Invicti Standard 16 Jun 2016

NEW FEATURES

• Scanning of RESTful web services.
• Report Policies to customize the scan results and reports
• “Heuristic Rule Detection” support while using custom URL rewrite rules.
• Added an option to disable logout detection for form authentication.
• Added ASP.NET Web Application project import support.

NEW SECURITY CHECKS

• Added Samesite cookie attribute check.
• Added Reverse Tabnabbing check.
• Added Subresource Integrity (SRI) Not Implemented check.
• Added Subresource Integrity (SRI) Hash Invalid check.

IMPROVEMENTS

• Various memory usage improvements to handle large web sites.
• Improved vulnerability templates by adding product information when a 3rd party web application (WordPress, Drupal, Joomla, etc.) is discovered.
• Improved DOM simulation by supporting HTTP responses that is translated to HTML web pages using XSLT.
• Improved coverage of LFI engine.
• Added name completion for profile save as dialog.
• Updated missing localized text for Korean translation.

FIXES

• Fixed the issue of form authentication remembers the cookies from the previous scan while using the same Invicti instance for a new scan.
• Fixed the incorrect progress bar while performing a controlled scan.
• Fixed the issue of DOM Based XSS security checks enabled status were not being logged.
• Fixed the “Cross-site Scripting via Remote File Inclusion” vulnerability was not being confirmed issue.
• Fixed JIRA Send To action issue where the port number of the JIRA service were being ignored.
• Fixed the synchronization issue on JavaScript Scan Policy section where UI elements are left enabled even though “Analyze JavaScript / AJAX” option is not checked.
• Fixed the NullReferenceException thrown when scan is paused and resumed during performing form authentication.
• Fixed the incorrect form value issue when the #DEFAULT# form value is removed.
• Fixed the broken layout of input controls on basic authentication dialog shown during form authentication.
• Fixed the error reporting issue occurs when log file collection and/or compression fails.
• Fixed the HTTP Archive Importer issue where POST method was parsed as GET when postData is empty.
• Fixed the ObjectDisposedException thrown on form authentication verification dialog.
• Fixed a bug where GWT parameter cannot be detected which contains a Base64 encoded value.
• Fixed a time span parsing bug in Knowledge base report templates.
• Fixed an issue where some vulnerabilities are treated as fixed while retesting.
• Fixed an issue where XSS proof URL was missing alert function call.
• Fixed a typo on “Base Tag Hijacking” vulnerability template.
• Fixed the broken “Generate Debug Info” function of JavaScript simulation feature.