- Improved the form authentication element click API by providing the mouse coordinates.
- Fixed an object leak causing performance issues during scans.
- Fixed a backup file check where scan policy selections were not honoured.
- Fixed the broken Basic, NTLM/Kerberos "Test Credentials" button.
- Fixed the unencrypted credentials saved with profile files.
- Fixed the broken email disclosure detection which was not able to match multiple emails.
Invicti 18.104.22.16847 - 24th August 2017
- New Basic, NTLM, Digest and Kerberos authentication settings to support multiple credentials for different URL paths.
NEW SECURITY CHECKS
- Checks for default pages of IIS 10.0, 8.5, 7.5, 7.0 web servers.
- Checks for WordPress Setup Configuration File.
- Remote Code Execution checks for Node.js on Windows.
- Improved Local File Inclusion (LFI) attack patterns.
- Improved DOM XSS attack patterns.
- Improved Blind Command Injection detection on Linux systems.
- Added response compression and length information to HTTP Request Builder.
- Displaying times in 24-hour format on scan reports.
- Improved the performance of email address disclosure detection.
- Improved the performance of database connection string disclosure detection.
- Improved the performance of RoR database configuration detection.
- Improved "Enter Links" dialog by adding format selection for all the supported import formats.
- Added parameter type information to nodes on "Issues" panel.
- Improved scan import performance significantly.
- Added context menu item for sitemap root node to open the scan folder.
- Improved resource finder to find more hidden resources.
- Time zone information added to reports.
- Improved support for simulating customized select elements.
- Improved NTLM, Digest and Kerberos authentication support.
- Improved DOM simulation stability and performance.
- Added the list of URLs that do not match the rewrite rules on URL Rewrite knowledge base.
- Added number of links that match to a URL Rewrite rule on URL Rewrite knowledge base.
- Added out of scope links count information to the knowledge base.
- Improved the default parameter name list for Parameter Based Navigation.
- Added NTLM and Digest authentication support to the generated sqlmap and cURL commands.
- Improved boolean and blind SQL injection checks for MySQL databases.
- Improved blind SQL injection checks for PostgreSQL databases.
- Added excluded URLs list to the detailed scan report.
- Improved reflected and stored XSS detection.
- HSTS checks now reports missing preload directives.
- Updated Korean translation.
- Added XML report types for Crawled URLs List and Scanned URLs List reports.
- Added toolbar to open and copy URLs for Browser View tab.
- Improved JSON response parsing.
- Improved DOM based XSS payloads by prepending a URL to referer to make it practically work on web browsers.
- Improved email disclosure checks by checking host names against to public suffix list.
- Fixed the error caused by null bytes in attack patterns while sending vulnerabilities to JIRA.
- Fixed an incorrect "Password Transmitted over HTTP" issue for relative URLs on pages redirected to HTTPS addresses.
- Fixed the NullReferenceException thrown while importing certain HAR (HTTP Archive) files.
- Fixed the missing activities while performing a controlled scan.
- Fixed the missing DOM parsing activity when "Override Target URL with authenticated page" option is selected.
- Fixed the incorrect total security check count while performing controlled scans on activity list.
- Fixed incorrect "Interesting Header" report for Content-Security-Policy header.
- Fixed the redundant extra headers added to requests while using request builder.
- Fixed the disabled "Start Proxy" button when Invicti is opened after an application crash.
- Fixed directory listing is not reported issues on some IIS versions.
- Fixed page break issues on reports.
- Fixed the issue where comments in CSS files are not parsed.
- Fixed the incorrect URL found in CSS comments.
- Fixed incorrect CSRF vulnerability reports by taking hidden token input into account.
- Fixed an IndexOutOfRangeException caused by CSP checks.
- Fixed the signature pattern which fails to match "Programming Error Message (PHP)" in multiple lines.
- Fixed markdown XSS attack patterns causing incorrect findings.
- Fixed the double quote encoding issue on generated sqlmap commands.
- Fixed incorrect "Interesting Header" reports for some headers.
- Fixed the incorrect http protocol displayed for SSL vulnerabilities.
- Fixed the duplicate delete confirmation message while deleting the scan and report policies using a keyboard shortcut.
- Fixed an issue where DOM simulation is performed for checking XSS once per XPath.
- Fixed the incorrect progress report during controlled scans.
- Fixed the encoding issue on reported DOM XSS stack traces.
- Fixed the highlighting issue of multiple custom data reported on vulnerabilities.
- Fixed the incorrect rows deleted issue when multiple rows are selected on imported links section.
- Fixed the incorrect behaviour of move up/down controls on custom URL rewrite section.
- Fixed the maximum crawled URL limit exceeded issue.
- Fixed duplicate resource finder requests.
- Fixed CSS escaping in CSS selector generation.
- Fixed the failing error report when the unexpected exception title is too long.
- Fixed the WADL import issue where the operation fails for responses with no status codes.
- Fixed incorrect HttpOnly reports of XSRF-TOKEN cookies, due to its nature these cookies must be accessed from JS code.
- Fixed incorrect cURL and sqlmap commands when basic authentication is used.
- Fixed the incorrect missing object-src report on CSP checks.
- Fixed an issue where default crawled value is double-encoded instead of single.
- Fixed the problem where the unique links added twice while importing Postman files.
- Fixed the "Property set method not found" that occurs while using FogBugz send to action
- Fixed the missing content for Site Profile section of Knowledge Base report.
- Fixed "The selected task no longer exists." error when trying to run a scheduled scan on some Windows machines.
Netsparker 22.214.171.12474 - 19th July 2017
- Enhanced and fixed several DOM simulations.
- Removed redundant SSL logs caused by HSTS security checks.
- Improved localization capabilities of Report Policy Editor.
Invicti 126.96.36.19901 - 12th of June 2017
- Manual Crawling (Proxy Mode) now supports protocols like TLS 1.1 and 1.2.
- Added scan policy settings for CSRF security checks.
- Added ability to use custom HTTP headers during scan.
- Added /generatereport CLI argument for report generation from scan session files.
- Added hex editor view for requests on request builder.
- Added attacking optimization option for recurring parameters on different pages.
NEW SECURITY CHECKS
- Added Referrer Policy security checks.
- Added markdown injection XSS patterns.
- Added HostIP and IPv6 patterns to MySQL and SSH SSRF security checks.
- Added Database Name Disclosure security checks for MS SQL and MySQL.
- Added Remote Code Evaluation (Node.js) security checks.
- Added SSRF detection with server-status.
- Added user controllable cookie detection.
- Added Context-Aware XSS detection by generating XSS payloads based on the reflected context without breaking it.
- Updated the links to several external references.
- Added cancellation of ongoing attack activities when excluded from site map.
- Added exploitation for XXE vulnerabilities.
- Added DOM simulation options to scan policy optimizer wizard.
- Improved Mixed Content vulnerability reporting by separating them according to resource types.
- Improved the CSS query selector generation on form authentication custom script dialog.
- Improved boolean SQL injection detection for redirect responses.
- Improved WSDL parsing for files that contain optional extensions.
- Added current scan profile, scan policy and report policy names to status bar.
- Improved .sql file detection signature.
- Improved the highlighting of patterns on HTTP responses.
- Added extra confirmation for weak credentials detection.
- Added POST parameters to crawling activities on scan activity list.
- Added scan policy option to allow XHR requests during DOM simulation.
- Added response statistics to request builder.
- Added form value for password input types to default scan policy.
- Added status column to the request history in request builder.
- Improved the send to JIRA error message.
- Added maximum number of option elements per select element to simulate scan policy setting.
- Added filter 'colon' events scan policy option to filter events that contain colon character in its name during DOM simulation.
- Improved error based SQLi exploitation by generating prefix/suffix dynamically.
- Improved command injection vulnerability detection by prepending original parameter value to attack payload.
- Improved LFI vulnerability detection by detecting HTML and URL encoded PHP source codes.
- Fixed the incorrect imported link count when search panel is active on the grid view.
- Fixed the "Open in Browser" context menu action broken for root nodes on site map.
- Fixed the undefined password value issue on form authentication custom script dialog.
- Fixed an issue where error based SQLi confirmation is done based on the first seen database signature when multiple signatures appear in source code.
- Fixed the duplicate import link issue.
- Fixed request builder issues on parsing query string and encoding.
- Fixed a request builder issue where the error dialog should not be shown while switching tabs if the raw request is empty.
- Fixed an issue where XSS is missed when injected payload is not executed due to a syntax error.
- Fixed the broken custom cookie issue where the custom cookie is not sent for imported scan files.
- Fixed crawling of URLs on pages where base element points to some other URL.
- Fixed some missing vulnerabilities on site map.
- Fixed the slow performing certificate load operation on start new scan dialog.
- Fixed the incorrect vulnerability severity counts on bar chart and status bar.
- Fixes an issue where blacklisted Invicti attacks prevent further source code disclosures in HTML response.
- Fixed the splash screen which stays open when Invicti is started from command line.
- Fixed the focus stealing issue when HTML response contains the autofocus attribute.
- Fixed missing response on request builder when the request is loaded from history list.
- Fixed issues where empty POST parameter is imported and headers added as disabled for Postman files.
- Fixed an issue where signature fails to match MS SQL username in error messages.
- Fixed an issue where vulnerability is missed because of that not appending arbitrary value to extra querystring parameter name.
Netsparker 188.8.131.5276 - 6th April 2017
New Security Check
- Added new vulnerability checks for Apache Struts framework vulnerabilities.
- Added JSON format option for "Crawled URL(s) List", "Scanned URL(s) List" and "Vulnerabilities List" report templates.
- Improved Blind SQL Injection detection for MySQL databases.
- Fixed the incorrect weak signature algorithms reported for root certificates.
- Fixed the broken editing capabilities on report policy editor.
- Fixed the empty activity list issue during scans.
- Fixed the missing custom cookie issue on imported scans.
Netsparker 184.108.40.20604 - 16th March 2017
New Security Checks
- New security check that detects insecure targets in Content Security Policy.
- Added checks for exposure of trace.axd in ASP.NET applications.
- New security check for Time Based Server-Side Request Forgery.
- Added Markdown Injection attack pattern to XSS engine.
- Added a Code Evaluation check for Apache Struts framework.
- Improved Boolean SQL Injection detection.
- Updated the Local File Inclusion vulnerability classifications.
- Improved Trace/Track security checks.
- Improved coverage of XSS engine in redirects.
- Added policy optimization support for SSRF security checks.
- Added exploit generation support for "Cross-site Scripting via Remote File Inclusion" vulnerability.
- Improved form authentication logout detection by ignoring the responses of some attacks to prevent incorrect logout detections.
- Added type ahead search box for Security Check Groups on Scan Policy Editor.
- Added "Send to Request Builder" context menu item for activities on scan activity pane.
- Added input validation for placeholder patterns on Custom URL rewrite grid.
- Added scheduling support for Incremental Scan feature.
- Added the number of crawled links next to scanned host names on sitemap tree.
- Improved code generation for form authentication custom scripts.
- Improved proxy options UI. Now proxy address inputs can be pasted along with user credentials and port.
- Added VDB support to Blind & Boolean SQLi post exploitation.
- Added an info message to Browser View tab that tells this view is a limited preview.
- Added file parameter type support to Request Builder.
- Added support for multiple report exporting to Scheduled Scans.
- Added the number of vulnerability severities of current scan to status bar.
- Added Copy URL and Copy as cURL context menu items to Imported Links grid.
- Added pause scan button to interactive login dialog.
- Improved sqlmap command generation by adding database server type parameter.
- Start New Scan dialog is made resizable.
- Added Search feature to Imported Links.
- Added Cancel button for Request Builder.
- Added support for checking Open Redirection vulnerability on Refresh response header.
- Added the XPath information of the element that causes the DOM XSS vulnerability.
- Added "Sub Path Max Dynamic Signatures" setting for Heuristic URL Rewrite detection.
- Added database specific queries for the selected SQLi vulnerability on exploitation panel.
- Added finding vulnerabilities which sink into window.name capability for DOM XSS security checks.
- Improved coverage of Local File Inclusion engine so that a vulnerability can be found in a full url attack.
- Fixed several issues related to DOM parsing and simulation.
- Fixed a NullReferenceException thrown by HTTP Methods checks.
- Fixed a StackOverflowException caused by JSON responses with too many nested elements.
- Fixed PoC generation during post exploitation for time based SQLi checks.
- Fixed incorrect bearer token log message on verify dialog even when bearer token detection is disabled.
- Fixed a NullReferenceException while confirming a Boolean SQLi vulnerability.
- Fixed several issues related with splash screen to make sure it is hidden when the application is loaded.
- Fixed a NullReferenceException thrown by logout detection while trying to close the application.
- Fixed an issue where scan is paused when an additional host is unreachable.
- Fixed an issue where the new link nodes added under an excluded branch on sitemap tree were not excluded.
- Fixed the misleading message that is shown when a manual crawling scan is started, Form Authentication feature no more requires installing a certificate to your computer.
- Fixed IndexOutOfRangeException thrown while trying to open Scan Policy Editor dialog if the UI language is set to Korean.
- Fixed keyboard tab order on Form Authentication settings.
- Fixed an issue where injection HTTP response displays an empty string because deserialized file does not contain the HTML response of the attack.
- Fixed typos in CSP vulnerability templates.
- Fixed the broken impacts table on Executive Summary Report PDF when the table spans 2 pages.
- Fixed several issues related with report policy naming when the name is invalid or too long.
- Fixed generated blank pages on PDF reports.
- Fixed OperationCanceledException thrown during extra confirmation.
- Fixed UI glitches on form authentication Custom Script dialog caused when splitters are resized.
- Fixed several Request Builder issues.
- Fixed Test Credentials button on basic authentication settings which does not send Authorization request header if Do Not Expect Challange check box is checked.
- Fixed the ignored email are still reported on knowledge base issue.
- Fixed a bug where double encoded attacks are not exploitable in browser when proof URL is clicked.
- Fixed an issue where source code disclosure is reported in JS and CSS files.
- Fixed an SQL exploitation issue where executing a SQL query which expects an integer result is no longer giving failure for PostgreSQL database.
- Fixed a Text Parser issue where single quote characters were being captured as part of links.
- Fixed the incorrect path disclosure caused by the Shellshock attack.
- Fixed a TargetInvocationException thrown when a new license is trying to be loaded using Help > Load New License menu item.
- Fixed missing SSRF proofs under Proofs knowledge base.
- Fixed an ArgumentException thrown by DOM XSS checks when the web site is crawled using manual crawling mode.
- Fixed incorrect encoded parameter names for multipart/form-data forms.
- Fixed the incorrect auto update notification even when you have a more up-to-date version of the application.
- Fixed the large right margin on Knowledge Base Report (PDF) summary page.
- Fixed the splash screen that is shown in front of the trial popup message.
- Fixed the performance issues of recrawling related to DOM XSS checks on web sites with lots of links.
- Fixed the incorrect CR LF encoding issues on proof URLs.
- Fixed a retest issue where all parameters of the link were being retested whereas only the vulnerable parameter must be retested.
- Fixed the visual glitch occurs on Imported Links section upon importing new links.
- Fixed an issue where stored XSS vulnerability is reported in an XHR response rather than in the page itself which makes XHR request.
- Fixed an issue where Boolean SQLi vulnerability is missed due to crawled parameter value.
- Fixed an issue where reflected XSS vulnerability is missed because the reflected payload is HTML encoded in an attribute.
Netsparker 220.127.116.1134 - 16th February 2017
- Fixed a Web App Fingerprinter issue causing degraded performance.