Invicti Product Release Notes
14 May 2020
NEW FEATURES
- Added Pivotal Tracker Send To integration
- Added test website (Target URL) configuration to enable the scanning of REST websites with selected XML and JSON mime type(s)
- Added ability to add, remove or edit request parameters, headers and edit the request body in pre-request scripts
- Added a Fragment Parsing checkbox to the Crawling tab of the Scan Policy Editor dialog
NEW SECURITY CHECKS
- Added a new vulnerability for Same Site Cookies that are set to None and not marked as secure
IMPROVEMENTS
- Improved the Webhook Send To Action to enable it to send data from the query string when the POST or PUT method is selected
- Improved the Jira Send To Action to include Epic Key and Epic Name fields
- Updated the default value for Allow Out-of-scope XHR requests from False to True, to improve the simulation process
- Improved Form Authentication to capture All Authorization Headers instead of just Bearer Authentication Tokens
- Improved the scan performance with memoization of Passive Security Checks
- Optimized Stored XSS checks to eliminate unnecessary DOM simulations in PermanentXssSignature
- Optimized signature detection to avoid executing unnecessary Regex checks
- Improved the attack payload of the Open - Integer (MySQL) pattern
FIXES
- Fixed the problem where the authentication header was being parsed when an empty OAuth2 token type was provided
- Fixed a typo in the XSS vulnerability template
- Fixed a typo in the Expect-CT engine error message
- The WAF Identified dialog is no longer displayed when Invicti is started from the command line in Silent Mode
- Fixed an issue that meant the Target URL was not crawled when the Override Target URL with authenticated page checkbox was enabled in the Form Authentication tab of the Start a New Website or Web Service Scan dialog
- Fixed the visibility of the scan search bar
- Fixed the Regex Pattern of the BREACH Engine's sensitive keywords
- Fixed an issue where the Possible OOB Command Injection Vulnerability was reported as confirmed
- Fixed the exception that was thrown if the script file name was empty when the Execute button was clicked in the Custom Scripts panel
- Fixed the problem where the XXE engine was reporting a false positive on possible XXEs
- Data Type Mismatch errors are now ignored while importing OpenAPI (Swagger) documents
- Fixed an issue where Authentication Verification was failing to complete in Silent Mode when the Target URL was unreachable
- Fixed an issue that caused the crawler to exit abnormally and stop the scan when Invicti Assistant changed the Scan Settings
- Fixed a NullReferenceException in the Custom Scripts panel
- Fixed an issue that caused the link to get stuck in Crawling, which made the scan take too long
- Fixed an NRE that occurred when a Retest was performed on an imported scan
- Fixed an issue that occasionally caused scans to hang when the Target URL timed out on requests
- Removed an extra semicolon from the Actions to Take section of the Insecure Transportation Security Protocol Supported vulnerability templates