17 Jan 2019
NEW FEATURES Added issue synchronization support for Jira and Manuscript issue trackers Added notification support for Fixed, Revived, False Positive and Accepted Risk Issues to Slack integration Upgraded the Invicti scanning engine to v5.2-hf2 (5.2.0.22027) Added a new Vulnerability Families feature, where similar types of vulnerabilities are no longer reported separately Added out of the …
NEW FEATURES
- Added issue synchronization support for Jira and Manuscript issue trackers
- Added notification support for Fixed, Revived, False Positive and Accepted Risk Issues to Slack integration
- Upgraded the Invicti scanning engine to v5.2-hf2 (5.2.0.22027)
- Added a new Vulnerability Families feature, where similar types of vulnerabilities are no longer reported separately
- Added out of the box Issue tracking integration for GitLab, Bitbucket, Unfuddle, Zapier, and Azure DevOps
- Added support for Swagger 3/OpenAPI link import
- Added support for importing links in the IOdocs file format
- Added Retest support for several Cookie vulnerabilities
- Added a new Knowledge Base item for Not Found pages
- Added ISO 27001 vulnerability classifications and report template
- Added custom field support for Issue tracking integrations
- Added Azure DevOps Continuous Integration system integration
- Added PowerShell support to the Gitlab Continuous Integration system integration. The Gitlab page now has Integration Script Generator information for Gitlab PowerShell scripts.
- Added Pipeline Script Generation support to Jenkins Continuous Integration system informtion. The Jenkins page now has Integration Script Generation information for Jenkins Pipeline scripts.
NEW SECURITY CHECKS
- Added a new pattern for CherryPy Version Disclosure
- Added an LFI attack pattern for WEB-INF/web.xml
- Added Ruby Error Disclosure detection
- Added WP Engine Configuration File detection
- Added CherryPy Stack Trace Disclosure detection
- Added Intro.js Out-of-date Version detection
- Added Axios Out-of-date Version detection
- Added Fingerprintjs2 Out-of-date Version detection
- Added XRegExp Out-of-date Version detection
- Added DataTables Out-of-date Version detection
- Added Lazy.js Out-of-date Version detection
- Added FancyBox Out-of-date Version detection
- Added Underscore.js Out-of-date Version detection
- Added Lightbox Out-of-date Version detection
- Added JBoss application server Out-of-date Version detection
- Added SweetAlert2 Out-of-date Version detection
- Added Lodash Out-of-date Version detection
- Added Bluebird Out-of-date Version detection
- Added Polymer Out-of-date Version detection
IMPROVEMENTS
- Added Content Security Policy (CSP) to the Invicti Enterprise web application
- Changed enum values to display in alphabetical order in the Value column in the Filter popup
- Added an Audit Log for Rate Limited requests
- Highlighted selected option for JavaScript section on the New Scan Policy page
- Highlighted relevant tabs for validation errors on the New Scan Policy page
- Improved the Report Policy page to make it more responsive and added a scroll bar
- Improved help text for Application and Service Discovery pages
- Added a Check/Uncheck by Severity filtering option on the Report Policy page
- Added PHP extension attack for Nginx vulnerability to the File Upload engine
- Added File Upload patterns for the Nginx Parsing vulnerability
- Added settings to the File Upload engine for configuring upload folders
- Added errorlog.axd detection support
- Improved elmah.axd detection
- The severity of the Cookie Not Marked as Secure vulnerability was lowered for non-session cookies
- Improved SSTI PHP Smarty attack detection
- Improved the Swagger link importer to handle additional properties with integer and string value types
- Improved the Expect-CT engine by only reporting a vulnerability once for each host
- Improved RSA key confirmation by handling OpenPGP format
- Increased the HSTS Not Enabled vulnerability severity from Information to Low
- Improved HTTP 407 Proxy Authentication error handling
- Added classifications to the HSTS Not Enabled vulnerability
- Excluded unpopular JavaScript Library Out of Date checks from the default policy to improve performance
- Improved CSP security checks by analyzing empty responses, as CSP can be declared on headers instead of meta tags
- Generalized the RegEx Pattern of the trace.axd detected vulnerability to match all languages
- Improved JSON format detection
- Replaced Unicode replacement characters with question marks in responses
- Added a Scan Policy option to attack cookies
- Improved element click DOM simulation for various element types
- SRI Not Implemented will no longer be reported for localhost URLs
- Improved ASP.NET error message detection
- Added descriptions to PCI categories in the PCI Compliance Report
- Improved Boolean SQL Injection detection
- Improved the Blind Command Injection attack patterns
- Improved the representation of Report Template compilation errors
- Misconfigured X-Frame-Options Header is now reported separately
- Improved Source Code Disclosure checks to prevent the reporting of JavaScript template pages
- Status Code, Status Description and Content Length information have been added to the Slowest Pages node in the Knowledge Base
- Improved WADL document parsing by ignoring DTDs
- Improved Open Redirect DOM based confirmation performance
- Long identified source code is shortened in Possible Source Code Disclosure vulnerabilities
- Cookie vulnerabilities report where the cookie is set from
- Improved Swagger Document Format detection
- The file upload engine now detects new links in the response after the file is uploaded
BUG FIXES
- Fixed the issue where Authentication did not work when retesting
- Fixed the issue where the Swagger importer generated an invalid JSON request body
- Fixed the ArgumentException thrown while performing Heartbleed security checks
- Fixed the issue where the wrong version was identified for Drupal
- Fixed a disallowed HTTP method issue where some methods were still being allowed
- Fixed a typo in the CSP Not Implemented vulnerability details
- Fixed a Form Authentication issue that occured on some React-based websites
- Fixed signature detection for links found via the crawler
- Fixed an issue in the CSP engine where it reported an incorrect vulnerability
- Fixed a URL encoding issue in DOM simulation that was causing some vulnerabilities to be missed
- Fixed the issue where the text parser incorrectly parsed extensions in the onclick event
- Fixed duplicate parsing source field values reported for IFrame vulnerabilities
- Fixed an issue where Apache MultiViews could not be detected in the target server
- Fixed the incorrect Cookie Expire Date set during Form Authentication
- Fixed the incorrect Source Code Disclosure report caused by SSTI attacks
- Fixed a Content-Type parsing issue in Form Authentication
- Fixed the issue where cookies received via Form Authentication were not being analyzed for vulnerabilities
- Fixed the incorrect Source Code Disclosure reported when an XSS via RFI vulnerability was found
- Fixed a bug in cookie handling code during Form Authentication
- Fixed the incorrect severity reported for the Cookie not Marked as Secure vulnerability on some scans
- Fixed an ArgumentOutOfRangeException thrown on some long scans
26 Nov 2018
NEW FEATURES Added Application/Service Discovery feature Added out of the box integration for GitLab CI Added custom recurrence options to Scheduled Scans to support advanced scheduling scenarios Added support for downloading internal scanner agents on Manage Agents page (On-Demand only) Added raw text option to Import Websites page IMPROVEMENTS Improved colors for the app menu …
NEW FEATURES
- Added Application/Service Discovery feature
- Added out of the box integration for GitLab CI
- Added custom recurrence options to Scheduled Scans to support advanced scheduling scenarios
- Added support for downloading internal scanner agents on Manage Agents page (On-Demand only)
- Added raw text option to Import Websites page
IMPROVEMENTS
- Improved colors for the app menu to follow WCAG guidelines
- New scheduled scans are not added to the queue if a delayed one already exists
- Improved validatation for SSO configuration pages
- Updated EULA and TOS pages
- Added support for deleting agents on the Manage Agents page
- Readjusted API rate limits
- Added a Data Protection Policy page
- Account admins can now disable other team members’ 2FA settings
- Improved the wording on several pages
- Improved JIRA integration to prevent reopening the same issue twice in JIRA
- Added support for running concurrent scans on a single Enterprise computing instance (ondemand only)
- Attack Pattern’ renamed as ‘Payload’ in the Send To integration templates
- Added tooltip for Scan and Report Policies options on the New Scan page
BUG FIXES
- Fixed the problem where Severity Trends displayed global severity numbers even if a Scan Group was selected on the Website Dashboard page
- Fixed an issue where the Manage Websites page, where the Last Scanned column was displaying the last scan’s initiation time
- Fixed a bug where the severity order was wrong for the Retest Summary section on the Scan Report page
19 Sep 2018
NEW FEATURES Added support to save and re-use filters on the list pages (Recents Scans, Websites, Issues etc) Added out of the box integration for Slack and ServiceNow Introduced Report Policy Editor which allows to customize Scan Report results Added Russian FSTEC BDU Vulnerability Database numbers to version vulnerabilities NEW SECURITY CHECKS Added Out of …
NEW FEATURES
- Added support to save and re-use filters on the list pages (Recents Scans, Websites, Issues etc)
- Added out of the box integration for Slack and ServiceNow
- Introduced Report Policy Editor which allows to customize Scan Report results
- Added Russian FSTEC BDU Vulnerability Database numbers to version vulnerabilities
NEW SECURITY CHECKS
- Added Out of Band Server Side Template Injection security checks
- Added signature detection check for Caddy web server
- Added signature detection check for aah Go server
- Added signature detection check for JBoss application server
- Added CakePHP framework detection
- Added CakePHP version disclosure detection
- Added CakePHP out-of-date version detection
- Added CakePHP Stack Trace Disclosure
- Added CakePHP default page detection
- Added Out of Date checks for CKEditor 5
IMPROVEMENTS
- Configured scanner agent’s service options to recover automatically if it stops
- Improved display order of vulnerabilities in several reports
- Improved the wording in OWASP and Trend Matrix reports
- Updated the licensing model
- Allowed team members to manage their IP restrictions (previously only account administrators were allowed)
- Scheduled Scans will not be queued if a delayed one already exists in scan queue
- Improved Agent List page to display unavailable agents
- Improved the wording in Website and Global Dashboard pages
- Improved ‘/websites/get’ API endpoint to allow filtering by URL
- Improved validation messages for SSO settings
- Improved styling of Permission Matrix on New Team Member page
- Fixed error where Scheduled Scans were disabled by the system on license expiry (they’re now available again on license renewal)
- Updated .NET Framework version requirement to 4.7.2
- All authentication vulnerabilities (Basic, NTLM, Digest, etc. authorization required) are merged into a single vulnerability
- Added Label field for JIRA Send To actions
- Added Tags field for Manuscript (FogBugz) Send To actions
- Improved SQL Injection proof data by stripping HTML tags
- Improved CSRF token detection in cookie values
BUG FIXES
- Fixed wrong PDF scaling issue which causes fonts to be rendered very small for Report templates
- Fixed pagination problem on Scheduled Scans and Website Group pages
- Fixed a bug where screenshots are displayed for Scans run by Internal Agents
- Fixed the incorrect Content-Type header sent during Form Authentication requests
- Fixed the WAF rule generated for TRACE/TRACK HTTP methods which were blocking the other HTTP methods too
- Fixed the URL encoding issue for vulnerabilities that are send to Manuscript (formerly FogBugz)
- Fixed the error where the ExpectCT header was reported as an interesting header
- Fixed the Content-Type header parsing when there was an extra semicolon character at the end of the value
- Fixed the incorrect response displayed for Server Side Request Forgery (SSRF) vulnerabilities when the request was redirected to another page
- Fixed an incorrect external reference for the ViewState is not Encrypted vulnerability
- Fixed an incorrect possible LFI vulnerability when the response was redirected
- Fixed an incorrect Open Redirect vulnerability reported when a regular link was followed during DOM parsing
- Fixed broken case sensitivity check for crawled links
- Fixed FormatException that occurred while parsing cookies
- Fixed a JsonReaderException that occured while trying to parse a Swagger document
- Fixed parsing URLs with encoded chars
- Fixed hanging Open Redirect checks caused by binary responses
- Fixed the issue where a Swagger YAML file cannot be imported
- Fixed the cookie jar which does not ignore the duplicated cookie based on first cookie’s HttpOnly flag
- Fixed the Weak Signature Algorithm that is not reported for a self-signed root certificate
25 Jul 2018
IMPROVEMENT Updated terms of services document BUG FIXES Fixed a bug where XML reports can not be exported Fixed a bug where Jenkins integration was not working as expected Fixed an issue where “Check for Updates” was not displaying correct result for team member users Fixed a bug where sorting was not working on Scheduled …
IMPROVEMENT
- Updated terms of services document
BUG FIXES
- Fixed a bug where XML reports can not be exported
- Fixed a bug where Jenkins integration was not working as expected
- Fixed an issue where “Check for Updates” was not displaying correct result for team member users
- Fixed a bug where sorting was not working on Scheduled Scans page
23 Jul 2018
NEW FEATURE Added SSO (Single Sign-On) support for Netparker Enterprise On-Demand IMPROVEMENTS Improved text shown after deleting a website Improved text shown on Authentication Verifier Settings page Improved help text for Recaptcha setting shown on Service Settings page Removed 2FA disable button for users who do not have required access permission (previously displayed as disabled) …
NEW FEATURE
- Added SSO (Single Sign-On) support for Netparker Enterprise On-Demand
IMPROVEMENTS
- Improved text shown after deleting a website
- Improved text shown on Authentication Verifier Settings page
- Improved help text for Recaptcha setting shown on Service Settings page
- Removed 2FA disable button for users who do not have required access permission (previously displayed as disabled)
- Improved timer behaviour of validation code shown on SMS Settings page
- Improved order of vulnerabilities in several reports
- Response content will not be rendered if it’s higher than 10MB, instead response data can be downloaded from scan results page
- Refactored and improved performance of reports which can be exported from Scan Results page
- Added market place links for Jenkins, TeamCity and Bamboo plugins shown on Integrations page
- Improved validation messages for JIRA integration
- Improved samples for new website API documentation
- Changed wording on General Settings page
- Simplified endpoint format for Authentication Verifier settings
BUG FIXES
- Fixed a bug where if previous scan failed with domain resolution error, subsequent scans failed unexpectedly with the same error
- Fixed a bug where imported Swagger file was not parsed during scanning
- Fixed a bug where multiple SAML configurations might be configured with same configuration identifier
- Fixed an issue where Agent could not be disabled on Manage Agents page
- Fixed an issue where Jenkins icon was not displaying properly on IE
- Fixed a bug where sorting was not working for Next Execution Time on Scheduled Scans page
- Fixed a bug where product update links were not displaying correctly
- Fixed a bug where configured Scan Policies’ user agent was not used in Authentication Verifier
- Fixed documentation links for SSO providers
- Fixed API authorization error thrown on notification endpoints for Team Members
- Fixed an issue where custom reports were not displayed on Scan Results page
- Fixed an issue where Knowledge Base data was not saved properly
02 Jul 2018
BUG FIXES Fixed a database connectivity issue which was occurring when pool size was not sufficient (onpremises only) Fixed an issue where installation wizard was shown when database connectivity was lost (onpremises only) Fixed an issue in agent endpoint where scan file names were not set as expected (onpremises only)
BUG FIXES
- Fixed a database connectivity issue which was occurring when pool size was not sufficient (onpremises only)
- Fixed an issue where installation wizard was shown when database connectivity was lost (onpremises only)
- Fixed an issue in agent endpoint where scan file names were not set as expected (onpremises only)
07 Jun 2018
IMPROVEMENTS Improved audit logs’ contents. BUG FIXES Fixed an issue in “/scans/new” API endpoint. Fixed an issue where SMTP settings was not persisted as expected. Fixed an issue in IP restriction settings. Fixed an issue where vulnerabilities’ request/response details were not displayed properly.
IMPROVEMENTS
- Improved audit logs’ contents.
BUG FIXES
- Fixed an issue in “/scans/new” API endpoint.
- Fixed an issue where SMTP settings was not persisted as expected.
- Fixed an issue in IP restriction settings.
- Fixed an issue where vulnerabilities’ request/response details were not displayed properly.
29 May 2018
NEW FEATURES Added SSO (Single Sign-On) support (onpremises only) Added an option to “Scan Policy > HTTP Request” settings to capture HTTP Requests Added installation wizard for onpremises installation (onpremises only) New plugin for integration with Bamboo Added code highlighting support for vulnerability request and response Added “Scans per Website Group” report type to Reporting …
NEW FEATURES
- Added SSO (Single Sign-On) support (onpremises only)
- Added an option to “Scan Policy > HTTP Request” settings to capture HTTP Requests
- Added installation wizard for onpremises installation (onpremises only)
- New plugin for integration with Bamboo
- Added code highlighting support for vulnerability request and response
- Added “Scans per Website Group” report type to Reporting page
- Added an option to general settings to configure retention period for raw scan files (onpremises only)
- Invicti Desktop integration: ability to import and export scans between the scanners.
- Added Server-Side Template Injection (SSTI) vulnerability checks.
- Added the OWASP 2017 Top Ten classifications report template.
NEW SECURITY CHECKS
- Expect-CT security checks.
- Added various new web applications in the application version database.
- Added out of date checks for Hammer.JS., Phaser., Chart.js., Ramda., reveal.js., Fabric.js., Semantic UI., Leaflet., Foundation., three.js., PDF.js., Polymer.
IMPROVEMENTS
- Added elapsed time information for ongoing scans
- Added an option to scan reports page for hiding addressed issues
- Improved Agents page to display configured agents’ versions (onpremises only)
- Added CVSS score to JSON vulnerabilities report
- Improved user profile to display trial expiration date
- Improved response status messages on the API documentation
- Added Invicti Enterprise issue link to created tickets for supported issue tracking systems (JIRA, TFS, GitHub and FogBugz)
- Improved help text for schedule scan’s license errors
- Allowed team members to manage their own notification settings
- Added “Copy to Clipboard” functionality for API settings
- Improved Incremental Scan page to configure maximum scan duration
- Added an icon for scans launched by continuous integration systems
- Added “LookupId” unique identifier for vulnerabilities to “/scans/report” API endpoint
- Added “FirstSeenDate” and “LastSeenDate” fields for vulnerabilities to “/scans/report” API endpoint
- Added “CreatedAt” and “UpdatedAt” fields for “/websites/list” API endpoint
- Added “/vulnerability/list” API endpoint to list vulnerability templates
- Improved logs for client certificate validation errors
- Crawler can now parse multiple sitemaps in a robots.txt file.
- Added support for parsing swagger documents in yaml format.
- Added support for parsing relative meta refresh URLs.
- Improved parsing of websites using React framework.
- Content-Security-Policy-Report-Only header is not reported as an interesting header.
- Variations are retested before starting an incremental scan.
- Improved JavaScript content check performance while detecting out of date versions.
- Renamed FogBugz send to action to its new name Manuscript.
- GitHub Send to action now works with organization accounts and private repositories.
- Added support for handling HTTP 307 redirects.
- DS_STORE files are discovered and parsed.
- Added WAF (Mod Security) rule generation support for out of band vulnerabilities.
- Improved MySQL double encoded string attacks.
- New Extensions scan policy settings to specify which extensions should be crawled and attacked.
- Added “Disallowed HTTP Methods” settings to scope options on the new scan page.
BUG FIXES
- Fixed an issue where empty value was not accepted for Excluded URLs
- Fixed an issue where invitation was not deleted after an account deleted
- Fixed font size for highlighted fields on vulnerability details
- Fixed an issue where validation was not working as expected for Invicti Hawk settings
- Fixed an issue where VDB update date was not persisted as expected
- Fixed some possible vulnerabilities missing [Possible] indicator in title.
- Fixed highlighting problem for “Password Transmitted over HTTP” vulnerability.
- Fixed the incorrect Possible LFI caused by the persisted OOB RCE pattern on the page response.
- Fixed incorrect “[Possible] WS_FTP Log File Detected” vulnerability.
- Fixed Hawk validation error by not following redirects.
- Fixed the issue where a vulnerability is not reported when the cookie contains a CSRF token.
- Fixed the issue where static detection vulnerabilities are treated as fixed after a retest even though they are not.
- Fixed the issue where CSRF token in the cookie is not reported when token is in the form action.
- Fixed the issue on GitHub send to action where the test passed but vulnerability issue cannot be created.
- Fixed the SSL check hang on HTTP only hosts.
- Fixed LFI engine by not analyzing source code disclosure on binary responses.
- Fixed a validation issue for some Swagger documents.
- Fixed the issue where CSP keywords are not reported when used without single quotes.
- Fixed mailto: and javascript: links which were incorrectly reported as mixed content.
- Fixed incorrect source code disclosures reported in binary responses.
- Fixed incorrect UNC Server And Share Disclosure vulnerability reports.
- Fixed out of date version reporting behavior when no ordinal is found in version database.
- Fixed Lighttpd version disclosure detection signatures.
- Fixed a Swagger parsing issue.
18 Apr 2018
BUG FIXES Fixed a bug where crawling is not working as expected. Fixed a security vulnerability in form authentication verification.
BUG FIXES
- Fixed a bug where crawling is not working as expected.
- Fixed a security vulnerability in form authentication verification.
06 Mar 2018
NEW FEATURES New plugin for integration with TeamCity New plugin for integration with Jenkins Added IP Address Restrictions IMPROVEMENTS Improved XML and date samples displayed in API documentation. Improved input validation in the reporting page. Improved on-premises installation document for customers using load balancer. Renamed FogBugz integration to Manuscript. Improved validation of custom cookies. New …
NEW FEATURES
- New plugin for integration with TeamCity
- New plugin for integration with Jenkins
- Added IP Address Restrictions
IMPROVEMENTS
- Improved XML and date samples displayed in API documentation.
- Improved input validation in the reporting page.
- Improved on-premises installation document for customers using load balancer.
- Renamed FogBugz integration to Manuscript.
- Improved validation of custom cookies.
- New scans launched outside scan window will be automatically queued
- Increased character limit for website name.
- Added more details to scanner agent’s startup log.
- Improved installation error message of internal scanner agent.
- Improved vulnerability request/response data page performance.
- Improved the navigation of issues and scans.
- Improved validation of custom 404 settings in the Scan Policy.
- Added a “Copy to Clipboard” button for cURL samples in API documentation.
- Improved API documentation to show request details.
- Changed date/time format from 24-hour clock to 12-hour clock.
BUG FIXES
- Fixed HTTP response data that was not displayed correctly for stored XSS vulnerability.
- Fixed the Github integration which ws not working due to TLS 1.2 connectivity problem.
- Fixed an issue where loading icon does not rendering correctly in IE11.
- Fixed a font size problem in the PCI DSS reports.
- Fixed the info messages that were not fitting in the screen on small resolutions.
- Fixed an issue in which scan profiles could be created with same name.
- Fixed a bug with website verification emails which were not being sent.
- Fixed a bug with vulnerability counts in HIPAA and PCI DSS compliance reports.
31 Jan 2018
NEW FEATURES Added agent grouping support which allows to launch scans in specified agent group. This feature is only available for on-premises standard agents. New API endpoints for getting website and website group details. IMPROVEMENTS Changed Netpsparker Enterprise application’s loading icon. Added an icon to indicate external links. BUG FIXES Fixed an issue where scans are …
NEW FEATURES
- Added agent grouping support which allows to launch scans in specified agent group. This feature is only available for on-premises standard agents.
- New API endpoints for getting website and website group details.
IMPROVEMENTS
- Changed Netpsparker Enterprise application’s loading icon.
- Added an icon to indicate external links.
BUG FIXES
- Fixed an issue where scans are not launched on on-premises AWS scanner agents.
- Fixed an issue where realtime scan results are not displayed correctly in IE11.
- Fixed an issue where proofs are not displayed correctly on vulnerability details section.
14 Dec 2017
NEW FEATURES Realtime scan results Added out of the box integration support for: FogBugz, Github and TFS issue tracking systems. Grouping of notifications so a single email or SMS alert is sent with a list of all alerts rather than multiple individual alerts. New API endpoint for launching group scans. Scheduling for incremental scans both …
NEW FEATURES
- Realtime scan results
- Added out of the box integration support for: FogBugz, Github and TFS issue tracking systems.
- Grouping of notifications so a single email or SMS alert is sent with a list of all alerts rather than multiple individual alerts.
- New API endpoint for launching group scans.
- Scheduling for incremental scans both from the web UI and API.
- New API endpoint for generating custom scan reports.
- New scan policy setting to define Web (Session and Local) Storage.
- New Header Authentication settings to manually add request headers with authentication information.
- Added support to import links from CSV files.
- Added support for parsing of gzipped sitemaps.
NEW SECURITY CHECKS
- Check for reflected Code Evaluation in Apache Struts 2 (CVE-2017-12611).
- Check for Remote Code Execution in Apache Struts (CVE-2017-5638).
IMPROVEMENTS
- Scan Time Window setting is now available to new group scans page.
- Improved scan stability and performance.
- Improved default Form Values settings.
- Updated external references for several vulnerabilities.
- Updated default User-Agent HTTP request header string.
- Changed API endpoints to return 201-Created response status code for new resources.
- Added several UI improvements for WCAG guidelines compliance.
- Improved the email template that reports issues.
- Added “Attack Parameters” information to Scanned URLs report.
- Renamed the “Important” vulnerability severity to “High”.
- Added Form Authentication performance data to Scan Performance knowledge base node.
- Improved Active Mixed Content vulnerability description.
- Improved DOM simulation for events attached to document object.
- Added parsing of “Alternates”, “Content-Location” and “Refresh” response headers.
- Improved CSP engine performance by checking CSP Nonce value per directory.
- Changed sqlmap payloads to start with sqlmap.py, including the .py extension.
- Added –batch argument to sqlmap payloads.
- Removed Markdown Injection XSS attack payloads.
- Added ALL parameter type option to the Ignored Parameters settings.
- Added gtm.js (Google Tag Manager JS library) to the default excluded scope patterns.
- Updated the Accept HTTP header value for default scan policy.
- Added CSS exclusion selector supports frames and iframes.
- Added embedded space parsing for JavaScript code in HTML attribute values.
- Added parsing source information to Scanned URLs List and Crawled URLs List (JSON) reports.
- Email disclosure will not be reported for email addresses used in form authentication credentials.
- Added focus and blur event simulation for form authentication set value API calls.
- Added more information about HTML forms and input for vulnerabilities found in HTML forms.
- Added a JavaScript option to specify JavaScript cookies to persist across authentication and DOM simulation.
- Added Parameter Value column to the Vulnerabilities List report in CSV format.
- Added match by HTML element id for form values.
- Added “Ignore document events” to JavaScript settings to ignore triggering events attached to document object.
- Improved Windows Short Filename vulnerability details Remedy section.
- URL Rewrite parameters are now represented as asterisks in sqlmap payloads.
BUG FIXES
- Fixed an issue where AutoSave filename is missing during resuming a scan.
- Fixed an issue where “Test” button of authentication settings does not work as expected.
- Fixed an issue where model binding does not work as expected for scan profile API endpoints.
- Fixed CSRF vulnerability reporting on change password forms.
- Fixed case sensitivity checks while matching ignored parameters, now it matches case sensitive.
- Fixed the incorrect disabled external references section in WordPress Setup Configuration File template.
- Fixed various source code disclosure issues.
- Fixed an escaping issue with CSS exclusion selectors.
- Fixed the issue where the basic authentication credentials were not being sent on logout detection phase.
- Fixed a random DOM simulation exception occurs when site creates popup windows.
- Fixed a RemotingException occurs on Form Authentication Verifier.
- Fixed a possible NullReferenceException on Form Authentication.
- Fixed the broken form authentication custom script when the last line of the script is a single line comment.
- Fixed huge parameter value deserialization memory usage.
- Fixed the wrong URLs added with only extension values.
- Fixed a NullReferenceException which may be thrown while importing a swagger file.
- Fixed form authentication not triggered on retest.
- Fixed StackOverflowException in swagger parser thrown while parsing objects containing circular references.
- Fixed a swagger file parsing issue where target URL should be used when host field is missing.
- Fixed swagger importer by ignoring any metadata properties.
- Fixed a NullReferenceException occurs during DOM simulation.
- Fixed the incorrect URLs parsed on attack responses.
- Fixed the redundant duplicate HTTP requests issued by Web App Fingerprinter.
- Fixed ignore parameter issue for parameters containing special characters.
- Fixed a NullReferenceException that occurs for select elements missing option elements on multipart requests.
- Fixed missing vulnerabilities requiring late confirmation for incremental scans.
- Fixed a NullReferenceException may occur on iframe security checks.