🚀 Invicti Acquires Kondukto to Deliver Proof-Based Application Security Posture Management
100% Signal 0% Noise
Platform
Platform Overview
ASPM
API Security
DAST
SAST
SCA
Container Security
AI-Powered AppSec
Features
Pricing
Why Invicti
About Us
Case Studies
Contact Us
Resources
Resource Library
Blog
Webinars
White Papers
Podcasts
Case Studies
Invicti Learn
Live Training
Partners
Support
Get a demo
Home
/
Documentation
/
7-Apr-2017
Invicti Product Release Notes
Invicti Enterprise On-Demand
Invicti Enterprise On-Premises
Invicti Standard
Invicti Application Security Platform
07 Apr 2017

7-Apr-2017

New Features

  • A wizard to assist first time users add a new website and setup a web security scan
  • Late confirmation of vulnerabilities (vulnerabilities can be confirmed after the scan has finished with Invicti Hawk)

New Security Checks

  • New security check that detects insecure targets in Content Security Policy.
  • Added checks for exposure of trace.axd in ASP.NET applications.
  • New security check for Time Based Server-Side Request Forgery.
  • Added Markdown Injection attack pattern to XSS engine.
  • Added a Code Evaluation check for Apache Struts framework.

Improvements

  • Improved Boolean SQL Injection detection.
  • Updated the Local File Inclusion vulnerability classifications.
  • Improved Trace/Track security checks.
  • Improved coverage of XSS engine in redirects.
  • Added policy optimization support for SSRF security checks.
  • Added exploit generation support for "Cross-site Scripting via Remote File Inclusion" vulnerability.
  • Added a specialized parser to parse JavaScript responses better to reduce discovering incorrect links.
  • Improved form authentication logout detection by ignoring the responses of some attacks to prevent incorrect logout detections.
  • Added VDB support to Blind & Boolean SQLi post exploitation.
  • Added support for checking Open Redirection vulnerability on Refresh response header.
  • Added the XPath information of the element that causes the DOM XSS vulnerability.
  • Added "Sub Path Max Dynamic Signatures" setting for Heuristic URL Rewrite detection.
  • Added a JavaScript scan policy option to reduce triggered event count during the simulation.
  • Added a JavaScript scan policy option to exclude HTML elements such as logout buttons from event simulation by CSS selectors.
  • Added checks for vulnerabilities which sink into window.name capability for DOM XSS security checks.
  • Improved the coverage of the Local File Inclusion engine so the vulnerability can be found in a full url attack.
  • Changed severity numbers' style on scan result pages.
  • Added support for editing scan time window settings for running scans.
  • Highlighted special fields of vulnerability notes on the scan report page.
  • Settings of completed scans are automatically applied to new scans when a user launches a new scan from the recent scans page or scan report page.
  • Improved notifications email templates.
  • Improved help text by adding netsparker.com article links to relevant sections.
  • Improved input validation for request rate limit settings on the scan policy page.
  • Added support for remembering previously entered filters on list pages.
  • Allowing users to select CSV separator while export scan reports.
  • Added support to allow users to re-verify logout settings on the form authentication verification dialog.

Bug Fixes

  • Fixed several issues related to DOM parsing and simulation.
  • Fixed a NullReferenceException thrown by HTTP Methods checks.
  • Fixed a StackOverflowException caused by JSON responses with too many nested elements.
  • Fixed Proof of Concept generation during post exploitation for time based SQLi checks.
  • Fixed a NullReferenceException while confirming a Boolean SQLi vulnerability.
  • Fixed an issue where scan is paused when an additional host is unreachable.
  • Fixed typos in CSP vulnerability templates.
  • Fixed an issue where ignored emails are still reported as knowledge base issue.
  • Fixed an issue where source code disclosure is reported in JS and CSS files.
  • Fixed an SQL exploitation issue where executing a SQL query which expected an integer result is no longer giving failure for PostgreSQL database.
  • Fixed a Text Parser issue where single quote characters were being captured as part of links.
  • Fixed the incorrect path disclosure caused by the Shellshock attack.
  • Fixed missing SSRF proofs under Proofs knowledge base.
  • Fixed incorrect encoded parameter names for multipart/form-data forms.
  • Fixed the performance recrawling for DOM XSS checks on websites with lots of links.
  • Fixed the incorrect CR LF encoding issues on proof URLs.
  • Fixed DOM Parser clearInterval JavaScript function simulation.
  • Fixed an issue where stored XSS vulnerability is reported in an XHR response rather than in the page itself which makes XHR request.
  • Fixed an issue where Boolean SQL Injection vulnerability is missed due to crawled parameter value.
  • Fixed an issue where reflected XSS vulnerability is missed because the reflected payload is HTML encoded in an attribute.
  • Fixed an issue where Text Parser does not handle the same referenced JavaScript in different files.
  • Fixed an issue where timezone is not being set correctly when a validation error occurs on the signup page.
  • Fixed a filtering issue on the Manage Team page.
Invicti Security Corp
1000 N Lamar Blvd Suite 300
Austin, TX 78703, US
© Invicti {year}
Resources
FeaturesIntegrationsPlansCase StudiesRelease NotesInvicti Learn
Use Cases
Penetration Testing SoftwareWebsite Security ScannerEthical Hacking SoftwareWeb Vulnerability ScannerComparisonsOnline Application Scanner
Web Security
The Problem with False PositivesWhy Pay for Web ScannersSQL Injection Cheat SheetGetting Started with Web SecurityVulnerability IndexUsing Content Security Policy to Secure Web Applications
Comparison
Acunetix vs. InvictiBurp Suite vs. InvictiCheckmarx vs. InvictiProbely vs. InvictiQualys vs. InvictiTenable Nessus vs. Invicti
Company
About UsContact UsSupportCareersResourcesPartners

Invicti Security is changing the way web applications are secured. Invicti’s dynamic and interactive application security products help organizations in every industry scale their overall security operations, make the best use of their security resources, and engage developers in helping to improve their overall security posture.

LegalPrivacy PolicyCalifornia Privacy RightsTerms of UseAccessibilitySitemap
Privacy Policy