Invicti Product Release Notes
14 Jun 2022
6.6.0.36485
NEW FEATURES
- Added GraphQL Libraries detection support.
- Added the Shark node to the Knowledge Base.
- Added Acunetix XML to URL Import.
- Added built-in DVWA policies to scan policies.
IMPROVEMENTS
- Updated embedded Chromium browser.
- Added a new IAST vulnerability: Overly Long Session Timeout.
- Added new config vulnerabilities for the IAST Node.js sensor.
- Added new config vulnerabilities for the IAST Java sensor.
- Added support for detecting SQL Injections on HSQLDB.
- Added support for detecting XSS through file upload.
- Updated DISA STIG Classifications.
- Updated Java and Node.js IAST sensors.
- Improved time-based blind SQLi detection checks.
- Improved the Content Security Policy Engine.
- Updated XSS via File Upload vulnerability template.
- Updated License Agreement on the Invicti Standard installer.
- Added Extract Resource default property to DOM simulation.
- Improved proxy usage in Netsparker Standard for outgoing web requests such as Hawk.
- Added an option to discard certificate validation errors on the Enterprise Integration window during SSL/TLS connections.
- Added vulnerabilityType filter to add VulnerabilityLookup table.
- Added the agent mode to the authentication request.
- Added a default behavior to scan the login page.
- Added an option to disable anti-CSRF token attacks.
- Added an option to block navigation on SPAs pages.
- Added a default behavior to disable TLS1.3
FIXES
- Fixed basic authorization over HTTP bug.
- Fixed SQL Injection Vulnerability Family Reporting Bug.
- Fixed a bug that the custom script throws a null reference exception when a script is added to the paused scan.
- Fixed a bug that deletes an authentication password when a new scan is started with a copied profile.
- Fixed a bug that causes the Sitemap to disappear during scanning with IAST.
- Fixed a bug that caused missing tables and values when a report policy is exported as an SQL file.
- Fixed a typo bug on GraphQL importing window.
- Fixed the report naming bug that occurs users create a custom report from a base report.
- Fixed an issue that causes the attack process not to be completed for a security check when there is an error occurred while attacking a parameter with an attack pattern.
- Fixed a bug that updates all built-in scan policies instead of edited scan policy.
- Fixed a typo on Skip Crawling & Attacking pop-up.
- Fixed a bug that prevents an error icon from appearing after entering unacceptable characters for the scan policy name.
- Fixed a bug that does not migrate the Spring4Shell Remote Code Execution check to a new scan policy although more than 50% of the checks are selected.
- Fixed a bug that throws an error when the Large SPA is selected from the Load Preset Values drop-down on the Scan Policy window.
- Fixed a bug that does not show Configuration Wizard for the Rest API TestInvicti website.
- Fixed missing template section migration on report policy.
- Fixed a bug that throws an error when a report is submitted upon error.
- Fixed the LFI Exploiter null reference.
- Fixed a bug that occurs when a detailed scan report does not report the CVSS scores for custom vulnerabilities.
- Fixed a bug that occurs when the Log4J vulnerability profile is not migrated with the report policy migration.
- Fixed a bug that occurs when users search the Target URL on the New Scan panel.
- Fixed typo in the timeout error message.
- Fixed a bug that prevents the WSDL files from being imported.
- Fixed reporting "SSL/TLS not implemented" when scanning only TLS 1.3 supported sites.
- Fixed a bug that throws an error for NTLM authentication when the custom username and password credentials are provided when the system proxy is entered into the appsetting.json
- Fixed the bug that the passive vulnerabilities were reported from out-of-scope links.
REMOVAL
- Removed Expect-CT security check.
- Removed the End-of-Text characters in URL rewrite rules.