Invicti Product Release Notes
16 Jun 2016
16-Jun-2016
NEW FEATURES
- Scanning of RESTful web services.
- Report Policies to customize the scan results and reports
- "Heuristic Rule Detection" support while using custom URL rewrite rules.
- Added an option to disable logout detection for form authentication.
- Added ASP.NET Web Application project import support.
NEW SECURITY CHECKS
- Added Samesite cookie attribute check.
- Added Reverse Tabnabbing check.
- Added Subresource Integrity (SRI) Not Implemented check.
- Added Subresource Integrity (SRI) Hash Invalid check.
IMPROVEMENTS
- Various memory usage improvements to handle large web sites.
- Improved vulnerability templates by adding product information when a 3rd party web application (WordPress, Drupal, Joomla, etc.) is discovered.
- Improved DOM simulation by supporting HTTP responses that is translated to HTML web pages using XSLT.
- Improved coverage of LFI engine.
- Added name completion for profile save as dialog.
- Updated missing localized text for Korean translation.
FIXES
- Fixed the issue of form authentication remembers the cookies from the previous scan while using the same Invicti instance for a new scan.
- Fixed the incorrect progress bar while performing a controlled scan.
- Fixed the issue of DOM Based XSS security checks enabled status were not being logged.
- Fixed the "Cross-site Scripting via Remote File Inclusion" vulnerability was not being confirmed issue.
- Fixed JIRA Send To action issue where the port number of the JIRA service were being ignored.
- Fixed the synchronization issue on JavaScript Scan Policy section where UI elements are left enabled even though "Analyze JavaScript / AJAX" option is not checked.
- Fixed the NullReferenceException thrown when scan is paused and resumed during performing form authentication.
- Fixed the incorrect form value issue when the #DEFAULT# form value is removed.
- Fixed the broken layout of input controls on basic authentication dialog shown during form authentication.
- Fixed the error reporting issue occurs when log file collection and/or compression fails.
- Fixed the HTTP Archive Importer issue where POST method was parsed as GET when postData is empty.
- Fixed the ObjectDisposedException thrown on form authentication verification dialog.
- Fixed a bug where GWT parameter cannot be detected which contains a Base64 encoded value.
- Fixed a time span parsing bug in Knowledge base report templates.
- Fixed an issue where some vulnerabilities are treated as fixed while retesting.
- Fixed an issue where XSS proof URL was missing alert function call.
- Fixed a typo on "Base Tag Hijacking" vulnerability template.
- Fixed the broken "Generate Debug Info" function of JavaScript simulation feature.