Changelogs

Invicti Standard

RSS Feed

v24.3.0 - 12 Mar 2024

This release includes new features, new security checks, and bug fixes.

New features

  • Added the ability to force authentication verifier agents to use incognito mode by default on Chromium browsers

New security checks

  • Added detection for ActiveMQ RCE to the OOB RCE Attack Pattern (CVE-2023-46604)

Fixes

  • Added a Cookie Source field to the Knowledge Base Cookies screen

v24.2.0.43677 - 20 Feb 2024

This release includes new features, new security checks, improvements, and bug fixes.

New features

  • Added a new BLR log providing details on BLR execution

New security checks

  • Implemented a detection and reporting mechanism for the Backup Migration WordPress plugin (CVE-2023-6553)
  • Added detection for TinyMCE

Improvements

  • Updated the “Insecure Transportation Security Protocol Supported (TLS 1.0)” vulnerability to High Severity
  • Updated the WSDL serialization mechanism
  • Implemented support for scanning sites with location permission pop-ups
  • Added support for FreshService API V2
  • Removed obsolete X-Frame-Options Header security checks

Fixes

  • Fixed a bug in the Request/Response tab of Version Disclosure vulnerabilities
  • Removed the target URL from the scope control list

v24.1.0.43434 - 30 Jan 2024

This release includes new security checks, improvements, and bug fixes.

New security checks

  • Added a check for dotCMS
  • Added a check for the Ultimate Member WordPress plugin
  • Added a new mXSS pattern
  • Added new signatures to detect JWKs

Improvements

  • Improved the recommendations for the Weak Ciphers Enabled vulnerability
  • Improved detection of swagger.json vulnerabilities
  • Added support for AWS WAFv2 rules
  • Improved more of our error and warning messages so they are more user friendly
  • Added Sentry implementation into the Agent repository

Fixes

  • Fixed a proxy issue that was impacting the detection of weak ciphers
  • Fixed a problem with importing WDSL files

v24.1.0.43434 - 09 Jan 2024

This release includes new features, improvements, and bug fixes.

New features

  • In the scan settings section, we’ve added a checkbox (under Authentication > Form) to collect all logs about the authentication progress
  • Enhanced reporting of DOM XSS vulnerabilities

Improvements

  • Updated the Shark Dotnet Sensor to .NET Core 6
  • Improved site-logout detection

Fixes

  • Resolved a problem with missing information in the report policy database
  • Fixed an issue with the import of scan data from Invicti Enterprise to Invicti Standard
  • Fixed a bug in the importing of links
  • Fixed some vulnerabilities on our Invicti Docker Image by updating the packages
  • Fixed reporting of some false/positive passive out-of-date vulnerabilities

v23.12.0.43017 - 13 Dec 2023

This release includes the addition of CVSS 4.0 categorization of vulnerabilities and support for PCI DSS 4.0. New security checks have been added for HSQLDB and Typo3 vulnerabilities and report templates.

New features

  • Added CVSS 4.0 categorization of vulnerabilities
  • Added support for PCI DSS 4.0
  • Added new messaging for when scans fail due to mistyped http/https protocols

 New security checks

  • Added new HSQLDB vulnerabilities and report templates
  • Added new Typo3 vulnerabilities and report templates

Improvements

  • Improved the vulnerability calculator for Boolean MongoDB
  • Improved the signature for .dockerignore file detected issues
  • Improved the request body rating algorithm
  • Improved the signature for Joomla detection
  • Improved the signature for other docker-related signatures
  • Improved the Postman collection parsing algorithm
  • Resolved an issue with adding a client certificate to set up a scan
  • Added logs for better traceability of BLR playbacks

Fixes

  • Fixed the NRE in the agent log if any authentication is adjusted
  • Fixed an issue that was causing verifiers to not use scan policy proxy settings
  • Fixed an auth verifier client certificate authentication path error

v23.11.0.42728 - 16 Nov 2023

This release includes a new ignored parameter type for scan policies, new security checks for WordPress, along with several improvements and fixes

New features

  • Added an option under New Scan Policy > Ignored Parameters to allow customers to set ‘Cookie’ as a type of ignored parameter

New security checks

  • Added new checks for the WordPress Login with Phone Number Plugin: CVE-2023-23492
  • Added new checks for the WordPress JupiterX Core Plugin: CVE-2023-38389, CVE-2023-38388

Improvements

  • Added support for custom authentication tokens without token type
  • Improved LFI attack patterns for better accuracy
  • Fixed some vulnerabilities in the Docker image
  • Stricter sensitive data rules
  • Improved bot detection bypass scenarios

Fixes

  • Fixed custom header values in scan profiles so that they are masked
  • Docker Cloud Stack check has been updated to reduce noise
  • Fixed an issue with adding configuration files to scan profiles
  • SSL/TLS classification updated from CWE-311 to CWE-319

v23.10.0.42447 - 18 Oct 2023

This release includes improvements and bug fixes.

Improvements

  • Added a MaxAuthenticationTime configuration and set the default value as 480 seconds

Fixes

  • Fixed a bug that was preventing the import of WSDL files to Invicti Standard
  • Fixed version information reported in Web App Fingerprint Vulnerabilities

v23.9.0.42218 - 28 Sep 2023

This release includes two new features and some new security checks, along with multiple improvements and bug fixes.

New features

  • Added encoding for sensitive data
  • Added the option to enable CSRF checks for authenticated scans only
  • Added a sensitive data (password, session cookie, token etc.) encoder

New security checks

  • Added JQuery placeholder detection methods
  • Added a new security check for the Missing X-Content-Type-Options vulnerability

Improvements

  • Improved the JS Delivery CDN disclosure check to increase stability
  • Improved the remediation part for the Weak Ciphers Enabled vulnerability
  • Reduced the certainty value to 90 for the Robot Attack Detected vulnerability
  • Improved the detection method for CSP
  • Improved the detection method for the Dockerignore File Detected vulnerability
  • Improved the detection method for the Docker Cloud Stack File Detected vulnerability

Fixes

  • Improved our XSS capabilities
  • Fixed an NTLM login issue
  • Fixed a bug that was overwriting proxy settings in scan policies
  • Fixed a unique analyzer bug for the WSDL importer
  • Fixed a custom proxy bypass list issue

v23.9.0 - 06 Sep 2023

This release includes a new feature that lets you set proxy configurations to Docker Agent as an environment variable when creating a container. We also made several improvements and fixed some bugs.

New feature

  • We’ve added the ability to set proxy configurations to Docker Agent as an environment variable when creating a container

Improvements

  • Disabled caching from the boolean-based MongoDB security engine to avoid possible false positives
  • Improved the content-type exemption for non-HTML content types in the CSP engine
  • Improved the typehead.js check to increase stability
  • Removed the X-XSS-Protection header check because it is deprecated by modern browsers
  • Fixed a scan coverage issue
  • Improved the remediation part for the JetBrains .idea detected vulnerability
  • Added functionalities to prevent bot detection and fixed an issue that was causing cookie loss after authentication

Fixes

  • Fixed the update agent command that was not working correctly
  • Fixed the internal Linux v23.7 AV agent that wasn’t sending header configurations
  • Encrypted the proxy password used in the scan policy file
  • Fixed an issue with missing links when importing a .nss file from Invicti into Acunetix 360
  • Fixed the external SOAP web service import problem
  • Fixed a custom script issue so that now passwords written to the logs are encrypted
  • Fixed an issue that might cause broken functionality for popup pages
  • Fixed an issue where vulnerabilities could not be generated as CloudFlare WAF rules via API
  • Fixed a bug with Multiple Declarations in the X-Frame-Options Header
  • Fixed a localized time issue in the Files area
  • Fixed a problem that was causing default values to be filled incorrectly, resulting in false negatives

v23.8.0.41720 - 17 Aug 2023

This release includes new security checks, improvements, and fixes. We added security checks for XSS and improved detection for File Inclusion, Sensitive Data Exposure, and Dockerfiles. We also fixed some bugs.

New security checks

  • Added new patterns to detect XSS

Improvements

  • Improved detection and reporting of File Inclusion vulnerabilities
  • Improved detection and reporting of Sensitive Data Exposure vulnerabilities
  • Improved detection and reporting of Dockerfiles
  • Added a custom authentication support header to scan policy

Fixes

  • Fixed incorrect reporting of outdated technology versions
  • Fixed a bug that was preventing reports from being saved
  • Fixed the navigation check error on the dom parsing phase
  • Fixed an issue that can cause too much browser user data to be left in the temp folder
  • Fixed a custom script that was preventing successful basic authentication in some scenarios

v23.7.0.41392 - 19 Jul 2023

This release includes new improvements and fixes. We improved logout detection for OAuth2 websites, and implemented several fixes.

Features

  • Added Diana.jl support for GraphQL Library Detection
  • Added Hot Chocolate support for GraphQL Library Detection
  • Added Zero Day Vulnerability for MOVEit Software

Improvements

  • Improved logout detection for OAuth2 authenticated websites
  • Improved detection of IT Hit WebDav Server .Net versions
  • Improved Internal Path Disclosure detection
  • Improved Remediation Advice for Autocomplete Enabled vulnerability
  • Improved detection logic for LFI vulnerability
  • Improved identification and version disclosure for PopperJS, CanvasJS, and Next.js
  • Improved WAF Detection for F5 BIG IP

Fixes

  • Fixed issue with scans stopping with the Find & Follow New Links option enabled
  • Fixed issue with agent compression of chromium and node files
  • Fixed InvalidCastException with REST API
  • Fixed ArgumentNullException with Custom Security Checks
  • Fixed BLR cannot fill address fields
  • Fixed adding some MongoDB vulnerabilities to Knowledge Base report
  • Fixed scans unauthenticated after successful authentication verification
  • Fixed rare stuck scan issue
  • Fixed false positive due to TLS v1.3 not enabled
  • Fixed ArgumentNullException during scan launch
  • Fixed Authentication Verifier fails creating a new scan while another scan is running
  • Fixed GraphQL import OutOfMemoryException

v23.6.0.40861 - 07 Jun 2023

This release includes new security checks, improvements, and fixes. We added security checks for public Docker files, MongoDB, and WordPress. We improved the wordlist for forced browsing and signature detection patterns. We also fixed some bugs.

New security checks

  • Added the check for Boolean-based MongoDB injection.
  • Added the check for MongoDB Operator Injector.
  • Implemented the XML external entity check for IAST.
  • Added the ISO/IEC27001:2022 Classification.
  • Added the report template and attack pattern to the Out-of-band RCE.
  • Added passive check for Lua.
  • Added a security check to detect public Docker files.
  • Implemented a new engine to identify WordPress themes and Plugins.
  • Added new security checks for SAML.
  • Added security check for IT Hit WebDAV Server .Net Version Disclosure.
  • Added security check for MS Exchange Version Disclosure.
  • Added new payloads for Command Injection.
  • Added support for PopperJS.
  • Added support for CanvasJS.
  • Added new security check for the SQLite Database Detection.
  • Added new payloads for Header Injection.
  • Added new security check for Spring Boot Actuator Detection.
  • Added security check for NodeJS Stack Trace Disclosure.
  • Added security check for SailsJS and ActionHero Identified.
  • Added security check for JetBrains .idea Detected.
  • Added security check for GraphQL Stack Trace Disclosure.
  • Added security checks for Javascript Libraries.
  • Added security checks for Web Application Fingerprinter Engine.
  • Added new security checks for WordPress Hello Elementor Theme Detection.
  • Added new security checks for WordPress Twenty Twenty-Three Theme Detection.
  • Added new security checks for WordPress Twenty Twenty-Two Theme Detection.
  • Added new security checks for WordPress Astra Theme Detection.
  • Added new security checks for WordPress Twenty Twenty-One Theme Detection.
  • Added new security checks for WordPress Twenty Twenty Theme Detection.
  • Added new security checks for WordPress OceanWP Theme Detection.
  • Added new security checks for WordPress Twenty Seventeen Theme Detection.
  • Added new security checks for WordPress Kadence Theme Detection.
  • Added new security checks for WordPress Twenty-Sixteen Theme Detection.
  • Added new security checks for WordPress Twenty Nineteen Theme Detection.
  • Added new security checks for WordPress PopularFX Theme Detection.
  • Added new security checks for WordPress GeneratePress Theme Detection.
  • Added new security checks for WordPress Inspiro Theme Detection.
  • Added new security checks for WordPress Go Theme Detection.
  • Added new security checks for WordPress Smash Balloon Social Photo Feed Plugin Detection.
  • Added new security checks for WordPress Contact Form 7 Plugin Detection.
  • Added new security checks for WordPress Yoast SEO Plugin Detection.
  • Added new security checks for WordPress Elementor Website Builder Plugin Detection.
  • Added new security checks for WordPress Classic Editor Plugin Detection.
  • Added new security checks for WordPress Akismet Spam Protection Plugin Detection.
  • Added new security checks for WordPress WooCommerce Plugin Detection.
  • Added new security checks for WordPress Contact Form by WPForms Plugin Detection.
  • Added new security checks for WordPress Really Simple SSL Plugin Detection.
  • Added new security checks for WordPress Jetpack Plugin Detection.
  • Added new security checks for WordPress All-in-One WP Migration Plugin Detection.
  • Added new security checks for WordPress Wordfence Security Plugin Detection.
  • Added new security checks for WordPress Yoast Duplicate Post Plugin Detection.
  • Added new security checks for WordPress WordPress Importer Plugin Detection.
  • Added new security checks for WordPress LiteSpeed Cache Plugin Detection.
  • Added new security checks for WordPress UpdraftPlus WordPress Backup Plugin Plugin Detection.
  • Added new security check for EZProxy Identified.

Improvements

  • Updated the Signature Detection pattern.
  • Improved the wordlist for Forced Browsing checks.
  • Changed the Session Cookie not marked as Secure severity from High to Medium.
  • Improved the task queue by optimizing code.
  • Improved Drupal and Joomla detection.
  • Improved the Next.js version detection.
  • Improved Django debug mode enabled.
  • Updated the SSL/TLS report template.

Fixes

  • Fixed the navigational error by ignoring initial requests other than the document-type resources.
  • Fixed an issue about HTTP Status codes on the crawler performance in the Knowledge Base Report.
  • Fixed the importing GraphQL introspection issue.
  • Fixed the weak Nonce detection in Content Security Policy.