22-Nov-2019
Invicti Product Release Notes

NEW FEATURES

  • Added a scan search feature which is accessible from the CTRL+K shortcut that allows searching for anything in the scan
  • Added a configuration wizard for GitLab Send To Action
  • Added a Web Application Firewall tab to the Options dialog
  • Added AWS WAF integration
  • Added Cloudflare WAF integration
  • Added SecureSphere WAF integration
  • Added an Auto WAF Rule tab to the Scan Policy Editor dialog
  • Added a Send To Tasks dialog to display the Send To Action and WAF Rule task's status
  • Added a configuration wizard for "rest.testsparker.com" into the Start a New Website or Web Service Scan dialog
  • Added a What's New panel to the right hand side of the Welcome Dashboard, which shows the latest blog posts
  • Added OTP support to the Form Authentication tab in the Start a New Website or Web Services Scan dialog
  • Added "localhost.invicti" host resolution support to allow remote connections to localhost

NEW SECURITY CHECKS

  • Added a new Security Check – HTTP Parameter Pollution (HPP)
  • Added a new Security Check – BREACH Attack Detection
  • Added Out-of-Date checks for Ext JS
  • Added Oracle Cloud and Packet Cloud SSRF attack patterns

IMPROVEMENTS

  • Improved progress bar estimation by basing it on engine runtimes instead of request count
  • Improved the Scan Performance node by including engine runtimes in the Knowledge Base
  • The Download buttons in the Local File Inclusion Exploitation panel are renamed to Get
  • Improved statistical information in the scan reports
  • Improved Custom 404 settings in the Knowledge Base report
  • Improved the Knowledge Base check icon
  • Improved the display of OAuth2 Authentication information on reports
  • Added Culture Info to error reporting information
  • Renamed the F5 Big-IP ASM WAF Rules button in the Reporting tab
  • Added an Apply button to the Options window, so the dialog stays open until the Save button is clicked
  • Improved the Custom Field Editor dialog to validate custom field values before saving them
  • Improved the I/O Docs Importer to support the latest version
  • Improved the Jira Send To Action to support a new Security Level field
  • Updated Trello Send To Action wizard to hide inactive boards
  • Improved the Crawler and Attacker to identify links separately according to their Accept header. REST APIs commonly serve both application/json and application/xml from the same URL, so Invicti now identifies and attacks each representation separately
  • Improved the OpenAPI (Swagger) parser to import a link once per Accept header it declares
  • Updated the AdNetworks file which is used by Invicti to block ad networks
  • Improved the Update Available dialog UI
  • Improved the Report Policy Editor UI
  • Improved Apache Struts attack patterns by randomizing the attack payloads
  • Improved the Custom Scripting API docs
  • Improved parsing of JavaScript code written inside HTML element attributes
  • Improved the Progress panel's Requests per Second setting so that its value can be viewed by clicking its label
  • Added the ability to parse OAuth2 access token response headers to get the access token value

FIXES

  • Fixed an issue that caused very long URLs to become invisible in the vulnerability report
  • Fixed an issue that caused the Target Website or Web Service URL dropdown list's delete button to become invisible in the Start a New Website or Web Service Scan dialog
  • Fixed a false-positive Windows Username Disclosure report in the vulnerability report
  • Fixed the problem where the Windows Username Disclosure attack pattern did not match invalid file characters
  • Fixed the problem where a null Scan Profile name was displaying when opening a scan file
  • Fixed an issue where headers were duplicated when imported from a Swagger file
  • Fixed license expiration so that it occurs the day after the license expiration date
  • Fixed an issue that caused a Collection Modified exception when restarting Invicti after changing the storage directory
  • Fixed an issue where the HTTP Request / Response panel did not open when the Sitemap root node was selected
  • Fixed an issue in the Request Builder where the changes in the Raw request tab were not being saved
  • Fixed an issue that caused the name of the vulnerability to be blank in the Report Policy Editor dialog
  • Fixed a High dpi issue in the Update Available dialog
  • Fixed an issue that caused the Context button to overlay information counts in the File menu
  • Fixed the URI format exception that occurred on the SSRF configuration screen
  • Fixed an issue that caused the tab key not to work in the Request Builder
  • Fixed an issue where encoded characters and new line characters appeared in the exploit responses in JSON format
  • Fixed an issue where the application name was captured as the version in the Java Servlet Version Disclosure pattern
  • Fixed an issue where some console commands were reported as proofs of exploit even though they had not been executed in the code evaluation
  • Fixed an issue where the Report Policy Editor dialog was showing html encoded values in the grid view and in the Edit dialog
  • Fixed an issue where report template changes were lost when the Cancel button clicked while searching in the Report Policy Editor dialog
  • Fixed an issue where the DOM Parser occasionally made requests to excluded or out-of-scope URLs
  • Fixed an issue where relative links found during a DOM simulation were sometimes not added to the link pool
  • Fixed the request timeout default value tooltip displayed in the HTTP Request settings
  • Fixed property names in the Redmine Send To Actions fields
  • Fixed an issue that caused the vulnerability URL to change when running a custom script on a vulnerability originally detected also by using a custom script
  • Fixed an issue that caused the UI to freeze when activating or deactivating licenses
  • Fixed an issue that caused the UI to freeze when verifying OAuth settings
  • Disabled layout customization in the Manual Authentication and Test Credential screens
  • Fixed an issue that caused the scan manager to request a login URL in the OAuth2 Authentication settings when the Web Cache Deception security check group was disabled
  • Fixed an issue that caused late UI loading when the Scan Profile contained too many Imported Links
  • Fixed JSON and XML request identifiers to detect the type properly when content contains whitespace characters
  • Handled communication errors that occurred while testing credentials
  • Fixed the log for corrupted variation information
  • Fixed a NullReferenceException that was occasionally thrown in the Additional Websites tab in the Start a New Website or Web Service Scan dialog
  • Fixed a performance issue that occurred as the number of Sitemap nodes increased
  • Fixed the Regex Pattern of SQLite error message patterns
  • Updated the Remedy sections of some vulnerability report templates
  • Fixed the internal proxy's handling of localhost when adding the loopback override to the system's proxy settings
  • Fixed misleading logout detection warnings shown during the retest of cookie vulnerabilities
  • Fixed an issue that caused the system to crash when sorting the Sitemap
  • Improved the Apache Struts check so that the issue is reported when the attack succeeds at least once
  • Fixed a NullReferenceException in the Signature Detection
  • Fixed the issue where some proofs were duplicated in the Knowledge Base
  • Fixed excessive CPU usage on cloud instances and virtual machines
  • Fixed a Set-Cookie response header parsing issue that occurred where empty name/value pairs were skipped and cookie attributes were incorrectly parsed as name/value pairs
  • Fixed the ArgumentNullException error that occurred when a null parameter value was sent to the Request Builder
  • Fixed the Knowledge Base's Out of Scope Links resource problem
  • Fixed the I1 item's title in the Vulnerability Editor dialog (available from the Report Policy dialog) to display as 'No Message'
  • Fixed the Asana Send To Action field, as an identifier field has changed in the Asana API
  • Fixed the issue where Raw and Builder tabs were not synchronized in the HTTP Request Builder
  • Fixed an incorrect localization issue that occurred while displaying custom field values of vulnerabilities
  • Fixed an issue that caused the Issues and Sitemap panels to open before opening a scan session
  • Fixed a problem where the Search box background color changed when there were no results
  • Users are now allowed to enter custom HTTP methods in the Request Builder panel when the Raw request body is enabled
  • Fixed an ArgumentNullException that was thrown when trying to refresh the OAuth2 access token after resuming an imported scan
  • Fixed a couple of alignment problems in reports
  • Fixed the last file name cache problem
  • Fixed the word wrap and border problem in the Request/Response panel
  • Removed capitalization from titles in reports
  • Fixed an issue where the AutoComplete Enabled Vulnerability was being falsely reported if input fields included a new password option
  • Fixed a NullReferenceException that was thrown when the headers were null in the Webhook Send To Action
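
The Set-Cookie fix above names two pitfalls that trip up hand-rolled header parsers: attributes such as Path=/ taken for additional cookies, and empty names or values silently dropped. The following is an added example, not Invicti's code, showing the mistaken approach beside a parser that follows RFC 6265 section 5.2 (only the text before the first ';' is the cookie-pair; everything after it is an attribute). The sample headers are constructed for illustration.

```python
"""RFC 6265-style Set-Cookie parser beside the mistaken approach it replaces.

Added example, not Invicti code. It reproduces the two pitfalls named in the
Set-Cookie fix: attributes such as Path=/ being taken for extra cookies, and
empty names or values being dropped. Sample headers are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Union

AttrValue = Union[str, bool]


@dataclass
class ParsedCookie:
    name: str
    value: str
    # Attribute names are case-insensitive, so they are stored lower-cased;
    # valueless flags (Secure, HttpOnly) are stored as True.
    attributes: Dict[str, AttrValue] = field(default_factory=dict)


def naive_split(header: str) -> Dict[str, str]:
    """The mistaken approach: every 'a=b' segment becomes a cookie.

    Path=/ and SameSite=Lax show up as cookies, flags like Secure vanish,
    and 'token=' (a deliberately emptied cookie) is skipped entirely.
    """
    cookies: Dict[str, str] = {}
    for segment in header.split(";"):
        name, has_eq, value = segment.strip().partition("=")
        if has_eq and name and value:
            cookies[name] = value
    return cookies


def parse_set_cookie(header: str) -> Optional[ParsedCookie]:
    """Parse one Set-Cookie header value following RFC 6265 section 5.2.

    Only the text before the first ';' is the cookie-pair; everything after
    it is an attribute and is never treated as another cookie.
    """
    pair, _, attr_string = header.partition(";")
    if "=" in pair:
        name, _, value = pair.partition("=")
    else:
        # No '=' at all: browsers (and RFC 6265bis) keep this as a cookie
        # with an empty name rather than discarding the header.
        name, value = "", pair
    name, value = name.strip(), value.strip()
    if not name and not value:
        return None  # nothing to store, e.g. "; Path=/"

    attributes: Dict[str, AttrValue] = {}
    for av in attr_string.split(";"):
        av = av.strip()
        if not av:
            continue
        attr_name, has_eq, attr_value = av.partition("=")
        attributes[attr_name.strip().lower()] = attr_value.strip() if has_eq else True
    return ParsedCookie(name, value, attributes)


if __name__ == "__main__":
    # Constructed sample header exercising attributes, flags and an empty value.
    sample = "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"
    print("naive :", naive_split(sample))
    print("parsed:", parse_set_cookie(sample))
    print("logout:", parse_set_cookie("token=; Path=/; Max-Age=0"))
```

For a scanner the empty-value case matters: a server that clears a session with "token=; Max-Age=0" is telling you something about logout behaviour, and a parser that drops the pair hides it. Strict RFC 6265 discards a cookie-pair with no '=' at all; the parser above follows current browser behaviour (RFC 6265bis) and keeps it with an empty name, which is the safer choice when the goal is to see what the browser will actually store.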