Home
/
Documentation
/
18-Mar-2015
Invicti Product Release Notes
Invicti Enterprise On-Demand
Invicti Enterprise On-Premises
Invicti Standard
Invicti Application Security Platform
18 Mar 2015

18-Mar-2015

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

  • DOM based cross-site scripting vulnerability scanning
  • Scanning of parameters in URLs
  • Nginx web server Out-of-date version check
  • Perl possible source code disclosure
  • Python possible source code disclosure
  • Ruby possible source code disclosure
  • Java possible source code disclosure
  • Nginx Web Server identification
  • Apache Web Server identification
  • Java stack trace disclosure

NEW FEATURES

  • Chrome based web browser engine for DOM parsing
  • URL rewrite rules configuration wizard to scan parameters in URLs
  • "Ignore Vulnerability from Scan" option to exclude vulnerabilities from reports

IMPROVEMENTS

  • Improved the correctness and coverage of Remote Code Execution via Local File Inclusion vulnerabilities
  • Improved cross-site scripting vulnerability confirmation patterns
  • Added support for viewing JSON arrays in document roots in request/response viewers
  • Added support for Microsoft Office ACCDB database file detection
  • Improved DOM parser to exclude non-HTML files
  • Improved PHP Source Code Disclosure vulnerability detection
  • Improved Nginx Version Disclosure vulnerability template
  • Improved IIS 8 Default Page detection
  • Improved Email List knowledgebase report to include generic email addresses
  • Improved Configure Form Authentication wizard by replacing embedded record browser with a Chrome based browser
  • Improved the form authentication configuration wizard to handle cases where Basic/NTLM/Digest is used in conjunction with Form Authentication
  • Added a cross-site scripting attack pattern which constructs a valid XHTML in order to trigger the XSS
  • Added double encoded attack groups in order to reduce local file inclusion vulnerability confirmation requests
  • Added status bar label which displays current VDB version and VDB version update notifications
  • Added login activity indicator to Scan Summary Dashboard
  • Added a new knowledgebase out-of-scope reason for links which exceed maximum depth
  • Updated external references in cross-site scripting vulnerability templates
  • Improved DOM parser by providing current cookies and referer to DOM/JavaScript context
  • Added several new DOM events to simulate including keyboard events
  • Improved the parsing of "Anti-CSRF token field names" setting by trimming each individual token name pattern
  • Added support for simulating DOM events inside HTML frames/iframes
  • Consolidated XSS exploitation function name (invicti()) throughout all the areas reported
  • Removed redundant semicolon followed by waitfor delay statements from time based SQLi attack patterns to bypass more blacklistings
  • Changed default user-agent string to mimic a Chrome based browser
  • Improved LFI extraction file list to extract files from target system according to detected OS
  • Removed outdated PCI 1.2 classifications

BUG FIXES

  • Fixed indentation problem of bullets in knowledgebase reports
  • Fixed path disclosure reports in MooTools JavaScript file
  • Fixed KeyNotFoundException occurs when a node from Sitemap tree is clicked
  • Fixed NullReferenceException thrown from Boolean SQL Injection Engine
  • Fixed an issue in WebDav Engine where an extra parameter is added when requesting with Options method
  • Fixed a bug where LFI exploitation does not work for double encoded paths
  • Fixed a bug in Export file dialog where .nss extension isn't appended if file name ends with a known file extension
  • Fixed a bug in Configure Form Authentication wizard where the number of scripts loaded shows incorrectly
  • Fixed a bug which occurs while retesting with CSRF engine
  • Fixed a bug where retest does not work after loading a saved scan session
  • Fixed a bug where Invicti reports out of date PHP even though PHP is up to date
  • Fixed a UI hang where Invicti tries to display a binary response in Browser View tab
  • Fixed an ArgumentNullException thrown when clicking Heartbleed vulnerability
  • Fixed a bug where Invicti makes requests to DTD URIs in XML documents
  • Fixed a bug in Scan Policy settings dialog where list of user agents are duplicated
  • Fixed a typo in ViewState MAC Not Enabled vulnerability template
  • Fixed a bug in auto updater where the updater doesn't honour the AutoPilot and Silent command line switches
  • Fixed XSS exploit generation code to handle cases where input name is "submit"
  • Fixed a bug that prevents invicti.exe process from closing if you try to close Invicti immediately after starting a new scan
  • Fixed a UI hang happens when the highlighted text is huge in response source code
  • Fixed issues with decoded HTML attribute values in text parser
  • Fixed session cookie path issues according to how they are implemented in modern browsers
  • Fixed scan stuck at re-crawling issue for imported scan sessions
  • Fixed highlighting issues for possible XSS vulnerabilities
  • Fixed a crash due to empty/missing URL value for form authentication macro requests
  • Fixed a NullReferenceException in Open Redirect Engine which occurs if redirect response is missing Location header
  • Fixed an error in authentication macro sequence player happens when the request URI is wrong or missing