Invicti Enterprise On-Premises 15 Mar 2016

New Features

  • Scan profiles can now be shared with all team members
  • Scan profiles can be assigned as a primary scan profile for a website so whenever a new scan is being configured for a website, the default scan profile will be the primary one

New Web Security Checks

  • Added security check for the new DROWN SSL/TLS vulnerability
  • Added “HSTS (HTTP Strict Transport Security) Not Enabled” security checks
  • Added various checks being reported with “HTTP Strict Transport Security (HSTS) Errors and Warnings”
  • Added version checks for OpenCart web application


  • Improved JavaScript/DOM simulation for better DOM XSS security checks
  • Added “Form Values” support for JavaScript/DOM simulation and DOM XSS attacks
  • Authentication settings moved from website to scan launch screen to be included in scan profile
  • Scan scheduling operations seperated from scan launch screen
  • Changed the “Configure a new scan” page to a more ergonomic interface
  • Users with admin permission can no longer see team member’s API token
  • Added endpoint type field to activity logs. (API or Web UI)
  • Added a new scan policy setting section for JavaScript related settings
  • Rewritten HSTS security checks
  • Added evidence information to vulnerabilities list XML report
  • Improved out-of-date reports for applications/libraries that have multiple active stable branches (i.e. jQuery 1.x and 2.x)
  • Added the file name information for the local file inclusion evidence
  • Added source code to vulnerability details for “Source Code Disclosure” vulnerabilities
  • Improved Heuristic URL Rewrite implementation to detect more patterns and increase crawling efficiency
  • Improved the performance of DOM simulation by aggressively caching external requests
  • Improved the performance of DOM simulation by caching web page responses
  • Improved the performance of DOM simulation by blocking requests to known ad networks
  • Improved minlength and maxlength support for form inputs that sets a value with an appropriate length
  • Added support for matching inputs by label and placeholder texts on form values
  • Improved the vulnerability description on out-of-date cases where identified version is the latest version
  • Added database version, name and user proof for SQL injection vulnerabilities
  • Optimized the attacks with multiple parameters to reduce the number of attacks
  • Added “Identified Source Code” section for “Source Code Disclosure” vulnerabilities

Bug Fixes

  • Fixed an issue which fails reading cookies on form authentication verification for cases where Set-Cookie response header is empty
  • Fixed an issue with client certificate authentication where the client certificate may be sent to external hosts while making HTTP requests
  • Fixed cases where Invicti was making requests to addresses that are generated by its own attacks
  • Fixed elapsed time stops when the current scan is exported
  • Fixed an issue with JavaScript library version detection where wrong version is reported if the path to JavaScript file contains digits
  • Fixed missing AJAX requests on knowledge base while doing manual crawling
  • Fixed HSTS engine where an http:// request may cause to loose current session cookie
  • Fixed an issue where extracted links by TextParser in a JavaScript file should be relative to the main document
  • Fixed the issues of delegated events not simulated if added to the DOM after load time
  • Fixed the issue where hidden resource requests made by Invicti are displayed on out of scope knowledgebase
  • Fixed the issue with automatic SSL protocol fallback which attempts the fallback even if the current security protocol is same with the fallback value
  • Fixed the issue of “Strict-Transport-Security” is being reported as “Interesting Header”
  • Fixed the broken HIPAA classification link