Invicti Standard 30 Sep 2020


  • Added a new signature limit for URL Rewrite matched links
  • Added a crawling limit for Not found (404) links
  • Added a WASC Classification Report template
  • Added an option to exclude authentication pages and removed authentication related regexes from the default settings


  • Added Out-of-date security checks for the Liferay portal
  • Added Version Disclosure and Out-of-date security checks for Jolokia
  • Added Nested XSS security checks
  • Added an ASP.NET Razor SSTI security check
  • Added a Java Pebble SSTI security check
  • Added a Theymeleaf SSTI security check
  • Added Version Disclosure and Out-of-date security checks for Grafana


  • Improved custom scripting to send raw requests
  • Improved the authenticator to hide passwords in request data in order to prevent exposing them in reports
  • Added an Auto Follow Redirect setting to the Advanced settings
  • Added request and response details to Out of Band vulnerabilities
  • Improved logging for timed out regexes in the Javascript Library Checker
  • Updated signature of Stack Trace/Custom Stack Trace (Python)
  • Improved the memory consumption on long running scans


  • Fixed an error that was caused when parsing duplicate response content-type headers
  • Updated Invicti logos, splash screen and icons
  • Fixed reporting of Crawl Performance for crawl-only scans
  • Fixed an issue where Form Value Errors were occurring after simulation was finished
  • Fixed the Maximum Body Length exceeded log message
  • Fixed the log level of the Dom Parser’s ignored link message
  • Fixed the Jira Send To application description
  • Fixed an issue that occured when the content-type and accept header was used in a parameter in the Open API (Swagger) file
  • Fixed an issue where the custom Comparison Report was not generated
  • Fixed an ArgumentNullException that was occuring in the TestSiteConfiguration dialog
  • Disabled the LFI button for possible xxe
  • Fixed a certificate error problem on the new ssl checker
  • Fixed the timezone problem on reports
  • Fixed the Executive Summary Report title
  • Fixed an ArgumentException that was thrown when the URI was empty
  • Fixed HIPAA classification links
  • Fixed the issue where the Invicti session importer did not import all links from the session
  • Fixed the bug where the URL was split incorrectly when a segment contained the file extension
  • Fixed the issue responses that were not being analyzed in the Signatures engine during the re-crawl phase
  • Fixed the HIPAA classification link when there are multiple classifications
  • Removed plugin functions that are used to detect bootstrap to prevent false positive versions from being reported
  • Fixed NRE in the static detection engine
  • Fixed the Swagger parser that caused an object to be imported with a parent node while the object was inside an array