Invicti Product Release Notes
07 Apr 2021
6.0.2.30446
NEW FEATURES
- Added TLS 1.3 support
- Added the character limit setting for Blind SQL Injection proof generation and enabled proof generation by default
- Added the Common Vulnerability Scoring System field to the known vulnerabilities
- Added the Vulnerability Database version to the scan logs
IMPROVEMENTS
- Improved IPv6 support to cover all SSL checks
- Added an advanced setting option to turn on/off the "disable-web-security" command line option while launching chromium
- Added the redirect navigation support for DOM Parser
- Fixed Ghost Chromium problems and DOM simulation leaks
- Added multiple ISO Classification support
- Added alphabetical order to the Knowledge Base nodes
- Updated Invicti Shark (IAST) licensing
- Improved WAF Identification checks to prevent false positives
- Added CVSS3.0 and CVSS3.1 scoring for HSTS Policy Not Enabled
- Improved Open Redirection checks
- Updated Capture Group for OpenResty Version Disclosure
- Updated DS_Store File Found Report Template
- Changed the Referrer-Policy Report Template names to be more accurate
- Refined Possible Stored XSS Vulnerability template
- Added missing external references to SSL Templates that are removed after the merge
- Added IAST suffix to titles of vulnerability detected by Invicti Shark
- Updated OpenSSL regex
- Updated OpenSSL version disclosure regex
- Updated SSTI patterns to use specific type to match code execution patterns
NEW SECURITY CHECKS
- Added Short XSS Attack to bypass character limit checks
- Added Revoked SSL Certificate check
- Added SSL Certificate's Name and Hostname Mismatch security check
- Added SSL Certificate is not signed by a trusted root certification authority security check
- Added Daiquiri Identified security check
- Added Expired SSL Certificate security check
- Added ZSH History File Detected
- Added DOM XSS pattern for the script SRC Injection
FIXES
- Fixed an issue with simultaneous access to the same object while updating the sitemap during scanning
- Fixed unexpected error when saving parse from URL in form values screen
- Fixed the Chrome address bar displaying in different resolutions on the verify login form
- Fixed the detected logout status when an unreachable link is given
- Fixed the customization menu at the form authentication's custom script dialog
- Fixed unsupported browser issue for Headless Chromium
- Fixed weak ciphers not reported for additional websites issue
- Fixed ignoring weak ciphers check because of the ROBOT attack
- Fixed logging HTTPS requests as HTTP when LogHttpRequests option is enabled
- Updated Invicti Updater icons
- Fixed an issue where the Postman Importer ignores the authorization header that is defined in a request item
- Updated requester not to send Accept-Language header if it is not enabled in a scan policy
- Fixed an issue that occurred when exporting custom reports generated from Compliance, Detailed Scan, and Executive Summary report
- Fixed a synchronization problem while creating puppeteer instances
- Fixed an issue where external schema was not added when importing WSDL
- Fixed the Write Lock Leak in LinkPool
- Disabled mouse wheel on the Include/Exclude URLs with Regex radio group
- Fixed the typo in the jQuery validation out-of-date vulnerability type
- Fixed the issue Untrusted Root certificate was not reported on the self-signed certificates
- Fixed the issue that the wrong version was reported in the web app fingerprinting
- Fixed False Positive weak credentials vulnerability
- Fixed the issue that logs were not correctly formatted in the Logs panel
- Fixed the issue that SSL vulnerabilities found in additional sites might be reported in the wrong URL
- Fixed the issue that authenticated link was not crawled
- Fixed the issue that the proof URL was not added to XSS
- Fixed word-wrapping in Tags label in the Azure DevOps Send to Action Configuration Wizard
- Removed the logging for the replacing control characters in headers
- Changed the log level of DOM simulation timeout from Error to Warning
- Fixed the issue that another hash was appended to URLs with a fragment on DOM XSS attacks
- Fixed the issue that SSL certificates were not analyzed for each website when there are additional websites
- Fixed the issue that URI fragment was parsed incorrectly
- Fixed OpenSSL version disclosure regex
- Fixed WS_FTP Log check
- Fixed F5 BIG-IP WAF detection
- Fixed the typo in the jQuery Validation Out-of-date Vulnerability type
- Fixed Extractor for Lodash in repository.json by adding a new function
- Fixed WildFly regex for the WildFly Application Server Identified
- Fixed Whoops Error Handling framework signature
- Fixed the signature for Liferay Portal Identified
- Fixed Version Disclosure for Artifactory by adding missing custom field tag
- Fixed regex of Grafana Version Disclosure
- Fixed OpenResty regex for Version Disclosure
- Fixed the regex of Liferay Portal Version Disclosure pattern