🚀 Invicti Acquires Kondukto to Deliver Proof-Based Application Security Posture Management
100% Signal 0% Noise
Platform
Platform Overview
ASPM
API Security
DAST
SAST
SCA
Container Security
AI-Powered AppSec
Features
Pricing
Why Invicti
About Us
Case Studies
Contact Us
Resources
Resource Library
Blog
Webinars
White Papers
Podcasts
Case Studies
Invicti Learn
Live Training
Partners
Support
Get a demo
Home
/
Documentation
/
18-Dec-2015
Invicti Product Release Notes
Invicti Enterprise On-Demand
Invicti Enterprise On-Premises
Invicti Standard
Invicti Application Security Platform
18 Dec 2015

18-Dec-2015

FEATURES

  • Added Windows 10 support
  • Added the Scan Policy Optimizer
  • Added automatic configuration of URL rewrite rules
  • Added automated evidence collection to several confirmed vulnerabilities
  • Added Korean language option for application user interface (currently in beta)
  • Added support for detecting outdated versions of several popular JavaScript client-side libraries
  • Added HIPAA compliance report template
  • Added syntax highlighting for HTTP response viewer for responses like XML, JavaScript, CSS, etc.
  • Added syntax highlighting for HTTP request viewer for request bodies like XML, JSON, etc.
  • Added sessionStorage and localStorage support
  • Added send to Team Foundation Server (TFS) and GitHub feature
  • Added URL Rewrite knowledgebase node to list the URL patterns that have been discovered
  • Added SSL knowledgebase node that shows several SSL related configurations on target web server
  • Added CSS knowledgebase node
  • Added Slowest Pages knowledgebase node
  • Added no challenge option for basic authentication

NEW SECURITY CHECKS

  • Added Windows Short File Name security checks
  • Added several new backup file checks
  • Added web.config pattern for LFI checks
  • Added boot.ini pattern for LFI checks
  • Added a signature which checks against a passive backdoor affecting vBulletin 4.x and 5.x versions
  • Added a signature which checks against an error message generated by regexp function at MySQL database
  • Added DAws web backdoor check
  • Added MOF Web Shell backdoor check
  • Added RoR database configuration file detection
  • Added RoR version disclosure detection
  • Added RoR out-of-date version detection
  • Added RoR Stack Trace Disclosure
  • Added RubyGems version disclosure detection
  • Added RubyGems out-of-date version detection
  • Added Ruby out-of-date version detection
  • Added Python out-of-date version detection
  • Added Perl out-of-date version detection
  • Added RoR Development Mode Enabled detection
  • Added Django version disclosure detection
  • Added Django out-of-date version detection
  • Added Django Development Mode Enabled detection
  • Added PHPLiteAdmin detection
  • Added phpMoAdmin detection
  • Added DbNinja detection
  • Added WeakNet Post-Exploitation PHP Execution Shell (WPES) detection
  • Added Adminer detection
  • Added Microsoft IIS Log File detection
  • Added Laravel Configuration File detection
  • Added Laravel Debug Mode Enabled detection
  • Added Laravel Stack Trace Disclosure
  • Added S/FTP Config File detection

IMPROVEMENTS

  • Several performance improvements to reduce memory usage
  • Improved credit card detection to eliminate false positives
  • HTTP cookie handling code written from scratch to conform with the latest RFCs which modern browsers also follow
  • SSL cipher support check code has been rewritten to support more cipher suites
  • SSL checks are now made for target URLs even when protocol is HTTP
  • Improved logging code to decrease the performance overhead
  • Updated embedded chrome based browser engine to version 41
  • Improved logging when an error occurs if Invicti was started from command line with arguments
  • Added more ignored parameters for ASP.NET web applications
  • Improved JIRA send to action to support both old and new versions
  • Added activity details for singular security checks (SSL, Heartbleed, etc.) on scan summary dashboard
  • Improved authentication verifier to include keywords from alt and title attributes
  • Improved scan policy versioning where new security checks are automatically included or excluded by default on existing scan policies
  • Improved out-of-date vulnerability reporting on XML vulnerability list report to include references and affected versions elements
  • Improved LFI pattern that matches win.ini files
  • Improved XSS coverage by adding an attack pattern for email inputs which require an @ character
  • Improved cookie vulnerability details to show all cookies that are not marked as Secure or HttpOnly
  • Added descriptions for advanced settings
  • Improved out-of-date vulnerability templates by including severity information of vulnerabilities for that version of software
  • Improved out-of-date vulnerability reporting by increasing the severity of the vulnerability if that version of software contains an important vulnerability
  • Increased static resource finder limit from 75 to 100
  • Added several text parser settings to advanced settings
  • Improved Ruby version disclosure detection
  • Improved SQL injection vulnerability template by adding remedy information for more development environments
  • Improved common directory checks by adding more known directory names
  • Updated default user agent
  • Improved the default Anti-CSRF token name list
  • Improved database error messages vulnerability detection for Informix
  • Added new XSS attack pattern for title tag in which JavaScript execution is not possible
  • Improved XHTML attacks to check against XSS vulnerabilities
  • Missing Content-Type vulnerability is not reported when status code returns 304
  • Optimized confirmation of Boolean SQLi
  • Added exploitation for Remote Code Evaluation via ASP vulnerability
  • Revamped DOM based XSS vulnerability detail with a table showing XPath column
  • Changed SQLi attack patterns specific to MSSQL database with shorter ones
  • Improved SQLi attack pattern which causes a vulnerability in LIMIT clauses specific to MySQL database
  • DOM simulation is turned off for hidden input types which causes a false-positive confirmed XSS vulnerability
  • Improved the "Name" form value pattern to match more inputs
  • Improved confirmation of Expression Language Injection vulnerability
  • Improved Frame Injection vulnerability details
  • Added .phtml extension to detect code execution via file upload
  • Improved blind SQL injection detection on some INNER JOIN cases
  • Improved external references section of "Remote Code Evaluation (PHP)" vulnerability
  • Added retest support for several vulnerability types
  • Improved import link user interface
  • Improved CSRF engine
  • Displaying installer links for cases where auto update fails or auto updating is not possible
  • Improved Apache Tomcat detection patterns
  • Improved the message on "Reset to Defaults" dialog
  • Added severity column for Vulnerabilities List (CSV) report template
  • Increased the number of sensitive comments reported
  • Added exploitation support for "RCE via Perl" vulnerability
  • Added project selection to FogBugz send to action
  • Improved text parser improvements
  • Added the total number of attack counts per parameter for current scan policy to scan policy editor dialog
  • Added the passive engine names which are currently running to scan summary dashboard
  • Added separate checks in scan policy for each supported web app fingerprint application

FIXES

  • Fixed Extensive Security Checks policy to enable DOM simulation for open redirection
  • Fixed Extensive Security Checks policy to enable Prepend Original Value for XSS security tests
  • Fixed authentication verifier to omit empty keywords for keyword based authentication
  • Fixed authentication verifier to omit keywords longer than 200 characters for keyword based authentication
  • Fixed authentication verifier to omit keywords containing null bytes for keyword based authentication
  • Fixed URL rewrite analysis to respect case sensitivity settings
  • Fixed a form authentication issue which image submit elements were not clicked
  • Fixed send to extension context menu which does not focus Extensions section when Options dialog is opened
  • Fixed a form authentication verification issue which may crash when username and/or password is empty
  • Fixed a manual crawling issue when proxy was left open when you start a regular scan after a manual crawling
  • Fixed custom reporting sample code on user manual to match the latest reporting API
  • Fixed an issue occurs when the HTTP response body starts with unicode BOM
  • Fixed Open Redirect security checks where it should not perform DOM based checks if DOM checks are turned off
  • Fixed fiddler logging where form authentication requests were not being captured
  • Fixed static resource finder where it was not following a redirect if only the protocol portion of an URL changes
  • Fixed Start a New Scan dialog where Schedule Scan dialog was always shown when you first try to schedule a scan
  • Fixed DOM simulation hangs if a rogue JavaScript call enters an endless loop
  • Fixed slow XSS highlights on some responses
  • Fixed disk space detection on cases when there are no space left on disk where Invicti documents folder resides
  • Fixed the issue on Start a New Scan dialog where some check box values were not restored correctly
  • Fixed a bug where Full-Url LFI attack which is specific to Ruby-on-Rails applications could not be confirmed
  • Fixed a bug where XSS vulnerability could not be confirmed when injection occurs in the middle of a CSS style
  • Fixed a bug where generated XSS exploit did not work due to incorrect encoding
  • Fixed a bug where a false-positive file upload vulnerability was reported
  • Fixed a bug where maximum amount of hard fails was preventing next scan making HTTP requests
  • Fixed "Missing Content-Type" reporting issue where redirected responses should not be reported
  • Fixed Set-Cookie response headers being merged issue on response viewers
  • Fixed an issue where send failures were not being handled while making HTTP requests
  • Fixed credit card reporting issue where the value specified in default form values section should not be reported
  • Fixed the trimmed parameter name issue on controlled scan pane
  • Fixed ignore vulnerability issue function where it was not working for comparison reports
  • Fixed documentation for nginx vulnerability template that tells how to fix the issue
  • Fixed HSTS support for form authentication HTTP requests
  • Fixed a bug which prevents attacking from resuming when an existing session is imported
  • Fixed the issue of HttpRequests.saz file being truncated when a scan is resumed after import
  • Fixed fiddler log file saving issue where chunked response bodies were not being saved correctly
  • Fixed a URI parsing issue where non-HTTP(S) protocols are ignored
  • Fixed a DOM XSS scanner issue that crashes Invicti when a long URL is parsed
  • Fixed a bug where an attribute based attack could not be confirmed as XSS
  • Fixed a bug where an injection with "javascript:" protocol for XSS attacks occurs after a new line
  • Fixed a bug where exploitation goes into loop and causes an unresponsive UI for error based SQLi
  • Fixed a bug where redirection happens relatively and reported as Open Redirect vulnerability
  • Fixed an issue where importing links to an existing profile with imported links was failing
  • Fixed generated report name issue where and extra .htm extension is added to report file if run from command line
  • Fixed an unhandled ArgumentException raised from permanent XSS detection
  • Fixed the issue that Invicti hangs with a confirmation dialog upon scan completion when started with /auto command line parameter
  • Fixed an issue where a Groovy RCE is reported as Perl RCE
  • Fixed an issue where a scan started with Scan Imported Links option were attacking to links those are not imported
  • Fixed an issue where retest request is started with the attacked value and causes a vulnerability creation in a different injection point
  • Fixed a WSDL parsing issue where reference parameters were not handled
  • Fixed a WSDL parsing issue where XML types were not handled
  • Fixed a visual bug where "Security Check Groups" description text was clipped
  • Fixed a bug where illegal characters were causing invalid XML reports
  • Fixed an issue where RCE Perl exploitation could not be performed due to incorrect encoding
  • Fixed an issue with auto complete input reporting where highlighting was not correct
  • Fixed an issue with web app fingerprinting where pausing the scan was not pausing it
  • Fixed an issue that occurs during form authentication with an HSTS site that performs redirects to an URL with http protocol
  • Fixed a form authentication configuration issue where both keyword based and redirect based logout detection pattern could be configured
  • Fixed a bug where the hash is reported incorrectly in a DOM based XSS vulnerability
  • Fixed the misleading content in basic authentication over clear text vulnerability
Invicti Security Corp
1000 N Lamar Blvd Suite 300
Austin, TX 78703, US
© Invicti {year}
Resources
FeaturesIntegrationsPlansCase StudiesRelease NotesInvicti Learn
Use Cases
Penetration Testing SoftwareWebsite Security ScannerEthical Hacking SoftwareWeb Vulnerability ScannerComparisonsOnline Application Scanner
Web Security
The Problem with False PositivesWhy Pay for Web ScannersSQL Injection Cheat SheetGetting Started with Web SecurityVulnerability IndexUsing Content Security Policy to Secure Web Applications
Comparison
Acunetix vs. InvictiBurp Suite vs. InvictiCheckmarx vs. InvictiProbely vs. InvictiQualys vs. InvictiTenable Nessus vs. Invicti
Company
About UsContact UsSupportCareersResourcesPartners

Invicti Security is changing the way web applications are secured. Invicti’s dynamic and interactive application security products help organizations in every industry scale their overall security operations, make the best use of their security resources, and engage developers in helping to improve their overall security posture.

LegalPrivacy PolicyCalifornia Privacy RightsTerms of UseAccessibilitySitemap
Privacy Policy