Invicti Enterprise On-Premises 04 Jul 2016



  • Added Samesite cookie attribute check.
  • Added Reverse Tabnabbing check.
  • Added Subresource Integrity (SRI) Not Implemented check.
  • Added Subresource Integrity (SRI) Hash Invalid check.


  • Various memory usage improvements to better handle large websites.
  • Improved vulnerability templates by adding product information when a 3rd party web application (WordPress, Drupal, Joomla, etc.) is discovered.
  • Improved DOM simulation by supporting HTTP responses that is translated to HTML web pages using XSLT.
  • Improved coverage of Local File Inclusion security check engine.
  • Improved the automatic form authentication script to click the “button” HTML elements if no suitable button is found.
  • Improved the “HTML Base Tag Hijacking” vulnerability template.
  • Improved the long-term memory usage of the DOM simulation and cross-site scripting (XSS) scanning.
  • DOM simulation smart filtering now prunes unnecessary DOM branches.
  • Improved the detection of “Redirect Body Too Large” vulnerability.


  • Fixed the “Cross-site Scripting via Remote File Inclusion” vulnerability, which was not being confirmed automatically.
  • Fixed the incorrect form value issue when the #DEFAULT# form value is removed.
  • Fixed an HTTP Archive Importer issue during which the POST method was parsed as GET when postData is empty.
  • Fixed a bug in which a GWT parameter that contained a Base64 encoded value was not detected.
  • Fixed a time span parsing bug in Knowledge base report templates.
  • Fixed an issue in which some vulnerabilities are treated as fixed while retesting.
  • Fixed an issue in which XSS proof URL was missing alert function call.
  • Fixed the broken “Generate Debug Info” function of JavaScript simulation feature.
  • Fixed a NullReferenceException that can be thrown by the Subresource integrity security checks.
  • Fixed cURL login sample in API documentation.