Home
/
Documentation
/
14-May-2019
Invicti Product Release Notes
Invicti Enterprise On-Demand
Invicti Enterprise On-Premises
Invicti Standard
Invicti Application Security Platform
14 May 2019

14-May-2019

NEW FEATURES

  • Added auto update support for scanner agents
  • Improved the Manage Agents page to support filtering and allow the running of commands
  • Added notifications section to top bar. It displays application specific notifications such as updates and background jobs
  • Added new API endpoints for managing issues
  • Added a Do not differentiate HTTP and HTTPS protocols option to the Scan Scope tab's settings
  • Added OAuth2 Authentication support
  • Added a new Best Practice severity level for vulnerabilities that are recommended practices but not critical
  • Added an option to report only confirmed issues while generating reports
  • Added an option to exclude addressed issues while generating reports
  • Added F5 WAF rule generation
  • Added RESTful API Modeling Language (RAML) link import support
  • Added the ability to exclude certain URLs from URL Rewrite Detection
  • Added support for importing links from WordPress REST API files
  • Added a Scan Policy for OWASP Top 10 vulnerabilities
  • Added a Scan Policy for PCI vulnerabilities

NEW SECURITY CHECKS

  • Added new XSS pattern that injects the attack payload into the HREF attribute
  • Added support for exploiting Drupal Remote Code Execution (CVE-2019-6340)
  • Added a Unicode Transformation (Best-Fit Mapping) security check
  • Added detection for possible Header Injections
  • Added out-of-date detection for Oracle Database Server
  • Added out-of-date detection for Mithril
  • Added out-of-date detection for ef.js
  • Added out-of-date detection for Match.js
  • Added out-of-date detection for List.js
  • Added out-of-date detection for RequireJS
  • Added out-of-date detection for Riot.js
  • Added out-of-date detection for Inferno
  • Added out-of-date detection for Marionette.js
  • Added out-of-date detection for GSAP
  • Added a config.json check to the Resource Finder
  • Added detection support for TS Web access
  • Added detection support for .travis.yml

IMPROVEMENTS

  • Improved the Import Links section on the Imported Links tab on the New Scan page. Now imported links can be viewed immediately after the target file is uploaded.
  • Added CreatedAt and UpdatedAt fields to WebsiteGroup API endpoints
  • Improved the responsive design for several pages
  • Changed some wording for vulnerability details to use same wording as Invicti Standard
  • All clicked external links now open in a new window
  • The Target website URL cannot also be added as an Additional Website on the New Scan page
  • New logo has been added to the top bar
  • Improved Resource Finder step on the Scan Policy Optimization Wizard
  • Jira issues are now assigned to the person who started the scan
  • Improved the queue performance for scans running on cloud scanner agents
  • Improved the layout for reports where no vulnerabilities are detected
  • Added a new Manage Issues (Restricted) permission, which disallows marking issues as Accepted Risk or False Positive
  • Added Reporter (account id type) to the JIRA integration page
  • Updated SSRF ipv6 pattern names
  • Improved Scan performance by allocating computer resources better
  • Added XXE, File Upload, SSL, RFI, ELI, XSS via RFI vulnerabilities into vulnerability families
  • Added a description that explains why only 10 pages are reported on the Slowest Pages node in the Knowledge Base
  • Updated Code Evaluation (PHP) attack patterns
  • Improved DOM Simulation performance and fixed several issues
  • Improved React JavaScript framework support on Form Authentication
  • HTML Select elements without event listeners are simulated in DOM Simulation
  • The File Upload engine searches newly discovered file names in the upload response and in the upload folders
  • Improved operating system detection by the Site Profile node in the Knowledge Base
  • Added support for attacking the name of POST parameters
  • Improved the External References for several vulnerabilities
  • Added ISO 27001 information to the Executive Summary Report
  • CSP vulnerabilities will no longer display a 'certainty' value if they are already marked as Confirmed
  • Fixed an issue in DOM Simulation where the change of select elements was not being properly dispatched to the underlying JavaScript framework
  • Added support for exploiting XSS in text and XML content types
  • Out of Date SQL vulnerabilities are reported as Confirmed
  • Added a Cookie Whitepaper reference to cookie vulnerability templates
  • Added External References to ExpressJS, CakePHP and Possible Stored XSS templates
  • Improve grammar in Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability details
  • More commands are executed in the Code Evaluation exploitation to generate proofs
  • References to 'Manuscript' have been replaced with 'FogBugz'
  • Improved RFI confirmation for URL Rewrite parameters
  • Improved signatures of Nginx Version Disclosure patterns
  • Optimized the attack speed of XSS and LFI engines
  • Added extra information to Out-of-date vulnerability templates to explain the vulnerability reason
  • Cookie checks will analyze session cookie names to detect platform-specific default session names
  • Stored XSS and Insecure Frame Default Report Policy vulnerability descriptions have been improved
  • Added a Jira Account ID field for Jira Send To Action to assign issues to a user, since the JIRA Api does not accept the username

BUG FIXES

  • Notifications tab appears empty when the Target URL is not selected on the New Scan page
  • Removed client side console logs from several pages
  • Fix the issue where the Preferred agent was not being set as expected for the selected scan profile on the New Scan page
  • Fixed an issue where the Discovery Settings page was not working properly for low resolution views
  • Fixed an issue where the Authentication Verifier was not capturing authentication settings
  • Fixed a bug where the default Scan Completed notification was overwriting the custom JIRA notification
  • Fixed a bug where PDF reports were not generated on the tryout console on the API docs page
  • Removed the Contains filter option for numeric fields
  • Fixed an issue where scans configured with a Scantime Window were blocking other scans
  • Removed the redundant ReportType parameter and added a ReportFormat parameter to the CustomReport API endpoint
  • Fixed a bug where ordering Issues using the Last Seen column was throwing an exception on the Issues page
  • Fixed a validation issue in the Header Authorization settings in the New Scan page
  • Fixed an issue where DOM simulation might conflict with some JavaScript frameworks
  • Fixed the garbled configuration sample in the Remedy section of the HSTS Policy Not Enabled vulnerability
  • Fixed an issue where an extra ampersand was appended to the query string while generating the URL of a Swagger imported link
  • Fixed an XmlException that was thrown while trying to parse a sitemap.xml response that is not found
  • Fixed a GZip decoding issue that occured while decoding a compressed sitemap.xml
  • Fixed a stuck scan issue on websites using the React JavaScript framework
  • Fixed a Postman file importing issue where the response was not base64 encoded
  • Fixed a NullReferenceException thrown while checking mutations on DOM
  • Fixed the incorrect URLs that were added during the DOM simulation for forms without action attributes
  • Fixed the issue where the SameSite cookie vulnerability was reported for cookies that were missing Lax or Strict attributes
  • Fixed an issue where JavaScript file parsing was taking longer than expected on some occasions
  • Fixed the issue where the incorrect severity was reported for the Cookie not Marked as Secure vulnerability of a non-session cookie
  • Fixed HTTP 400 errors raised by the ServiceNow Send To integration
  • Fixed an issue in the CSP engine where the 'strict-dynamic' directive was reported as an unsupported hash
  • Fixed incorrect nonce detected without matching script block vulnerability
  • Fixed a DOM simulation issue where the passed element to call the setTimeout function was being ignored
  • Fixed an issue that caused FP Insecure Reflected Content to be reported
  • Fixed the issue where brute-force attacks were carried out regardless of the Authentication Type
  • Fixed the issue where the LFI vulnerability confirmation patterns did not match the response returned from a Linux server
  • Fixed the value of double encoded null byte in LFI and XSS attack patterns
  • Fixed an issue in the Swagger importer where the parameter declared on the path level was not recognized
  • Fixed an issue in the LFI engine where the confirmation payload was appended to the attack payload
  • Fixed the value of the double encoded null byte in the Header Injection pattern
  • Fixed the encoding of the % sign in the base64 payload in XSS attacks
  • Fixed the attack payload in the PHP Injection Fixed One Time Attack pattern
  • Fixed the encoding issue in the SQL Injection confirmation attack
  • Fixed an issue where the cookies that were set in the JavaScript context during Form Authentication were not properly captured
  • Fixed an issue where the Max Simulated Elements option was causing the simulation to hang
  • Fixed an uncaught TypeError that was caused by Max Option Elements checks and causing the simulation to hang
  • Fixed an issue where an incorrect Subresource Integrity (SRI) Hash Invalid vulnerability was reported because of a hash miscalculation