Invicti Product Release Notes
11 Apr 2016
New Features
- Added the functionality to pause and resume scans.
- Added support for automatic crawling and scanning of Parameter-Based Navigation websites.
- Added a new option in the Scan Policy that allows users to add file extensions the crawler's Text Parser should parse for links.
- Added support to allow users to select a scanning agent for a scan in an on-premises installation.
New Security Checks
- Added Missing X-XSS-Protection Header vulnerability check.
- Added Video.js JavaScript library detection.
- Added Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability check.
Improvements
- Added the Smart DFS feature to the DOM Parser, which uses a similarity heuristic for DOM elements to avoid scanning the same or similar parameters multiple times.
- Improved "Not Found Analyzer" to better handle binary responses and long strings.
- Added a link to the proof URL for XSS vulnerabilities.
- Added link generation to Text Parser for all select element options.
- Improved DOM parser to skip redirect responses.
- Improved the DOM parser to use the input value for auto-suggest simulation when input is not in a form.
- Added support for modifying asynchronous JavaScript executions in order to increase DOM Parser coverage.
- Improved relative link parsing on JavaScript files.
- Improved the coverage of file upload security checks.
- Improved the coverage of XSS security checks.
- Improved UI of the scan policy optimized wizard.
- API authentication method updated for backward compatibility.
Bug Fixes
- Fixed an issue where LFI attack patterns were being reported as internal path disclosure.
- Fixed the incorrect raw response representation for SSL connections.
- Fixed an issue where forms containing ignored parameters were not reported as a CSRF vulnerability.
- Fixed a case where the change events of dynamically generated HTML option elements were not being triggered.
- Fixed cross-domain document access errors on DOM parser and XSS scanner.
- Fixed an issue where a JSON request's method was incorrectly recognized as POST rather than GET.
- Fixed a retest issue where a vulnerability was mistakenly reported as fixed.
- Fixed form values target setting to use Name as the default value when a Target is not selected.
- Fixed a file extension parsing issue related to the File Extension List knowledgebase item.
- Fixed a hang issue that occurs while performing JavaScript library security checks.
- Fixed a custom form authentication API issue where "ns" namespace was conflicting with a global variable on target website - auth API has been moved to "netsparker" namespace preserving the "ns" backward compatibility.
- Fixed a DOM Parser and XSS scanner bug that incorrectly followed redirects.
- Fixed a form values issue - empty form values should not set any default values for parameters.
- Fixed an issue during which the setting of the Connection request header failed.