Home
/
Documentation
/
6.0.2.30446
Invicti Product Release Notes
Invicti Enterprise On-Demand
Invicti Enterprise On-Premises
Invicti Standard
Invicti Application Security Platform
07 Apr 2021

6.0.2.30446

NEW FEATURES

  • Added TLS 1.3 support
  • Added the character limit setting for Blind SQL Injection proof generation and enabled proof generation by default
  • Added the Common Vulnerability Scoring System field to the known vulnerabilities
  • Added the Vulnerability Database version to the scan logs

IMPROVEMENTS

  • Improved IPv6 support to cover all SSL checks
  • Added an advanced setting option to turn on/off the "disable-web-security" command line option while launching chromium
  • Added the redirect navigation support for DOM Parser
  • Fixed Ghost Chromium problems and DOM simulation leaks
  • Added multiple ISO Classification support
  • Added alphabetical order to the Knowledge Base nodes
  • Updated Invicti Shark (IAST) licensing
  • Improved WAF Identification checks to prevent false positives
  • Added CVSS3.0 and CVSS3.1 scoring for HSTS Policy Not Enabled
  • Improved Open Redirection checks
  • Updated Capture Group for OpenResty Version Disclosure
  • Updated DS_Store File Found Report Template
  • Changed the Referrer-Policy Report Template names to be more accurate
  • Refined Possible Stored XSS Vulnerability template
  • Added missing external references to SSL Templates that are removed after the merge
  • Added IAST suffix to titles of vulnerability detected by Invicti Shark
  • Updated OpenSSL regex
  • Updated OpenSSL version disclosure regex
  • Updated SSTI patterns to use specific type to match code execution patterns

NEW SECURITY CHECKS

  • Added Short XSS Attack to bypass character limit checks
  • Added Revoked SSL Certificate check
  • Added SSL Certificate's Name and Hostname Mismatch security check
  • Added SSL Certificate is not signed by a trusted root certification authority security check
  • Added Daiquiri Identified security check
  • Added Expired SSL Certificate security check
  • Added ZSH History File Detected
  • Added DOM XSS pattern for the script SRC Injection

FIXES

  • Fixed an issue with simultaneous access to the same object while updating the sitemap during scanning
  • Fixed unexpected error when saving parse from URL in form values screen
  • Fixed the Chrome address bar displaying in different resolutions on the verify login form
  • Fixed the detected logout status when an unreachable link is given
  • Fixed the customization menu at the form authentication's custom script dialog
  • Fixed unsupported browser issue for Headless Chromium
  • Fixed weak ciphers not reported for additional websites issue
  • Fixed ignoring weak ciphers check because of the ROBOT attack
  • Fixed logging HTTPS requests as HTTP when LogHttpRequests option is enabled
  • Updated Invicti Updater icons
  • Fixed an issue where the Postman Importer ignores the authorization header that is defined in a request item
  • Updated requester not to send Accept-Language header if it is not enabled in a scan policy
  • Fixed an issue that occurred when exporting custom reports generated from Compliance, Detailed Scan, and Executive Summary report
  • Fixed a synchronization problem while creating puppeteer instances
  • Fixed an issue where external schema was not added when importing WSDL
  • Fixed the Write Lock Leak in LinkPool
  • Disabled mouse wheel on the Include/Exclude URLs with Regex radio group
  • Fixed the typo in the jQuery validation out-of-date vulnerability type
  • Fixed the issue Untrusted Root certificate was not reported on the self-signed certificates
  • Fixed the issue that the wrong version was reported in the web app fingerprinting
  • Fixed False Positive weak credentials vulnerability
  • Fixed the issue that logs were not correctly formatted in the Logs panel
  • Fixed the issue that SSL vulnerabilities found in additional sites might be reported in the wrong URL
  • Fixed the issue that authenticated link was not crawled
  • Fixed the issue that the proof URL was not added to XSS
  • Fixed word-wrapping in Tags label in the Azure DevOps Send to Action Configuration Wizard
  • Removed the logging for the replacing control characters in headers
  • Changed the log level of DOM simulation timeout from Error to Warning
  • Fixed the issue that another hash was appended to URLs with a fragment on DOM XSS attacks
  • Fixed the issue that SSL certificates were not analyzed for each website when there are additional websites
  • Fixed the issue that URI fragment was parsed incorrectly
  • Fixed OpenSSL version disclosure regex
  • Fixed WS_FTP Log check
  • Fixed F5 BIG-IP WAF detection
  • Fixed the typo in the jQuery Validation Out-of-date Vulnerability type
  • Fixed Extractor for Lodash in repository.json by adding a new function
  • Fixed WildFly regex for the WildFly Application Server Identified
  • Fixed Whoops Error Handling framework signature
  • Fixed the signature for Liferay Portal Identified
  • Fixed Version Disclosure for Artifactory by adding missing custom field tag
  • Fixed regex of Grafana Version Disclosure
  • Fixed OpenResty regex for Version Disclosure
  • Fixed the regex of Liferay Portal Version Disclosure pattern