Home
/
Documentation
/
12-Jan-2017
Invicti Product Release Notes
Invicti Enterprise On-Demand
Invicti Enterprise On-Premises
Invicti Standard
Invicti Application Security Platform
12 Jan 2017

12-Jan-2017

New Features

  • Included support for the Invicti Hawk infrastructure for detection of SSRF and OOB vulnerabilities.
  • Support for importation of Postman files.
  • Added "Copy as cURL" context menu item to sitemap.
  • Added "Copy sqlmap Payload" context menu item for SQL Injection vulnerabilities.
  • Added HTTP request rate limiting options to Scan Policy.
  • Added "Ignored Email Addresses" section for Scan Policy.
  • Added accept and reject options for untrusted SSL certificates.
  • Added an option to disable automatic detection of 404 error pages.

New Security Checks

  • New security checks for Server Side Request Forgery (SSRF) vulnerability
  • New security checks for out-of-band vulnerabilities such as OOB SQL Injection, OOB XXE, Blind XSS, OOB RCE, OOB RFI etc.
  • Added "Missing object-src in CSP Declaration" vulnerability detection.
  • Added "Apache Multiple Choices" vulnerability detection.
  • Added "Stored DOM based XSS" vulnerability detection.

Improvements

  • Improved the message displayed when trying to open an invalid session file.
  • Added /nopdf command line switch to prevent generating PDF reports while performing automated scans.
  • Added AttackPattern.GetAllEngines() and AttackPattern.GetAllPatterns() methods to reporting API to get the list of engine and pattern IDs.
  • Added "Test Credentials" support for Basic, NTLM/Kerberos authentication configuration screen.
  • Added progress dialog for importing links.
  • Improved the performance of several link importers.
  • Added global proxy options under Tools > Options to configure an application wide proxy.
  • Added "Bearer Token" support for form authentication.
  • Added confirmation for Frame Injection vulnerabilities.
  • Added http: and https: checks for CSP vulnerability detection.
  • Improved link importers where redundant CONNECT requests are now excluded.
  • Optimized attacker performance for links containing single parameter.
  • Added SSL protocol selection for scan policies.
  • Added context menu items to the Report Policy Editor to multiple selected vulnerabilities by severity.
  • Optimized crawling parser by skipping DOM simulation on pages with static content.
  • Improved coverage of CORS security check with extra attacks.
  • Removed GWT attacks from file upload security checks.
  • Improved DOM simulation performance.
  • Improved CSS parsing which now follows CSS import directives.
  • Improved coverage of open redirect security checks by adding/updating attacks patterns.
  • Improved logout detection by skipping JavaScript responses.
  • Added support for "HTTP 410 Gone" and "HTTP 451 Unavailable For Legal Reasons" response status codes.

Bug Fixes

  • Fixed an issue where a multiple cookies issue should not be reported.
  • Fixed a JSON parsing issue with text parser.
  • Fixed a request builder issue where the credentials on URL were not preserved.
  • Fixed a request builder issue where the port number change is not reflected to raw request tab.
  • Fixed a NullReferenceException which may have been thrown while closing the splash screen.
  • Fixed a NullReferenceException which may have been thrown while updating activities on scan summary dashboard.
  • Fixed clipped texts on several windows while using higher DPI settings.
  • Fixed a request builder issue where the port on pasted URL is not parsed.
  • Fixed a request builder issue where Cookie request header is not sent.
  • Fixed a request builder issue where Cache-Control request header value was being duplicated.
  • Fixed an HTTP response reading issue where the response could not be read when only BOM bytes are sent on first read attempt.
  • Fixed the list on LFI exploitation panel where the same files were being duplicated.
  • Fixed an issue in report policy editor that causes CVSS editing controls to disappear.
  • Fixed a NullReferenceException on scan policy editor dialog thrown while clicking select inverse context menu on some security check groups.
  • Fixed an issue where a false-positive file upload vulnerability might be reported.
  • Fixed several DOM simulation issues on pages that have many iframe elements.
  • Fixed a NullReferenceException while performing an internal MD5 encoding operation.
  • Fixed an issue where the vulnerabilities found on a scan lingers to the next scan started.
  • Fixed an encoding issue on a proof URL of an XSS vulnerability.
  • Fixed a hang issue occurs when too many email addresses found on the response.
  • Fixed an issue where "Shell Script Identified" vulnerability is not found when retested.
  • Fixed a scan profile load issue occurs when a link with binary body is imported.
  • Fixed the table layout on comparison report which was having too wide columns when the URLs were too long.
  • Fixed the duplicate request issue on "AJAX / XML HTTP Requests" knowledge base report.
  • Fixed URL parsing on pages where the URLs were containing whitespace characters like carriage return and line feeds.
  • Fixed an ArgumentOutOfRangeException thrown while trying to match the redirected URL to configured logout detection pattern.