Invicti Product Release Notes
26 Jan 2017
26-Jan-2017
New Features
- Authentication & session verification for form based authentication.
- Credentials test for Basic and NTLM/Kerberos authentication mechanisms.
- Support for the Invicti Hawk infrastructure, used for detecting SSRF and out-of-band vulnerabilities.
- Added HTTP request rate limiting options to Scan Policy.
- Added "Ignored Email Addresses" section in Scan Policy.
- Added accept and reject options for untrusted SSL certificates.
- Added an option to disable automatic detection of 404 error pages.
- Support for importation of Postman files.
New Security Checks
- New security checks for Server Side Request Forgery (SSRF) vulnerability
- New security checks for out-of-band vulnerabilities such as OOB SQL Injection, OOB XXE, Blind XSS, OOB RCE, OOB RFI etc.
- New security check for Stored DOM based XSS
- Added "Missing object-src in CSP Declaration" vulnerability detection.
- Added "Apache Multiple Choices" vulnerability detection.
Improvements
- Improved the performance of several link importers.
- Added "Bearer Token" support for form authentication.
- Added confirmation for Frame Injection vulnerabilities.
- Added http: and https: checks for CSP vulnerability detection.
- Improved link importers - redundant CONNECT requests are now excluded.
- Optimized attacker performance for links containing single parameter.
- Optimized crawling parser by skipping DOM simulation on pages with static content.
- Improved coverage of CORS security check with extra attacks.
- Removed GWT attacks from file upload security checks.
- Improved DOM simulation performance.
- Improved CSS parsing which now follows CSS import directives.
- Improved coverage of open redirect security checks by adding/updating attacks patterns.
- Improved logout detection by skipping JavaScript responses.
- Added support for "HTTP 410 Gone" and "HTTP 451 Unavailable For Legal Reasons" response status codes.
- Added CVSS information to more vulnerabilities.
- Updated vulnerability database.
- Added URL Rewrite mode to Detailed Scan Report.
- Added support for configuring websites on manage groups page.
- Improved the UI & UX of several pages.
Bug Fixes
- Fixed an issue where a āmultiple cookies issueā should not be reported.
- Fixed a JSON parsing issue with text parser.
- Fixed an HTTP response issue where the response could not be read because only BOM bytes are sent on first read attempt.
- Fixed an issue where a false positive file upload vulnerability might be reported.
- Fixed several DOM simulation issues on pages that have many iframe elements.
- Fixed a NullReferenceException while performing an internal MD5 encoding operation.
- Fixed an encoding issue on a proof URL of an XSS vulnerability.
- Fixed an issue where "Shell Script Identified" vulnerability is not found when retested.
- Fixed URL parsing on pages where the URLs were containing whitespace characters like carriage return and line feeds.
- Fixed a text parsing issue where absolute URLs were converted to invalid relative URLs.
- Fixed incorrect protocol detection for protocol-relative URLs.
- Fixed an issue which occurs during importing websites with unix line endings.
- Fixed a retest issue which occurs if vulnerable URL contains a dash character.
- Fixed an issue where SSL details were not shown properly on knowledge base report.