Changelogs

Invicti Standard


18 Mar 2015


Read the blog post for more details about this version

NEW FEATURE

  • New option available to specify the type of parameter when configuring URL rewrite rules, e.g. numeric, date, alphanumeric

IMPROVEMENTS

  • Improved the performance of the DOM Parser

  • Improved the performance of the DOM cross-site scripting scanner

  • Optimized DOM XSS Scanner to avoid scanning pages with same source code

  • Changed the default HTTP User agent string of built-in policies to Chrome web browser User agent string

  • Improved selected element simulation for select HTML elements

  • Added new patterns for Open Redirect engine

BUG FIXES

  • Fixed a bug in WSDL parser which prevents web service detection if XML comments are present before the definitions tag

  • Fixed a bug in WSDL parser which prevents web service detection if an external schema request gets a 404 not found response

  • Fixed a bug that occurs when custom URL rewrite rules do not match the URL with injected attack pattern and request is not performed

  • Fixed a configure form authentication wizard problem where the web browser does not load the page if the target site uses client certificates

  • Fixed a crash in the configure form authentication wizard that occurs when an object element with a data: URL scheme in the HTML source code is requested

  • Fixed a bug in DOM Parser where events are not simulated for elements inside frames

  • Fixed a cookie parsing bug where a malformed cookie was causing an empty HTTP response

18 Mar 2015


NEW WEB SECURITY TEST

  • Added Bash Command Injection Vulnerability (Shellshock Bug) check.

NEW FEATURE

  • Added exploitation support for Remote Code Evaluation and Command Injection engines.

FIX

  • Fixed a bug in WSDL parser that crashes application when a type is recursively referenced.

18 Mar 2015

NEW WEB SECURITY TEST

  • Added Insecure Transportation Security Protocol Supported (SSLv3) vulnerability check (POODLE vulnerability)

BUG FIXES

  • Fixed a specific issue where generic email addresses were not being reported.

  • Fixed form authentication configuration wizard problem where it couldn’t handle pages with popups.

  • Fixed an issue where Invicti was crashing when the application is closed during report generation.

  • Fixed a crash which occurs on systems where Trebuchet MS font is missing

  • Fixed 2 Heartbleed engine bugs.

09 Mar 2015


BUG FIXES

  • Fixed a bug in custom URL rewrite detection where encoded URL paths are not matched with the provided patterns.

  • Fixed a bug that occurs while displaying details of an XSS vulnerability discovered on a redirected page.

09 Mar 2015


BUG FIXES

  • Fixed a critical bug which crashes DOM Parser and DOM XSS processes on Windows 8.1 systems with KB3000850 update installed

  • Fixed a bug in recrawler where the current concurrent connection count isn’t honored

  • Fixed a bug in multipart/form-data parser to read parameter names with semicolons correctly

  • Fixed a bug in multipart/form-data parser to recognize the request body even if there are no parameters present

  • Fixed a bug where a form with multipart/form-data encoding type is incorrectly parsed with a POST method rather than a GET

  • Fixed an issue with DOM Parser to better simulate radio/check boxes with click event handlers attached

  • Fixed an issue with HTTP request parser to recognize the correct HTTP method with POST requests containing an empty request body

  • Fixed an issue where Content-Length header is not set to 0 with empty request bodies

  • Fixed an issue where some requests discovered using DOM Parser with POST HTTP method are recognized as GET requests

  • Fixed an issue with ASP.NET View State response viewer to show the View State data on cases where id attribute of input tag is missing

  • Fixed an ASP.NET View State parser issue that occurs while reading .NET 1.x View States