Invicti Standard 18 May 2015


  • Added RSA Private Key Detected vulnerability check


  • Improved Credit Card Disclosure detection
  • Reporting cookie name in “Cookie values used in Anti-CSRF token” issue
  • Improved “Delegated event” simulation in DOM Parser
  • Improved comment order in knowledgebase by displaying comments containing sensitive keywords first
  • Improved the wording of the “ViewState is not Encrypted” vulnerability report template
  • Improved DOM Parser and DOM XSS by providing the received response headers to JavaScript context
  • Improved Exclude/Include patterns to match parameter names and values in addition to the URL
  • Improved resource finder to accept HTTP 401 and 500 status codes when a hidden resource is discovered
  • Improved logging of regex timeout issues with additional parameter name and URL information
  • Improved reporting API documentation by including more types


  • Fixed “Options Method Enabled” vulnerability reporting by adding status code checks
  • Fixed a NullReferenceException issue that occurs when Invicti is started from the command line
  • Fixed an encoding issue for parameter names in multipart/form-data requests
  • Fixed an issue related to form authentication verification in which the Continue button is missing on the verification dialog if there is no configured persona
  • Fixed click simulation in custom form authentication scripting by preventing the extra click on elements
  • Fixed an SSL connection issue where the target web server demands only TLS 1.1 or TLS 1.2 protocols
  • Fixed custom data reporting in vulnerability templates by removing the extra space added to the values
  • Fixed custom data reporting in vulnerability templates to omit the bullet point when there is only a single custom data item
  • Fixed an issue with “Out of Scope” links reported under knowledgebase where the links discovered in DOM Parser are not reported
  • Fixed a report template customization issue where modifying a report template while Invicti is running was causing it to fail during report generation
  • Fixed a multipart/form-data request issue where the “filename” attribute was not submitted for file upload parameters
  • Fixed a dashboard issue where the progress bar was stuck on Crawl Only scans even though crawling had finished
  • Fixed a custom URL rewrite bug where rules with multiple numeric parameters were not being matched
  • Fixed the custom URL rewrite test interface, where previously only visible rows were being tested