Invicti Standard 18 May 2015

NEW SECURITY TESTS

  • Form Hijacking Security Checks added
  • Base Tag Hijacking Security Checks added

IMPROVEMENTS

  • Added several new backup file checks to improve the coverage
  • Increased the number of path combinations that the Common Directory checks find
  • Added support for using digits in custom URL rewrite parameter names
  • Added new XSS attack patterns to detect full URL vulnerabilities and remote XSS attacks
  • Added HTTP POST method support for Open Redirection security tests
  • Improved resource finder behavior by falling back to GET requests when HEAD requests fail
  • Improved detection of XSS vulnerabilities in CSS blocks
  • Improved vulnerability template for Open Redirection vulnerabilities
  • Increased coverage by finding LFI vulnerabilities exposed via the file:// protocol
  • Set default maximum vulnerability report limit to 1000 for active engines
  • Improved detection of the HTTP.sys vulnerability (Remote Code Execution and DoS)

FIXES

  • Fixed a race condition that occurred while adding new links during DOM simulation
  • Fixed an InvalidOperationException that occurred while applying token parameter values
  • Fixed incorrect parsing of multiple response headers with the same name during DOM simulation and DOM XSS attacks
  • Fixed a vulnerability template generation issue where temporary files were being kept on disk
  • Fixed the installer to handle .NET Framework versions released after 4.5.2
  • Fixed the incorrect description text for the SQL Injection security test in the scan policy editor dialog
  • Fixed the “Maximum 404 Pages to Attack” scan policy option, which previously limited the maximum number of pages to 10 regardless of the value set in this option