Changelogs

Invicti Standard

RSS Feed

02 Feb 2018

IMPROVEMENTS Added a new report template – Detailed Vulnerabilities List in XML. Optimized ROBOT attack check performance. Improved React Controlled Field coverage in form authentication custom scripts. FIXES Fixed the non-rendered web page on form authentication verification dialog, due to malformed Content-Type header. Fixed the disabled Retest menu item for vulnerabilities on Issues tree.

IMPROVEMENTS

  • Added a new report template – Detailed Vulnerabilities List in XML.
  • Optimized ROBOT attack check performance.
  • Improved React Controlled Field coverage in form authentication custom scripts.

FIXES

  • Fixed the non-rendered web page on form authentication verification dialog, due to malformed Content-Type header.
  • Fixed the disabled Retest menu item for vulnerabilities on Issues tree.

28 Dec 2017

FIXES Fixed perhost certificate generation issue which renders manual crawling unusable. Fixed an ArgumentNullException thrown from DOM simulation.

FIXES

  • Fixed perhost certificate generation issue which renders manual crawling unusable.
  • Fixed an ArgumentNullException thrown from DOM simulation.

22 Dec 2017

NEW SECURITY CHECK Added security check for “The ROBOT Attack” vulnerability. IMPROVEMENTS Improved performance of huge JavaScript file parsing. Improved custom form authentication scripting support for pages using React JavaScript framework.

NEW SECURITY CHECK

IMPROVEMENTS

  • Improved performance of huge JavaScript file parsing.
  • Improved custom form authentication scripting support for pages using React JavaScript framework.

15 Dec 2017

NEW FEATURE Added JavaScript timeout settings for Open Redirect and XSS confirmation in Scan Policy. IMPROVEMENT Improved the parsing of large JavaScript files. FIXES Fixed the empty target URL text box on start new scan window on initial load. Fixed the hang issue caused by popup windows during form authentication. Fixed the exception that occurs …

NEW FEATURE

  • Added JavaScript timeout settings for Open Redirect and XSS confirmation in Scan Policy.

IMPROVEMENT

  • Improved the parsing of large JavaScript files.

FIXES

  • Fixed the empty target URL text box on start new scan window on initial load.
  • Fixed the hang issue caused by popup windows during form authentication.
  • Fixed the exception that occurs when root directory node is excluded in sitemap.
  • Fixed an exception thrown while shutting down the application.
  • Fixed a NullReferenceException occurs while trying to parse compressed sitemap files.
  • Fixed a serialization exception issue occurs while trying to load older scan files.
  • Fixed the broken tooltip message on Custom Form Authentication Script dialog.
  • Fixed the exception that occurs when importing scan file because the path has invalid chars.
  • Fixed duplicate activities displayed while analyzing crawled pages.

24 Nov 2017

NEW FEATURES Users can now preconfigure local/session web storage data for a website. Added a new send to action to send e-mails. Added HTTP Header Authentication settings to add request HTTP Headers with authentication information. Added CSV file link importer. Parsing of form values from a specified URL. Added custom root certificate support for manual …

NEW FEATURES

  • Users can now preconfigure local/session web storage data for a website.
  • Added a new send to action to send e-mails.
  • Added HTTP Header Authentication settings to add request HTTP Headers with authentication information.
  • Added CSV file link importer.
  • Parsing of form values from a specified URL.
  • Added custom root certificate support for manual crawling.
  • Added gzipped sitemap parsing support.

NEW SECURITY CHECKS

  • Added reflected “Code Evaluation (Apache Struts 2)” security check (CVE-2017-12611).
  • Added “Remote Code Execution in Apache Struts” security check. (CVE-2017-5638).

IMPROVEMENTS

  • Renamed “Important” severity name to “High”.
  • Updated external references for several vulnerabilities.
  • Improved default Form Values settings.
  • Improved scan stability and performance.
  • Added Form Authentication performance data to Scan Performance knowledgebase node.
  • Added “Run only when user is logged on” option to the scan scheduling.
  • Added a warning before the scan starting if there are out of scope links in imported links.
  • Improved Active Mixed Content vulnerability description.
  • Improved DOM simulation for events attached to document object.
  • Added “Alternates”, “Content-Location” and “Refresh” response header parsing.
  • Removed “Disable IE ESC” requirement on Windows server operating systems.
  • Improved Content Security Policy (CSP) engine performance by checking CSP Nonce value per directory.
  • Changed sqlmap payloads to start with sqlmap.py, including the .py extension.
  • Added –batch argument to sqlmap payloads.
  • Removed Markdown Injection XSS attack payloads.
  • Filtered out irrelevant certificates generated by Invicti from client certificate selection dropdown on Client Certificate Authentication settings.
  • Added highlighting for detected out of date JavaScript libraries.
  • Added ALL parameter type option to the Ignored Parameters settings.
  • Added gtm.js (Google Tag Manager JS library) to the default excluded scope patterns.
  • Added an option to export only PDF reports without HTML.
  • Added -nohtml argument to CLI to create only pdf reports.
  • Updated the Accept header value for default scan policy.
  • Added CSS exclusion selector supports frames and iframes.
  • Added embedded space parsing for JavaScript code in HTML attribute values.
  • Added scan start time information to the dashboard.
  • Skip Phase button is disabled if the phase cannot be skipped.
  • Added validation messages for invalid entries on start new scan dialog sections.
  • Added parsing source information to Scanned URLs List and Crawled URLs List (JSON) reports.
  • Added highlight support for password transmitted over HTTP vulnerabilities.
  • Email disclosure will not be reported for email address used in form authentication credentials.
  • Added focus and blur event simulation for form authentication set value API calls.
  • Uninstaller now checks for any running instances.
  • Internal proxy now serves the certificate used through HTTP echo page.
  • Added spell checker for Report Policy Editor.
  • Added an error page if any internal proxy exception occurs.
  • Added more information about the HTML form and input for vulnerabilities found on HTML forms.
  • Added a JavaScript option to specify JavaScript cookies to persist across authentication and DOM simulation.
  • Extensions on the URLs are handled by the custom URL rewrite rule wizard.
  • Added Parameter Value column to Vulnerabilities List CSV report.
  • Added match by HTML element id for form values.
  • Added “Ignore document events” to JavaScript settings to ignore triggering events attached to document object.
  • Improved Windows Short Filename vulnerability details Remedy section.
  • Improved scan policy security check filtering by supporting short names of security checks.
  • Improved Burp file import dialog by removing the file extension filter.
  • Improved table column widths on several reports.
  • Updated default User-Agent HTTP request header string.
  • URL Rewrite parameters are now represented as asterisks in sqlmap payloads.

FIXES

  • Fixed the InvalidOperationException on application exit.
  • Fixed CSRF vulnerability reporting on change password forms.
  • Fixed Email Disclosure highlight issue where only the first email address is highlighted when there are multiple email addresses on the page.
  • Fixed case sensitivity checks while matching ignored parameters, now it matches case sensitive.
  • Fixed the incorrect progress bar value displayed when a scan is imported.
  • Fixed the incorrect disabled external references section in WordPress Setup Configuration File template.
  • Fixed up/down movement issue on Form Values when multiple rows are selected.
  • Fixed various source code disclosure issues.
  • Fixed an escaping issue with CSS exclusion selectors.
  • Fixed the issue where the basic authentication credentials are not being sent on logout detection phase.
  • Fixed a NullReferenceException when an invalid raw request is entered in request builder.
  • Fixed HTTP Request Builder where it does not set request method to POST if the selected method is PUT.
  • Fixed the issue where the response URL is displayed in the vulnerability details.
  • Fixed the issue where some links were not excluded from scan from sitemap.
  • Fixed enabled security check group with all security checks within are disabled.
  • Fixed a random DOM simulation exception occurs when site creates popup windows.
  • Fixed a RemotingException occurs on Form Authentication Verifier.
  • Fixed a possible NullReferenceException on Form Authentication.
  • Fixed the message dialog windows displayed by the 3rd party component on Form Authentication Verification.
  • Fixed the broken form authentication custom script when the last line of the script is a single line comment.
  • Fixed certificate search in store by subject name returns matches without exact subject names.
  • Fixed ESC key handling on message dialogs.
  • Fixed huge parameter value deserialization memory usage.
  • Fixed an issue with Load New License occurs when the source and destination license files are same.
  • Fixed the issue where the parsing source is set to Unspecified for links found by resource finder in reports.
  • Fixed the incorrect sitemap representation of excluded nodes when a scan is imported.
  • Fixed the wrong URLs added with only extension values.
  • Fixed the logout detection portion of form authentication verification where it was not using the configured proxy.
  • Fixed the message overflow issue in the out of scope link warning dialog.
  • Fixed a NullReferenceException which may be thrown while importing a swagger file.
  • Fixed the incorrect Skip Current Phase button state when scan phase is changed
  • Fixed internal proxy throwing when certain browsers do not send the full URL with the initial request.
  • Fixed an issue in which the form authentication is not being triggered on retest.
  • Fixed StackOverflowException in swagger parser thrown while parsing objects containing circular references.
  • Fixed a swagger file parsing issue where target URL should be used when host field is missing.
  • Fixed swagger importer by ignoring any metadata properties.
  • Fixed the empty request/response displayed for some sitemap nodes with 404 response.
  • Fixed the autocomplete issue in Content-Type header in Request builder
  • Fixed a NullReferenceException occurs during DOM simulation.
  • Fixed the incorrect URLs parsed on attack responses.
  • Fixed the redundant duplicate HTTP requests issued by Web App Fingerprinter.
  • Fixed show/hide issue for Dashboard and Sitemap panels.
  • Fixed the issue where Retest All button disappears after a Retest.
  • Fixed the issue where the dollar sign in imported URL is encoded after scan.
  • Fixed the empty request/response header issue for links discovered during attacking.
  • Fixed ignore parameter issue for parameters containing special characters.
  • Fixed a NullReferenceException that occurs for select elements missing option elements on multipart requests.
  • Fixed missing vulnerabilities requiring late confirmation for incremental scans.
  • Fixed a NullReferenceException may occur on iframe security checks.
  • Fixed the exception that occurs while adding duplicate POST parameters with the same name in Request builder.

21 Nov 2017

NEW SECURITY CHECK Added more Command Injection and Blind Command Injection patterns for Windows systems.

NEW SECURITY CHECK

  • Added more Command Injection and Blind Command Injection patterns for Windows systems.

11 Oct 2017

IMPROVEMENT Updated vulnerability database to latest version.

IMPROVEMENT

  • Updated vulnerability database to latest version.

09 Oct 2017

FIX Fixed the incorrect percentage encoding on Detailed Scan Report template.

FIX

  • Fixed the incorrect percentage encoding on Detailed Scan Report template.

06 Oct 2017

NEW SECURITY CHECK Added “Out of Band Code Evaluation (Apache Struts 2)” security check (CVE-2017-12611). IMPROVEMENTS Improved the stability of DOM and JavaScript simulation. Improved report templates.

NEW SECURITY CHECK

  • Added “Out of Band Code Evaluation (Apache Struts 2)” security check (CVE-2017-12611).

IMPROVEMENTS

  • Improved the stability of DOM and JavaScript simulation.
  • Improved report templates.

22 Sep 2017

NEW SECURITY CHECK Added “Out of Band Code Evaluation (Apache Struts 2)” security check (CVE-2017-9805).

NEW SECURITY CHECK

  • Added “Out of Band Code Evaluation (Apache Struts 2)” security check (CVE-2017-9805).

18 Sep 2017

FIX Fixed an out of memory issue.

FIX

  • Fixed an out of memory issue.

13 Sep 2017

IMPROVEMENTS Improved the form authentication element click API by providing the mouse coordinates. FIXES Fixed an object leak causing performance issues during scans. Fixed a backup file check where scan policy selections were not honoured. Fixed the broken Basic, NTLM/Kerberos “Test Credentials” button. Fixed the unencrypted credentials saved with profile files. Fixed the JavaScript parsing …

IMPROVEMENTS

  • Improved the form authentication element click API by providing the mouse coordinates.

FIXES

  • Fixed an object leak causing performance issues during scans.
  • Fixed a backup file check where scan policy selections were not honoured.
  • Fixed the broken Basic, NTLM/Kerberos “Test Credentials” button.
  • Fixed the unencrypted credentials saved with profile files.
  • Fixed the JavaScript parsing issue by checking the mime type of the script tags.
  • Fixed the broken email disclosure detection which was not able to match multiple emails.
  • Fixed the incorrect links parse on JavaScript source map files.