Invicti Standard 14 May 2020


  • Added Pivotal Tracker Send To integration
  • Added test website (Target URL) configuration to enable the scanning of REST websites with selected XML and JSON mime type(s)
  • Added ability to add, remove or edit request parameters, headers and edit the request body in pre-request scripts
  • Added a Fragment Parsing checkbox to the Crawling tab of the Scan Policy Editor dialog


  • Added a new vulnerability for Same Site Cookies that are set to None and not marked as secure


  • Improved the Webhook Send To Action to enable it to send data from the query string when the POST or PUT method is selected
  • Improved the Jira Send To Action to include Epic Key and Epic Name fields
  • Updated the default value for Allow Out-of-scope XHR requests from False to True, to improve the simulation process
  • Improved Form Authentication to capture All Authorization Headers instead of just Bearer Authentication Tokens
  • Improved the scan performance with memoization of Passive Security Checks
  • Optimized Stored XSS checks to eliminate unnecessary DOM simulations in PermanentXssSignature
  • Optimized signature detection to avoid executing unnecessary Regex checks
  • Improved the attack payload of the Open – Integer (MySQL) pattern


  • Fixed the problem where the authentication header was parsing if an empty OAuth2 token type was provided
  • Fixed a typo in the XSS vulnerability template
  • Fixed a typo in Expect-CT engine error message
  • The WAF Identified dialog is no longer displayed when Invicti is started from the command line in Silent Mode
  • Fixed an issue that meant the Target URL was not crawled when the Override Target URL with authenticated page checkbox was enabled in the Form Authentication tab of the Start a New Website or Web Service Scan dialog
  • Fixed the visibility of the scan search bar
  • Fixed the Regex Pattern of the BREACH Engine’s sensitive keywords
  • Fixed an issue where the Possible OOB Command Injection Vulnerability was reported as confirmed
  • Fixed the exception that was thrown if the script file name was empty when the Execute button was clicked in the Custom Scripts panel
  • Fixed the problem where the XXE engine was reporting a false positive on possible XXEs
  • Data Type Mismatch errors are now ignored while importing OpenAPI (Swagger) documents
  • Fixed an issue where Authentication Verification was failing to complete in Silent Mode when the Target URL was unreachable
  • Fixed an issue that caused the crawler to be exited abnormally and stopping the scan when Invicti Assistant changed the Scan Settings
  • Fixed a NullReferenceException in the Custom Scripts panel
  • Fixed an issue that caused the link to get stuck in Crawling causing the scan to take too long
  • Fixed a NRE that occurred when a Retest was performed on an imported scan
  • Fixed an issue that occasionally caused scans to hang when the Target URL timed out on requests
  • Removed an extra semicolon from the Actions to Take section of the Insecure Transportation Security Protocol Supported vulnerability templates