Home
/
Documentation
/
18-Mar-2015
Invicti Product Release Notes
Invicti Enterprise On-Demand
Invicti Enterprise On-Premises
Invicti Standard
Invicti Application Security Platform
18 Mar 2015

18-Mar-2015

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

  • Added support for parsing and attacking JSON and XML request payloads
  • CSRF engine is added
  • HTML5 engine is added
  • Updated vulnerability database (MySQL, Apache, PHP, Nginx, Tomcat, Wordpress, Joomla, MediaWiki, osCommerce, phpBB, Twiki)
  • Added Dynamic Payload - Slash/Backslash LFI patterns

NEW FEATURES

  • Added support for new HTML5 input types
  • Most of the global settings now moved to scan policy and they can be set per scan basis
  • Added a new knowledge base item where all out of scope links in current scan are listed with the reasons
  • Added a new knowledge base item where HTML, JavaScript and CSS comments on pages are listed and possible sensitive keywords are highlighted
  • Added a new knowledge base item where frames with external URLs are reported
  • Added a new knowledge base item where embedded objects such as Adobe Flash movies, Java Applets, ActiveX objects, etc. are reported
  • Added support for cookies set by meta tags
  • Added support for generating multiple reports at a time using command line
  • Added support for updating vulnerability database without requiring to update the application
  • Added logging feature to log HTTP requests/responses in Fiddler .saz file format

IMPROVEMENTS

  • DOM parser simulation is improved
  • Attack possibility calculation is improved
  • Rendering in severity bar chart in scan summary dashboard is improved
  • Added late confirmation support for Blind Command Injection engine
  • DOM parser print dialog prevention improved
  • Browser View tab now shows XML responses in a tree view
  • Tweaked sleep tolerance value of time based engines
  • Improved the impact sections of most of the vulnerability templates
  • Improved LFI Exploitation which now is capable of better file content extraction and highlighting on text editor
  • Form inputs listed under knowledge base are now grouped by their types
  • Improved PHP Source Code Disclosure pattern
  • Improved DOM parser to extract textarea elements
  • Improved LFI Exploitation to cover case where LFI vulnerable page contains extra HTML tags
  • Improved LFI confirmation patterns
  • Improved XSS confirmation for Full URL and Full Query String attacks
  • Optimized XSS confirmation phase to skip redundant patterns
  • Improved binary response detection
  • Added limit controls to the knowledge base items to prevent performance degradation of excessive amounts of items
  • Default user agent string is set to the one used in IE8
  • Improved the importers, manual proxy and Form Authentication Configuration wizard to support JSON, XML and multipart/form-data requests
  • Improved multipart/form-data request parsing
  • Improved threading code in DOM parser and made DOM parser run in multiple processes
  • Improved Knowledge base user interface
  • Improved form value pattern for URL inputs
  • Add vulnerability database version information to related vulnerability templates
  • Configure Form Authentication wizard clears persistent cookies when started
  • Added detailed crawling/attacking activity information to Scan Summary Dashboard
  • Added activity information to Scan Summary Dashboard for ReCrawling and Extra Confirmation phases

BUG FIXES

  • Fixed a bug where sitemap context menu was missing menu items when a scan is imported from a file
  • Fixed a bug where reports generated after an auto pilot scan may contain missing items
  • Fixed a bug where Invicti was telling "Scan Finished" even though Recrawling was still in progress
  • Fixed scrolling issue on HTTP response text editor when the highlighted text spans multi lines
  • Fixed a NullReferenceException thrown from Knowledge Base when a scan imported from file
  • Fixed an issue where Error dialog was showing in autopilot mode
  • Fixed an issue where Auto Update dialog was showing in autopilot mode
  • Fixed a bug where DOM parser was failing to trigger click event for button elements
  • Fixed a bug where DOM parser was failing to extract value attribute for button elements
  • Fixed a bug where Possible LFI is reported for a binary file
  • Fixed a bug where LFI Exploitation was combining two files if they were having same names in different folders
  • Fixed a DOM parser issue where forms with empty action values are not captured
  • Fixed a DOM parser issue where all callback links in an ASP.NET Web Forms page are not clicked
  • Fixed typo in "Only Entered Url" section of User Manual
  • Fixed a DOM parser issue where a form containing multiple submit buttons is submitted using only one of the buttons
  • Fixed a DOM parser issue where button element with empty value is parsed
  • Fixed scan policy editor to reject policies with empty names
  • Fixed include/exclude URLs list to reject empty patterns
  • Fixed wrong URLs for Permanent XSS vulnerabilities shown in Issues panel
  • Fixed a scan policy bug where cloning a policy doesn't copy the database type of Boolean SQL Injection engine
  • Fixed Burp importer where rn occurrences were normalized to n chars.
  • Fixed Burp importer which was failing to parse headers properly
  • Fixed Burp importer which was failing with base64 encoded requests
  • Fixed Paros importer which was failing to parse POST request bodies with multiple lines
  • Fixed a bug where XSS payload is not executed in javascript context however reported as possible XSS
  • Fixed misleading status message in dashboard after file import
  • Fixed a bug in fingerprinting which was causing a NullReferenceException
  • Fixed an issue where Anti-CSRF token extraction didn't work in crawling

NOTE: This update has a breaking change due to new Scan Policy settings feature. If you have customized some global settings, they will reset to their default values.