18 Mar 2015
Read the blog post for more details about this version
NEW FEATURE
- New option available to specify the type of parameter when configuring URL rewrite rules, e.g. numeric, date, alphanumeric
IMPROVEMENTS
- Improved the performance of the DOM Parser
- Improved the performance of the DOM cross-site scripting scanner
- Optimized the DOM XSS Scanner to avoid scanning pages with the same source code
- Changed the default HTTP User agent string of built-in policies to the Chrome web browser User agent string
- Improved selected element simulation for select HTML elements
- Added new patterns for the Open Redirect engine
BUG FIXES
- Fixed a bug in the WSDL parser which prevents web service detection if XML comments are present before the definitions tag
- Fixed a bug in the WSDL parser which prevents web service detection if an external schema request gets a 404 not found response
- Fixed a bug that occurs when custom URL rewrite rules do not match the URL with the injected attack pattern and the request is not performed
- Fixed a configure form authentication wizard problem where the web browser does not load the page if the target site uses client certificates
- Fixed a crash in the configure form authentication wizard that occurs when an object element with a data: URL scheme in the HTML source code is requested
- Fixed a bug in the DOM Parser where events are not simulated for elements inside frames
- Fixed a cookie parsing bug where a malformed cookie was causing an empty HTTP response
18 Mar 2015
NEW WEB SECURITY TEST
- Added Bash Command Injection Vulnerability (Shellshock Bug) check.
NEW FEATURE
- Added exploitation support for Remote Code Evaluation and Command Injection engines.
FIX
- Fixed a bug in the WSDL parser that crashes the application when a type is recursively referenced.
18 Mar 2015
NEW WEB SECURITY TEST
BUG FIXES
- Fixed a specific issue where generic email addresses were not being reported.
- Fixed a form authentication configuration wizard problem where it couldn’t handle pages with popups.
- Fixed an issue where Invicti was crashing when the application is closed during report generation.
- Fixed a crash which occurs on systems where the Trebuchet MS font is missing
- Fixed 2 Heartbleed engine bugs.
09 Mar 2015
BUG FIXES
- Fixed a bug in custom URL rewrite detection where encoded URL paths are not matched with the provided patterns.
- Fixed a bug that occurs while displaying details of an XSS vulnerability discovered on a redirected page.
09 Mar 2015
BUG FIXES
- Fixed a critical bug which crashes DOM Parser and DOM XSS processes on Windows 8.1 systems with the KB3000850 update installed
- Fixed a bug in the recrawler where the current concurrent connection count isn’t honored
- Fixed a bug in the multipart/form-data parser to read parameter names with semicolons correctly
- Fixed a bug in the multipart/form-data parser to recognize the request body even if there are no parameters present
- Fixed a bug where a form with multipart/form-data encoding type is incorrectly parsed with a POST method rather than a GET
- Fixed an issue with the DOM Parser to better simulate radio/check boxes with click event handlers attached
- Fixed an issue with the HTTP request parser to recognize the correct HTTP method with POST requests containing an empty request body
- Fixed an issue where the Content-Length header is not set to 0 with empty request bodies
- Fixed an issue where some requests discovered using the DOM Parser with POST HTTP method are recognized as GET requests
- Fixed an issue with the ASP.NET View State response viewer to show the View State data in cases where the id attribute of the input tag is missing
- Fixed an ASP.NET View State parser issue that occurs while reading .NET 1.x View States