Home
/
Documentation
/
24-Aug-2017
Invicti Product Release Notes
Invicti Enterprise On-Demand
Invicti Enterprise On-Premises
Invicti Standard
Invicti Application Security Platform
24 Aug 2017

24-Aug-2017

NEW FEATURES

  • New Basic, NTLM, Digest and Kerberos authentication settings to support multiple credentials for different URL paths.

NEW SECURITY CHECKS

  • Checks for default pages of IIS 10.0, 8.5, 7.5, 7.0 web servers.
  • Checks for WordPress Setup Configuration File.
  • Remote Code Execution checks for Node.js on Windows.

IMPROVEMENTS

  • Improved Local File Inclusion (LFI) attack patterns.
  • Improved DOM XSS attack patterns.
  • Improved Blind Command Injection detection on Linux systems.
  • Added response compression and length information to HTTP Request Builder.
  • Displaying times in 24-hour format on scan reports.
  • Improved DOM/JavaScript simulation.
  • Improved the performance of email address disclosure detection.
  • Improved the performance of database connection string disclosure detection.
  • Improved the performance of JavaScript library detection.
  • Improved the performance of RoR database configuration detection.
  • Improved "Enter Links" dialog by adding format selection for all the supported import formats.
  • Added parameter type information to nodes on "Issues" panel.
  • Improved scan import performance significantly.
  • Added context menu item for sitemap root node to open the scan folder.
  • Improved resource finder to find more hidden resources.
  • Time zone information added to reports.
  • Improved support for simulating customized select elements.
  • Improved NTLM, Digest and Kerberos authentication support.
  • Improved DOM simulation stability and performance.
  • Added the list of URLs that do not match the rewrite rules on URL Rewrite knowledge base.
  • Added number of links that match to a URL Rewrite rule on URL Rewrite knowledge base.
  • Added out of scope links count information to the knowledge base.
  • Improved the default parameter name list for Parameter Based Navigation.
  • Added NTLM and Digest authentication support to the generated sqlmap and cURL commands.
  • Improved boolean and blind SQL injection checks for MySQL databases.
  • Improved blind SQL injection checks for PostgreSQL databases.
  • Added excluded URLs list to the detailed scan report.
  • Improved reflected and stored XSS detection.
  • HSTS checks now reports missing preload directives.
  • Updated Korean translation.
  • Added XML report types for Crawled URLs List and Scanned URLs List reports.
  • Added toolbar to open and copy URLs for Browser View tab.
  • Improved JSON response parsing.
  • Improved DOM based XSS payloads by prepending a URL to referer to make it practically work on web browsers.
  • Improved email disclosure checks by checking host names against to public suffix list.

FIXES

  • Fixed the error caused by null bytes in attack patterns while sending vulnerabilities to JIRA.
  • Fixed an incorrect "Password Transmitted over HTTP" issue for relative URLs on pages redirected to HTTPS addresses.
  • Fixed the NullReferenceException thrown while importing certain HAR (HTTP Archive) files.
  • Fixed the missing activities while performing a controlled scan.
  • Fixed the missing DOM parsing activity when "Override Target URL with authenticated page" option is selected.
  • Fixed the incorrect total security check count while performing controlled scans on activity list.
  • Fixed incorrect "Interesting Header" report for Content-Security-Policy header.
  • Fixed the redundant extra headers added to requests while using request builder.
  • Fixed the disabled "Start Proxy" button when Invicti is opened after an application crash.
  • Fixed directory listing is not reported issues on some IIS versions.
  • Fixed page break issues on reports.
  • Fixed the issue where comments in CSS files are not parsed.
  • Fixed the incorrect URL found in CSS comments.
  • Fixed incorrect CSRF vulnerability reports by taking hidden token input into account.
  • Fixed an IndexOutOfRangeException caused by CSP checks.
  • Fixed the signature pattern which fails to match "Programming Error Message (PHP)" in multiple lines.
  • Fixed markdown XSS attack patterns causing incorrect findings.
  • Fixed the double quote encoding issue on generated sqlmap commands.
  • Fixed incorrect "Interesting Header" reports for some headers.
  • Fixed the incorrect http protocol displayed for SSL vulnerabilities.
  • Fixed the duplicate delete confirmation message while deleting the scan and report policies using a keyboard shortcut.
  • Fixed an issue where DOM simulation is performed for checking XSS once per XPath.
  • Fixed the incorrect progress report during controlled scans.
  • Fixed the encoding issue on reported DOM XSS stack traces.
  • Fixed the highlighting issue of multiple custom data reported on vulnerabilities.
  • Fixed the incorrect rows deleted issue when multiple rows are selected on imported links section.
  • Fixed the incorrect behaviour of move up/down controls on custom URL rewrite section.
  • Fixed the maximum crawled URL limit exceeded issue.
  • Fixed duplicate resource finder requests.
  • Fixed CSS escaping in CSS selector generation.
  • Fixed the failing error report when the unexpected exception title is too long.
  • Fixed the WADL import issue where the operation fails for responses with no status codes.
  • Fixed incorrect HttpOnly reports of XSRF-TOKEN cookies, due to its nature these cookies must be accessed from JS code.
  • Fixed incorrect cURL and sqlmap commands when basic authentication is used.
  • Fixed the incorrect missing object-src report on CSP checks.
  • Fixed an issue where default crawled value is double-encoded instead of single.
  • Fixed the problem where the unique links added twice while importing Postman files.
  • Fixed the "Property set method not found" that occurs while using FogBugz send to action
  • Fixed the missing content for Site Profile section of Knowledge Base report.
  • Fixed "The selected task no longer exists." error when trying to run a scheduled scan on some Windows machines.