Invicti Product Release Notes
08 Apr 2016
NEW FEATURES
- Added Proof of Concept generation for the CSRF vulnerability.
- Added Parameter-Based Navigation settings to better crawl and attack parameters that are used for website navigation.
- Added a new crawling option in the Scan Policy that allows users to add new extensions for the crawler to parse.
NEW SECURITY TESTS
- Added Missing X-XSS-Protection Header vulnerability check.
- Added Video.js JavaScript library detection.
- Added Critical Form Send to HTTP vulnerability check.
- Added Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability check.
IMPROVEMENTS
- Added the Smart DFS feature to the DOM Parser, which uses a similarity heuristic for DOM elements to avoid scanning the same or similar parameters multiple times.
- Added license load option to Help menu.
- Improved "Not Found Analyzer" to better handle binary responses and long strings.
- Changed the default settings of the JIRA Send To action for better out-of-the-box support.
- Added a link to the proof URL for XSS vulnerabilities.
- Added link generation to Text Parser for all select element options.
- Improved the DOM parser to skip redirect responses.
- Added an option to allow the user to move the Invicti data directory to a different location.
- Improved the DOM parser to use the input value for auto-suggest simulation when input is not in a form.
- Added support for modifying asynchronous JavaScript executions in order to increase DOM Parser coverage.
- Improved relative link parsing on JavaScript files.
- Improved the coverage of file upload security checks.
- Improved the coverage of XSS security checks.
FIXES
- Fixed an issue where LFI attack patterns were reported as internal path disclosure.
- Fixed the raw response incorrectly representing SSL connections.
- Fixed an issue where forms containing ignored parameters were not reported as a CSRF vulnerability.
- Fixed a case where the change events of dynamically generated HTML option elements were not being triggered.
- Fixed cross-domain document access errors on DOM parser and XSS scanner.
- Fixed an issue where a JSON request's method was incorrectly recognized as POST rather than GET.
- Fixed a retest issue where a vulnerability was incorrectly reported as fixed.
- Fixed form values target setting to use Name as the default value when a Target is not selected.
- Fixed an issue related to the JavaScript "Load Preset Values" combo where selecting a preset value could revert the combo value to "(Custom)".
- Fixed a file extension parsing issue related to the File Extension List knowledgebase item.
- Fixed a hang that occurred while performing JavaScript library checks.
- Fixed a custom form authentication API issue where the "ns" namespace conflicted with a global variable on the target website (the authentication API has been moved to the "invicti" namespace, with "ns" preserved for backward compatibility).
- Fixed a DOM Parser and XSS scanner bug that incorrectly followed redirects.
- Fixed misplaced certainty label on vulnerability details for trial editions.
- Fixed an ObjectDisposedException that occurred on the trial edition when the Escape key was pressed several times during application load.
- Fixed a resource deployment issue that occurred on Invicti installations with a custom application data path.
- Fixed a form values issue so that empty form values no longer set default values for parameters.
- Fixed an issue where trying to set Connection request header fails.