Invicti Standard

IMPROVEMENTS

• Added Authentication mode and Scheduled Scan information to new reports
• Added Include and Exclude pattern difference information to new reports

FIXES

• Fixed an issue where local scans got lost when the Invicti root directory was changed
• Fixed an issue where the Dark theme was not applied in the Comparison Report dialog
• Fixed an issue where true responses could not be processed correctly because of the ’00’ suffix
• Fixed the cookie parser by removing the whitespace and disallowed character checks for cookie names
• Fixed typos in the HSTS warning and error template
• Fixed a NullReferenceException that was thrown during Authentication verification
• Fixed a NullReferenceException that was thrown while the scan is moving from one phase to the next
• Fixed a NullReferenceException that was thrown when a new root node was being added to the Sitemap
• Fixed an issue where headers were duplicated in the Swagger importer
• Fixed an issue where 201 (Created) responses occasionally caused incorrect redirects during Form Authentication and DOM simulation
• Fixed an issue where the Update button icon was not changing when the download started
• Fixed the problem where PDF reports did not generate when exporting reports on a network share path
• Fixed the problem where it was not possible to change the default logo to a custom logo on new reports
• Fixed the Summary information alignment on PDF reports
• Fixed the problem of empty response information in XML reports
• Fixed various localization problems in reports

FIXES

• Fixed duplicate report templates when updated from an older version
• Fixed Axway XXE payload injected to the wrong position
• Fixed the incorrect Edition displayed on About dialog
• Fixed several dark theme issues for messages displayed when an invalid value set to an option
• Fixed IIS capitalization problem in the Site Profile Knowledge Base

NEW FEATURES

• Added the ability to create custom Security Checks via a Scripting feature
• Added a new authentication, Manual Authentication, which allows you to import and replay your pre-recorded requests
• Added custom Vulnerability creation support to the Report Policy Editor
• Added a new 3-Legged Token flow type for OAuth2 authentication
• Added Microsoft Teams Send To integration
• Added Webhook Send To Integration
• Added Clubhouse Send To Integration
• Added Trello Send To Integration and configuration wizard
• Added Asana Send To Integration and configuration wizard
• Added a configuration wizard to the Jira Send To Action
• Added a Configuration Wizard to the Redmine Send To Action
• Added an option to the Save Report dialog for including and excluding Unconfirmed vulnerabilities
• Added an option to configure the file upload folder that the File Upload Engine attacks to find uploaded files
• Added information about SSL implementation in the Target Website to the Site Profile node in the Knowledge Base
• Added support for importing authentication settings from Postman files
• Added support for importing pre-request scripts from Postman files
• Added an ‘Enable or Disable logging recurring parameter detection’ option to the Advanced tab in the Options dialog
• Added a Delete button to the ‘Start a New Website or Web Service Scan’ dialog to enable the deletion of the current profile
• Added support for importing multiple IO/docs files from a zip file

NEW SECURITY CHECKS

• Added Web Cache Deception engine to the list of Security Checks
• Added a new XXE pattern for detecting the Axway SecureTransport 5.x XXE vulnerability
• Added new attack patterns for DOM based XSS
• Added new attack patterns for Remote Code Execution in Ruby
• Added new attack patterns for Out-of-band Remote Code Execution in Ruby
• Added new attack patterns for Remote Code Execution in Python
• Added new attack patterns for Open Redirect security check
• Added an email validation bypass payload for XSS
• Added a header injection XSS pattern
• Added a security check to determine whether an http website has implemented SSL/TLS
• Added a security check for File Content Disclosure in Ruby on Rails via exploiting Accept header
• Added mutation XSS patterns
• Fixed the SSRF confirmation problem
• Added Apple’s App-Site Association file detection
• Added exploitation support for File Content Disclosure in Ruby On Rails, CVE-2019-5418
• Added new LFI attack patterns for the access.log file
• Added support for exploiting JSONP endpoints with the format parameter in Ruby On Rails
• Added support for detecting Python remote code execution
• Added RFC compatible SSRF IPv6 patterns
• Improved the Apache Struts (CVE-2013-2251) attack pattern
• Added PHP Injection fixed one time Referrer attack
• Updated the attack value of the PHP Injection fixed one time attack pattern to use short notation instead of the print function
• Improved the regex pattern of the WebLogic version disclosure pattern
• Added a PoC pattern for Apache Struts (CVE-2013-2251)
• Added out-of-date checks for the Slick JavaScript library
• Added out-of-date checks for the ScrollReveal JavaScript library
• Added out-of-date checks for the MathJax JavaScript library.
• Added out-of-date checks for the Rickshaw JavaScript library
• Added out-of-date checks for the Highcharts JavaScript library
• Added out-of-date checks for the Snap.svg JavaScript library
• Added out-of-date checks for the Flickity JavaScript library
• Added out-of-date checks for the D3.js JavaScript library
• Added out-of-date checks for the Google Charts JavaScript library
• Added out-of-date checks for the Hiawatha and Cherokee server
• Added out-of-date checks for the Oracle WebLogic server
• Added out-of-date check for IIS
• Added version disclosure detection for the Hiawatha Server
• Added version disclosure detection for the Cherokee Server
• Added source code disclosure checks for Java Servlets
• Added source code disclosure checks for Java Server Pages
• Added new source code disclosure patterns for Java
• Added detection for .htaccess file Identified
• Added detection for Opensearch.xml files
• Added detection for SQLite error messages
• Added detection for security.txt files
• Added detection for swagger.json files
• Added detection for OpenSearch files

IMPROVEMENTS

• Redesigned all HTML reports
• Updated browser engine to Chromium v70
• Added support for array parameters in GET and POST requests
• Security Check Groups are now arranged into sub-groups in the Scan Policy Editor dialog
• Moved the vulnerability severity level, Best Practice, so that it takes precedence over the Information level
• Implemented scrolling to the bottom of the page after each DOM simulation completes
• Added support for generating HTML element code from select elements in the Form Authentication Custom Script Editor dialog
• Added the ability to search for Invicti Enterprise scans using the Target URL
• Changed the Password field to Token in the Jira Send To Actions integration
• Added scrollbar annotations to the Sitemap to indicate vulnerability locations
• Added Vulnerability Export Options to the Schedule Scan dialog
• Improved the accuracy of the scan progress calculation displayed in the Progress panel
• Added Postman variable support to the Postman Importer
• Added an option to the Advanced tab of the Options dialog to configure the maximum number of variations that will be reported
• Improved the Site Profile node in the Knowledge Base to display Database name and username information
• Improved the Site Profile node in the Knowledge Base to information about whether the exploited Database user has admin privileges
• Moved the Accept header’s related options to the Custom Headers panel
• Improved the error message displayed when an invalid Swagger file is imported
• Added an improvement to the application’s ‘remember last opened folders’ feature
• Optimized the size of late confirmation files to improve disk space consumption
• Added a new Invicti Assistant check to handle an excessive amount of application logs
• Added an application level notification to remind the user to restart the scan after profile or policy switch operations
• Updated the Ruby on Rails File Content Disclosure (CVE-2019-5418) vulnerability template
• Added generated proof data to the RoR File Content Disclosure report
• Improved the Proof list in the Knowledge Base to display multiple proofs with different values for the same website
• Improved the MimeType list to display request mime types
• Improved the display format of the redirect URL in the Open Redirect (DOM based) vulnerability
• Improved the Weak Ciphers Enabled vulnerability description
• Added zone.js support to the DOM simulation
• Removed Jira (Legacy) Send To Actions integration
• Changed the Unfuddle Send To Action’s create issue method’s request body data format from XML to JSON
• Updated the progress message displayed when multiple vulnerabilities are being sent via the Send To Action
• Improved TFS and Azure Send To Action to send issue details according to the Work Item type, and the Repro Steps field is set for bugs, while the Description field is set for issues or features
• Added a code block view to the Report Template viewer
• Added an information message to be displayed when closing Invicti if a Send To Action task is still executing
• Added custom field support to the ServiceNow Send To Action
• Added a message to be displayed if the Send To Actions settings have been configured incorrectly
• Updated the Remedy section of the Insecure Transportation Security Protocol Supported (SSLv2) vulnerability template
• Added a RAML option to the Enter Links/HTTP Requests dialog
• Optimized attack patterns environments to enable the Scan Policy Optimizer to produce more optimized policies
• Added a log to display when a vulnerability is discarded due to the Vulnerability Families feature
• Added an update to the progress warning on application closing
• Improved the calculation of attack possibilities of DNS-based SSRF attacks to prevent unnecessary attacks
• Included Ruby and Python RCE vulnerabilities in the vulnerability family
• Added a web server field to the access.log patterns for optimization
• Included SSRF vulnerabilities in the vulnerability family
• Improved the XSS vulnerability report to be more explicit about the data shown
• Added ‘Do not expect challenge (Basic Authentication)’ option to Form Authentication logout detection
• Updated the Impact sections of all Cross-site Scripting vulnerability templates
• Added ISO27001 information to the Vulnerabilities List (Detailed) XML report
• Added an injection prefix to the attack parameter and value name in the vulnerability templates when the vulnerability has an injection request and response
• Moved Code Execution via SSTI vulnerabilities to the Code Evaluation family
• Added highlighting to Stored XSS
• Improved User Agent settings in the Scan Policy editor
• Added missing environment information for attack patterns
• Increased the Start New Scan dialog’s default height to prevent showing the inner scroll bars
• Added logs for URL Rewrite settings
• Added logs for Form Authentication settings
• Added a warning message to be displayed a used Scan Policy is deleted
• Added the attack pattern name to the debug header information
• Updated the Remedy sections of all Cross-site Scripting vulnerability templates
• Added command search capability to the application’s main menu
• Improved the Update Available dialog
• Improved the X-Frame-Options header check to report misconfiguration when two different settings are used at the same time
• Improved parsing in nested JSON OAuth2 token responses
• Added missing HIPAA classifications to Out-of-Date vulnerability templates.
• Added an explanation to the Controlled Scan Summary popup about vulnerability families
• Improved the Swagger parser to read multipart/form-data mime types
• Improved system registry related Remedy sections in the vulnerability templates
• Added drag and drop capability to URL Rewrite settings
• Added verification to Authentication settings
• Added an additional External Reference to the IIS Out of Date vulnerability template
• Added a default initial directory to Imported Links and the scan Import dialog box
• Updated the Save Report dialog UI
• Updated broken reference links in the Report Policy
• Added validation that checks empty Header Authentication settings
• Set the default folder of the Open File dialog to Invicti Scans during the importing of a scan

FIXES

• Fixed an ObjectDisposedException that was thrown when activities were cancelled in the Activity Panel
• Fixed the capitalization of server-side applications in the Site Profile
• Fixed an issue where all Proofs were not listed in the Knowledge Base node
• Fixed an exception that occurred when updating the Proof data in the Site Profile
• Fixed an issue in the exploitation of the Code Evaluation vulnerability where a wrong proof was generated.
• Fixed an issue where the Proof Of Exploit title was displayed on the vulnerability template when there was no proof
• Fixed a double encoding issue in the Generate Exploit template for XSS
• Fixed an encoding issue in the confirmation phase of PHP wrapper-based LFI attacks
• Fixed incorrect behavior in the Internal Proxy
• Fixed VDB update requests that don’t use the upstream proxy issue
• Fixed a Code Evaluation pattern that attacks URL Rewrite parameters
• Fixed an issue where similar kinds of SQL Injection vulnerabilities were being reported in the same URL Rewrite parameter
• Fixed an issue where the value of the Accept-Language header of the Imported Links were overwritten during a scan
• Fixed an issue where the Cache-Control header was added by default to Imported Links
• Fixed an issue causing Report Policy Editor to fail while saving new template references.
• Fixed duplicate template references in the Default Report Policy
• Fixed the problem of the Progress dialog not displaying while importing links from CSV files
• Fixed an issue that occured when the re-crawling phase was skipped
• Fixed the Suggested Action for the Best Practice severity in the report templates
• Fixed the problem of the progress not being updated in the Link Importer
• Fixed the problem of the progress not being displayed correctly while importing links from an Invicti session file
• Fixed the Remedy and External References links in the Vulnerability Viewer so that they open in the default browser
• Fixed a problem where the value of the User-Agent header was overwritten for imported link requests
• Fixed an issue where Invicti was attacking the HTTP endpoint of a URL instead of attacking the HTTPS protocol
• Fixed various typos in the vulnerability templates
• Fixed several Cookie related issues by updating Cookie parsing and storage according to the latest RFC 6265
• Fixed an issue in the Sitemap where it was displaying 404 pages
• Fixed the attack payload of the Function – End Comment – Double Quote – Encoded pattern
• Fixed the issue where the header values of the Imported Links were not prioritized over header policy settings
• Fixed an issue where the Base64 payload was not being encoded properly during the confirmation of PHP wrapper-based attacks
• Fixed a CVSS scores rendering issue in the Vulnerability panel
• Fixed the issue where the plus character was not encoded in PHP cookie attacks
• Fixed the Double Encoding problem in the Static Resource Finder attacks
• Fixed the URL Encode problem in the Static Resource Finder attacks
• Fixed an issue where variations were not shown in the report when a vulnerability was ignored
• Prevented the attacker from attacking the Sitemap.xml file
• Fixed an issue where Resource Finder requests were not carried out when the server returned a 403 Forbidden error
• Fixed a NullReferenceException that was thrown during the execution of the late confirmation phase
• Fixed the Double Encoding problem in PHP Wrapper Confirmation attacks
• Fixed the problem where the request was loaded to the request builder following injection and identification requests
• Fixed a problem in the filtered Issues panel that prevented vulnerabilities from being ignored
• Fixed an issue where the Force Pause button icon and label were overlying each other
• Fixed the custom field names in the Version Disclosure templates
• Fixed the problem where an AppDomainUnloadedException was sometimes thrown when the Custom dialog was closing
• Fixed an ObjectDisposedException that was sometimes thrown when Invicti was closing
• Fixed the escaping of forward slashes in custom scripts
• Fixed the Not operand issue in the Sitemap filter function
• Fixed an issue where the favicon of the scanned website was not updated in the Sitemap
• Fixed the problem where the attack payload was not properly encoded during the Code Execution check
• Fixed an issue where a vulnerability that was found in a different parameter on the same link was discarded due to Vulnerability Families
• Fixed an issue that caused vulnerabilities that came from static resources to be added to the wrong parent in the Sitemap
• Fixed the Proof generation for the Ruby Remote Code Execution vulnerability
• Fixed a bug in the XSS vulnerability confirmation
• Fixed the empty message displayed in the Sitemap where the filtered view did not display any data on loading
• Fixed the localization issue on scans that occured when the application language was modified
• Fixed inconsistent reporting of DNS-based SSRF
• Fixed the format of the confirmation attack payload in XSS to be hex-based
• Fixed the XSS exploitation template to handle injection request
• Fixed the CSS selector generation inside iframes in the Custom Script dialog
• Fixed the XSS confirmation that failing with a Base64 payload
• Fixed an exception that was thrown by displaying a warning message when a read-only Scan Policy file is used
• Fixed the issue where the responses of Full URL attacks were not parsed for links
• Fixed an issue where the Too Many Logouts error messages were displayed even when Form Authentication was disabled
• Fixed the problem where invalid Send To Action settings were removed from the Options dialog
• Fixed the problem where the Hawk test results were cleared during Scan Policy optimization
• Fixed an issue where Invicti was mistakenly making requests to Excluded URLs even when they were JS or CSS files
• Fixed an issue where Ignored Parameters were not ignored while analyzing recurring parameters
• Fixed the incorrect Sitemap root node size for high DPI screens
• Fixed a bug in the XSS vulnerability confirmation where the name of the triggered JS function was incorrect
• Fixed an issue with code generation in the Custom Script dialog while the IDs of input elements contained username or password literals
• Fixed a NullReferenceException that was thrown from the Internal Proxy
• Fixed the problem of light toolbars displayed when the Dark Theme was configured
• Fixed the argument exception in the File menu
• Fixed the grammar error in the Trial License error message
• Fixed auto start problem that occurred following installation
• Fixed the inconsistent state of the Start a New Website or Web Service Scan dialog where an unauthorized Scan Policy file exists
• Removed the ‘ps aux’ command from exploitation process
• Fixed an issue where the Invicti UI tabs were occasionally throwing exceptions
• Fixed a NullReferenceException that was caused during the handling of XHR requests in DOM simulation
• Fixed a comparison error that occured when the Sitemap panel attempted to order its nodes
• Fixed an issue that occurred with the Exclude This Branch From Attack option that caused missing operations during authenticated scans
• Fixed the problem where previous session data was cleared during Form Authentication
• Fixed the problem of an empty file name in the LFI proof data
• Fixed the issue where the cloud settings dialog was displayed repeatedly on the Scan Import screen
• Fixed the Sitemap and Issues panel’s button paddings
• Fixed an issue where the error logs in the Swagger importer were displayed twice
• Fixed an issue in the Request Builder where the request method changed to POST while a PATH request was being edited
• Fixed an issue where cookies that were set in a JavaScript context were not being captured properly
• Fixed an issue where Invicti was occasionally conducting requests with stale cookie values
• Fixed the resetting of the Activity Viewer’s column sizes layout reset
• Fixed a persistence issue in the Invicti Assistant notifications
• Fixed the customization menu displayed in the Auto Send to Settings panel.
• Fixed an issue where the attack payload was not carried out for some URL Rewrite attacks
• Fixed an Insecure HTTP use reported on a redirected response
• Fixed the activation of the Progress Panel displayed after the resumption of a scan
• Fixed an issue where the Authorization header was duplicated when it was provided via Imported Links
• Fixed the column sizes in the Request Builder
• Fixed a bug that occurred while parsing the favicon image source of the Target Website.
• Fixed the issue where the default Content-Type was treated as text/html when no Content-Type was specified
• Fixed an issue that caused the Exclude by CSS Selector field to be cleared in the JavaScript section of the Scan Policy Editor dialog when loading preset values
• Fixed the grouped node’s count in the Sitemap panel
• Fix the attack value that was not implemented correctly in RFI confirmation attacks
• Fixed the issue where the request identifier could not be detected due to invalid characters in the JSON value
• Fixed the GET icon that was displayed for POST requests in the Issues panel
• Fixed an issue where a confirmed vulnerability was removed because of Vulnerability Family checks
• Fixed an issue where an eval block was treated as a non-executable block in XSS confirmation
• Fixed an issue where some links were treated as the same when parameter-based navigation was configured
• Made the Progress panel’s percentage label more precise
• Fixed some character encoding problems in the Request Builder
• Fixed an exception that occurred when updating the Site Profile node in the Knowledge Base panel
• Updated the Send To Action template files in order to render vulnerability fields properly
• Fixed the grouped node filter issue in the Sitemap panel
• Fixed several stability issues with the browser engine
• Fixed a NullReferenceException in the Content Security Policy engine
• Fixed some Korean text
• Fixed the problem where the JavaScript settings tab scrollbar was not displaying properly in the Scan Policy Editor
• Fixed an issue where the Content-Type header was not always set properly for POST requests
• Fixed the Knowledge Base Viewer search issue where adding a space and clearing caused a loss of styles in the report
• Fixed a validation error in the Swagger Importer
• Fixed the bug where the XXE engine made a confirmation attack using the same payload
• Fixed an issue that caused a NullReferenceException to be thrown when a filter was applied on the Sitemap
• Fixed the problem where an obsolete column was deleted during migration of an old Report policy
• Fixed a typo in the WASC classification link
• Fixed the issue where the database username was being added incompletely to the Site Profile node of the Knowledge Base
• Fixed an issue where obsolete vulnerability types were listed in the Report Policy Editor
• Fixed setting OAuth2 label to unmodified state while using the default Scan Profile
• Fixed the problem where the user-agent was not set for requests when the user agent was forced in the Scan Policy Editor
• Fixed the issue where Request Builder columns were not resized correctly in high DPI environments
• Fixed the default height of the Browser View panel which caused inconsistent scrollbar behaviour
• Fixed the digit color in the HTTP Request/Response panel
• Fixed an issue that caused a NullReferenceException to be thrown when accessing the Identification node in the sSitemap
• Fixed an issue that prevented the Cookie Analyzer Engine settings from being reset
• Fixed a JavaScript exception from being thrown during the simulation of React websites
• Fixed an issue that caused the Target URL to also be scanned when a scan was configured for Imported Links only
• Fixed an issue that allowed duplicate headers in the Scan Policy Editor
• Fixed an issue where removed vulnerability types were still listed in the Vulnerability ProfileEditor dialog
• Fixed the precedence values of Possible SSRF vulnerabilities
• Fixed the signature pattern of the IIS Version Disclosure template
• Fixed the culture-specific date format used in the Vulnerability List Report templates
• Fixed the custom report’s duplicate name extension problem
• Fixed an issue that caused vulnerabilities to be reported on 404 pages
• Fixed an issue that allowed invalid characters to be entered in the Target Website or Web Service URL field
• Fixed a KeyNotFoundException that was sometimes thrown when a request’s Content-Type was not set
• Fixed an issue concerning the auto-complete behaviour of the SQL Injection panel
• Fixed the issue where proof generation did not work correctly for redirected URLs in Boolean SQL Injection engine
• Fixed an issue where the SSL Checker engine stopped working when. the user unchecked the ‘Do not differentiate HTTP and HTTPS protocols’ option in the Scope settings
• Fixed the problem where the SQL injection exploitation continued indefinitely
• Fixed the padding of dialogs where users are using the application within high DPI screens
• Fixed the default width of the Activity Viewer’s columns
• Fixed an issue where some engines were not working in Controlled Scan because some attacks are skipped due to Vulnerability Families
• Fixed an issue that prevented the Custom 404 Analyzer from detecting 404 pages
• Fixed an issue where the Invicti Assistant-generated Scan Policy file name was exceeding the length limit
• Fixed an Internal Proxy error caused by the PATCH method
• Fixed a NullReferenceException that was causing the Controlled Scan to continue indefinitely
• Fixed a confirmation bug in the SQL engine
• Fixed the problem caused when users were importing links with the authentication header by overriding the existing OAuth2 token
• Fixed an issue that caused an update error when multiple Invicti Standard instances were opened
• Fixed an issue where the selected policy showed Default Security Checks after restarting the scan via the Invicti Assistant
• Fixed an issue in the CSRF engine where non-hidden inputs could be treated as anti CSRF tokens
• Fixed a duplicate link creation issue in the Report Policy editor when you update and save the remedy section
• Fixed the problem that occured while sending hidden vulnerabilities via the Auto Send To feature
• Fixed the failure of the Auto Send To feature that occured when the Send To Action values had been changed
• Fixed the width of Activity Viewer columns for high DPI screens
• Fixed the setting of the OAuth2 token name while using a fixed token type
• Fixed the setting of the OAuth2 token to override empty authentication headers while importing links
• Fixed an issue where empty headers were added to requests imported from Postman
• Fixed the problem of the hanging progress bar that occurred during scanning
• Fixed an issue where a request with an empty body was treated as a JSON request
• Fixed an issue where an XSS vulnerability was reported inside of non-executable HTML tags
• Fixed an issue where the scan folder was deleted after deleting a scan from the Local Scans folder
• Fixed a NullReferenceException that was thrown when running a Controlled Scan after importing a scan file
• Fixed a bug where a Link not Selected error was shown, even though it was selected in the Controlled Scan panel
• Fixed an issue where Invicti was missing passive vulnerability checks for endpoints that occured as XmlHttpRequests
• Fixed a bug where Controlled Scans could not be started for the selected nodes
• Fixed an issue that caused an ArgumentException to be thrown when activating a license
• Fixed the button height in the Controlled Scan panel to remove an empty area
• Fixed the problem where the OAuth2 refresh token timer stopped after a scan was finished
• Fixed an issue that caused the PathTooLongException when checking effective scope at start new scan dialog.
• Fixed the newline in the Regex Pattern of SVN disclosures
• Fixed an issue where the URL Rewrite settings panel was not highlighted when a setting had been changed
• Fixed the issue where the Controlled Scan was stuck when the scan state had been paused
• Fixed the status of the taskbar icon following the end of a Retest scan
• Resource Finder activities will now be stopped faster when the scan is paused
• Fixed a bug that occurred during the parsing of the refresh token of Implicit OAuth2 flow’s response
• Fixed the problem where it was impossible to get a new OAuth2 token if refresh token was not set
• Fixed the problem that occurred when navigating the Sitemap and Knowledge Base nodes with the keyboard
• Disabled the Save option in the Default profile in the Start New Website or Web Service Scan dialog
• Fixed a bug that occurred when setting the Scan Profile before testing OAuth2 credentials
• Fixed an issue where no warnings were displayed when Basic/NTLM authentication settings were left empty
• Fixed the Vulnerability Severity Level order in the Report Policy Editor’s context menu
• Fixed the Best Practice severity level’s caption in the Report Policy Editor’s context menu
• Fixed the Vulnerability Severity Level’s order in the profile list in the Report Policy Editor dialog
• Fixed an ArgumentNullException that was thrown when the F9 key was pressed
• Fixed an issue that caused an invalid file name error in the ave Report dialog
• Fixed the issue where a Base64 value could not be decoded due to an invalid length in the Encoder panel
• Fixed the proxy authentication problem in manual crawling when a custom proxy is configured
• Fixed an issue to prevent the ampersand character from being encoded in an XML attack
• Fixed the Azure DevOps Send To Action to enable it to send vulnerabilities to the TFS
• Fixed an issue where the attack parameter was not shown for some vulnerabilities in the Detailed Scan Report
• Fixed an issue where redundant logs were written for enforced Basic Authentication setting
• Fixed the issue where auto-complete enabled was not reported when there was only one password input
• Fixed the issue where auto-complete was treated as enabled when the attribute value was ‘new-password’
• Fixed the problem where multiple OAuth2 refresh token requests were sent while refreshing tokens
• Fixed the stale activities still remaining on the list at the end of the scan
• Fixed the broken order function of External References in the Report Policy Editor
• Fixed an unhandled UnauthorizedAccessException that was occasionally thrown while closing the Form Authentication Custom Script dialog
• Fixed the issue where some special XML chars were encoded when the parameter was already encoded

FIXES

• Fixed a bug where HTTPS endpoints might not be crawled properly upon a navigation action during DOM simulation
• Fixed a bug with Manual Crawl mode where the execution might stop after the initial crawling phase ends
• Fixed an issue where form authentication might fail to execute in some React websites
• Fixed an issue where the process may crash due to a NullReferenceException

IMPROVEMENT

• Improved stability of scan by dynamically adjusting the thread count according to system resources

FIXES

• Fixed high CPU usage caused by connectivity issues that were occurring during a scan
• Fixed the issue where Referrer Policy Not Implemented was being reported for redirect responses
• Fixed the issue where CSP Not Implemented was being reported for redirect responses
• Fixed the issue where Missing X-XSS Protection was being reported for redirect responses
• Fixed the issue where Missing X-Frame-Options Header was being reported for redirect responses
• Fixed a bug where cookies were reported as not secure in authenticated scans
• Fixed an automatic Logout Detection issue during form authentication verification, where the login required URL was requested with an HTTP POST method
• Fixed clearing internal web browser’s cache while executing authentication process
• Fixed the broken Crawled and Scanned URLs List (JSON) Report Templates
• Fixed the incorrect error message that was displayed while generating a Comparison Report with no selected scan files
• Fixed the Browser View that stayed open when a non-HTML response was selected
• Fixed the incorrect severity colors on Comparison Reports
• Fixed an issue where some of the toolbar items were not displayed on the Sitemap and Issues panels
• Fixed the broken ModSecurity WAF Rules Report Template
• Fixed a time based security check issue occurs when the target web server is not accessible
• Fixed the bug on issues panel where the number of vulnerabilities displayed next to severity group node was incorrect
• Fixed the incorrect send to icon size on high DPI screens
• Fixed an issue where browser viewer could not show content when content type of request was text/html
• Fixed an issue where React controlled fields may not be updated during  Form Authentication
• Fixed an issue where Invicti Enterprise options are displayed while trying to import a scan file on back stage view
• Fixed a bug on issue panel where group node was shown as ignored when child node is ignored
• Fixed an issue on sitemap tree where number of nodes are reported incorrect when it is grouped
• Fixed an InvalidCastException thrown while browsing a response

IMPROVEMENT

• Improved Source Code Disclosure (ColdFusion) attack pattern

FIXES

• Fixed multiple logout detection popups being unnecessarily shown
• Fixed an issue that was causing Scheduled Scans to run slower than regular scans
• Fixed an issue where redundant scan folders are created when scans are auto saved
• Fixed a performance issue caused in scans with excessive amount captured links
• Fixed a NullReferenceException thrown by Expect CT security checks
• Fixed an ArgumentNullException thrown by Expect CT security checks
• Fixed a NullReferenceException thrown by Sitemap tree
• Fixed the broken paddings on RFI knowledgebase proof representation of tasklist command

FIXES

• Fixed an InvalidOperationException thrown from several operations during scan
• Fixed the incorrect favicon rendered on Sitemap tree

FIX

• Fixed a NullReferenceException thrown when a vulnerability variation is ignored from Issues tree

NEW FEATURES

• Added “Do not differentiate HTTP and HTTPS protocols” option to scope settings
• Added 3-Legged Token flow for OAuth2 authentication
• Added an option to be able to use a fixed OAuth2 token type

NEW SECURITY CHECK

• Added new XSS pattern that injects attack payload to HREF attribute

IMPROVEMENTS

• Added reporter account id to JIRA Send To
• Updated SSRF ipv6 pattern names
• Improved the visibility of Resume button while performing a Manual Crawling
• Improved the error message displayed while importing Swagger links

FIXES

• Fixed retrying getting OAuth2 token
• Fixed a NullReferenceException thrown when OAuth2 enabled scan is loaded
• Fixed an UnhandledException thrown during DOM Simulation in some rare cases
• Fixed pausing scan when OAuth2 authentication failed
• Fixed logging OAuth2 error messages
• Fixed showing context menu for activity viewer’s group rows
• Fixed a NullReferenceException thrown when mouse is moved over sitemap
• Fixed the missing space character on Best Practice severity text on issues panel
• Fixed the incorrect position of Force Pause button on high DPI screens
• Fixed the white screen flashed on dark theme while navigating between KB screens
• Fixed the tiny progress animation on license popup dialog
• Fixed the dark theme issues on Advanced Settings screen
• Fixed a KeyNotFoundException thrown when the scan has finished
• Fixed the issue where ignoring first vulnerability variation ignores all variations
• Fixed a NullReferenceException thrown while Security Checklist panel is being activated if Scan Policy Editor dialog is opened by Assistant
• Fixed an issue where DOM simulation might conflict with some JS frameworks
• Fixed the broken Ignore From this Scan context menu action on Sitemap panel
• Fixed a NullReferenceException thrown from Invicti Assistant
• Fixed the NullReferenceException thrown when a Manual Crawling scan is imported and then resumed
• Fixed the issue where recently optimized scan policy is not selected when the Start a New Scan window is opened again
• Fixed an issue where multiple persona could be selected on Form Authentication settings
• Fixed the garbled configuration sample in Remedy section of HSTS Policy Not Enabled vulnerability
• Fixed the incorrect behavior on Notifications panel when it is scrolled to the end
• Fixed a NullReferenceException thrown while generating a report from a scan that contains a File Upload Vulnerability
• Fixed an issue where an extra ampersand is appended to query string while generating URL of a Swagger imported link
• Fixed an XmlException while trying to parse a sitemap.xml response that is not found
• Fixed a GZip decoding issue while trying to decode a compressed sitmeap.xml
• Fixed an unhandled NullReferenceException thrown from Sitemap
• Fixed parsing OAuth2 response regardless of the response content type
• Fix parsing JSON content type in Swagger parser to handle unexpected content types instead of creating a request for them
• Fixed performance issues caused by excessive logging when Activity Tracking is enabled
• Fixed a stuck scan issue on web sites using React JavaScript framework
• Fixed a Postman file importing issue where the response is not base64 encoded
• Fixed a NullReferenceException thrown while checking mutations on DOM
• Fixed an unhandled “InvalidOperationException: Object is currently in use elsewhere” error
• Fixed an error where XML and JSON responses could not be rendered on response viewers
• Fixed an unhandled NullReferenceException thrown from Assistant
• Fixed several NullReferenceException errors thrown while viewing knowledgebase items
• Fixed an issue where the current ongoing scan could be deleted from Local Scans section
• Fixed an InvalidOperationException “Database is not open” error

NEW FEATURES

• Added Invicti Assistant, a smart scan assistant that will guide you through a Scan
• Added OAuth2 Authentication support
• Added a new Best Practice severity level for vulnerabilities that are recommended practices but not critical
• Added Azure DevOps Send To integration
• Added an option to report only Confirmed vulnerabilities while generating reports
• Added Redmine Send To integration
• Added Bugzilla Send To integration
• Added F5 WAF rule generation
• Added Dark UI theme
• Added RESTful API Modeling Language (RAML) link import support
• Added facility to exclude certain URLs from URL Rewrite Detection
• Added support for importing links from WordPress REST API files
• Added a Scan Policy for OWASP Top 10 vulnerabilities
• Added a Scan Policy for PCI vulnerabilities
• Added support for deleting a Scan from Local Scan files

NEW SECURITY CHECKS

• Added support for exploiting Drupal Remote Code Execution (CVE-2019-6340)
• Added Unicode Transformation (Best-Fit Mapping) security check
• Added detection for possible Header Injection
• Added out-of-date detection for Oracle Database Server
• Added out-of-date detection for Mithril
• Added out-of-date detection for ef.js
• Added out-of-date detection for Match.js
• Added out-of-date detection for List.js
• Added out-of-date detection for RequireJS
• Added out-of-date detection for Riot.js
• Added out-of-date detection for Inferno
• Added out-of-date detection for Marionette.js
• Added out-of-date detection for GSAP
• Added config.json check to Resource Finder
• Added detection support for TS Web access
• Added detection support for .travis.yml

IMPROVEMENTS

• Improved Scan performance by allocating computer resources better
• Included XXE, File Upload, SSL, RFI, ELI, XSS via RFI vulnerabilities into vulnerability families
• Out-of-date server-side apps are highlighted in the Site Profile
• Clicking on links displayed in Knowledge Base items will navigate to the related node
• Added URL to the Email List Knowledge Base
• Added URL to the request which cookie is set on Cookies Knowledge Base
• Custom URL Rewrite Rules can be sorted by clicking the column header
• Added a description that tells why only 10 pages are reported on Slowest Pages Knowledge Base
• The URL Rewrite Rules that are found automatically during the scan are sorted alphabetically in the Knowledge Base
• Added an option to prevent the operating system from going to sleep while there is a scan in progress
• Added an Exploit context menu item to the Sitemap and Issues nodes
• Vulnerable parameters are now highlighted in the Sitemap and Issues nodes
• Updated Code Evaluation (PHP) attack patterns
• Due Date setting has been replaced with Due Days on some of the Send To integrations
• Improved the icons used in the Sitemap and Issues nodes
• Removed deleted scan files from the File Import list
• Improved DOM Simulation performance and fixed several issues
• Improved react JavaScript framework support on Form Authentication
• HTML Select elements without event listeners are simulated in DOM Simulation
• Improved the performance of the Activity pane’s viewer
• Added a Copy URL context menu item to the Activity viewer
• The File Upload engine searches newly discovered file names in the upload response and in the upload folders
• Improved operating system detection by the Site Profile node in the Knowledge Base
• Added Activity Status information to the Sitemap nodes
• Added support for attacking the name of POST parameters
• Improved the layout for Reports on scans that detected zero vulnerabilities
• Improved the External References for several vulnerabilities
• Added ISO 27001 information to the Executive Summary Report
• CSP vulnerabilities will no longer display a ‘certainty’ value if they are already marked as Confirmed
• Fixed an issues in DOM Simulation where the change of select elements was not being properly dispatched to the underlying JavaScript framework
• Added support for exploiting XSS on text and XML content types
• Users can now resize the Activity Viewer columns
• Out of Date SQL vulnerabilities are reported as Confirmed
• Added clarification for branch logic in the latest versions of the Report Template for Out of Date vulnerabilities
• Added hyperlinks for Folders.txt in the Common Directories engine and GenericEmails.txt to Ignored Email Address settings for easy access
• All security engines are checked when the Controlled Scan panel is manually opened
• Added Cookie Whitepaper reference to cookie vulnerability templates
• Added External References to ExpressJS, CakePHP and Possible Stored XSS templates
• Improve grammar in Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability details
• Added support for highlighting input elements that are used to send passwords over query strings
• Improved rendering performance of the Knowledge Base’s Comments page when there are too many comments
• More commands are executed in the Code Evaluation exploitation to generate proofs
• Improved Out of Band SSTI attack payloads
• Added automatic selection in the Form Authentication dialog when all fields are filled up
• Added case sensitive search for Raw Response viewer
• Added an overlay to display longer scans are being imported, to block user activity and show progress
• Added Show/Hide Password button in Form Authentication settings
• Added an information dialog displayed when a scan is finished and Invicti window is in the background
• Improved highlight function for detected JavaScript libraries
• Improved reports to display the product version on which the Scan is performed
• Improved the HTTP Request Builder panel to display generic headers
• Manuscript has been renamed FogBugz
• Scan Profile, Scan Policy and Report Policy comboboxes are disabled when the Scan is finished
• Improved RFI confirmation for URL Rewrite parameters
• Improved adding Out of Date Information Database information to the Site Profile
• Improved signatures of Nginx Version Disclosure patterns
• Optimized the attack speed of XSS and LFI engines
• The Concurrent Connection slider in the Scan Policy Editor has been changed to Request Per Second to comply with new scan performance improvements
• Added a piece of extra information to Out-of-date vulnerability templates to explain the vulnerability reason
• Security Checks search has been improved in the Scan Policy Editor by tagging the SSL/TLS related security checks
• Cookie checks will analyze session cookie names to detect platform-specific default session names
• Missing HIPAA classifications in Insecure Transportation Security Protocol Supported Default Report Policy templates have been added
• Stored XSS and Insecure Frame Default Report Policy vulnerability descriptions have been improved
• Phishing by Navigating Browser Tabs Default Report Policy vulnerability description have been improved
• Added Jira Account ID field for Jira Send To Action to assign issues to a user as JIRA Api will not accept username after 29 April 2019

FIXES

• Fixed failing VDB update when multiple instances were running
• Fixed the incorrect URLs that were added during the DOM simulation for forms without action attributes
• Fixed the issues where extra vulnerabilities were added to the Sitemap during a Retest All
• Fixed the issue where the SameSite cookie vulnerability was reported for cookies that were missing Lax or Strict attributes
• Fixed an issue where JavaScript file parsing was taking longer than expected in some occasions
• Fixed an issue where copied URL Rewrite Rules from Knowledge Base cannot be pasted in URL Rewrite settings
• Fixed an issue where JavaScript file parsing might take longer than expected in some occasions
• Fixed a NullReferenceException that was thrown while saving the layout of panes
• Fixed an ObjectDisposedException that was thrown when cancelling a Retest
• Fixed the Listening Port so that it is no longer set for the next Manual Crawl
• Fixed the issue where Finished Scans were displayed a Paused Scan icon
• Fixed the issue where the Fixed notice text was missing for fixed vulnerabilities
• Fixed the issue where the incorrect severity was reported for the Cookie not Marked as Secure vulnerability of a non-session cookie
• Fixed the incorrect order of the vulnerabilities in the Issues panel
• Fixed the Trial Licence dialog that was popping up twice
• Fixed the issue where data from a previous scan was displaying in the Activity panel
• Fixed HTTP 400 errors raised by the ServiceNow Send To integration
• Fixed the ObjectDisposedExceptions error that was thrown during Blind SQL Injection checks
• Fixed an issue where the SSL client handshake code was having issues while trying to communicate with a specific server with different configuration
• Fixed the issue where the status bar displayed the incorrect number of remaining trial days
• Fixed the oversized icons displayed in the Logs panel caused when the screen DPI was set too high
• Fixed the filtering issue in the Issues panel which caused new vulnerabilities discovered to be displayed even though they did not match the filter
• Fixed the incorrect vulnerability count, caused by variations, that was displayed in the Status Bar
• Fixed an UnauthorizedAccessException that was thrown while attempting to select restricted folders during the Export to Cloud process
• Fixed an issue in the CSP engine where the ‘strict-dynamic’ directive was reported as an unsupported hash
• Fixed the problem where the application was hanging on shutdown
• Fixed missing Authentication cookies in the Knowledge Base
• Fixed incorrect nonce detected without matching script block vulnerability
• Fixed a DOM simulation issue where the passed element to call the setTimeout function was being ignored
• Fixed a Retest issue where Out-of-Band SSTI vulnerabilities were marked as retestable
• Fixed the issue where the tiny Validation Error icon was displaying in screens when the screen DPI was set too high
• Fixed the issue where cookies were sent during the request for the Favicon image of the target URL      
• Fixed the handling of newline characters while rendering the Proof of Concept section of the Vulnerability details
• Fixed the high DPI issues in the Bulk Export to Enterprise panel
• Fixed the issue where the uninstall process was interrupted if an Invicti instance was still running
• Fixed high DPI issues in the Local Scans panel during Import
• Fixed a NullReferenceException that occurred while rendering Vulnerability Details
• Fixed the issue where the Activity Viewer automatically scrolled to the top following updates to activities
• Fixed the Knowledge Base Report’s header, where the image, title and severity level were overlapping
• Fixed the issue where Internal Path Disclosure was reported on script and stylesheet files
• Fixed an issue that caused FP Insecure Reflected Content to be reported
• Fixed the issue where the CSRF engine did not highlight the vulnerable HTML form when the name and action were not specified
• Fixed the issue where brute-force attacks were carried out regardless of the Authentication Type
• Fixed an issue in the Request Builder where the POST parameters were removed after switching tabs
• Fixed the issue where the LFI vulnerability confirmation patterns did not match the response returned from a Linux server
• Fixed an issue in the Response Viewer tab where the selected text remained highlighted even after the search was cleared
• Fixed the issue where vulnerability fields were not updated after a Retest
• Fixed the value of double encoded null byte in LFI, XSS attack patterns
• Fixed an issue in the Swagger importer where the parameter declared on the path level was not recognized
• Fixed an issue in the LFI engine where the confirmation payload was appended to the attack payload
• Fixed an issue in the Request Builder where duplicate headers could be added because header names were treated as Case Sensitive
• Fixed the problem where the wrong error message was displayed when a file parameter was selected in the Request Builder
• Fixed an unnecessary Header Warning dialog that popped up when the Edit Link button was clicked in the Request Builder
• Fixed an issue where an imported link could be saved without correcting the errors in the Request form
• Fixed an issue where links generated in Invicti attacks were added to the Sitemap
• Fixed the value of the double encoded null byte in the Header Injection pattern
• Fixed the encoding of the % sign in the base64 payload in XSS attacks
• Fixed the attack payload in the PHP Injection Fixed One Time Attack pattern
• Fixed an issue where version numbers were not correctly displayed in the Affected Versions section of VDB vulnerabilities
• Fixed an issue where the wrong importer format was selected by default in the Enter Links dialog
• Fixed the selection issue in the filtered Security Checks of the Scan Policy panel
• Fixed the encoding issue in the SQL Injection confirmation attack
• Fixed the validation issue of the Send to Action configuration
• Fixed the unnecessary node selection when the Expand/Collapse button was clicked on the Sitemap tree
• Fixed the grouping issue on vulnerability variations and instances
• Fixed HTTP method icons in the Sitemap
• Fixed issues caused by language changes
• Fixed the scrolling problem in the Vulnerability viewer
• Fixed the confusion over which persona was used during Form Authentication verification
• Fixed an order issue in the Sitemap tree
• Fixed the incorrect variation count presentation issue in the Issues tree
• Fixed the broken tab key in the Request Builder panel
• Fixed the incorrect Remaining Day presentation in the License reminder
• Fixed the issue where the Back button was clickable during the Bulk Export to Invicti Enterprise, causing the export to fail
• Fixed the issue where an error was displayed instead of the Proof in Blind SQL injection attacks
• Fixed the wrong proxy display after resetting settings to the default
• Fixed a performance issue that occurred while exporting a large Scan to Invicti Enterprise
• Fixed duplicate cookie names that were reported on a Cookie vulnerability
• Fixed a high DPI issue in the message box
• Fixed visual issues in the binary Response viewer
• Fixed an issue where the DOM engine failed to restart on some occasions
• Fixed an issue where Local/SessionStorage values were not persisting throughout the scan
• Fixed an issue where Form Authentication sometimes failed while trying to login to some websites that are built with React.JS
• Fixed a NullReferenceException that was sometimes thrown while saving Scan data
• Fixed HTML form simulation for cases where the form did not have an element with the Submit type
• Fixed HTML form simulation to take the Exclude by CSS Selector option into account to ignore required form elements
• Fixed an issue where overriding the Unicode Replacement characters in binary and JavaScript files sometimes broke the files and did not execute
• Fixed an issue where Invicti sometimes prevented Windows from shutting down while a Scan was running
• Fixed an issue where NTLM Authentication was being ignored during Logout Detection
• Fixed an issue where the cookies that were set in the JavaScript context during Form Authentication were not properly captured
• Fixed an issue where the Max Simulated Elements option was causing the simulation to hang
• Fixed an uncaught TypeError that was caused by Max Option Elements checks and causing the simulation to hang
• Fixed an issue where Signature checks were adding false-positive Site Profile information to the Knowledge Base issue
• Fixed an issue where ignored vulnerabilities were retested while performing an Incremental Scan
• Fixed an issue where an incorrect “Subresource Integrity (SRI) Hash Invalid” vulnerability was reported because of hash miscalculation

FIXES

• Fixed an InvalidOperationException thrown when application is forced to close during computer shutdown
• Fixed the clipboard format of Knowledgebase URL Rewrite List item
• Fixed a race condition that causes an ArgumentOutOfRangeException when rate limiting option is used

IMPROVEMENTS

• Added proof generation and Get Shell support for Code Evaluation (ASP) vulnerability
• Added Retest support for several cookie vulnerabilities
• Moved the target URL to the first position on Site Profile Knowledgebase

FIXES

• Fixed the Retest All button also retests the issues on additional web sites too
• Fixed the popup hide issue on custom form authentication script dialog
• Fixed a few unexpected NullReferenceException issues
• Fixed the broken arrow key navigation on Sitemap and Issues panels
• Fixed the incorrect vulnerability count reported on Issues panel tree groups
• Fixed the representation of fixed vulnerability on Issues panel
• Fixed the incorrect duplicate export dialog shown when trying to import a scan from cloud
• Fixed the issue where Issues panel were not being refreshed when retest is finished
• Fixed the initial panel shown by changing it from Progress panel to Activity panel
• Fixed the process cannot access the file issue while updating VDB
• Fixed a bug in cookie handling code during form authentication
• Fixed the incorrect severity reported for Cookie not Marked as Secure vulnerability on some scans
• Fixed an ArgumentOutOfRangeException thrown on some long scans
• Fixed an InvalidOperationException thrown while closing the application
• Fixed the incorrect Filter menu state on Sitemap panel