Home
/
Documentation
/
17-Jan-2019
Invicti Product Release Notes
Invicti Enterprise On-Demand
Invicti Enterprise On-Premises
Invicti Standard
Invicti Application Security Platform
17 Jan 2019

17-Jan-2019

NEW FEATURES

NEW SECURITY CHECKS

  • Added a new pattern for CherryPy Version Disclosure
  • Added an LFI attack pattern for WEB-INF/web.xml
  • Added Ruby Error Disclosure detection
  • Added WP Engine Configuration File detection
  • Added CherryPy Stack Trace Disclosure detection
  • Added Intro.js Out-of-date Version detection
  • Added Axios Out-of-date Version detection
  • Added Fingerprintjs2 Out-of-date Version detection
  • Added XRegExp Out-of-date Version detection
  • Added DataTables Out-of-date Version detection
  • Added Lazy.js Out-of-date Version detection
  • Added FancyBox Out-of-date Version detection
  • Added Underscore.js Out-of-date Version detection
  • Added Lightbox Out-of-date Version detection
  • Added JBoss application server Out-of-date Version detection
  • Added SweetAlert2 Out-of-date Version detection
  • Added Lodash Out-of-date Version detection
  • Added Bluebird Out-of-date Version detection
  • Added Polymer Out-of-date Version detection

IMPROVEMENTS

  • Added Content Security Policy (CSP) to the Invicti Enterprise web application
  • Changed enum values to display in alphabetical order in the Value column in the Filter popup
  • Added an Audit Log for Rate Limited requests
  • Highlighted selected option for JavaScript section on the New Scan Policy page
  • Highlighted relevant tabs for validation errors on the New Scan Policy page
  • Improved the Report Policy page to make it more responsive and added a scroll bar
  • Improved help text for Application and Service Discovery pages
  • Added a Check/Uncheck by Severity filtering option on the Report Policy page
  • Added PHP extension attack for Nginx vulnerability to the File Upload engine
  • Added File Upload patterns for the Nginx Parsing vulnerability
  • Added settings to the File Upload engine for configuring upload folders
  • Added errorlog.axd detection support
  • Improved elmah.axd detection
  • The severity of the Cookie Not Marked as Secure vulnerability was lowered for non-session cookies
  • Improved SSTI PHP Smarty attack detection
  • Improved the Swagger link importer to handle additional properties with integer and string value types
  • Improved the Expect-CT engine by only reporting a vulnerability once for each host
  • Improved RSA key confirmation by handling OpenPGP format
  • Increased the HSTS Not Enabled vulnerability severity from Information to Low
  • Improved HTTP 407 Proxy Authentication error handling
  • Added classifications to the HSTS Not Enabled vulnerability
  • Excluded unpopular JavaScript Library Out of Date checks from the default policy to improve performance
  • Improved CSP security checks by analyzing empty responses, as CSP can be declared on headers instead of meta tags
  • Generalized the RegEx Pattern of the trace.axd detected vulnerability to match all languages
  • Improved JSON format detection
  • Replaced Unicode replacement characters with question marks in responses
  • Added a Scan Policy option to attack cookies
  • Improved element click DOM simulation for various element types
  • SRI Not Implemented will no longer be reported for localhost URLs
  • Improved ASP.NET error message detection
  • Added descriptions to PCI categories in the PCI Compliance Report
  • Improved Boolean SQL Injection detection
  • Improved the Blind Command Injection attack patterns
  • Improved the representation of Report Template compilation errors
  • Misconfigured X-Frame-Options Header is now reported separately
  • Improved Source Code Disclosure checks to prevent the reporting of JavaScript template pages
  • Status Code, Status Description and Content Length information have been added to the Slowest Pages node in the Knowledge Base
  • Improved WADL document parsing by ignoring DTDs
  • Improved Open Redirect DOM based confirmation performance
  • Long identified source code is shortened in Possible Source Code Disclosure vulnerabilities
  • Cookie vulnerabilities report where the cookie is set from
  • Improved Swagger Document Format detection
  • The file upload engine now detects new links in the response after the file is uploaded

BUG FIXES

  • Fixed the issue where Authentication did not work when retesting
  • Fixed the issue where the Swagger importer generated an invalid JSON request body
  • Fixed the ArgumentException thrown while performing Heartbleed security checks
  • Fixed the issue where the wrong version was identified for Drupal
  • Fixed a disallowed HTTP method issue where some methods were still being allowed
  • Fixed a typo in the CSP Not Implemented vulnerability details
  • Fixed a Form Authentication issue that occured on some React-based websites
  • Fixed signature detection for links found via the crawler
  • Fixed an issue in the CSP engine where it reported an incorrect vulnerability
  • Fixed a URL encoding issue in DOM simulation that was causing some vulnerabilities to be missed
  • Fixed the issue where the text parser incorrectly parsed extensions in the onclick event
  • Fixed duplicate parsing source field values reported for IFrame vulnerabilities
  • Fixed an issue where Apache MultiViews could not be detected in the target server
  • Fixed the incorrect Cookie Expire Date set during Form Authentication
  • Fixed the incorrect Source Code Disclosure report caused by SSTI attacks
  • Fixed a Content-Type parsing issue in Form Authentication
  • Fixed the issue where cookies received via Form Authentication were not being analyzed for vulnerabilities
  • Fixed the incorrect Source Code Disclosure reported when an XSS via RFI vulnerability was found
  • Fixed a bug in cookie handling code during Form Authentication
  • Fixed the incorrect severity reported for the Cookie not Marked as Secure vulnerability on some scans
  • Fixed an ArgumentOutOfRangeException thrown on some long scans