Invicti Product Release Notes
14 Dec 2017
NEW FEATURES
- Realtime scan results
- Added out-of-the-box integration support for the FogBugz, GitHub and TFS issue tracking systems.
- Grouping of notifications so a single email or SMS alert is sent with a list of all alerts rather than multiple individual alerts.
- New API endpoint for launching group scans.
- Scheduling for incremental scans both from the web UI and API.
- New API endpoint for generating custom scan reports.
- New scan policy setting to define Web (Session and Local) Storage.
- New Header Authentication settings to manually add request headers with authentication information.
- Added support to import links from CSV files.
- Added support for parsing of gzipped sitemaps.
NEW SECURITY CHECKS
- Check for reflected Code Evaluation in Apache Struts 2 (CVE-2017-12611).
- Check for Remote Code Execution in Apache Struts (CVE-2017-5638).
IMPROVEMENTS
- Scan Time Window setting is now available on the new group scans page.
- Improved scan stability and performance.
- Improved default Form Values settings.
- Updated external references for several vulnerabilities.
- Updated default User-Agent HTTP request header string.
- Changed API endpoints to return 201-Created response status code for new resources.
- Added several UI improvements for WCAG guidelines compliance.
- Improved the email template that reports issues.
- Added "Attack Parameters" information to Scanned URLs report.
- Renamed the "Important" vulnerability severity to "High".
- Added Form Authentication performance data to Scan Performance knowledge base node.
- Improved Active Mixed Content vulnerability description.
- Improved DOM simulation for events attached to document object.
- Added parsing of "Alternates", "Content-Location" and "Refresh" response headers.
- Improved CSP engine performance by checking CSP Nonce value per directory.
- Changed sqlmap payloads to start with sqlmap.py, including the .py extension.
- Added --batch argument to sqlmap payloads.
- Removed Markdown Injection XSS attack payloads.
- Added ALL parameter type option to the Ignored Parameters settings.
- Added gtm.js (Google Tag Manager JS library) to the default excluded scope patterns.
- Updated the Accept HTTP header value for default scan policy.
- CSS exclusion selectors now support frames and iframes.
- Added parsing of embedded spaces in JavaScript code within HTML attribute values.
- Added parsing source information to Scanned URLs List and Crawled URLs List (JSON) reports.
- Email disclosure will not be reported for email addresses used in form authentication credentials.
- Added focus and blur event simulation for form authentication set value API calls.
- Added more information about HTML forms and input for vulnerabilities found in HTML forms.
- Added a JavaScript option to specify JavaScript cookies to persist across authentication and DOM simulation.
- Added Parameter Value column to the Vulnerabilities List report in CSV format.
- Added match by HTML element id for form values.
- Added "Ignore document events" to JavaScript settings to ignore triggering events attached to document object.
- Improved Windows Short Filename vulnerability details Remedy section.
- URL Rewrite parameters are now represented as asterisks in sqlmap payloads.
BUG FIXES
- Fixed an issue where the AutoSave filename was missing when resuming a scan.
- Fixed an issue where "Test" button of authentication settings does not work as expected.
- Fixed an issue where model binding does not work as expected for scan profile API endpoints.
- Fixed CSRF vulnerability reporting on change password forms.
- Fixed case sensitivity checks while matching ignored parameters; ignored parameters are now matched case-sensitively.
- Fixed the incorrect disabled external references section in WordPress Setup Configuration File template.
- Fixed various source code disclosure issues.
- Fixed an escaping issue with CSS exclusion selectors.
- Fixed the issue where the basic authentication credentials were not being sent on logout detection phase.
- Fixed a random DOM simulation exception that occurred when the site creates popup windows.
- Fixed a RemotingException that occurred in the Form Authentication Verifier.
- Fixed a possible NullReferenceException on Form Authentication.
- Fixed the broken form authentication custom script when the last line of the script is a single line comment.
- Fixed excessive memory usage when deserializing huge parameter values.
- Fixed incorrect URLs being added that consisted only of extension values.
- Fixed a NullReferenceException which may be thrown while importing a swagger file.
- Fixed form authentication not triggered on retest.
- Fixed StackOverflowException in swagger parser thrown while parsing objects containing circular references.
- Fixed a Swagger file parsing issue so that the target URL is used when the host field is missing.
- Fixed swagger importer by ignoring any metadata properties.
- Fixed a NullReferenceException that occurred during DOM simulation.
- Fixed the incorrect URLs parsed on attack responses.
- Fixed duplicate HTTP requests issued by the Web App Fingerprinter.
- Fixed ignore parameter issue for parameters containing special characters.
- Fixed a NullReferenceException that occurs for select elements missing option elements on multipart requests.
- Fixed missing vulnerabilities requiring late confirmation for incremental scans.
- Fixed a NullReferenceException that may occur on iframe security checks.