Changelogs

Invicti Standard

v6.6.1 - 12 Aug 2022

IMPROVEMENTS

  • Improved the Late-Confirmation Storage Mechanism to lower disc usage.
  • Improved the Links/API definition to add links with a single click.
  • Added the Block navigation on SPAs to built-in scan policies.
  • Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3.

FIXES

  • Fixed the issue that does not terminate the Chromium instances although the max scan duration is exceeded.
  • Fixed the issue that automatically enables “Exclude Authentication Pages” after enabling form authentication.
  • Fixed the bug that throws null reference exception at the link pool.
  • Fixed the bug that prevents GraphQL Endpoint detection when the scan policy is copied.
  • Fixed the bug that resulted in running many Chromium instances when a new scan is started.
  • Fixed a null reference error when a new scan is started via the command line.

v6.6.1.36926 - 19 Jul 2022

IMPROVEMENTS

  • Improved the Late-Confirmation Storage Mechanism to lower disc usage.
  • Improved the Links/API definition to add links with a single click.
  • Added the Block navigation on SPAs to built-in scan policies.
  • Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3.

FIXES

  • Fixed the issue that does not terminate the Chromium instances although the max scan duration is exceeded.
  • Fixed the issue that automatically enables “Exclude Authentication Pages” after enabling form authentication.
  • Fixed the bug that throws null reference exception at the link pool.
  • Fixed the bug that prevents GraphQL Endpoint detection when the scan policy is copied.
  • Fixed the bug that resulted in running many Chromium instances when a new scan is started.
  • Fixed a null reference error when a new scan is started via the command line.

v6.6.0.36485 - 14 Jun 2022

NEW FEATURES

  • Added GraphQL Libraries detection support.
  • Added the Shark node to the Knowledge Base.
  • Added Acunetix XML to URL Import.
  • Added built-in DVWA policies to scan policies.

IMPROVEMENTS

  • Updated embedded Chromium browser.
  • Added a new IAST vulnerability: Overly Long Session Timeout.
  • Added new config vulnerabilities for the IAST Node.js sensor.
  • Added new config vulnerabilities for the IAST Java sensor.
  • Added support for detecting SQL Injections on HSQLDB.
  • Added support for detecting XSS through file upload.
  • Updated DISA STIG Classifications.
  • Updated Java and Node.js IAST sensors.
  • Improved time-based blind SQLi detection checks.
  • Improved the Content Security Policy Engine.
  • Updated XSS via File Upload vulnerability template.
  • Updated License Agreement on the Invicti Standard installer.
  • Added Extract Resource default property to DOM simulation.
  • Improved proxy usage in Netsparker Standard for outgoing web requests such as Hawk.
  • Added an option to discard certificate validation errors on the Enterprise Integration window during SSL/TLS connections.
  • Added vulnerabilityType filter to add VulnerabilityLookup table.
  • Added the agent mode to the authentication request.
  • Added a default behavior to scan the login page.
  • Added an option to disable anti-CSRF token attacks.
  • Added an option to block navigation on SPAs pages.
  • Added a default behavior to disable TLS 1.3.

FIXES

  • Fixed basic authorization over HTTP bug.
  • Fixed SQL Injection Vulnerability Family Reporting Bug.
  • Fixed a bug that the custom script throws a null reference exception when a script is added to the paused scan.
  • Fixed a bug that deletes an authentication password when a new scan is started with a copied profile.
  • Fixed a bug that causes the Sitemap to disappear during scanning with IAST.
  • Fixed a bug that caused missing tables and values when a report policy is exported as an SQL file.
  • Fixed a typo bug on GraphQL importing window.
  • Fixed the report naming bug that occurs when users create a custom report from a base report.
  • Fixed an issue that causes the attack process not to be completed for a security check when an error occurs while attacking a parameter with an attack pattern.
  • Fixed a bug that updates all built-in scan policies instead of edited scan policy.
  • Fixed a typo on Skip Crawling & Attacking pop-up.
  • Fixed a bug that prevents an error icon from appearing after entering unacceptable characters for the scan policy name.
  • Fixed a bug that does not migrate the Spring4Shell Remote Code Execution check to a new scan policy although more than 50% of the checks are selected.
  • Fixed a bug that throws an error when the Large SPA is selected from the Load Preset Values drop-down on the Scan Policy window.
  • Fixed a bug that does not show Configuration Wizard for the Rest API TestInvicti website.
  • Fixed missing template section migration on report policy.
  • Fixed a bug that throws an error when a report is submitted upon error.
  • Fixed the LFI Exploiter null reference.
  • Fixed a bug that occurs when a detailed scan report does not report the CVSS scores for custom vulnerabilities.
  • Fixed a bug that occurs when the Log4J vulnerability profile is not migrated with the report policy migration.
  • Fixed a bug that occurs when users search the Target URL on the New Scan panel.
  • Fixed typo in the timeout error message.
  • Fixed a bug that prevents the WSDL files from being imported.
  • Fixed reporting “SSL/TLS not implemented” when scanning only TLS 1.3 supported sites.
  • Fixed a bug that throws an error for NTLM authentication when the custom username and password credentials are provided when the system proxy is entered into the appsetting.json
  • Fixed the bug that the passive vulnerabilities were reported from out-of-scope links.

REMOVAL

  • Removed Expect-CT security check.
  • Removed the End-of-Text characters in URL rewrite rules.

v6.5 - 29 Apr 2022

IMPROVEMENTS

  • Updated embedded Chromium browser.
  • Improved JWT confirmation to avoid false positives.

FIXES

  • Fixed an issue that passive vulnerabilities were reported as out-of-scope links.
  • Fixed an issue that imports global servers as Swagger files.
  • Fixed an issue where the OK button disappears during interactive login.
  • Fixed an issue that adds interactive login buttons to iframes.
  • Fixed a null reference exception at the LFI exploit panel.

v6.4.3.35616 - 04 Apr 2022

NEW SECURITY CHECKS

  • Added Remote Code Execution (CVE-2022-22965) a.k.a. Spring4Shell detection support.

v6.4.0.35166 - 08 Mar 2022

IMPROVEMENTS

  • Netsparker Standard is now Invicti Standard.
  • Added a token matching rule when it is required to get the token from a website other than the target URL.
  • Improved the GraphQL attacks to include non-string fields. 

FIXES

  • Fixed a consistency issue between the Software Composition Analysis and the Knowledge Base on reported vulnerabilities. 
  • Fixed a bug that prevents the Knowledge Base View from being shown properly when a user disables the knowledge base from a scan policy.
  • Fixed a null reference exception by adding a control whether the current scan policy is empty.
  • Fixed a bug that the agent does not continue the scan after a pause.
  • Fixed a bug that does not properly show all components detected by a software composition analysis after a retest. 

v6.3.3.34686 - 14 Feb 2022

IMPROVEMENTS

  • Implemented new Log4j attack patterns.
  • Added the parameter types to exported reports for GraphQL.

FIXES

  • Fixed an issue that Invicti uses a new token instead of the imported token when customers add imported links.
  • Fixed an issue that results in false positive Cross-site Scripting.
  • Fixed an issue that prevents the scan policy migration when a newer Invicti Standard version is installed.
  • Fixed an issue that the page counter goes to zero in the Recent Scans window.
  • Fixed an issue that threw error during the pre-scan validation process in the case of websites that can only be accessed via the proxy.

v6.3.2.34187 - 20 Jan 2022

IMPROVEMENTS

  • Added the .deploy extension to Default Policy’s extension list.
  • Added a new command line interface parameter, called failfast, to close Invicti Standard in silent mode when an error occurs.

FIXES

  • Fixed a null reference error issue when a user right-clicks the target on the Sitemap. 
  • Fixed the URL response error of the main node when Override Target URL check is enabled.
  • Fixed the Imported Links date and time value in the body that is cropped. 
  • Fixed an issue that opens the vulnerability panel instead of the HTTP Request and Response panel when the email node is selected in the Knowledge Base panel. 
  • Fixed the issue with the Missing XSS protection Header in the Out-of-Scope link.
  • Fixed an issue that tries to stop the scan when the What’s New tab is closed.
  • Fixed an issue that Invicti Standard starts a retest for a vulnerability randomly. 
  • Fixed a payload for the GraphQL.

v6.3.1.33855 - 29 Dec 2021

FIXES

  • Fixed a scan policy migration issue that causes selecting all the security checks.

v6.3.033782 - 23 Dec 2021

NEW FEATURES

  • Added Software Composition Analysis (SCA) feature.
  • Added OWASP Top 10 2021 classification and report.
  • Added support for scanning GraphQL APIs.

NEW SECURITY CHECKS

  • Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Jira.
  • Added Stack Trace Disclosure Signature for Java.
  • Added Shopify Identified Security Check.

IMPROVEMENTS

  • Updated Invicti Standard .NET Framework version from 4.7.2 to 4.8.
  • Allowed to enter hyphens for the proxy address on the Proxy Settings.
  • Enabled that all child controlled scan parameters are listed in the Sitemap parent node.
  • Changed classification for Cross-site Referrer Leakage and Breach in OWASP Top Ten 2021.
  • Changed CryptographicException error log type.
  • Added condition that when the max crawling link is reached, the DOM simulation stops.
  • Updated Version Disclosure Signature for Apache Coyote.
  • Added callback flag to prevent multi trigger of DOM parser view callback.
  • Improved the importing of RAML files that include other files.
  • Added tags property to the Kenna Send to Action.
  • Updated Freshservice integration not to send user agent header.
  • Updated Version Disclosure Signature for Jolokia.
  • Improved the Form Values to be entered into the relevant sections during the form authentication process in the React environment.
  • Improved the login verification process by detecting page load properly.

FIXES

  • Fixed an issue that created an incorrect issue link in Bitbucket Integration.
  • Fixed an issue that occurred when the proxy information from the Proxy Auto-Configuration file cannot be transmitted in requests made by the browser.
  • Fixed the null reference error (NRE) that occurred during importing the paused or canceled scan files.
  • Fixed an issue that calculated total response time incorrectly.
  • Fixed the bug related to Send To action of Kenna integration.
  • Fixed the Jolokia version disclosure report to properly highlight the related lines.
  • Fixed the OWASP classification links.
  • Fixed an issue that does not show a vulnerability when sorted by the Vulnerability Type although it shows when sorted by Severity.
  • Fixed the misleading tooltip in Scan Policy – Security Checks.
  • Fixed the misaligned text on the PDF version of Executive Summary Report.
  • Fixed an issue that Invicti Standard doesn’t show out-of-scope warning when out-of-scope link is imported.
  • Fixed the inconsistent vulnerability count between reports and status bar.
  • Fixed the manual authentication issue when links are imported from URL.
  • Fixed the Sitemap multilevel group count.
  • Fixed Scan Policy security check count.
  • Fixed a naming issue that occurred when a new custom report name contains a dot.
  • Fixed an issue while changing the Data Directory option on Storage tab.
  • Fixed the issue that external references were not rendered correctly.

v6.2.1.33642 - 14 Dec 2021

NEW SECURITY CHECKS

  • Added Out of Band Code Evaluation (Log4j – CVE-2021-44228) a.k.a. Log4Shell detection support.

v6.2 - 16 Nov 2021

NEW FEATURES

  • Added Node.js sensor for Invicti Shark (IAST).
  • Added OWASP API Top 10 classification and report template.

NEW SECURITY CHECKS

  • Added signature matching to Web app fingerprint checker.
  • Added patterns for Base64 encoded DOM Cross-site Scripting.
  • Added phpMyAdmin Version Disclosure security check.
  • Added Atlassian Confluence Version disclosure and Out-of-date security checks.
  • Added exclusion feature to JavaScript Library detection.
  • Added PHP Version Detection via phpinfo() call.
  • Added the Shopify Identified security check.

IMPROVEMENTS

  • Added the Bridge URL and Shark token support for Invicti Shark (IAST).
  • Added setting to configure Session Cookie Names.
  • Updated CWE classification category orders for Out-of-date templates.
  • Improved Cross-site Scripting attack pattern.
  • Added support for exploiting local storage and session storage in the DOM XSS security checks.
  • Added highlighting support for custom scripts.
  • Added Web Application Firewall to the site profile.
  • Changed the default ignored parameter comparison to case insensitive.
  • Added ‘Is Encoded’ option to OAuth2 parameters.
  • Added JWT Token pre-request script template.
  • Added the CSP Not Implemented that will be reported as confirmed.
  • Added the Subresource integrity not implemented that will be reported as confirmed.

FIXES

  • Fixed the issue that Content-Type header missing was reported when there was no content in the response.
  • Fixed the issue that FP JWT was reported in a not found response.
  • Fixed the issue that possible and confirmed vulnerabilities were reported in the same URL.
  • Marked weak TLS ciphers.
  • Fixed the issue that proof was generated even when the proof generation option was disabled in the scan policy.
  • Fixed FP WAF Identified.
  • Fixed the issue that the vulnerability count in the root node is not updated when a vulnerability is removed and Blind XSS was prioritized over the Reflected Cross-site Scripting.
  • Fixed the issue that source code disclosure is reported in binary responses.
  • Fixed the issue that the fingerprint checker crashes when an applications file could not be found.
  • Fixed the issue that object-src missing was reported when default-src is provided in CSP security checks.
  • Fixed the issue that some cipher suites are not reported as weak.
  • Fixed the issue that classification links were not rendered correctly when there are multiple values.
  • Fixed the issue that the proof prefix was added when there were no more characters to be found.