Invicti Standard Change Log
Invicti Standard 6.7.0.37625 - 31st August 2022

SECURITY CHECKS

  • Added pattern for XSS via file upload SVG.

IMPROVEMENTS

  • Added the Cache By CSS Selector and Max Cache Elements to the scan policies.
  • Added the GraphQL endpoints and libraries to the Knowledge Base.
  • Updated the Jira tooltip for the access token or password field.
  • Removed the target URL health check that lets the scan continue despite getting error messages such as 403.
  • Improved the raw scan file expired information message.
  • Improved the scan profile test coverage.
  • Updated regex for Stack Trace Disclosure (Java) - Java.Lang Exceptions.
  • Improved the JSON Web Tokens secret list.
  • Improved the re-login process when the logout is detected.

FIXES

  • Fixed the retest issue.
  • Fixed the null reference error thrown during the late confirmation.
  • Fixed an issue of using the disposed objects.
  • Fixed the exception error when cloning the report policy.
  • Fixed the broken links on the report policy.
  • Fixed mistaken NIST and DISA classifications.
  • Fixed a bug that threw the database locked error when Invicti is restarted after a scan.
  • Fixed an issue where a JavaScript Setting option blocks inputs for the single-page applications to be reported in the Web Pages with Inputs node.
  • Fixed a bug that caused the scan session failure when the scan is paused and resumed.
  • Fixed failed scans where the Target URL is IPv6 and starting with ::1
  • Fixed the Postman collection parsing by removing / in front of the query in the URL.
  • Fixed the Shark validation issue that threw exceptions while validating.
  • Fixed the issue with proxy settings, so Invicti prioritizes the settings in the scan policy.
  • Fixed NodeJS RCE-OOB security check.

Invicti Standard 6.6.1.36926 - 19th July 2022

IMPROVEMENTS

  • Improved the Late-Confirmation Storage Mechanism to lower disc usage.
  • Improved the Links/API definition to add links with a single click.
  • Added the Block navigation on SPAs to built-in scan policies.
  • Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3.

FIXES

  • Fixed the issue that does not terminate the Chromium instances although the max scan duration is exceeded.
  • Fixed the issue that automatically enables “Exclude Authentication Pages” after enabling form authentication.
  • Fixed the bug that throws null reference exception at the link pool.
  • Fixed the bug that prevents GraphQL Endpoint detection when the scan policy is copied.
  • Fixed the bug that resulted in running many Chromium instances when a new scan is started.
  • Fixed a null reference error when a new scan is started via the command line.

Invicti Standard 6.6.0.36485 - 14th June 2022

NEW FEATURES

IMPROVEMENTS

  • Updated embedded Chromium browser.
  • Added a new IAST vulnerability: Overly Long Session Timeout.
  • Added new config vulnerabilities for the IAST Node.js sensor.
  • Added new config vulnerabilities for the IAST Java sensor.
  • Added support for detecting SQL Injections on HSQLDB.
  • Added support for detecting XSS through file upload.
  • Updated DISA STIG Classifications.
  • Updated Java and Node.js IAST sensors.
  • Improved time-based blind SQLi detection checks.
  • Improved the Content Security Policy Engine.
  • Updated XSS via File Upload vulnerability template.
  • Updated License Agreement on the Invicti Standard installer.
  • Added Extract Resource default property to DOM simulation.
  • Improved proxy usage in Netsparker Standard for outgoing web requests such as Hawk.
  • Added an option to discard certificate validation errors on the Enterprise Integration window during SSL/TLS connections.
  • Added vulnerabilityType filter to add VulnerabilityLookup table.
  • Added the agent mode to the authentication request.
  • Added a default behavior to scan the login page.
  • Added an option to disable anti-CSRF token attacks.
  • Added an option to block navigation on SPAs pages.
  • Added a default behavior to disable TLS1.3

FIXES

  • Fixed basic authorization over HTTP bug.
  • Fixed SQL Injection Vulnerability Family Reporting Bug.
  • Fixed a bug that the custom script throws a null reference exception when a script is added to the paused scan.
  • Fixed a bug that deletes an authentication password when a new scan is started with a copied profile.
  • Fixed a bug that causes the Sitemap to disappear during scanning with IAST.
  • Fixed a bug that caused missing tables and values when a report policy is exported as an SQL file.
  • Fixed a typo bug on GraphQL importing window.
  • Fixed the report naming bug that occurs users create a custom report from a base report.
  • Fixed an issue that causes the attack process not to be completed for a security check when there is an error occurred while attacking a parameter with an attack pattern.
  • Fixed a bug that updates all built-in scan policies instead of edited scan policy.
  • Fixed a typo on Skip Crawling & Attacking pop-up.
  • Fixed a bug that prevents an error icon from appearing after entering unacceptable characters for the scan policy name.
  • Fixed a bug that does not migrate the Spring4Shell Remote Code Execution check to a new scan policy although more than 50% of the checks are selected.
  • Fixed a bug that throws an error when the Large SPA is selected from the Load Preset Values drop-down on the Scan Policy window.
  • Fixed a bug that does not show Configuration Wizard for the Rest API TestInvicti website.
  • Fixed missing template section migration on report policy.
  • Fixed a bug that throws an error when a report is submitted upon error.
  • Fixed the LFI Exploiter null reference.
  • Fixed a bug that occurs when a detailed scan report does not report the CVSS scores for custom vulnerabilities.
  • Fixed a bug that occurs when the Log4J vulnerability profile is not migrated with the report policy migration.
  • Fixed a bug that occurs when users search the Target URL on the New Scan panel.
  • Fixed typo in the timeout error message.
  • Fixed a bug that prevents the WSDL files from being imported.
  • Fixed reporting "SSL/TLS not implemented" when scanning only TLS 1.3 supported sites.
  • Fixed a bug that throws an error for NTLM authentication when the custom username and password credentials are provided when the system proxy is entered into the appsetting.json
  • Fixed the bug that the passive vulnerabilities were reported from out-of-scope links.

REMOVAL

  • Removed Expect-CT security check.
  • Removed the End-of-Text characters in URL rewrite rules.

Invicti Standard 6.5 - 29th April 2022

IMPROVEMENTS

  • Updated embedded chromium browser
  • Improved JWT confirmation to avoid false positives.

FIXES

  • Fixed an issue that passive vulnerabilities were reported as out-of-scope links.
  • Fixed an issue that imports global servers as Swagger files.
  • Fixed an issue where the OK button disappears during interactive login.
  • Fixed an issue that adds interactive login buttons to iframes.
  • Fixed a null reference exception at the LFI exploit panel.

Invicti Standard 6.4.3.35616 - 4th April 2022

NEW SECURITY CHECKS

  • Added Remote Code Execution (CVE-2022-22965) a.k.a. Spring4Shell detection support.
Invicti Standard 6.4.0.35166 - 8th March 2022

IMPROVEMENTS

  • Netsparker Standard now Invicti Standard
  • Added a token matching rule when it is required to get the token from a website other than the target URL.
  • Improved the GraphQL attacks to include non-string fields. 

FIXES

  • Fixed a consistency issue between the Software Composition Analysis and the Knowledge Base on reported vulnerabilities. 
  • Fixed a bug that prevents the Knowledge Base View from being shown properly when a user disables the knowledge base from a scan policy.
  • Fixed a null reference exception by adding a control whether the current scan policy is empty.
  • Fixed a bug that the agent does not continue the scan after a pause.
  • Fixed a bug that does not properly show all components detected by a software composition analysis after a retest. 

Invicti Standard 6.3.3.34686 - 14th February 2022

IMPROVEMENTS

FIXES

  • Fixed an issue that Invicti uses a new token instead of the imported token when customers adds imported links.
  • Fixed an issue that results in false positive Cross-site Scripting.
  • Fixed an issue that prevents the scan policy migration when a newer Invicti Standard version is installed.
  • Fixed an issue that the page counter goes to zero in the Recent Scans window.
  • Fixed an issue that threw error during the pre-scan validation process in the case of websites that can only be accessed via the proxy.

Invicti Standard 6.3.2.34187 - 20th January 2022

IMPROVEMENTS

  • Added the .deploy extension to Default Policy's extension list.
  • Added a new command line interface parameter -called failfast- to close the Invicti Standard in the silent mode when error occurs.

FIXES

  • Fixed a null reference error issue when a user right-clicks the target on the Sitemap. 
  • Fixed the URL response error of the main node when Override Target URL check is enabled.
  • Fixed the Imported Links date and time value in the body that is cropped. 
  • Fixed an issue that opens the vulnerability panel instead of the HTTP Request and Response panel when the email node is selected in the Knowledge Base panel. 
  • Fixed the issue with the Missing XSS protection Header in the Out-of-Scope link.
  • Fixed an issue that tries to stop the scan when the What's New tab is closed.
  • Fixed an issue that Invicti Standard starts a retest for a vulnerability randomly. 
  • Fixed a payload for the GraphQL.

Netsparker Standard 6.3.1.33855 - 29 December 2021

FIXES

  • Fixed a scan policy migration issue that causes selecting all the security checks.

Invicti Standard 6.3.033782 - 23 December 2021

NEW FEATURES

NEW SECURITY CHECKS

  • Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Jira.
  • Added Stack Trace Disclosure Signature for Java.
  • Added Shopify Identified Security Check.

IMPROVEMENTS

  • Updated Invicti Standard .NET Framework version from 4.7.2 to 4.8.
  • Allowed to enter hyphens for the proxy address on the Proxy Settings.
  • Enabled that all child controlled scan parameters are listed in the Sitemap parent node.
  • Changed classification for Cross-site Referrer Leakage and Breach in OWASP Top Ten 2021.
  • Changed CryptographicException error log type.
  • Added condition that when the max crawling link is reached, the DOM simulation stops.
  • Updated Version Disclosure Signature for Apache Coyote.
  • Added callback flag to prevent multi trigger of DOM parser view callback
  • Improved the importing of RAML files includes other files.
  • Added tags property to the Kenna Send to Action.
  • Updated Freshservice integration not to send user agent header.
  • Updated Version Disclosure Signature for Jolokia.
  • Improved the Form Values to be entered into the relevant sections during the form authentication process in the React environment.
  • Improved the login verification process by detecting page load properly.

FIXES

  • Fixed an issue that created an incorrect issue link in Bitbucket Integration.
  • Fixed an issue that occurred when the proxy information from the Proxy Auto-Configuration file cannot be transmitted in requests made by the browser.
  • Fixed the null reference error (NRE) that occurred during importing the paused or canceled scan files.
  • Fixed an issue that calculated total response time incorrectly.
  • Fixed the bug related to Send To action of Kenna integration.
  • Fixed the Jolokia version disclosure report to properly highlight the related lines.
  • Fixed the OWASP classification links.
  • Fixed an issue that does not show a vulnerability when sorted by the Vulnerability Type although it shows when sorted by Severity.
  • Fixed the misleading tooltip in Scan Policy - Security Checks.
  • Fixed the misaligned text on the PDF version of Executive Summary Report.
  • Fixed an issue that Invicti Standard doesn't show out-of-scope warning when out-of-scope link is imported.
  • Fixed the inconsistent vulnerability count between reports and status bar.
  • Fixed the manual authentication issue when links are imported from URL.
  • Fixed the Sitemap multilevel group count.
  • Fixed Scan Policy security check count.
  • Fixed a naming issue that occurred when a new custom report name contains a dot.
  • Fixed an issue while changing the Data Directory option on Storage tab.
  • Fixed the issue that external references were not rendered correctly.

Netsparker Standard 6.2.1.33642 - 14 December 2021

NEW SECURITY CHECKS

  • Added Out of Band Code Evaluation (Log4j - CVE-2021-44228) a.k.a. Log4Shell detection support.
Invicti Standard 6.2.0.33156 - 16 November 2021

NEW FEATURES

NEW SECURITY CHECKS

  • Added signature matching to Web app fingerprint checker.
  • Added patterns for Base64 encoded DOM Cross-site Scripting.
  • Added phpMyAdmin Version Disclosure security check.
  • Added Atlassian Confluence Version disclosure and Out-of-date security checks.
  • Added exclusion feature to JavaScript Library detection.
  • Added PHP Version Detection via phpinfo() call.
  • Added the Shopify Identified security check.

IMPROVEMENTS

  • Added the Bridge URL and Shark token support for Invicti Shark (IAST).
  • Added setting to configure Session Cookie Names.
  • Updated CWE classification category orders for Out-of-date templates.
  • Improved Cross-site Scripting attack pattern.
  • Added support for exploiting local storage and session storage in the DOM XSS security checks.
  • Added highlighting support for custom scripts.
  • Added Web Application Firewall to the site profile.
  • Changed the default ignored parameter comparison to case insensitive.
  • Added 'Is Encoded' option to OAuth2 parameters.
  • Added JWT Token pre-request script template.
  • Added the CSP Not Implemented that will be reported as confirmed.
  • Added the Subresource integrity not implemented that will be reported as confirmed.

FIXES

  • Fixed the issue that Content-Type header missing was reported when there was no content in the response.
  • Fixed the issue FP JWT was reported in a not found response.
  • Fixed the issue possible and confirmed vulnerabilities reported in the same URL.
  • Marked weak TLS ciphers.
  • Fixed the issue proof that was generated even when the proof generation option was disabled in the scan policy.
  • Fixed FP WAF Identified.
  • Fixed the issue vulnerability count in root node is not updated when a vulnerability is removed and Blind XSS was prioritized over the Reflected Cross-site Scripting.
  • Fixed the issue source code disclosure is reported in binary responses.
  • Fixed the issue fingerprint checker crashes when an applications file could not be found.
  • Fixed the issue object-src missing was reported when default-src is provided in CSP security checks.
  • Fixed the issue that some cipher suites are not reported as weak.
  • Fixed the issue classification links were not rendered correctly when there are multiple values.
  • Fixed the issue proof prefix was added when there were no more characters to be found.
Invicti Standard 6.1.0.31760 - 1st July 2021

NEW FEATURES

NEW SECURITY CHECKS

  • Implemented JSON Web Token (JWT) security check
  • Added the SSL Certificate is About to Expire security check
  • Added StackPath Web Application Firewall (WAF) detection.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Proxy Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for JavaServer Pages
  • Added Identified, Version Disclosure, and Out-of-date security checks for Kong Server
  • Added Identified, Version Disclosure, and Out-of-date security checks for Liferay Digital Experience Platform.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Taleo Web Server
  • Added Version Disclosure and Out-of-date security checks for Sugar Customer Relationship Management (CRM)
  • Added Version Disclosure and Out-of-date security checks for Squid
  • Added Identified and Out-of-date security checks for Magento
  • Added Out-of-date security check for Daiquiri
  • Added Identified security check for Plesk (Windows)
  • Added Identified security check for Vegur
  • Added Identified security check for HupSpot
  • Added Identified security check for DataDome
  • Added Identified security check for Craft CMS
  • Added Identified security check for Windows Azure Web Apps
  • Added Identified security check for OpenVPN Access Server
  • Added Identified security check for Squarespace
  • Added Identified security check for Plesk (Linux)
  • Added Identified security check for Lighthouse
  • Added Identified security check for BitNinja Captcha Server
  • Added Identified security check for Pardot Server

IMPROVEMENTS

  • Added Scan Paused, Scan Resumed, Scan Canceled, and Scan Finished states to the log category.
  • Send to Request Builder option is now visible for Issue Group Nodes
  • Added page type field to vulnerability reports
  • Added Authentication Profile name to reports
  • Improved RAML Importer to import the ZIP files
  • Added application name and version information to a vulnerability report
  • Implemented Swagger path parameter default value
  • Fixed a Dom XSS scan stuck issue
  • Fixed Daiquiri Identified reporting redundant custom field issue.
  • Improved Common Weakness Enumeration (CWE) classifications for Out-of-Date Version vulnerabilities
  • Added a new Akamai Content Delivery Network (CDN) detection signature
  • Added a new Varnish Cache detection signature
  • Added missing Identified security checks for the existing technologies
  • Improved the summary section of the Version Disclosure template for SharePoint
  • Improved TRACE/TRACK Method Detected security check
  • Improved SVN Detected security check
  • Improved Version Disclosure security check and report template for Phusion Passenger
  • Improved Caddy Web Server Identified security check.
  • Improved WAF Identifier security check.
  • Added Blind SQL Injection security check with a new XOR payload for MySQL
  • Proxy credential passed to Chrome page authentication
  • Vulnerabilities ordered by severity in the Comparison Report

FIXES

  • Fixed Invicti license decrypt problem
  • HTTPS Requests are recorded as HTTP
  • Fixed the requested security protocol is not supported error
  • Fixed handling Protocol Buffers encoding type
  • Fixed miswritten product name
  • Fixed Phusion Passenger version disclosure template and added Out-of-Date mapping
  • Fixed analyzing headers even if the identification source is the crawler
  • Fixed an issue that may cause deadlock during adding items to Sitemap
  • Fixed an issue that caused out-of-scope URLs to be scanned when the override target URL option is enabled and the authentication is failed while scanning.
  • Fixed issue where headers in Postman collection were not replaced with variables
  • Fixed an issue that cause SSL validation callback returns invalid SSL certificates as out-of-scope links
  • Added disable-feature flag to the browser manager
  • Fixed a null reference exception while generating Knowledge Base report
  • Rare error when loading overlay window showed was ignored
  • Fixed out-of-scope imported links showing in Knowledge Base Rest API List
  • Fixed a detection issue with the Akamai CDN signature.
  • Fixed a detection issue with Tomcat Identified security check.
  • Fixed the signatures of phpMyAdmin Identified security check
  • Fixed big size upload error
  • The Exclude Authentication Page option will be checked if there is a selected authentication profile
  • Fixed DPI settings at Custom Script Dialog
  • Disabled GPU acceleration to prevent rendering errors and black bars
  • Fixed UI bugs at General Scan Profile Settings
  • Fixed issue max page visit was not received but showing in Knowledge Base because of max signature limit
  • Fixed Custom 404 Regex in Invicti Enterprise scan data is shown as Auto 404 at Invicti Standard
  • Fixed malformed VDB exception while getting the latest version of the application
  • Severity null control added to the Vulnerability Profile dialog
  • Fixed a non-recurring parameter while logging in with auto-authenticator
  • Fixed Scan Policy Report migration primary key error
  • Fixed saving Crawl & Attack option to the Scan Profile
  • Fixed Logout detection window shows first entered URL for every login simulation error
  • Fixed reporting false positive HSTS vulnerability

Invicti Standard 6.0.2.30446 - 7th April 2021

NEW FEATURES

  • Added TLS 1.3 support
  • Added the character limit setting for Blind SQL Injection proof generation and enabled proof generation by default
  • Added the Common Vulnerability Scoring System field to the known vulnerabilities
  • Added the Vulnerability Database version to the scan logs

IMPROVEMENTS

  • Improved IPv6 support to cover all SSL checks
  • Added an advanced setting option to turn on/off the "disable-web-security" command line option while launching chromium
  • Added the redirect navigation support for DOM Parser
  • Fixed Ghost Chromium problems and DOM simulation leaks
  • Added multiple ISO Classification support
  • Added alphabetical order to the Knowledge Base nodes
  • Updated Invicti Shark (IAST) licensing
  • Improved WAF Identification checks to prevent false positives
  • Added CVSS3.0 and CVSS3.1 scoring for HSTS Policy Not Enabled
  • Improved Open Redirection checks
  • Updated Capture Group for OpenResty Version Disclosure
  • Updated DS_Store File Found Report Template
  • Changed the Referrer-Policy Report Template names to be more accurate
  • Refined Possible Stored XSS Vulnerability template
  • Added missing external references to SSL Templates that are removed after the merge
  • Added IAST suffix to titles of vulnerability detected by Invicti Shark
  • Updated OpenSSL regex
  • Updated OpenSSL version disclosure regex
  • Updated SSTI patterns to use specific type to match code execution patterns

NEW SECURITY CHECKS

  • Added Short XSS Attack to bypass character limit checks
  • Added Revoked SSL Certificate check
  • Added SSL Certificate's Name and Hostname Mismatch security check
  • Added SSL Certificate is not signed by a trusted root certification authority security check
  • Added Daiquiri Identified security check
  • Added Expired SSL Certificate security check
  • Added ZSH History File Detected
  • Added DOM XSS pattern for the script SRC Injection

FIXES

  • Fixed an issue with simultaneous access to the same object while updating the sitemap during scanning
  • Fixed unexpected error when saving parse from URL in form values screen
  • Fixed the Chrome address bar displaying in different resolutions on the verify login form
  • Fixed the detected logout status when an unreachable link is given
  • Fixed the customization menu at the form authentication's custom script dialog
  • Fixed unsupported browser issue for Headless Chromium
  • Fixed weak ciphers not reported for additional websites issue
  • Fixed ignoring weak ciphers check because of the ROBOT attack
  • Fixed logging HTTPS requests as HTTP when LogHttpRequests option is enabled
  • Updated Invicti Updater icons
  • Fixed an issue where the Postman Importer ignores the authorization header that is defined in a request item
  • Updated requester not to send Accept-Language header if it is not enabled in a scan policy
  • Fixed an issue that occurred when exporting custom reports generated from Compliance, Detailed Scan, and Executive Summary report
  • Fixed a synchronization problem while creating puppeteer instances
  • Fixed an issue where external schema was not added when importing WSDL
  • Fixed the Write Lock Leak in LinkPool
  • Disabled mouse wheel on the Include/Exclude URLs with Regex radio group
  • Fixed the typo in the jQuery validation out-of-date vulnerability type
  • Fixed the issue Untrusted Root certificate was not reported on the self-signed certificates
  • Fixed the issue that the wrong version was reported in the web app fingerprinting
  • Fixed False Positive weak credentials vulnerability
  • Fixed the issue that logs were not correctly formatted in the Logs panel
  • Fixed the issue that SSL vulnerabilities found in additional sites might be reported in the wrong URL
  • Fixed the issue that authenticated link was not crawled
  • Fixed the issue that the proof URL was not added to XSS
  • Fixed word-wrapping in Tags label in the Azure DevOps Send to Action Configuration Wizard
  • Removed the logging for the replacing control characters in headers
  • Changed the log level of DOM simulation timeout from Error to Warning
  • Fixed the issue that another hash was appended to URLs with a fragment on DOM XSS attacks
  • Fixed the issue that SSL certificates were not analyzed for each website when there are additional websites
  • Fixed the issue that URI fragment was parsed incorrectly
  • Fixed OpenSSL version disclosure regex
  • Fixed WS_FTP Log check
  • Fixed F5 BIG-IP WAF detection
  • Fixed the typo in the jQuery Validation Out-of-date Vulnerability type
  • Fixed Extractor for Lodash in repository.json by adding a new function
  • Fixed WildFly regex for the WildFly Application Server Identified
  • Fixed Whoops Error Handling framework signature
  • Fixed the signature for Liferay Portal Identified
  • Fixed Version Disclosure for Artifactory by adding missing custom field tag
  • Fixed regex of Grafana Version Disclosure
  • Fixed OpenResty regex for Version Disclosure
  • Fixed the regex of Liferay Portal Version Disclosure pattern

Invicti Standard 6.0.1.29866 - 11th February 2021

IMPROVEMENTS

  • Added IAST suffix to titles of vulnerabilities identified by Invicti Shark 

FIXES

  • Fixed the issue that custom fields were removed when a vulnerability was cached
  • Fixed a typo in the Invicti Shark dialog
  • Fixed the issue that Invicti Shark responses were reported as comments in the Knowledge Base
  • Fixed the issue that Invicti Shark engines were not enabled on old scan policies
  • Fixed renaming default scan profile while using the Invicti Shark configuration with test websites
  • Fixed setting explicit logout URL from the authentication verification dialog
  • Fixed an NRE that occurred while opening the Invicti Enterprise options panel in Invicti Standard
Invicti Standard 6.0.0.29750 - 28th January 2021

NEW FEATURES

  • Added NIST SP 800-53 compliance classification and report template.
  • Added DISA STIG compliance classification and report template.
  • Added the OWASP ASVS 4.0 classification and report template.
  • Added header and footer section to customize reports.
  • Added an option to customize POST attacks for the Open Redirect engine.

NEW SECURITY CHECKS

  • Added PHP magic_quotes_gpc Is Disabled security check.
  • Added PHP register_globals Is Enabled security check.
  • Added PHP display_errors Is Enabled security check.
  • Added PHP allow_url_fopen Is Enabled security check.
  • Added PHP allow_url_include Is Enabled security check.
  • Added PHP session.use_trans_sid Is Enabled security check.
  • Added PHP open_basedir Is Not Configured security check.
  • Added PHP enable_dl Is Enabled security check.
  • Added ASP.NET Tracing Is Enabled security check.
  • Added ASP.NET Cookieless Session State Is Enabled security check.
  • Added ASP.NET Cookieless Authentication Is Enabled security check.
  • Added ASP.NET Failure To Require SSL For Authentication Cookies security check.
  • Added ASP.NET Login Credentials Stored In Plain Text security check.
  • Added ASP.NET ValidateRequest Is Globally Disabled security check.
  • Added ASP.NET ViewStateUserKey Is Not Set security check.
  • Added ASP.NET CustomErrors Is Disabled security check.
  • Added PHP session.use_only_cookies Is Disabled security check.
  • Added new Blind SQL Injection attack pattern.
  • Added Jinjava SSTI security check.
  • Added Whoops Framework Detected security check.
  • Added CrushFTP server detected security check.
  • Added database error message signature pattern for Hibernate.
  • Added Identified, Version Disclosure, and Out-of-date security checks for W3 Total Cache.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Next.JS React Framework.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Twisted Web HTTP Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Werkzeug Python WSGI Library.
  • Added Identified, Version Disclosure, and Out-of-date security checks for OpenResty.
  • Added Identified, Version Disclosure, and Out-of-date security checks for GlassFish.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Resin Application Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Plone CMS.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Trac Software Project Management Tool.
  • Added Identified, Version Disclosure, and Out-of-date security checks for IBM RTC.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Tornado Web Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Jetty Web Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Axway SecureTransport Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Artifactory.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Gunicorn Python WSGI HTTP Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for IBM Security Access Manager (WebSEAL).
  • Added Identified, Version Disclosure, and Out-of-date security checks for Nexus OSS.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Cowboy HTTP Server.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Python WSGIserver.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Restlet Framework.
  • Added Identified, Version Disclosure, and Out-of-date security checks for Phusion Passenger.
  • Added Version Disclosure and Out-of-date security checks for Liferay Portal.
  • Added Version Disclosure and Out-of-date security checks for Tracy debugging tool.
  • Added detection for Varnish HTTP Cache Server.
  • Added detection for SonicWall VPN.
  • Added detection for Play Web Framework.
  • Added detection for Private Burp Collaborator Server.
  • Added detection for LiteSpeed Web Server.
  • Added detection for JBoss Enterprise Application Platform.
  • Added detection for JBoss Core Services.
  • Added detection for WildFly Application Server.
  • Added detection for Oracle HTTP Server.
  • Added version disclosure Daiquiri security check.

IMPROVEMENTS

  • Added Wordlist Entries feature to the Resource Finder security check group
  • Added CVSS3.0 and CVSS3.1 scoring for HSTS Policy Not Enabled.
  • Improved Open Redirect attack patterns.
  • Improved TLS 1.0 issue remediation reference.
  • Added WCF service support to WSDL importer.
  • Added a fix to reduce the possibility of an out-of-memory problem.
  • Added authentication support to system proxy for PAC file.
  • Verification dialog remembers old logout keywords.
  • Added scan profile information and URL to all reports.
  • Added bypass list for scan policy settings.
  • Added scan scope variables to the Pre-Request Scripts.
  • Added information label to the Pre-Request Script settings panel
  • Added a fail tolerance to Puppeteer launch.
  • Improved Tomcat signature patterns.
  • Improved authenticator not to store the plain password in the request data
  • Added HTTP Request Logger to authentication
  • Added Canada region to the Invicti Enterprise settings
  • Added tooltip to the Excluded Usage Trackers feature.
  • Removed X-Scanner header from default scan policies
  • Added new sensitive comment patterns.
  • Revised the description of the Resource Finder checks option.
  • Removed header and footer settings for reports that do not contain header and footer in the save report dialog.
  • Added Incremental Scan to Knowledge Base reports.
  • Updated Invicti Standard splash screen.

FIXES

  • Fixed Lodash Identified security check signature.
  • Fixed WebLogic Version Disclosure security check signature.
  • Fixed Whoops Error Handling Framework Identified security check signature.
  • Fixed Zope Web Server Version Disclosure security check signature.
  • Fixed Grafana Version Disclosure security check signature.
  • Fixed ASP.NET MVC Version Disclosure security check signature.
  • Fixed Telerik Version Disclosure vulnerability severity to be low.
  • Fixed IIS Version Disclosure vulnerability severity to be low.
  • Fixed the grammar issues at the CSP Not Implemented report template.
  • Hide the scope tooltip at the manual authentication panel.
  • Fixed the order of Out-of-Date vulnerabilities; now sorting vulnerabilities by their severities.
  • Fixed the issue "link stuck error" was repeated many times in the scan logs.
  • Fixed the typo in the Pre-Request Scripts Menu.
  • Fixed a few typos in the Impact descriptions.
  • Fixed validating WAF settings before trying to test WAF connection
  • Fixed the issue where the Exclude Authentication Pages option could not be manually disabled when the Form Authentication is enabled.
  • Fixed an issue where the Form Authentication verification dialog loses focus and disappears.
  • Fixed directory modifiers limit usage
  • Fixed sending previous request headers while navigating to the Form Authentication's latest response URL.
  • Fixed an issue where the custom script dialog failed to display login page when requests encoded with Brotli
  • Fixed an issue that causes Reflected Parameter analyzer attacks to the ignored parameters when the breach engine is disabled
  • Fixed an issue that may cause the null reference exception when reflected parameter analyzer working
  • Fixed an issue that caused WASC ID is not sent properly in the Kenna Send To Action
  • Fixed an issue where the HTTP request is not redirected to HTTPS when Strict Transport Security is enabled
  • Fixed an issue that caused DOM simulation to fail because of the null windows and elements
  • Fixed an issue that is caused by NTLM, Kerberos, Negotiate authentication credentials send with every request without challenge
  • Fixed an issue that causes the Pre-Request Script requests to be ignored when its method is disallowed from the Scope settings
  • Fixed an issue that causes raw request created without cookies
  • Added SSL, Attack Possibility, and JavaScript files to Knowledge Base
  • Fixed the order of classification report ribbon menu.
  • Fixed handling the invalid characters of request headers set from the Pre-Request Scripts.
  • Fixed the tooltip of Send To Tasks button at the ribbon
  • Fixed unwanted warning on the auto authenticator
  • Fixed date and time zone problem on Swagger file.
  • Fixed null reference exception on excluded URL check.
  • Fixed multiple instance knowledge base render problem.
  • Fixed reporting style issues.
  • Fixed relativity of the charts in the Comparison Report.
  • Fixed grid showing on the logout detection screen.
  • Fixed scan resuming problem on unavailable host.
  • Fixed pop-up problem on the DOM simulation for better performance.
  • Fixed the logo at the Knowledge Base render error page.
  • Fixed an issue which causes unhandled exception when the link clicked multiple times on authentication verify dialog when interactive login is enabled
  • Fixed internet connection problem at test site configuration dialog.
  • Added information label to the Azure Configuration wizard.
  • Fixed request and response results in out-of-band vulnerabilities.
  • Fixed Blind SQL Injection cache issue.
  • Fixed wrong expiry time for cookie which occurs at DOM simulation.
  • Fixed the null reference exception while checking the source type.
  • Fixed the Basic Authentication header problem for chromium requests.
  • Fixed the null reference exception while getting authorization tokens.
  • Fixed an issue where XSLT requests are not intercepted.
  • Fixed Netsparker Helper Service dll not found issue.
  • Fixed the client certificate selection issue while logging in to the target website.
  • Fixed session storage problem at DOM simulation.
  • Fixed upload request problem that creates false positive at LFI engine.
  • Fixed chromium errors at authentication
  • Fixed the unhandled multiple choices redirect status code at requester.
  • Fixed the keyword-based logout detection stuck when the pop-up opened at chromium browsers.
  • Fixed the Generate Exploit button label in the ribbon menu and vulnerability pop-up menu.
  • Fixed an issue where the form value parser was not working.
  • Fixed unauthorized request handling in the license view.
  • Fixed an issue that causes invalid parent issue selection if Check Inverse is used at Security Checks
  • Fixed maximum logout detection issue.
  • Fixed the typo in the Pre-request Scripts menu.
  • Fixed a few typos in the Impact descriptions.
  • Fixed the issue that email disclosure was reported without identified email addresses.
  • Fixed an issue in the scan policy optimizer where the DOM preset was set wrong.
  • Removed URL signature field from the phpinfo detection pattern.
  • Fixed Perl version disclosure pattern.
  • Fixed the issue that movable type cannot be detected because the app name contained whitespace.
  • Removed the Fiddler core dependency from Fiddler Importer that caused issues in Linux agents.
  • Fixed the custom script dialog title.
  • Fixed the signature of Python version disclosure pattern.
  • Fixed the issue that charset error was repeated many times in the logs.
  • Fixed the issue that the attack parameter name was not displayed on error based SQL injection vulnerabilities.
  • Fixed an ArgumentNullException that was thrown when the proxy bypass list is null.
  • Fixed the request parsing error in TCP Requester.
  • Fixed the issue that header and footer were mixed up in the reports.
  • Fixed info icons position in the Knowledge Base reports.
  • Fixed the issue XSS payload was not highlighted correctly.
  • Fixed the typo in the base scan CLI argument.
  • Fixed the issue that the confirmation dialog was not displayed when the delete rows button in the context menu is used.
  • Fixed the inconsistencies in the summary page of Asana configuration wizard.
  • Fixed tooltip enabled/disabled states in Form Authentication, Client Certificate, and Smart Card Authentication settings.
  • Fixed the issue that search results were not highlighted correctly.
  • Fixed the issue that URL was not correctly encoded in Send To Action templates.
  • Fixed the issue request.Headers was empty in custom script API.
  • Fixed the issue Mithril version could not be detected.
  • Fixed the issue that SSTI could not be detected consistently because the code execution patterns were not loaded correctly.
  • Fixed the issue that version disclosure vulnerabilities were always fixed in retest.
  • Fixed the issue that causes FP Open Redirection because of the improper decoding of location header
  • Fixed Swagger parser that caused importing object with a parent node while the object is inside an array

Netsparker Standard 5.9.1.29030 - 6th of November 2020

NEW SECURITY CHECKS

  • Added Oracle WebLogic Server Remote Code Execution (CVE-2020-14882)
  • Added Oracle WebLogic Server Authentication Bypass (CVE-2020-14883)
Invicti Standard 5.9.0.28895 - 30th of September 2020

NEW FEATURES

  • Added a new signature limit for URL Rewrite matched links
  • Added a crawling limit for Not found (404) links
  • Added a WASC Classification Report template
  • Added an option to exclude authentication pages and removed authentication related regexes from the default settings

NEW SECURITY CHECKS

  • Added Out-of-date security checks for the Liferay portal
  • Added Version Disclosure and Out-of-date security checks for Jolokia
  • Added Nested XSS security checks
  • Added an ASP.NET Razor SSTI security check
  • Added a Java Pebble SSTI security check
  • Added a Theymeleaf SSTI security check
  • Added Version Disclosure and Out-of-date security checks for Grafana

IMPROVEMENTS

  • Improved custom scripting to send raw requests
  • Improved the authenticator to hide passwords in request data in order to prevent exposing them in reports
  • Added an Auto Follow Redirect setting to the Advanced settings
  • Added request and response details to Out of Band vulnerabilities
  • Improved logging for timed out regexes in the Javascript Library Checker
  • Updated signature of Stack Trace/Custom Stack Trace (Python)
  • Improved the memory consumption on long running scans

FIXES

  • Fixed an error that was caused when parsing duplicate response content-type headers
  • Updated Invicti logos, splash screen and icons
  • Fixed reporting of Crawl Performance for crawl-only scans
  • Fixed an issue where Form Value Errors were occurring after simulation was finished
  • Fixed the Maximum Body Length exceeded log message
  • Fixed the log level of the Dom Parser's ignored link message
  • Fixed the Jira Send To application description
  • Fixed an issue that occured when the content-type and accept header was used in a parameter in the Open API (Swagger) file
  • Fixed an issue where the custom Comparison Report was not generated
  • Fixed an ArgumentNullException that was occuring in the TestSiteConfiguration dialog
  • Disabled the LFI button for possible xxe
  • Fixed a certificate error problem on the new ssl checker
  • Fixed the timezone problem on reports
  • Fixed the Executive Summary Report title
  • Fixed an ArgumentException that was thrown when the URI was empty
  • Fixed HIPAA classification links
  • Fixed the issue where the Invicti session importer did not import all links from the session
  • Fixed the bug where the URL was split incorrectly when a segment contained the file extension
  • Fixed the issue responses that were not being analyzed in the Signatures engine during the re-crawl phase
  • Fixed the HIPAA classification link when there are multiple classifications
  • Removed plugin functions that are used to detect bootstrap to prevent false positive versions from being reported
  • Fixed NRE in the static detection engine
  • Fixed the Swagger parser that caused an object to be imported with a parent node while the object was inside an array

Netsparker Standard 5.8.2.28358 - 10th of July 2020

IMPROVEMENTS

  • Added a highlight icon to the attack parameters on the vulnerability reports
  • Added a report URL to the scheduled reports

FIXES

  • Fixed a ObjectDisposedException that was occasionally thrown when the attacker started in manual proxy mode
  • Fixed a NRE that occurred when exporting a report from a scheduled scan
  • Fixed an issue caused when the login page identifier was disabled in the Scan Policy
  • Fixed an issue where the Jira Send To Action failed to create an issue when the components field did not exist in the project
  • Fixed the issue where the content type was not parsed correctly when there were multiple Content-type headers
  • Fixed the issue where responses were not being analyzed in signature detection in the re-crawl phase.
  • Fixed the list of enabled security checks on reports
  • Changed the Sans Top 25 classification name to CWE on reports

NEW SECURITY CHECKS

  • Added an F5 Big IP LFI (CVE-2020-5902) attack pattern
  • Added out of date checks for Apache Traffic Server
  • Added version disclosure for Undertow Server
  • Added out of date checks for Undertow Server
  • Added version disclosure for Jenkins
  • Added out of date checks for Jenkins
  • Added signature detection for Kestrel
  • Added detection for Tableau Server
  • Added detection for Bomgar Remote Support Software
  • Added version disclosure for Apache Traffic Server