Invicti Enterprise On-Premises 11 Apr 2016

New Features

New Security Checks

  • Added Missing X-XSS-Protection Header vulnerability check.
  • Added Video.js JavaScript library detection.
  • Added Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability check.


  • Added the Smart DFS feature to the Dom Parser which uses a similarity heuristic technology for DOM elements to avoid  multiple scanning of the same or similar parameters.
  • Improved “Not Found Analyzer” to better handle binary responses and long strings.
  • Added a link to the proof URL for XSS vulnerabilities.
  • Added link generation to Text Parser for all select element options.
  • Improved DOM parser to skip redirect responses.
  • Improved the DOM parser to use the input value for auto-suggest simulation when input is not in a form.
  • Added support for modifying asynchronous javascript executions in order to increase DOM Parser coverage.
  • Improved relative link parsing on JavaScript files.
  • Improved the coverage of file upload security checks.
  • Improved the coverage of XSS security checks.
  • Improved UI of the scan policy optimized wizard.
  • API authentication method updated for backward compatibility.

Bug Fixes

  • Fixed an issue where LFI attack patterns were being reported as internal path disclosure.
  • Fixed the incorrect raw response representing SSL connections.
  • Fixed an issue where forms containing ignored parameters were not reported as a CSRF vulnerability.
  • Fixed a case where dynamically generated HTML option elements’ change event were not being triggered.
  • Fixed cross-domain document access errors on DOM parser and XSS scanner.
  • Fixed an issue where a JSON request’s method was incorrectly recognized as POST rather than GET.
  • Fixed a retest issue where a vulnerability fix is reported by mistake.
  • Fixed form values target setting to use Name as the default value when a Target is not selected.
  • Fixed a file extension parsing issue related with File Extension List knowledgebase item.
  • Fixed a hang issue that occurs while performing JavaScript library security checks.
  • Fixed a custom form authentication API issue where “ns” namespace was conflicting with a global variable on target website – auth API has been moved to “netsparker” namespace preserving the “ns” backward compatibility.
  • Fixed a DOM Parser and XSS scanner bug that incorrectly followed redirects.
  • Fixed a form values issue – empty form values should not set any default values for parameters.
  • Fixed an issue during which the setting of the Connection request header failed.