Home
/
Documentation
/
18-Dec-2018
Invicti Product Release Notes
Invicti Enterprise On-Demand
Invicti Enterprise On-Premises
Invicti Standard
Invicti Application Security Platform
18 Dec 2018

18-Dec-2018

NEW FEATURES

  • Rewrote Sitemap and Issues trees which improves the performance and adds features like filtering, grouping, sorting and searching.
  • Added vulnerability families feature where similar types of vulnerabilities are not reported separately
  • Added support for Swagger 3 / OpenAPI link import
  • Added support for 64-bit smart card drivers for authentication
  • Added GitLab Send To integration
  • Added Bitbucket Send To integration
  • Added Unfuddle Send To integration
  • Added Zapier Send To integration
  • Added Azure DevOps Send To integration
  • Added support for importing links from IOdocs file format
  • Added automatic upload to Invicti Enterprise option
  • Added copy to clipboard buttons to request and response viewers
  • Added a new Knowledge Base item for Not Found pages
  • Added a hex view for binary responses in reports
  • Added options to switch Scan Profile, Scan Policy and Report Policy for the current scan
  • Added Uncheck by Severity context menu item to the Report Policy editor
  • Added ISO 27001 vulnerability classifications and report template
  • Added raw value support for Send To custom fields
  • Added option to report variations of vulnerabilities

NEW SECURITY CHECKS

  • Added a new pattern for CherryPy Version Disclosure
  • Added an LFI attack pattern for WEB-INF/web.xml
  • Added Ruby Error Disclosure detection
  • Added WP Engine Configuration File detection
  • Added CherryPy Stack Trace Disclosure detection
  • Added Intro.js out-of-date version detection
  • Added Axios out-of-date version detection
  • Added Fingerprintjs2 out-of-date version detection
  • Added XRegExp out-of-date version detection
  • Added DataTables out-of-date version detection
  • Added Lazy.js out-of-date version detection
  • Added FancyBox out-of-date version detection
  • Added Underscore.js out-of-date version detection
  • Added Lightbox out-of-date version detection
  • Added JBoss application server out-of-date version detection
  • Added SweetAlert2 out-of-date version detection
  • Added Lodash out-of-date version detection
  • Added Bluebird out-of-date version detection
  • Added Polymer out-of-date version detection

IMPROVEMENT

  • Separated the Scan Activity panel and Progress chart into their own dock panels below
  • Added a button to the Reporting tab for creating new Custom Report Templates
  • Improved Knowledge Base item updates to prevent unexpected scrolling to the top of the screen
  • Ordered several Knowledge Base items alphabetically
  • Concurrent Connection count of imported scans can be modified
  • Changed default Issue type to Story in JIRA Send To integration
  • Changed CallerId field to optional in ServiceNow Send To integration
  • Added PHP extension attack for Nginx vulnerability to File Upload engine
  • Added File Upload patterns for Nginx parsing vulnerability
  • Added settings to File Upload engine for configuring upload folders
  • Added errorlog.axd detection support
  • Improved elmah.axd detection
  • The severity of the Cookie Not Marked as Secure vulnerability was lowered for non-session cookies
  • Improved SSTI PHP Smarty attack detection
  • Retest All can now be started when the scan is paused
  • Improved the Swagger link importer to handle additional properties with integer and string value types
  • Improved the Expect-CT engine by only reporting a vulnerability once for each host
  • Improved RSA key confirmation by handling OpenPGP format
  • Added a Statistics tab to the HTTP response viewer
  • Increased the HSTS Not Enabled vulnerability severity from Information to Low
  • Improved HTTP 407 proxy authentication error handling
  • Improved missing license handling for non-interactive Windows sessions
  • Controlled scan is now cancelled when a new scan is imported
  • Added classifications to the HSTS Not Enabled vulnerability
  • Excluded unpopular JavaScript Library Out of Date checks from the default policy to improve performance
  • Improved the user experience of suggestions in the Scan Policy Optimizer when navigating back and forward in the wizard
  • New certificate imported for Client Certificate Authentication is automatically selected
  • Improved JSON request/response viewer performance for large documents
  • Spaces in URLs of vulnerabilities are encoded in the vulnerability viewer
  • Improved CSP security checks by analyzing empty responses, as CSP can be declared on headers instead of meta tags
  • Generalized the RegEx Pattern of the trace.axd detected vulnerability to match all languages
  • Updated HTTP response data of vulnerabilities after retest
  • Scan Policy Optimizer now respects the security engine and pattern selections of the base policy
  • Improved JSON format detection
  • Replaced Unicode replacement characters with question marks in responses
  • Added a Scan Policy option to attack cookies
  • Improved element click DOM simulation for various element types
  • SRI Not Implemented will no longer be reported for localhost URLs
  • Improved ASP.NET error message detection
  • Added descriptions to PCI categories in the PCI Compliance Report
  • Improved Boolean SQL Injection detection
  • Improved the Blind Command Injection attack patterns
  • Improved the representation of Report Template compilation errors
  • Removed the dependency of Object Model Installer for using TFS Send To integration
  • Improved the language used in Retest and Controlled Scan results
  • Focused policies are now set to the currently used ones in Scan Policy Editor and Report Policy Editor
  • Misconfigured X-Frame-Options Header is now reported separately
  • Improved source code disclosure checks to prevent reporting JavaScript template pages
  • The link to a created Issue is now displayed on the status bar after sending a vulnerability to an integration
  • Status code, status description and content length information have been added to the Slowest Pages knowledge base node
  • Retest activities are marked on the Scan Activity panel
  • Added the list of failed vulnerabilities to retest results dialog
  • Improved WADL document parsing by ignoring DTDs
  • Improved Open Redirect DOM based confirmation performance
  • Long identified source code is shortened in Possible Source Code Disclosure vulnerabilities
  • Cookie vulnerabilities report where the cookie is set from
  • Improved the multi-line representation of LFI Exploitation data
  • Removed the redundant scan save confirmation dialog displayed when closing the app
  • Improved Swagger Document Format detection
  • Options dialog now remembers its location and size
  • File upload engine now detects new links in the response after the file is uploaded

FIXES

  • Fixed double URL encoding problem in various Report Templates
  • Fixed parsing issue that occurs when the upload folder contains a slash
  • Fixed the issue where authentication does not work when retesting
  • Fixed an exception thrown prior to scan when the language is set to Korean
  • Fixed the incorrect license holder name displayed on application title
  • Fixed a controlled scan issue where it fails if the connection check response status code is not 200 (OK)
  • Fixed Jira send to custom field values by HTML encoding them
  • Fixed double HTML encoding problem in TFS Send To template
  • Fixed the issue where the connection error is displayed during a controlled scan when the response status code is not 200 (OK)
  • Fixed a NullReferenceException thrown when a link label is clicked in a dialog
  • Fixed display of Post Scan ribbon group's caption text
  • Fixed the issue where the Swagger importer generates an invalid JSON request body
  • Fixed the ArgumentException thrown while performing Heartbleed security checks
  • Fixed visibility of fixed vulnerabilities in Report Templates
  • Fixed the issue where the wrong version was identified for Drupal
  • Fixed the UriFormatException thrown during SSRF (Hawk) URI validation
  • Fixed a disallowed HTTP method issue where some methods were still being allowed
  • Fixed a typo in the CSP Not Implemented vulnerability details
  • Fixed the issue where SRI Not Implemented URLs were not properly highlighted in the source code
  • Fixed an InvalidCastException thrown while loading the panel layout
  • Fixed a Form Authentication issue that occured on some React-based websites
  • Fixed the issue where the old scan's activities continued even when another scan was imported while performing a Retest All
  • Fixed a NullReferenceException thrown in Retest
  • Fixed signature detection for links found via the crawler
  • Fixed an issue in CSP engine where it reported an incorrect vulnerability
  • Fixed an URL encoding issue in DOM simulation that was causing some vulnerabilities to be missed
  • Fixed the issue where the text parser incorrectly parsed extensions in the onclick event
  • Fixed the incorrect Retest Fail dialog in the InternalServerError vulnerability
  • Fixed the URL decoding issue when the URL was copied in the Issues panel
  • Fixed the comments that were injected via Invicti attacks reported in the Knowledge Base Comment node
  • Fixed duplicate parsing source field values reported for IFrame vulnerabilities
  • Fixed a corrupted PDF report
  • Fixed an issue where Apache MultiViews could not be detected in the target server
  • Fixed the incorrect Cookie Expire Date set during Form Authentication
  • Fixed the incorrect Source Code Disclosure report caused by SSTI attacks
  • Fixed a Content-Type parsing issue in Form Authentication
  • Fixed the issue where cookies received via Form Authentication were not being analyzed for vulnerabilities
  • Fixed the NullReferenceException thrown by the Request Builder if there were no scans open
  • Fixed the incorrect Source Code Disclosure reported when an XSS via RFI vulnerability was found
  • Fixed an Out of Memory issue that occurred while trying to view a large document