🚀 Invicti Acquires Kondukto to Deliver Proof-Based Application Security Posture Management
100% Signal 0% Noise
Platform
Platform Overview
ASPM
API Security
DAST
SAST
SCA
Container Security
AI-Powered AppSec
Features
Pricing
Why Invicti
About Us
Case Studies
Contact Us
Resources
Resource Library
Blog
Webinars
White Papers
Podcasts
Case Studies
Invicti Learn
Live Training
Partners
Support
Get a demo
Home
/
Documentation
/
18-Dec-2018
Invicti Product Release Notes
Invicti Enterprise On-Demand
Invicti Enterprise On-Premises
Invicti Standard
Invicti Application Security Platform
18 Dec 2018

18-Dec-2018

NEW FEATURES

  • Rewrote Sitemap and Issues trees which improves the performance and adds features like filtering, grouping, sorting and searching.
  • Added vulnerability families feature where similar types of vulnerabilities are not reported separately
  • Added support for Swagger 3 / OpenAPI link import
  • Added support for 64-bit smart card drivers for authentication
  • Added GitLab Send To integration
  • Added Bitbucket Send To integration
  • Added Unfuddle Send To integration
  • Added Zapier Send To integration
  • Added Azure DevOps Send To integration
  • Added support for importing links from IOdocs file format
  • Added automatic upload to Invicti Enterprise option
  • Added copy to clipboard buttons to request and response viewers
  • Added a new Knowledge Base item for Not Found pages
  • Added a hex view for binary responses in reports
  • Added options to switch Scan Profile, Scan Policy and Report Policy for the current scan
  • Added Uncheck by Severity context menu item to the Report Policy editor
  • Added ISO 27001 vulnerability classifications and report template
  • Added raw value support for Send To custom fields
  • Added option to report variations of vulnerabilities

NEW SECURITY CHECKS

  • Added a new pattern for CherryPy Version Disclosure
  • Added an LFI attack pattern for WEB-INF/web.xml
  • Added Ruby Error Disclosure detection
  • Added WP Engine Configuration File detection
  • Added CherryPy Stack Trace Disclosure detection
  • Added Intro.js out-of-date version detection
  • Added Axios out-of-date version detection
  • Added Fingerprintjs2 out-of-date version detection
  • Added XRegExp out-of-date version detection
  • Added DataTables out-of-date version detection
  • Added Lazy.js out-of-date version detection
  • Added FancyBox out-of-date version detection
  • Added Underscore.js out-of-date version detection
  • Added Lightbox out-of-date version detection
  • Added JBoss application server out-of-date version detection
  • Added SweetAlert2 out-of-date version detection
  • Added Lodash out-of-date version detection
  • Added Bluebird out-of-date version detection
  • Added Polymer out-of-date version detection

IMPROVEMENT

  • Separated the Scan Activity panel and Progress chart into their own dock panels below
  • Added a button to the Reporting tab for creating new Custom Report Templates
  • Improved Knowledge Base item updates to prevent unexpected scrolling to the top of the screen
  • Ordered several Knowledge Base items alphabetically
  • Concurrent Connection count of imported scans can be modified
  • Changed default Issue type to Story in JIRA Send To integration
  • Changed CallerId field to optional in ServiceNow Send To integration
  • Added PHP extension attack for Nginx vulnerability to File Upload engine
  • Added File Upload patterns for Nginx parsing vulnerability
  • Added settings to File Upload engine for configuring upload folders
  • Added errorlog.axd detection support
  • Improved elmah.axd detection
  • The severity of the Cookie Not Marked as Secure vulnerability was lowered for non-session cookies
  • Improved SSTI PHP Smarty attack detection
  • Retest All can now be started when the scan is paused
  • Improved the Swagger link importer to handle additional properties with integer and string value types
  • Improved the Expect-CT engine by only reporting a vulnerability once for each host
  • Improved RSA key confirmation by handling OpenPGP format
  • Added a Statistics tab to the HTTP response viewer
  • Increased the HSTS Not Enabled vulnerability severity from Information to Low
  • Improved HTTP 407 proxy authentication error handling
  • Improved missing license handling for non-interactive Windows sessions
  • Controlled scan is now cancelled when a new scan is imported
  • Added classifications to the HSTS Not Enabled vulnerability
  • Excluded unpopular JavaScript Library Out of Date checks from the default policy to improve performance
  • Improved the user experience of suggestions in the Scan Policy Optimizer when navigating back and forward in the wizard
  • New certificate imported for Client Certificate Authentication is automatically selected
  • Improved JSON request/response viewer performance for large documents
  • Spaces in URLs of vulnerabilities are encoded in the vulnerability viewer
  • Improved CSP security checks by analyzing empty responses, as CSP can be declared on headers instead of meta tags
  • Generalized the RegEx Pattern of the trace.axd detected vulnerability to match all languages
  • Updated HTTP response data of vulnerabilities after retest
  • Scan Policy Optimizer now respects the security engine and pattern selections of the base policy
  • Improved JSON format detection
  • Replaced Unicode replacement characters with question marks in responses
  • Added a Scan Policy option to attack cookies
  • Improved element click DOM simulation for various element types
  • SRI Not Implemented will no longer be reported for localhost URLs
  • Improved ASP.NET error message detection
  • Added descriptions to PCI categories in the PCI Compliance Report
  • Improved Boolean SQL Injection detection
  • Improved the Blind Command Injection attack patterns
  • Improved the representation of Report Template compilation errors
  • Removed the dependency of Object Model Installer for using TFS Send To integration
  • Improved the language used in Retest and Controlled Scan results
  • Focused policies are now set to the currently used ones in Scan Policy Editor and Report Policy Editor
  • Misconfigured X-Frame-Options Header is now reported separately
  • Improved source code disclosure checks to prevent reporting JavaScript template pages
  • The link to a created Issue is now displayed on the status bar after sending a vulnerability to an integration
  • Status code, status description and content length information have been added to the Slowest Pages knowledge base node
  • Retest activities are marked on the Scan Activity panel
  • Added the list of failed vulnerabilities to retest results dialog
  • Improved WADL document parsing by ignoring DTDs
  • Improved Open Redirect DOM based confirmation performance
  • Long identified source code is shortened in Possible Source Code Disclosure vulnerabilities
  • Cookie vulnerabilities report where the cookie is set from
  • Improved the multi-line representation of LFI Exploitation data
  • Removed the redundant scan save confirmation dialog displayed when closing the app
  • Improved Swagger Document Format detection
  • Options dialog now remembers its location and size
  • File upload engine now detects new links in the response after the file is uploaded

FIXES

  • Fixed double URL encoding problem in various Report Templates
  • Fixed parsing issue that occurs when the upload folder contains a slash
  • Fixed the issue where authentication does not work when retesting
  • Fixed an exception thrown prior to scan when the language is set to Korean
  • Fixed the incorrect license holder name displayed on application title
  • Fixed a controlled scan issue where it fails if the connection check response status code is not 200 (OK)
  • Fixed Jira send to custom field values by HTML encoding them
  • Fixed double HTML encoding problem in TFS Send To template
  • Fixed the issue where the connection error is displayed during a controlled scan when the response status code is not 200 (OK)
  • Fixed a NullReferenceException thrown when a link label is clicked in a dialog
  • Fixed display of Post Scan ribbon group's caption text
  • Fixed the issue where the Swagger importer generates an invalid JSON request body
  • Fixed the ArgumentException thrown while performing Heartbleed security checks
  • Fixed visibility of fixed vulnerabilities in Report Templates
  • Fixed the issue where the wrong version was identified for Drupal
  • Fixed the UriFormatException thrown during SSRF (Hawk) URI validation
  • Fixed a disallowed HTTP method issue where some methods were still being allowed
  • Fixed a typo in the CSP Not Implemented vulnerability details
  • Fixed the issue where SRI Not Implemented URLs were not properly highlighted in the source code
  • Fixed an InvalidCastException thrown while loading the panel layout
  • Fixed a Form Authentication issue that occured on some React-based websites
  • Fixed the issue where the old scan's activities continued even when another scan was imported while performing a Retest All
  • Fixed a NullReferenceException thrown in Retest
  • Fixed signature detection for links found via the crawler
  • Fixed an issue in CSP engine where it reported an incorrect vulnerability
  • Fixed an URL encoding issue in DOM simulation that was causing some vulnerabilities to be missed
  • Fixed the issue where the text parser incorrectly parsed extensions in the onclick event
  • Fixed the incorrect Retest Fail dialog in the InternalServerError vulnerability
  • Fixed the URL decoding issue when the URL was copied in the Issues panel
  • Fixed the comments that were injected via Invicti attacks reported in the Knowledge Base Comment node
  • Fixed duplicate parsing source field values reported for IFrame vulnerabilities
  • Fixed a corrupted PDF report
  • Fixed an issue where Apache MultiViews could not be detected in the target server
  • Fixed the incorrect Cookie Expire Date set during Form Authentication
  • Fixed the incorrect Source Code Disclosure report caused by SSTI attacks
  • Fixed a Content-Type parsing issue in Form Authentication
  • Fixed the issue where cookies received via Form Authentication were not being analyzed for vulnerabilities
  • Fixed the NullReferenceException thrown by the Request Builder if there were no scans open
  • Fixed the incorrect Source Code Disclosure reported when an XSS via RFI vulnerability was found
  • Fixed an Out of Memory issue that occurred while trying to view a large document
Invicti Security Corp
1000 N Lamar Blvd Suite 300
Austin, TX 78703, US
© Invicti {year}
Resources
FeaturesIntegrationsPlansCase StudiesRelease NotesInvicti Learn
Use Cases
Penetration Testing SoftwareWebsite Security ScannerEthical Hacking SoftwareWeb Vulnerability ScannerComparisonsOnline Application Scanner
Web Security
The Problem with False PositivesWhy Pay for Web ScannersSQL Injection Cheat SheetGetting Started with Web SecurityVulnerability IndexUsing Content Security Policy to Secure Web Applications
Comparison
Acunetix vs. InvictiBurp Suite vs. InvictiCheckmarx vs. InvictiProbely vs. InvictiQualys vs. InvictiTenable Nessus vs. Invicti
Company
About UsContact UsSupportCareersResourcesPartners

Invicti Security is changing the way web applications are secured. Invicti’s dynamic and interactive application security products help organizations in every industry scale their overall security operations, make the best use of their security resources, and engage developers in helping to improve their overall security posture.

LegalPrivacy PolicyCalifornia Privacy RightsTerms of UseAccessibilitySitemap
Privacy Policy