Invicti Standard 18 Mar 2015

Read the blog post for more details about this version


  • Ruby on Rails Remote Code Execution vulnerability

  • Off the shelf Web Application Fingerprinting and detection of known security issues (Such as WordPress, Joomla and Drupal)

  • Version disclosure checks for Apache module mod_ssl, Ruby and WEBrick HTTP web server

  • Identification of phpMyAdmin and Webalizer

  • Detection of SHTML error messages that could disclose sensitive information

  • New WebDAV engine that detects WebDAV implementation security issues and vulnerabilities

  • Server-Side Includes (SSI) Injection checks.


  • Scan Policy Editor that allows you to build own scan policies for more efficient web application security scans.

  • Oracle CHR encoding and decoding facility in the Encoder pane

  • Support for multiple exclude and include URL patterns which can also be specified in REGEX

  • Knowledge base node where additional information about the scanned website is reported to the user

  • New PCI Compliance Report template.


  • Default include and exclude URL pattern has been improved

  • DOM Parser now supports proxies and client certification support

  • The performance of the Controlled Scan user interface has been improved

  • HTTP Response text editor automatically scrolls to the first highlighted text when viewed

  • Improved vulnerability classifications

  • Vulnerability templates text has been improved

  • Updated the look and feel of the vulnerability templates

  • Version vulnerability database updated with new web applications version for better finger printing

  • Cross-site scripting exploit generation improved

  • Improved confirmed vulnerability representation on Detailed Scan Report

  • Internal Path Disclosure for Windows and Unix security tests have been improved

  • Improved version disclosure security tests for Perl and ASP.NET MVC

  • Start a Scan user interface by moving rarely used settings to Invicti general settings

  • Improved the performance of security scans which are started using the same Invicti process

  • Scope documentation text has been updated

  • Updated WASC links to point to the exact threat classification page

  • Improved custom 404 detection on sites where the start URL is redirected.


  • Fixed a bug in XSS report templates where plus char encoding was wrong

  • Fixed a bug which causes multibyte unicode characters to be corrupted upon retrieval

  • Fixed a bug where “Auto Complete Enabled” isn’t reported

  • Fixed a bug where Community Edition was asking for exporting sessions

  • Fixed a bug causes redundant responses to be stored on redirects

  • Fixed a bug causing a NullReferenceException during reporting

  • Fixed a bug where custom cookies are not preserved when an exported session is imported

  • Fixed a bug on report templates where extra fields were missing when there are multiple fields

  • Fixed the radio button overlap issue on Encoder panel for high DPIs

  • Fixed an issue where CSRF tokens weren’t applied for time based (blind) engines in late confirmation

  • Fixed an issue where data grids on Settings dialog were preventing to cancel the dialog when an invalid row is present

  • Fixed an issue where some logouts occurred on attack phase couldn’t be detected

  • Fixed a bug which causes requests to URLs containing text HTMLElementInputClass

  • Fixed a bug where the injection request/response could be clipped wrong in the middle of HTML tags

  • Fixed the size of the Configure Authentication wizard for higher DPIs

  • Fixed an issue with CLI interpretation where built-in profiles couldn’t be specified

  • Fixed the COMException thrown on Configure Authentication wizard on pages that contain JavaScript calls to window.close()

  • Fixed clipped text issue on scan summary dashboard severity bar chart

  • Fixed the anchors to vulnerability details in OWASP Top Ten 2010 report template

  • Fixed incorrect buttons sizes on message dialogs on high DPI settings

  • Fixed a startup crash which occurs on systems where “Use FIPS compliant algorithms for encryption, hashing, and signing” group policy setting is enabled

  • Fixed click sounds on vulnerability view tab

  • Fixed an issue where find next button was not working on HTTP Request / Response tab

  • Fixed a bug on Configure Authentication wizard occurs when the response contains multiple headers with same names.

Note: Due to major updates to the scan files, Invicti version 3 cannot open scans exported with previous versions of Invicti (.nss files).