Invicti Enterprise On-Premises 17 Oct 2016

New Features

New Web Security Checks


  • Improved the Cross-site Scripting (XSS) vulnerability security checks coverage.
  • Renamed “Permanent XSS” vulnerability to “Stored XSS”.
  • Added type ahead search functionality for Scan Policy > Security Checks.
  • Added HTTP methods to AJAX / XML HTTP Requests knowledge base section.
  • Optimized the performance of SOAP web service parsing by skipping the WSDLs that are already parsed.
  • Added Scan Policy > Crawling options to enable/disable parsing of SOAP and REST web services.
  • Improved DOM simulation by simulating “contextmenu” events.
  • Increased the default values for “Maximum Page Visit” and “Max. Number of Parameters to Attack on a Single Page” settings.
  • Improved XML parsing during crawling by parsing empty XML elements as parameters too.
  • Added the ability to attack parameter names.
  • Added a note to vulnerability detail for non-exploitable frame injection.
  • Added .jhtml and .jsp attacks to file upload engine.
  • Improved CORS security checks.
  • Improved Open Redirect engine to detect CNAME injection such as
  • Improved XSS confirmation for vulnerabilities found inside noscript tags.
  • Added an attack pattern to the command injection engine to bypass whitespace filtering using $IFS environment variable.

Bug Fixes

  • Fixed a form authentication issue where the last form authentication sequence requests were prematurely cancelled.
  • Fixed an issue where incorrect PHP source code disclosures are reported for some binary responses.
  • Fixed the broken External Reference link on Remote Code Evaluation (PHP) vulnerability.
  • Fixed a file upload input DOM parsing issue which prevents some file upload attacks.
  • Fixed a form authentication issue occurs on web sites that opens popups during form authentication sequence.
  • Fixed a DOM simulation issue occurs when there is a form element with name “action” on target web page.
  • Fixed duplicate “Email Address Disclosure” reporting issue.
  • Fixed a NullReferenceException on occurs during CORS security checks.
  • Fixed a CSRF exploit generation issue where the generated file is empty.
  • Fixed an issue where XSS vulnerability is missed when multiple redirects occur.
  • Fixed a text parsing issue where relative URLs were not supported as base href values.
  • Fixed an issue where Missing X-Frame-Options Header vulnerability is reported even though ALLOW-FROM is included in the header.
  • Fixed an XSS attacking issue where duplicate attacks are made for same payload.
  • Fixed a Header Injection attack issue where first line of the HTTP request gets corrupted on full URL attacks.
  • Fixed an issue where post exploitation does not work sometimes.
  • Fixed a form authentication issue where any slash character in credentials cannot be used.