19 Sep 2017
NEW FEATURES Added scan policy settings for CSRF security checks. Added ability to use custom HTTP headers during scan. Added attacking optimization option for recurring parameters on different pages. Added a new knowledgebase item called Site Profile that lists information about target web site such as the web server operating system, database server, JavaScript libraries …
NEW FEATURES
- Added scan policy settings for CSRF security checks.
- Added ability to use custom HTTP headers during scan.
- Added attacking optimization option for recurring parameters on different pages.
- Added a new knowledgebase item called Site Profile that lists information about target web site such as the web server operating system, database server, JavaScript libraries used etc.
- Redesigned the Basic, NTLM, Digest and Kerberos authentication settings which now supports multiple credentials for different URL paths.
NEW SECURITY CHECKS
- Added Referrer Policy security checks.
- Added markdown injection XSS patterns.
- Added HostIP and IPv6 patterns to MySQL and SSH SSRF security checks.
- Added Database Name Disclosure security checks for MS SQL and MySQL.
- Added Out of Date security checks for several JavaScript libraries.
- Added Remote Code Evaluation (Node.js) security checks.
- Added SSRF detection with server-status.
- Added user controllable cookie detection.
- Added Context-Aware XSS detection by generating XSS payloads based on the reflected context without breaking it.
- Added Default Page checks for IIS 7.0, 7.5, 8.5 and 10.0.
- Added IIS 10.0 Version Disclosure checks.
- Added WordPress Setup Configuration File checks.
IMPROVEMENTS
- Improved design of the group scan email template.
- Improved accessibility of several pages to follow WCAG guidelines.
- Optimized compression time while archiving the raw scan files.
- Added support for allowing users to launch scheduled scans manually.
- Disabled scheduled scans if the license is expired.
- Updated the links to several external references.
- Improved JavaScript and CSS resource parsing.
- Added DOM simulation options to scan policy optimizer wizard.
- Improved Mixed Content vulnerability reporting by separating them according to resource types.
- Improved boolean SQL injection detection for redirect responses.
- Improved WSDL parsing for files that contain optional extensions.
- Improved .sql file detection signature.
- Added extra confirmation for weak credentials detection.
- Added scan policy option to allow XHR requests during DOM simulation.
- Added form value for password input types to default scan policy.
- Increased the maximum response size limit for JavaScript resources.
- Improved the send to JIRA error message.
- Added maximum number of option elements per select element to simulate scan policy setting.
- Added filter ‘colon’ events scan policy option to filter events that contain colon character in its name during DOM simulation.
- Improved error based SQLi exploitation by generating prefix/suffix dynamically.
- Improved command injection vulnerability detection by prepending original parameter value to attack payload.
- Improved LFI vulnerability detection by detecting HTML and URL encoded PHP source codes.
- Improved LFI attack patterns.
- Improved DOM XSS attack patterns.
- Improved DOM/JavaScript simulation.
- Improved the performance of email address disclosure detection.
- Improved the performance of database connection string disclosure detection.
- Improved the performance of JavaScript library detection.
- Improved the performance of RoR database configuration detection.
- Improved Blind Command Injection detection on Linux systems.
- Improved resource finder to find more hidden resources.
- Improved support for simulating customized select elements.
- Improved NTLM, Digest and Kerberos authentication support.
- Improved DOM simulation stability and performance.
- Improved the default parameter name list for Parameter Based Navigation.
- Added NTLM and Digest authentication support to the generated sqlmap and cURL commands.
- Improved boolean and blind SQL injection checks for MySQL databases.
- Improved blind SQL injection checks for PostgreSQL databases.
- Improved reflected and stored XSS detection.
- HSTS checks now reports missing preload directives.
- Updated Korean translation.
- Improved JSON response parsing.
- Improved DOM based XSS payloads by prepending a URL to referer to make it practically work on web browsers.
- Improved email disclosure checks by checking host names against to public suffix list.
BUG FIXES
- Fixed a NullReferenceException which may have been thrown while editing settings of an user.
- Fixed an issue where email notifications are not sent for unconfirmed phone numbers.
- Fixed an issue which may have been thrown while deleting an account.
- Fixed an issue where error based SQLi confirmation is done based on the first seen database signature when multiple signatures appear in source code.
- Fixed the duplicate import link issue.
- Fixed an issue where XSS is missed when injected payload is not executed due to a syntax error.
- Fixed crawling of URLs on pages where base element points to some other URL.
- Fixes an issue where blacklisted Invicti attacks prevent further source code disclosures in HTML response.
- Fixed an issue where mixed content vulnerabilities are missing because DOM simulation is skipped due to missing JavaScript in HTML source.
- Fixed issues where empty POST parameter is imported and headers added as disabled for Postman files.
- Fixed an issue where signature fails to match MS SQL username in error messages.
- Fixed an issue where vulnerability is missed because of that not appending arbitrary value to extra querystring parameter name.
- Fixed the error caused by null bytes in attack patterns while sending vulnerabilities to JIRA.
- Fixed an incorrect “Password Transmitted over HTTP” issue for relative URLs on pages redirected to HTTPS addresses.
- Fixed the NullReferenceException thrown while importing certain HAR (HTTP Archive) files.
- Fixed incorrect “Interesting Header” report for Content-Security-Policy header.
- Fixed directory listing is not reported issues on some IIS versions.
- Fixed the issue where comments in CSS files are not parsed.
- Fixed the incorrect URL found in CSS comments.
- Fixed incorrect CSRF vulnerability reports by taking hidden token input into account.
- Fixed an IndexOutOfRangeException caused by CSP checks.
- Fixed the signature pattern which fails to match “Programming Error Message (PHP)” in multiple lines.
- Fixed markdown XSS attack patterns causing incorrect findings.
- Fixed incorrect “Interesting Header” reports for some headers.
- Fixed the incorrect http protocol displayed for SSL vulnerabilities.
- Fixed an issue where DOM simulation is performed for checking XSS once per XPath.
- Fixed the maximum crawled URL limit exceeded issue.
- Fixed duplicate resource finder requests.
- Fixed the WADL import issue where the operation fails for responses with no status codes.
- Fixed incorrect HttpOnly reports of XSRF-TOKEN cookies, due to its nature these cookies must be accessed from JS code.
- Fixed the incorrect missing object-src report on CSP checks.
- Fixed an issue where default crawled value is double-encoded instead of single.
- Fixed the missing content for Site Profile section of Knowledge Base report.
21 Jul 2017
NEW FEATURES Added support for integrating Invicti Enterprise with JIRA issue tracking system. (BETA) Added support for scanning internal websites in Invicti Enterprise Added proxy support for on-premises scanner agents. IMPROVEMENTS Decreased scan results’ registration time by optimazing database queries. Added several improvements for running Invicti Enterprise on-premises on AWS. Added more information (such as Total …
NEW FEATURES
- Added support for integrating Invicti Enterprise with JIRA issue tracking system.
- (BETA) Added support for scanning internal websites in Invicti Enterprise
- Added proxy support for on-premises scanner agents.
IMPROVEMENTS
- Decreased scan results’ registration time by optimazing database queries.
- Added several improvements for running Invicti Enterprise on-premises on AWS.
- Added more information (such as Total Requests and Average Speed) to the detailed scan report.
- Improved code samples used in API documentation.
- Improved help text and messages.
- Added delete button to website edit page.
- Improved scanner agent’s startup script to ensure agent is started properly.
- Improved sign-in/logout flow to make user sessions more secure.
- Reviewed and fixed duplicate IDs in HTML elements.
- Improved design of the email templates.
- Updated AWS SDK to the latest version.
- Added Korean support to scan report API endpoint.
- Added support for setting preferred agent name via API.
- Added status information to preferred agent section on the new scan page.
FIXES
- Fixed an issue with the archiving of raw scan files.
- Fixed the total website count which was incorrect on manage website groups page.
- Fixed the user’s date format that was not used while selecting dates on account settings page.
- Fixed the account settings page which was not displayed properly in high-DPI screens.
- Fixed a bug where issue counts were not displayed correctly on website dashboard page.
- “JavaScript – Elements To Skip” setting was is now set properly in new scan policy page.
- Expired license error is now returned properly in API endpoints.
- Fixed issues with the order of the websites in the “Websites That Have Shortest Fix Time” widget.
- Fixed an error which was being thrown when adding a website via API in Invicti Enterprise on-premises.
- Fixed CVE links in scan report page.
- Fixed a bug in website verification API endpoint.
- Fixed a NRE which was being thrown during exporting CSV reports.
- Fixed a bug where CSV comma separator is not remembered on Export to CSV pages.
- Fixed an error which was being thrown during deleting a scan profile.
- Fixed a bug in website verification API endpoint.
07 Apr 2017
New Features A wizard to assist first time users add a new website and setup a web security scan Late confirmation of vulnerabilities (vulnerabilities can be confirmed after the scan has finished with Invicti Hawk) New Security Checks New security check that detects insecure targets in Content Security Policy. Added checks for exposure of trace.axd in …
New Features
- A wizard to assist
first time users add a new website andsetup a web security scan - Late confirmation of vulnerabilities (vulnerabilities can be confirmed after the scan has finished with Invicti Hawk)
New Security Checks
- New security check that detects insecure targets in Content Security Policy.
- Added checks for exposure of trace.axd in ASP.NET applications.
- New security check for Time Based Server-Side Request Forgery.
- Added Markdown Injection attack pattern to XSS engine.
- Added a Code Evaluation check for Apache Struts framework.
Improvements
- Improved Boolean SQL Injection detection.
- Updated the Local File Inclusion vulnerability classifications.
- Improved Trace/Track security checks.
- Improved coverage of XSS engine in redirects.
- Added policy optimization support for SSRF security checks.
- Added exploit generation support for “Cross-site Scripting via Remote File Inclusion” vulnerability.
- Added a specialized parser to parse JavaScript responses better to reduce discovering incorrect links.
- Improved form authentication logout detection by ignoring the responses of some attacks to prevent incorrect logout detections.
- Added VDB support to Blind & Boolean
SQLi post exploitation. - Added support for checking Open Redirection vulnerability on Refresh response header.
- Added the XPath information of the element that causes the DOM XSS vulnerability.
- Added “Sub Path Max Dynamic Signatures” setting for Heuristic URL Rewrite detection.
- Added a JavaScript scan policy option to reduce triggered event count during the simulation.
- Added a JavaScript scan policy option to exclude HTML elements such as logout buttons from event simulation by CSS selectors.
- Added checks for vulnerabilities which sink into
window .name capability for DOM XSS security checks. - Improved the coverage of the Local File Inclusion engine so the vulnerability can be found in a full
url attack. - Changed severity numbers’ style on scan result pages.
- Added support for editing scan time window settings for running scans.
- Highlighted special fields of vulnerability notes on the scan report page.
- Settings of completed scans are automatically applied to new scans when a user launches a new scan from the recent scans page or scan report page.
- Improved notifications email templates.
- Improved help text by adding netsparker.com article links to relevant sections.
- Improved input validation for request rate limit settings on the scan policy page.
- Added support for remembering previously entered filters on list pages.
- Allowing users to select CSV separator while export scan reports.
- Added support to allow users to re-verify logout settings on the form authentication verification dialog.
Bug Fixes
- Fixed several issues related to DOM parsing and simulation.
- Fixed a NullReferenceException thrown by HTTP Methods checks.
- Fixed a StackOverflowException caused by JSON responses with too many nested elements.
- Fixed Proof of Concept generation during post exploitation for
time based SQLi checks. - Fixed a NullReferenceException while confirming a Boolean
SQLi vulnerability. - Fixed an issue where
scan is paused when an additional host is unreachable. - Fixed typos in CSP vulnerability templates.
- Fixed an issue where ignored emails are still reported as knowledge base issue.
- Fixed an issue where source code disclosure is reported in JS and CSS files.
- Fixed an SQL exploitation issue where executing a SQL query which expected an integer result is no longer giving failure for PostgreSQL database.
- Fixed a Text Parser issue where single quote characters were being captured as part of links.
- Fixed the incorrect path disclosure caused by the Shellshock attack.
- Fixed missing SSRF proofs under Proofs knowledge base.
- Fixed incorrect encoded parameter names for multipart/form-data forms.
- Fixed the performance recrawling for DOM XSS checks on websites with lots of links.
- Fixed the incorrect CR LF encoding issues on proof URLs.
- Fixed DOM Parser clearInterval JavaScript function simulation.
- Fixed an issue where stored XSS vulnerability is reported in an XHR response rather than in the page itself which makes XHR request.
- Fixed an issue where Boolean SQL Injection vulnerability is missed due to
crawled parameter value. - Fixed an issue where reflected XSS vulnerability is missed because the reflected payload is HTML encoded in an attribute.
- Fixed an issue where Text Parser does not handle the same referenced JavaScript in different files.
- Fixed an issue where timezone is not being set correctly when a validation error occurs on the signup page.
- Fixed a filtering issue on the Manage Team page.
26 Jan 2017
New Features Authentication & session verification for form based authentication. Credentials test for Basic and NTLM/Kerberos authentication mechanisms. Support for the Invicti Hawk infrastructure, used for detecting SSRF and out-of-band vulnerabilities. Added HTTP request rate limiting options to Scan Policy. Added “Ignored Email Addresses” section in Scan Policy. Added accept and reject options for untrusted …
New Features
- Authentication & session verification for form based authentication.
- Credentials test for Basic and NTLM/Kerberos authentication mechanisms.
- Support for the Invicti Hawk infrastructure, used for detecting SSRF and out-of-band vulnerabilities.
- Added HTTP request rate limiting options to Scan Policy.
- Added “Ignored Email Addresses” section in Scan Policy.
- Added accept and reject options for untrusted SSL certificates.
- Added an option to disable automatic detection of 404 error pages.
- Support for importation of Postman files.
New Security Checks
- New security checks for Server Side Request Forgery (SSRF) vulnerability
- New security checks for out-of-band vulnerabilities such as OOB SQL Injection, OOB XXE, Blind XSS, OOB RCE, OOB RFI etc.
- New security check for Stored DOM based XSS
- Added “Missing object-src in CSP Declaration” vulnerability detection.
- Added “Apache Multiple Choices” vulnerability detection.
Improvements
- Improved the performance of several link importers.
- Added “Bearer Token” support for form authentication.
- Added confirmation for Frame Injection vulnerabilities.
- Added http: and https: checks for CSP vulnerability detection.
- Improved link importers – redundant CONNECT requests are now excluded.
- Optimized attacker performance for links containing single parameter.
- Optimized crawling parser by skipping DOM simulation on pages with static content.
- Improved coverage of CORS security check with extra attacks.
- Removed GWT attacks from file upload security checks.
- Improved DOM simulation performance.
- Improved CSS parsing which now follows CSS import directives.
- Improved coverage of open redirect security checks by adding/updating attacks patterns.
- Improved logout detection by skipping JavaScript responses.
- Added support for “HTTP 410 Gone” and “HTTP 451 Unavailable For Legal Reasons” response status codes.
- Added CVSS information to more vulnerabilities.
- Updated vulnerability database.
- Added URL Rewrite mode to Detailed Scan Report.
- Added support for configuring websites on manage groups page.
- Improved the UI & UX of several pages.
Bug Fixes
- Fixed an issue where a “multiple cookies issue” should not be reported.
- Fixed a JSON parsing issue with text parser.
- Fixed an HTTP response issue where the response could not be read because only BOM bytes are sent on first read attempt.
- Fixed an issue where a false positive file upload vulnerability might be reported.
- Fixed several DOM simulation issues on pages that have many iframe elements.
- Fixed a NullReferenceException while performing an internal MD5 encoding operation.
- Fixed an encoding issue on a proof URL of an XSS vulnerability.
- Fixed an issue where “Shell Script Identified” vulnerability is not found when retested.
- Fixed URL parsing on pages where the URLs were containing whitespace characters like carriage return and line feeds.
- Fixed a text parsing issue where absolute URLs were converted to invalid relative URLs.
- Fixed incorrect protocol detection for protocol-relative URLs.
- Fixed an issue which occurs during importing websites with unix line endings.
- Fixed a retest issue which occurs if vulnerable URL contains a dash character.
- Fixed an issue where SSL details were not shown properly on knowledge base report.
29 Nov 2016
New Feature Email and SMS notifications allowing you to be instantly alerted about scan progress, results and identified vulnerabilities. Improvements Description in Scan Status have been improved to give a better overview. Added a new crawling option Find and Follow New Links. Previously it was hidden and always enabled. Improved the names of the exported reports …
New Feature
- Email and SMS notifications allowing you to be instantly alerted about scan progress, results and identified vulnerabilities.
Improvements
- Description in Scan Status have been improved to give a better overview.
- Added a new crawling option Find and Follow New Links. Previously it was hidden and always enabled.
- Improved the names of the exported reports by adding the report type as prefix in filename.
Bug Fixes
- Fixed an issue where the target website screenshot was not being captured.
- Fixed the CSS styles in some knowledge base items in the scan report page.
- Fixed an issue where the Upload client certificate button was not working.
17 Nov 2016
Fixes Fixed a licensing bug in a third-party library.
Fixes
- Fixed a licensing bug in a third-party library.
03 Nov 2016
New Technical Check Added “Cookie Header Contains Multiple Cookies” check Improvements Improved the Content Security Policy (CSP) and “Misconfigured Access-Control-Allow-Origin Header” vulnerability templates. Improved CSP vulnerability detection by only reporting vulnerabilities on HTML resources. Improved the coverage of the boolean SQL injection vulnerability engine. Fixes Fixed an issue which was preventing the deletion of multiple websites. Fixed …
New Technical Check
- Added “Cookie Header Contains Multiple Cookies” check
Improvements
- Improved the Content Security Policy (CSP) and “Misconfigured Access-Control-Allow-Origin Header” vulnerability templates.
- Improved CSP vulnerability detection by only reporting vulnerabilities on HTML resources.
- Improved the coverage of the boolean SQL injection vulnerability engine.
Fixes
- Fixed an issue which was preventing the deletion of multiple websites.
- Fixed the External CSS, Script and Frame Knowledge Base items which were not considering the port during checks.
- Fixed an issue in the Open Redirect detection where incorrect URLs may also be reported.
- Fixed an issue related to the form authentication which prevents logout detection during attacking phase.
- Fixed an Local File Inclusion (LFI) vulnerability detection issue when attacked with a FullUrl payload.
- Fixed an incorrect retest result which occurs when the target website is not reachable.
- Fixed a CSP vulnerability issue for deprecated CSP header name on meta tags.
17 Oct 2016
New Features Added the ability to configure the scanner to scan websites which are linked from the target website. Added the Common Vulnerability Scoring System (CVSS) in vulnerability reports. Added the OWASP Proactive Guide to classification list. New Web Security Checks Added security checks for Content Security Policy (CSP) web security standard. Added DOM based …
New Features
- Added the ability to configure the scanner to scan websites which are linked from the target website.
- Added the Common Vulnerability Scoring System (CVSS) in vulnerability reports.
- Added the OWASP Proactive Guide to classification list.
New Web Security Checks
- Added security checks for Content Security Policy (CSP) web security standard.
- Added DOM based open redirection security check.
Improvements
- Improved the Cross-site Scripting (XSS) vulnerability security checks coverage.
- Renamed “Permanent XSS” vulnerability to “Stored XSS”.
- Added type ahead search functionality for Scan Policy > Security Checks.
- Added HTTP methods to AJAX / XML HTTP Requests knowledge base section.
- Optimized the performance of SOAP web service parsing by skipping the WSDLs that are already parsed.
- Added Scan Policy > Crawling options to enable/disable parsing of SOAP and REST web services.
- Improved DOM simulation by simulating “contextmenu” events.
- Increased the default values for “Maximum Page Visit” and “Max. Number of Parameters to Attack on a Single Page” settings.
- Improved XML parsing during crawling by parsing empty XML elements as parameters too.
- Added the ability to attack parameter names.
- Added a note to vulnerability detail for non-exploitable frame injection.
- Added .jhtml and .jsp attacks to file upload engine.
- Improved CORS security checks.
- Improved Open Redirect engine to detect CNAME injection such as example.com.r87.com.
- Improved XSS confirmation for vulnerabilities found inside noscript tags.
- Added an attack pattern to the command injection engine to bypass whitespace filtering using $IFS environment variable.
Bug Fixes
- Fixed a form authentication issue where the last form authentication sequence requests were prematurely cancelled.
- Fixed an issue where incorrect PHP source code disclosures are reported for some binary responses.
- Fixed the broken External Reference link on Remote Code Evaluation (PHP) vulnerability.
- Fixed a file upload input DOM parsing issue which prevents some file upload attacks.
- Fixed a form authentication issue occurs on web sites that opens popups during form authentication sequence.
- Fixed a DOM simulation issue occurs when there is a form element with name “action” on target web page.
- Fixed duplicate “Email Address Disclosure” reporting issue.
- Fixed a NullReferenceException on occurs during CORS security checks.
- Fixed a CSRF exploit generation issue where the generated file is empty.
- Fixed an issue where XSS vulnerability is missed when multiple redirects occur.
- Fixed a text parsing issue where relative URLs were not supported as base href values.
- Fixed an issue where Missing X-Frame-Options Header vulnerability is reported even though ALLOW-FROM is included in the header.
- Fixed an XSS attacking issue where duplicate attacks are made for same payload.
- Fixed a Header Injection attack issue where first line of the HTTP request gets corrupted on full URL attacks.
- Fixed an issue where post exploitation does not work sometimes.
- Fixed a form authentication issue where any slash character in credentials cannot be used.
22 Sep 2016
New Features Completely revamped the Invicti Enterprise vulnerability tracking system. Improvements Improved the users’ permissions as explained in Understanding and configuring Invicti Enterprise users permissions. Added several tooltips in the UI. Bug Fixes Fixed wrong websites threat levels (they were just representing the last scan’s threat level). Fixed the security overview chart which was showing …
New Features
- Completely revamped the Invicti Enterprise vulnerability tracking system.
Improvements
- Improved the users’ permissions as explained in Understanding and configuring Invicti Enterprise users permissions.
- Added several tooltips in the UI.
Bug Fixes
- Fixed wrong websites threat levels (they were just representing the last scan’s threat level).
- Fixed the security overview chart which was showing only the last scan’s threat level for each website.
04 Jul 2016
NEW FEATURES Support and Scanning of RESTful web services. Auto Heuristic URL Rewrite Rules can be used with Custom URL Rewrite rules during a website security scan. New Reporting utility. Added the new option “Crawl & Attack at the Same Time” setting to new scan page. NEW SECURITY CHECKS Added Samesite cookie attribute check. Added …
NEW FEATURES
- Support and Scanning of RESTful web services.
- Auto Heuristic URL Rewrite Rules can be used with Custom URL Rewrite rules during a website security scan.
- New Reporting utility.
- Added the new option “Crawl & Attack at the Same Time” setting to new scan page.
NEW SECURITY CHECKS
- Added Samesite cookie attribute check.
- Added Reverse Tabnabbing check.
- Added Subresource Integrity (SRI) Not Implemented check.
- Added Subresource Integrity (SRI) Hash Invalid check.
IMPROVEMENTS
- Various memory usage improvements to better handle large websites.
- Improved vulnerability templates by adding product information when a 3rd party web application (WordPress, Drupal, Joomla, etc.) is discovered.
- Improved DOM simulation by supporting HTTP responses that is translated to HTML web pages using XSLT.
- Improved coverage of Local File Inclusion security check engine.
- Improved the automatic form authentication script to click the “button” HTML elements if no suitable button is found.
- Improved the “HTML Base Tag Hijacking” vulnerability template.
- Improved the long-term memory usage of the DOM simulation and cross-site scripting (XSS) scanning.
- DOM simulation smart filtering now prunes unnecessary DOM branches.
- Improved the detection of “Redirect Body Too Large” vulnerability.
BUG FIXES
- Fixed the “Cross-site Scripting via Remote File Inclusion” vulnerability, which was not being confirmed automatically.
- Fixed the incorrect form value issue when the #DEFAULT# form value is removed.
- Fixed an HTTP Archive Importer issue during which the POST method was parsed as GET when postData is empty.
- Fixed a bug in which a GWT parameter that contained a Base64 encoded value was not detected.
- Fixed a time span parsing bug in Knowledge base report templates.
- Fixed an issue in which some vulnerabilities are treated as fixed while retesting.
- Fixed an issue in which XSS proof URL was missing alert function call.
- Fixed the broken “Generate Debug Info” function of JavaScript simulation feature.
- Fixed a NullReferenceException that can be thrown by the Subresource integrity security checks.
- Fixed cURL login sample in API documentation.
05 May 2016
NEW SECURITY CHECKS Detection of a Remote Code Execution via File Upload in ImageMagick (aka ImageTragick)
NEW SECURITY CHECKS
- Detection of a Remote Code Execution via File Upload in ImageMagick (aka ImageTragick)
04 May 2016
New Features Ability to export the scanners’ findings as ModSecurity web application firewall rules. Scan Time Window that allows you to specify when the scanner can scan your website or not. NEW SECURITY CHECKS Detection of SQLite Database files. Detection of Microsoft Outlook Personal Folders File (.pst) files. Detection of DS_Store files. Detection of SVN …
New Features
- Ability to export the scanners’ findings as ModSecurity web application firewall rules.
- Scan Time Window that allows you to specify when the scanner can scan your website or not.
NEW SECURITY CHECKS
- Detection of SQLite Database files.
- Detection of Microsoft Outlook Personal Folders File (.pst) files.
- Detection of DS_Store files.
- Detection of SVN files, supporting the latest version of SVN.
IMPROVEMENTS
- Improved LFI “Long attack – boot.ini” attack.
- Added Internet Explorer 10, 11 and Microsoft Edge browser user agent values.
- Improved the performance of the scan session auto saves.
- Improved link importing to better handle relative URLs.
- Improved the “MIME Types” knowledge base list by ordering items alphabetically.
- Added “Extract static resources” option to JavaScript scan policy settings.
- Improved coverage of XML External Entity engine.
FIXES
- Fixed an attacking issue that occurs when retesting a vulnerability in an incremental scan.
- Fixed a link parsing issue in the text parser where links were incorrectly split.
- Fixed a form authentication “Override Target URL with authenticated page” issue which caused a wrong URL to be identified as the “Target URL”.
- Fixed a highlighting issue where the URL for “Insecure Frame (External)” vulnerability is partially highlighted.
- Fixed an incorrect “Source Code Disclosure” vulnerability report when the response contained an ASP.NET event validation code sample.
- Fixed a broken link in XSS vulnerability templates.