Invicti Standard 08 Apr 2016



  • Added Missing X-XSS-Protection Header vulnerability check.
  • Added Video.js JavaScript library detection.
  • Added Critical Form Send to HTTP vulnerability check.
  • Added Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability check.


  • Added the Smart DFS feature to the Dom Parser which uses a similarity heuristic technology for DOM elements to avoid  multiple scanning of the same or similar parameters.
  • Added license load option to Help menu.
  • Improved “Not Found Analyzer” to better handle binary responses and long strings.
  • Changed the default settings of JIRA Send to Action for better out of the box support.
  • Added a link to the proof URL for XSS vulnerabilities.
  • Added link generation to Text Parser for all select element options.
  • Improved the DOM parser to skip redirect responses.
  • Added an option to allow the user to move the Invicti data directory to a different location.
  • Improved the DOM parser to use the input value for auto-suggest simulation when input is not in a form.
  • Added support for modifying asynchronous JavaScript executions in order to increase DOM Parser coverage.
  • Improved relative link parsing on JavaScript files.
  • Improved the coverage of file upload security checks.
  • Improved the coverage of XSS security checks.


  • Fixed an issue where LFI attack patterns are reported as internal path disclosure.
  • Fixed the incorrect raw response representing SSL connections.
  • Fixed an issue where forms containing ignored parameters are not reported as CSRF vulnerability.
  • Fixed a case where dynamically generated HTML option elements’ change event were not being triggered.
  • Fixed cross-domain document access errors on DOM parser and XSS scanner.
  • Fixed an issue where a JSON request’s method was incorrectly recognized as POST rather than GET.
  • Fixed a retest issue where a vulnerability is reported as fixed incorrectly.
  • Fixed form values target setting to use Name as the default value when a Target is not selected.
  • Fixed an issue related with JavaScript “Load Preset Values” combo where selecting a preset value may revert the combo value to “(Custom)”.
  • Fixed a file extension parsing issue related with File Extension List knowledgebase item.
  • Fixed a hang issue occurs while performing JavaScript library checks.
  • Fixed a custom form authentication API issue where “ns” namespace was conflicting with a global variable on target web site (authentication API has been moved to “invicti” namespace preserving the “ns” backward compatibility)
  • Fixed a DOM Parser and XSS scanner bug that incorrectly follows redirects.
  • Fixed misplaced certainty label on vulnerability details for trial editions.
  • Fixed an ObjectDisposedException occurs on trial edition when you press escape key several times during application load.
  • Fixed a resource deployment issue occurs on Invicti installations with custom application data path.
  • Fixed a form values issue where empty form values should not set any default values for parameters.
  • Fixed an issue where trying to set Connection request header fails.