Invicti Product Release Notes
3-Oct-2016

NEW FEATURES

  • Added the ability to configure the scanner to scan websites which are linked from the target website.
  • Added the Common Vulnerability Scoring System (CVSS) in vulnerability reports.
  • Added the ability to play sounds when certain program events occur (e.g. scan finished, vulnerability found).
  • Added OWASP Proactive Guide to classification list.

NEW SECURITY CHECKS

  • Added security checks for Content Security Policy (CSP) web security standard.
  • Added DOM based open redirection security check.

IMPROVEMENTS

  • Improved XSS security checks coverage.
  • Improved the Report Policy Editor.
  • Improved the default filename of generated exploits.
  • Renamed "Permanent XSS" vulnerability to "Stored XSS".
  • Authentication credentials are now stored encrypted in profile files.
  • Increased the number of vulnerabilities for which the scanner highlights the text related to the vulnerability in the HTTP response viewer.
  • Added an option to follow redirects for the HTTP Request Builder.
  • Added auto completion support to Scan Policy > Headers grid for well-known request headers.
  • Added the version information of Invicti to the reports.
  • Added type ahead search functionality for Scan Policy > Security Checks.
  • Added HTTP methods to AJAX / XML HTTP Requests knowledgebase section.
  • Added editing support for imported links.
  • Optimized the performance of SOAP web service parsing by skipping the WSDLs that are already parsed.
  • Added Scan Policy > Crawling options to enable/disable parsing of SOAP and REST web services.
  • Added JavaScript dialog support for form authentication verification dialog.
  • Improved HTTP request logging by splitting log files once a certain number of requests have been logged.
  • Improved DOM simulation by simulating "contextmenu" events.
  • Added "Attacked Parameters" column to "Scanned URLs List" report.
  • Improved the Manual Crawl (Proxy Mode) feature to work passively and not re-issue the requests made during the manual crawl phase.
  • Increased the default values for "Maximum Page Visit" and "Max. Number of Parameters to Attack on a Single Page" settings.
  • Improved XML parsing during crawling by parsing empty XML elements as parameters too.
  • Added the ability to attack parameter names.
  • Added a note to vulnerability detail for non-exploitable frame injection.
  • Added .jhtml and .jsp attacks to file upload engine.
  • Improved CORS security checks.
  • Improved Open Redirect engine to detect CNAME injection such as example.com.r87.com.
  • Added tooltips for long texts shown on activity dashboard.
  • Added current DOM XSS attack information to activity pane.
  • Improved XSS confirmation for vulnerabilities found inside noscript tags.
  • Added a new method (Vulnerability.GetTemplateSections) for reporting API to be able to get vulnerability template section content separately.
  • Added an attack pattern to the command injection engine to bypass whitespace filtering using $IFS environment variable.
  • Added /resumescan parameter to command line options to resume the loaded scan.
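The CNAME-injection case from the Open Redirect item above (a redirect target such as example.com.r87.com), as an added example that is not Invicti's code: a redirect-target validator showing the flawed prefix check that lets such hosts through, beside a strict allow-list check. The host names and the allow-list are constructed for illustration.

```python
# Added example (not Invicti's code). Shows why a prefix check on the hostname
# accepts "example.com.r87.com" (an attacker-controlled domain whose subdomain
# merely starts with the trusted name) and how an exact allow-list match does not.
from urllib.parse import urlparse

ALLOWED_HOSTS = {"example.com", "www.example.com"}  # constructed allow-list


def naive_is_safe_redirect(target: str) -> bool:
    """Flawed check: trusts any URL whose hostname *starts with* the trusted domain."""
    host = urlparse(target).hostname or ""
    return host.startswith("example.com")


def strict_is_safe_redirect(target: str) -> bool:
    """Hardened check: exact hostname match against an allow-list, http(s) only,
    or a single-slash relative path on the same site."""
    # Backslashes and control characters are rejected outright: browsers treat
    # "\" like "/" and CR/LF could split headers.
    if any(c in target for c in "\\\r\n\t"):
        return False
    try:
        parsed = urlparse(target)
    except ValueError:  # e.g. malformed IPv6 brackets
        return False
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative path: "/account" is fine, "//r87.com/x" is scheme-relative and is not.
        return target.startswith("/") and not target.startswith("//")
    if parsed.scheme not in ("http", "https"):
        return False  # rejects javascript:, data:, etc.
    host = (parsed.hostname or "").rstrip(".")  # .hostname is already lower-cased
    return host in ALLOWED_HOSTS


def compare(target: str) -> tuple:
    """Return (naive_verdict, strict_verdict) for one redirect target."""
    return naive_is_safe_redirect(target), strict_is_safe_redirect(target)


if __name__ == "__main__":
    for t in ("https://example.com/home", "https://example.com.r87.com/",
              "https://example.comevil.net/", "//r87.com/x", "/account"):
        print(t, compare(t))
```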

FIXES

  • Fixed an issue where incorrect PHP source code disclosures are reported for some binary responses.
  • Fixed the position of clipped auto update notification.
  • Fixed the broken External Reference link on Remote Code Evaluation (PHP) vulnerability.
  • Fixed a file upload input DOM parsing issue which prevents some file upload attacks.
  • Fixed an issue where switching between builder and raw tabs causes POST parameter to be removed on Request Builder.
  • Fixed the duplicate log printed for same WSDLs.
  • Fixed a NullReferenceException thrown when the Request Builder fails to make a request with the current SecurityProtocol setting.
  • Fixed the blurred message dialog icons on high DPI screens.
  • Fixed various navigation issues of Previous and Next buttons on HTTP Response viewer.
  • Fixed a Request Builder issue where the GET parameter went missing when a full querystring/URL attack request was sent.
  • Fixed a form authentication issue that occurs on websites that open popups during the form authentication sequence.
  • Fixed a DOM simulation issue that occurs when there is a form element named "action" on the target web page.
  • Fixed a duplicate cookie issue that occurs while using the Manual Crawling (Proxy Mode) scanning feature.
  • Fixed duplicate "Email Address Disclosure" reporting issue.
  • Fixed a NullReferenceException that occurred during CORS security checks.
  • Fixed an issue where current OS UI language was not being selected automatically upon first start.
  • Fixed a CSRF exploit generation issue where the generated file is empty.
  • Fixed an issue where injection/identification responses could not be displayed for file upload vulnerabilities.
  • Fixed an issue where XSS vulnerability is missed when multiple redirects occur.
  • Fixed a text parsing issue where relative URLs were not supported as base href values.
  • Fixed an issue where Missing X-Frame-Options Header vulnerability is reported even though ALLOW-FROM is included in the header.
  • Fixed an XSS attacking issue where duplicate attacks are made for same payload.
  • Fixed a Header Injection attack issue where first line of the HTTP request gets corrupted on full URL attacks.
  • Fixed an issue where post exploitation does not work sometimes.
  • Fixed a form authentication issue where any slash character in credentials cannot be used.
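The ALLOW-FROM case from the X-Frame-Options fix above, as an added example that is not Invicti's code: a response-header classifier that treats "ALLOW-FROM <uri>" as a present X-Frame-Options header rather than a missing one, together with the CSP frame-ancestors check that the CSP security checks item in this release would also need. The header values are constructed.

```python
# Added example (not Invicti's code). Classifies framing protection from response
# headers so that "ALLOW-FROM https://..." is not flagged as a missing header.
from urllib.parse import urlparse


def _header(headers: dict, name: str):
    """Case-insensitive header lookup; returns None when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def classify_x_frame_options(headers: dict) -> str:
    """Return 'missing', 'deny', 'sameorigin', 'allow-from' or 'invalid'."""
    value = _header(headers, "X-Frame-Options")
    if value is None or value.strip() == "":
        return "missing"
    value = value.strip()
    if "," in value:
        return "invalid"  # several directives in one value is not a valid header
    token = value.upper()
    if token == "DENY":
        return "deny"
    if token == "SAMEORIGIN":
        return "sameorigin"
    if token.startswith("ALLOW-FROM "):
        uri = value[len("ALLOW-FROM "):].strip()
        parsed = urlparse(uri)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            return "allow-from"  # present and well-formed: do not report as missing
    return "invalid"


def csp_frame_ancestors(headers: dict):
    """Return the frame-ancestors source list from CSP, or None if not set."""
    csp = _header(headers, "Content-Security-Policy")
    if csp is None:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def has_frame_protection(headers: dict) -> bool:
    """True if either CSP frame-ancestors or a valid X-Frame-Options value is present."""
    if csp_frame_ancestors(headers) is not None:
        return True
    return classify_x_frame_options(headers) in ("deny", "sameorigin", "allow-from")
```

ALLOW-FROM is obsolete and ignored by current browsers, so a defender should rely on CSP frame-ancestors for framing control and treat ALLOW-FROM only as evidence that the header was configured.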