- Authentication & session verification for form based authentication.
- Credentials test for Basic and NTLM/Kerberos authentication mechanisms.
- Support for the Invicti Hawk infrastructure, used for detecting SSRF and out-of-band vulnerabilities.
- Added HTTP request rate limiting options to Scan Policy.
- Added “Ignored Email Addresses” section in Scan Policy.
- Added accept and reject options for untrusted SSL certificates.
- Added an option to disable automatic detection of 404 error pages.
- Support for importation of Postman files.
New Security Checks
- Improved the performance of several link importers.
- Added “Bearer Token” support for form authentication.
- Added confirmation for Frame Injection vulnerabilities.
- Added http: and https: checks for CSP vulnerability detection.
- Improved link importers – redundant CONNECT requests are now excluded.
- Optimized attacker performance for links containing single parameter.
- Optimized crawling parser by skipping DOM simulation on pages with static content.
- Improved coverage of CORS security check with extra attacks.
- Removed GWT attacks from file upload security checks.
- Improved DOM simulation performance.
- Improved CSS parsing which now follows CSS import directives.
- Improved coverage of open redirect security checks by adding/updating attacks patterns.
- Added support for “HTTP 410 Gone” and “HTTP 451 Unavailable For Legal Reasons” response status codes.
- Added CVSS information to more vulnerabilities.
- Updated vulnerability database.
- Added URL Rewrite mode to Detailed Scan Report.
- Added support for configuring websites on manage groups page.
- Improved the UI & UX of several pages.
- Fixed an issue where a “multiple cookies issue” should not be reported.
- Fixed a JSON parsing issue with text parser.
- Fixed an HTTP response issue where the response could not be read because only BOM bytes are sent on first read attempt.
- Fixed an issue where a false positive file upload vulnerability might be reported.
- Fixed several DOM simulation issues on pages that have many iframe elements.
- Fixed a NullReferenceException while performing an internal MD5 encoding operation.
- Fixed an encoding issue on a proof URL of an XSS vulnerability.
- Fixed an issue where “Shell Script Identified” vulnerability is not found when retested.
- Fixed URL parsing on pages where the URLs were containing whitespace characters like carriage return and line feeds.
- Fixed a text parsing issue where absolute URLs were converted to invalid relative URLs.
- Fixed incorrect protocol detection for protocol-relative URLs.
- Fixed an issue which occurs during importing websites with unix line endings.
- Fixed a retest issue which occurs if vulnerable URL contains a dash character.
- Fixed an issue where SSL details were not shown properly on knowledge base report.