Invicti Standard 16 Nov 2021 v6.2



  • Added signature matching to Web app fingerprint checker.
  • Added patterns for Base64 encoded DOM Cross-site Scripting.
  • Added phpMyAdmin Version Disclosure security check.
  • Added Atlassian Confluence Version disclosure and Out-of-date security checks.
  • Added exclusion feature to JavaScript Library detection.
  • Added PHP Version Detection via phpinfo() call.
  • Added the Shopify Identified security check.


  • Added the Bridge URL and Shark token support for Invicti Shark (IAST).
  • Added setting to configure Session Cookie Names.
  • Updated CWE classification category orders for Out-of-date templates.
  • Improved Cross-site Scripting attack pattern.
  • Added support for exploiting local storage and session storage in the DOM XSS security checks.
  • Added highlighting support for custom scripts.
  • Added Web Application Firewall to the site profile.
  • Changed the default ignored parameter comparison to case insensitive.
  • Added ‘Is Encoded’ option to OAuth2 parameters.
  • Added JWT Token pre-request script template.
  • Added the CSP Not Implemented that will be reported as confirmed.
  • Added the Subresource integrity not implemented that will be reported as confirmed.


  • Fixed the issue that Content-Type header missing was reported when there was no content in the response.
  • Fixed the issue FP JWT was reported in a not found response.
  • Fixed the issue possible and confirmed vulnerabilities reported in the same URL.
  • Marked weak TLS ciphers.
  • Fixed the issue proof that was generated even when the proof generation option was disabled in the scan policy.
  • Fixed FP WAF Identified.
  • Fixed the issue vulnerability count in root node is not updated when a vulnerability is removed and Blind XSS was prioritized over the Reflected Cross-site Scripting.
  • Fixed the issue source code disclosure is reported in binary responses.
  • Fixed the issue fingerprint checker crashes when an applications file could not be found.
  • Fixed the issue object-src missing was reported when default-src is provided in CSP security checks.
  • Fixed the issue that some cipher suites are not reported as weak.
  • Fixed the issue classification links were not rendered correctly when there are multiple values.
  • Fixed the issue proof prefix was added when there were no more characters to be found.