Invicti Standard 06 Apr 2015


  1. Invicti 4 requires .NET 4.5.2 to run. You must have Windows Vista or Windows Server 2008 or above to install .NET 4.5.2 and use Invicti 4.
  2. Form authentication was redesigned and now it is much easier to configure and all automated. If you had login details configured using the previous wizard you need to reconfigure them.
  3. The file format of profiles has changed from binary to XML. If you have custom profiles you have to recreate them.
  4. The default profiles shipped with Invicti have been removed. Please use the default Scan Policies instead.
  5. URL Rewrite settings have been moved from Scan Policy to profile settings. Therefore if you have Scan Policies with URL Rewrite configuration create a new custom Profile and configure the URL Rewrite settings in your custom profile.

Should you have any queries or encounter any problems do not hesitate to contact our support at


  • Redesigned the “Start a New Scan” dialog window – now it is even easier than before to configure new scans
  • New macro-less form authentication configuration (DOM Based Form Authentication that replaces HTTP Based Form Authentication)
  • Ability to automatically crawl and scan web applications built with Google Web Toolkit (GWT)
  • Added “Incremental Scanning” feature – perform an incremental scan over an existing scan that only attacks to new pages introduced since last scan
  • Added “Retest All” functionality to perform one-click retest on all vulnerabilities found
  • Added support for Remote File Inclusion (RFI) Exploitation
  • Added support for Remote Code Execution via LFI (PHP) Exploitation
  • Added new Executive Summary Report template
  • Added support for importing HTTP Archive (HAR) files


Added new security checks in Invicti to identify the below vulnerabilities and security flaws:

  • Cross Frame Scripting vulnerability check
  • Missing Content-Type and X-Content-Type-Options header checks
  • Cross-Origin Resource Sharing check
  • Mixed Content check to detect if a mixed content is loaded over HTTP within an HTTPS page
  • XML External Entity (XXE) Engine
  • File Upload Engine
  • Detection of insecure JSONP endpoints susceptible to attacks like Rosetta Flash
  • Misconfigured Access-Control-Allow-Origin header
  • Credit Card Disclosure


  • Improved DOM XSS attack patterns
  • Increased coverage for Open Redirection vulnerabilities
  • Improved Internal Path Disclosure detection patterns for Windows and *nix
  • Improved Connection String detection to cover more cases and run faster
  • Imported links are now displayed in a list on Start a New Scan Dialog and selected links can be removed
  • Internal Path Disclosure (*nix) checks have been improved by excluding paths found in JavaScript and CSS files
  • Improved sensitive keyword list for Comments Knowledge base item
  • Reporting cookie attributes like Secure, HttpOnly, etc. in Cookies Knowledge base item
  • Current user-agent string set in scan policy settings is now being used during DOM simulation and DOM XSS attacks
  • Improved attacking for URLs with multiple parameters by also attacking with empty parameter values
  • Improved wording for Auto Complete Enabled vulnerability template
  • Improved Open Redirect detection to include redirects performed by JavaScript code
  • Added an option to perform DOM simulation when necessary in Open Redirect engine
  • Reduced the number of requests made to detect Not Found pages
  • Included Static Resource Finder requests in activity pane
  • Improved CVS file detection pattern
  • Improved the error message displayed on start up to provide more details
  • Improved Retest feature to perform retests for singular engine vulnerabilities like ASP Debug Enabled, OpenSSL Heartbleed Vulnerability, etc.
  • Improved URL encoding to use %20 while encoding space character (Use UsePlusForSpaceEncoding to force encode spaces as plus signs)
  • Separated HTML5 engine checks in scan policy to provide granular selection chance
  • Improved Insecure Transportation Security Protocol Supported (SSLv3) vulnerability template wording
  • Added CWE classification values for SSLv2 and SSLv3 vulnerabilities
  • Added retest support for RoR RCE vulnerabilities
  • Added scan policy settings to ignore certain Content Type values
  • Improved Vulnerability List (XML) report template to include OWASP 2013 classifications for vulnerabilities
  • Improved user interface to display Browser View tab and hide Vulnerability tab when selected Sitemap node is not a vulnerability
  • Exposed Signature property for Vulnerability instances in Reporting API
  • Added classification information for Possible Reflected File Download vulnerability
  • Added timeout support for regex pattern execution to prevent hangs on exceptional responses (timeout value can be modified using SignatureRegexTimeout Advanced Setting)
  • Changed request timeout setting’s unit from milliseconds to seconds in the policy setting UI
  • Improved SSN detection
  • Improved link parsing in Text Parser
  • Added HTTP method and attack parameter names to activity pane
  • Improved LFI confirmation using web.config file
  • Added extra GET requests for the ones having non-GET HTTP methods
  • Added referer checks for DOM XSS
  • Improved binary detection for font requests
  • Added Nginx configuration information for HSTS Not Enabled vulnerability template
  • Improved GIT detected vulnerability template
  • Auto save message is now displaying the time scan is saved
  • Revised Interesting Headers list to filter some well-known headers
  • Added form name and action as custom field in CSRF engine
  • Improved the error message text shown when a PDF report cannot be overwritten
  • Added Save button to save changes on current profile
  • Added attack pattern to find an SQL injection vulnerability in MySQL limit clause (version >= 5)
  • Added attack pattern to find an LFI vulnerability in Rails (CVE-2014-0130)
  • Improved how disk full cases are handled during a scan
  • Improved the order of how vulnerabilities are listed in reports
  • Improved phpMyAdmin detection
  • Improved Stack Trace Disclosure (Java) detection


  • Fixed Content-Type header parsing where any quotes should be removed from charset attribute
  • Fixed an encoding issue with an RFI attack pattern affecting Full Query String and Referer attacks
  • Fixed a hang occurs while performing SSL analyze on sites with some cipher suites
  • Fixed parameter encoding issue in Reverse Shell feature
  • Fixed a space character encoding issue in exploit generation
  • Fixed the generated code in exploits to include calls to alert function instead of invicti function
  • Fixed an encoding bug in RFI attacks to a URL with URL rewrite configuration
  • Fixed an issue that crashes Invicti if a Standard edition license contains an invalid URL
  • Fixed a crash in URL rewrite pattern which occurs when invalid regex patterns are entered
  • Fixed DOM parser simulation to select non-default values in select elements
  • Fixed retest to detect vulnerabilities requiring late confirmation (Blind Command Injection, Blind SQL Injection, etc.)
  • Fixed an issue where WebDav engine could not perform a retest correctly
  • Fixed a bug in email disclosure vulnerability where duplicate emails were being displayed
  • Fixed the tooltip on Add New client certificate button by correcting the supported file extension
  • Fixed the decoding issue with UTF-16 responses where text response is recognized as binary
  • Fixed duplicate confirmation issue during retest
  • Fixed the performance issue with Custom Cookies text box to handle large values
  • Fixed an issue with Tab key when the focus is on a list and does not move away to next control
  • Fixed a bug related with Excluded/Included Links where the values are getting back to default when all values are deleted
  • Fixed the Start Scan button text when Pause Scan After Crawling is checked
  • Fixed the configuration sample in Tomcat Directory Listing vulnerability template
  • Fixed an issue with importers where the HTTP methods like PUT, DELETE, etc. of requests are not preserved
  • Fixed an issue with cookie parsing where a Version = 1 cookie with an explicit domain which doesn’t start with a dot was being ignored
  • Fixed issues with Version = 1 cookies
  • Fixed an issue where confirmation is done with an incorrect signature in Expression Language Injection engine
  • Fixed a hang in Text Parser caused by a large base64 encoded image in page source code
  • Fixed a DOM XSS performance issue on pages using custom fonts
  • Fixed an issue of hanging requests in activity pane when a JSON/XML request fails for intrusive engines
  • Fixed trimmed activity duration in activity pane for large values
  • Fixed a StackOverflowException thrown by LFI exploitation
  • Fixed an issue with PDF report generation when the HTML report does not have a .htm file extension
  • Fixed a bug with Controlled Scan where the scan policy used during the scan should not prevent user to perform checks that are not in the policy
  • Fixed a bug in Detailed Scan Report where DOM XSS engine is not displayed as enabled
  • Fixed a bug occurs when Invicti tries to read the URL from clipboard and clipboard is open by another application
  • Fixed trimmed security test names in controlled scan
  • Fixed a bug where the max number of parameters to attack is not handled correctly
  • Fixed a bug in DOM simulation to provide correct target element when events are simulated
  • Fixed a bug in Scan Policy editor occurs by ignoring changes while clicking tabs on left
  • Fixed a cookie parsing bug occurs when port attribute value is not quoted
  • Fixed the refresh issue on Knowledgebase issues where the expand states are now preserved between refreshes
  • Fixed a cookie parsing bug where cookies were stopped being parsed in case of an empty Set-Cookie header
  • Fixed a scan file creation issue on systems where the Windows Documents folder is located on a network location
  • Fixed a log message issue reporting when Find Hidden Resources finishes
  • Fixed a high DPI text issue on Retest message dialog
  • Fixed a cookie parsing issue when Expires attribute contains a comma
  • Fixed a link parsing issue where parameters with empty names are added
  • Fixed a bug in Crawled URL List report where URLs discovered by Static Resource Finder are not listed
  • Fixed a bug in automated command line scans where interrupting and starting a new scan through UI asks for exit confirmation