Invicti Enterprise On-Premises 26 Jan 2017

New Features

  • Authentication & session verification for form based authentication.
  • Credentials test for Basic and NTLM/Kerberos authentication mechanisms.
  • Support for the Invicti Hawk infrastructure, used for detecting SSRF and out-of-band vulnerabilities.
  • Added HTTP request rate limiting options to Scan Policy.
  • Added “Ignored Email Addresses” section in Scan Policy.
  • Added accept and reject options for untrusted SSL certificates.
  • Added an option to disable automatic detection of 404 error pages.
  • Support for importation of Postman files.

New Security Checks


  • Improved the performance of several link importers.
  • Added “Bearer Token” support for form authentication.
  • Added confirmation for Frame Injection vulnerabilities.
  • Added http: and https: checks for CSP vulnerability detection.
  • Improved link importers – redundant CONNECT requests are now excluded.
  • Optimized attacker performance for links containing single parameter.
  • Optimized crawling parser by skipping DOM simulation on pages with static content.
  • Improved coverage of CORS security check with extra attacks.
  • Removed GWT attacks from file upload security checks.
  • Improved DOM simulation performance.
  • Improved CSS parsing which now follows CSS import directives.
  • Improved coverage of open redirect security checks by adding/updating attacks patterns.
  • Improved logout detection by skipping JavaScript responses.
  • Added support for “HTTP 410 Gone” and “HTTP 451 Unavailable For Legal Reasons” response status codes.
  • Added CVSS information to more vulnerabilities.
  • Updated vulnerability database.
  • Added URL Rewrite mode to Detailed Scan Report.
  • Added support for configuring websites on manage groups page.
  • Improved the UI & UX of several pages.

Bug Fixes

  • Fixed an issue where a “multiple cookies issue” should not be reported.
  • Fixed a JSON parsing issue with text parser.
  • Fixed an HTTP response issue where the response could not be read because only BOM bytes are sent on first read attempt.
  • Fixed an issue where a false positive file upload vulnerability might be reported.
  • Fixed several DOM simulation issues on pages that have many iframe elements.
  • Fixed a NullReferenceException while performing an internal MD5 encoding operation.
  • Fixed an encoding issue on a proof URL of an XSS vulnerability.
  • Fixed an issue where “Shell Script Identified” vulnerability is not found when retested.
  • Fixed URL parsing on pages where the URLs were containing whitespace characters like carriage return and line feeds.
  • Fixed a text parsing issue where absolute URLs were converted to invalid relative URLs.
  • Fixed incorrect protocol detection for protocol-relative URLs.
  • Fixed an issue which occurs during importing websites with unix line endings.
  • Fixed a retest issue which occurs if vulnerable URL contains a dash character.
  • Fixed an issue where SSL details were not shown properly on knowledge base report.