Changelogs

Invicti Standard

12 Mar 2020

NEW FEATURES

  • Added a new Form Validation Errors node to the Knowledge Base panel, and to scan reports, to show Form Validation errors
  • Added the capability to abort requests from the Pre-Request Scripts tab of the Start a New Website or Web Service URL dialog
  • Added CVSS 3.1 support, to help with vulnerability scores
  • Added a new Query Parameters checkbox to the Parameter-Based Navigation section of the Crawling tab in the Scan Policy Editor

NEW SECURITY CHECKS

  • Added a Login Page Identified security check
  • Added a Content Delivery Networks (CDN) security check
  • Added a Reverse Proxies security check

IMPROVEMENTS

  • Added two new settings to the list available in the Advanced tab of the Options dialog: DisableRequestParametersReordering (to disable the reordering of query parameters) and DisableIriParsing (to change the IRI parsing configuration of the .NET framework)
  • Improved the ability to crawl URLs with fragments
  • Added reflected parameter names and sensitive keywords to the BREACH Attack’s report template
  • Added a metadata section to the Custom Security Check scripting templates in the Custom Script Checks section of the Security Checks tab in the Scan Policy Editor
  • Added extra information to error reports
  • Added a check for the vulnerability GUIDs used to create vulnerabilities in Custom Security Check scripts

FIXES

  • Fixed the tab order in the Scan Profile settings in the Start a New Website or Web Service Scan dialog
  • Resized the Type column in the Logs panel
  • Added a scrollbar to the Get Shell panel
  • Fixed an issue that prevented a backspace key from working in Save Profile As dialog’s name editor
  • Fixed the issue where vulnerabilities’ Fixed states were not updated following a Controlled scan
  • Fixed an issue that prevented custom fields from being rendered for the YouTrack Send To Action
  • Added missing tooltips to the Enabled check box of the Script Settings and Manual Authentication settings panels
  • Added a Frame Injection XSS pattern
  • Fixed a typo in the Copy to Clipboard tooltip
  • Fixed the issue where POST parameters were not parsed correctly in the HAR importer
  • Fixed the location of the Override Version vulnerability severities ch
  • Fixed the typo in the description of the NotifiedExpiringLicenses setting
  • Fixed an issue in the JSON Response panel that caused the Address textbox to be editable instead of read-only
  • Fixed a localization issue that occurred while displaying severities in the Vulnerability Editor dialog in the Report Policy Editor
  • Fixed escaping Form Authentication’s Custom Script username and password.
  • Fixed the problem where day-long scan durations were not displaying correctly in the Knowledge Base reports and screens
  • Fixed a couple of design problems in reports
  • Fixed the usage of the ‘/v’ command line parameter
  • Updated the default User-Agent
  • Fixed the scheduling of Incremental Scans to be consistent with the regular Incremental Scan, so that the system checks for the current session and offers the option to use it as the base scan before trying to open a scan file
  • Fixed typos in the tooltips in URL Rewrite tab of the Start a New Website or Web Service Scan dialog
  • Fixed a problem caused by a missing obfuscation exclusion in the License validation process
  • Fixed the issue where the wrong engine was selected in Controlled Scans when a vulnerability was detected by a Custom Script
  • Fixed the issue where localized values were not displayed for some custom fields
  • Fixed the issue where duplicate notifications were displayed following the import and export of scans
  • Fixed a Null Reference Exception that was caused when Basic, NTLM/Kerberos Authentication settings were null in old profile files 
  • Fixed an issue where the default values were not set for the Scan Policy Optimizer options’ properties while deserializing a Scan Policy
  • Fixed an issue that caused the same Authentication method to be added twice in the Basic, NTLM/Kerberos Authentication settings
  • Updated OpenAPI.NET to 1.1.4 version to support the latest Swagger files
  • Fixed the issue where single engines were not working in the Import Only scan mode
  • Fixed an issue where the Request body was encoded improperly, which caused an error after requests were sent
  • Fixed some typos in the WAF Identified dialog, along with some refactorings
  • Fixed the issue where Incremental Scan caused unnecessary DOM simulations

20 Feb 2020

IMPROVEMENT

  • Null values have been changed to an empty string on text-based reports to avoid integration problems

FIXES

  • Updated the Singular Scripting Check’s script template
  • Fixed an issue where migrating old Scan Profiles files failed to produce authentication information
  • Fixed an issue where cookie domains were not set for cookies that were set in a JavaScript context and captured during DOM simulation
  • Fixed an Out of Memory exception that was caused when the target web application had HTML attributes with long string values
  • Fixed the issue where the text was trimmed when it contained null bytes when copied from the Raw Request/Response panels to the clipboard 
  • Fixed an issue where the value of the cookie source custom field was incorrect
  • Cookies are no longer analyzed if the Cookie checks are disabled in the Scan Policy
  • Fixed an issue where an error message was not shown for empty fields while using the Create Samples Issue feature in the TFS Send To Actions panel
  • Fixed a NullReferenceException that was thrown during Manual Proxy scans when the ‘Do not expect challenge’ option was enabled in the Basic, NTLM/Kerberos Authentication tab
  • Fixed an incorrect ‘Login confirmation has failed’ log
  • Fixed a NullReferenceException that was thrown in the Keyword Based logout detection

06 Feb 2020

IMPROVEMENTS

  • Added a new field to the Out-of-date Vulnerabilities that specifies end of life date for abandoned branches
  • Added missing tooltips to the Enabled check box of Script Settings and Manual Authentication Settings panels
  • Added missing XML documentations to the Custom Scripting templates

FIXES

  • Updated Youtrack Send To action to render custom fields
  • Fixed an issue where dock panels were not properly initialized when a command line argument was provided and autopilot mode was off
  • Fixed an issue that caused a rendering problem in the login/logout detection and the custom script panels
  • Fixed the duplicate listing of authentication types in the OAuth2 settings panel
  • Fixed an issue where the Sitemap sorting method was not being applied when None method was selected

23 Jan 2020

IMPROVEMENTS

  • Added Reflected Parameter and matched sensitive keyword names to the Breach Attack vulnerability report
  • Additional websites information will now display ‘None’ in reports when there are no additional websites set for a scan

FIXES

  • Fixed the JSON Metadata Regex check to match the whole JSON object instead of each part separately
  • Fixed responses with a ‘201’ status code so that they are ignored by the OAuth2 authentication flow
  • Fixed an issue where ignored parameters were displayed as attack parameters in reports
  • Fixed an issue where reporting options were not being applied in scheduled scans
  • Fixed a memory and GDI object leak in the Imported Links dialog
  • Fixed an OutOfMemoryException that was thrown while generating reports
  • Fixed an ArgumentOutOfRangeException in CsrfEngine that was thrown when a form instance contained a negative start index
  • Fixed an issue where incorrect links were being captured from JavaScript contexts

16 Jan 2020

NEW FEATURES

  • Added Invicti Enterprise Integration to the license activation dialog which enables the activation of a license using the Invicti Enterprise Information
  • Added a WAF Identification feature that detects whether the target website is using a Web Application Firewall that blocks Invicti attacks, and warns the user about it
  • Added a SANS Top 25 Scan Policy and report
  • Added login confirmation to ensure that Invicti was able to acquire an authentication session after conducting the login sequence, in order to notify users in case of any failure due to changed credentials
  • Added an Auto Export feature which enables the automatic export of all old session files not previously uploaded to Invicti Enterprise when connected to its servers
  • Added FortiWeb WAF integration
  • Added YouTrack Send To integration
  • Added Freshservice Send To integration

NEW SECURITY CHECKS

  • Added version disclosure and out-of-date checks for Telerik Web UI
  • Added detection and out-of-date checks for Java and GlassFish

IMPROVEMENTS

  • Improved the Postman importer to generate URL Rewrite rules automatically from the postman file
  • Added a new logout confirmation request to the Logout Detection process
  • Updated the AttackUsage properties of mXSS patterns to increase scan performance
  • Added a text field to the Report Policy Editor for displaying GUID values of custom vulnerabilities
  • Added a Copy Rules button to the URL Rewrite tab in the Start a New Website or Web Service Scan dialog
  • Added Region information to the new Invicti Enterprise Information section in the Invicti Enterprise tab
  • Added search tags and a shortcut key to the Search tab on the ribbon
  • Added the ability to sort the Name and Value grid view in the OAuth2 tab
  • Added a warning about unsupported settings in the OTP column in the Form authentication tab
  • Added a transparency feature to the Scan Search, accessed by pressing CTRL
  • Added a URL to provide extra information to help distinguish similar results in the Raw Requests and Responses tabs
  • Improved vulnerability summary suggestions to recommend that only confirmed vulnerabilities should be fixed immediately in the Executive Summary Report
  • Improved the Report Policy using the CWE and SANS top 25 standards
  • Added a new Max Response Headers Length option to the Advanced tab

FIXES

  • Fixed an issue where the RedirectBodyTooLarge vulnerability was being falsely reported when the redirect location was triple encoded
  • Fixed a NullReferenceException that was thrown in the ReflectedParameterAnalyzer component
  • Fixed an issue where Invicti Assistant retains generated optimized Scan Policies even if it has been disabled
  • Fixed the Pre-Request Script tab’s Presets button’s enabled state
  • Fixed a visual text wrapping issue that occurred when all Resource Finder options were selected in the Scan Policy Optimizer dialog
  • Fixed an issue where the Proxy Authentication fields in the Proxy tab of the Scan Policy Editor were not being disabled when the Use Current User’s Windows Credentials checkbox was selected
  • Fixed an issue that caused Invicti to freeze when the Scan Finished dialog was displayed while another dialog was open
  • Fixed the signature of the nginx.conf pattern
  • Fixed an issue that caused the Total Vulnerability Count not to be updated when a vulnerability was removed from the Issues panel
  • Fixed an issue that caused the wrong information to be copied about the node when Ctrl+C was used in the Issue and Sitemap panels
  • Fixed an issue that caused the Context button to overlay the Vulnerability Counts icons in the Local Scans files tab
  • Fixed an issue where the Import From File dropdown in the Imported Links tab was not displaying the last opened folder
  • Fixed an issue that showed the wrong exception message in the Test Credentials dialog for the authentication tabs, when the website was unreachable
  • Fixed WAF button display names in the Vulnerability tab on the ribbon
  • Fixed a validation problem that occurred in mandatory fields in the WAF settings tab
  • Fixed an issue that caused the scrollbar color not to be applied in the request/response panel
  • Fixed an issue that showed the wrong tooltip in the Form Authentication tab’s verified settings
  • Fixed an issue that caused vulnerability counts to be calculated incorrectly when grouping the Issue panel by URL
  • Fixed an issue that caused some 404 nodes to not be visible when a filter was applied using search text
  • Fixed a problem that caused the generation of empty Comparison Reports 
  • Fixed an issue where version vulnerabilities could not be fetched from the database when application names contained space characters
  • Fixed an issue that caused inconsistent sorting results for the Sitemap nodes.
  • Fixed an issue that caused an ArgumentException in the CORS Checker
  • Fixed an issue that caused the Exploit LFI panel to not display its content when the height was set too small
  • Fixed the Extracted Version of Java Servlet Version Disclosure vulnerability so that it no longer includes a slash
  • Fixed an issue where the WebLogic Server was occasionally being incorrectly reported as the Application server of the target website
  • Fixed an issue where the XSS attack file had been overwritten, which caused the wrong injection request to be displayed when reporting Stored XSS vulnerabilities
  • Changed the notifications icons, and removed unnecessary extra space from the unread Notifications button
  • Fixed a NullReferenceException in the XSS Analyzer
  • Fixed a scope issue in the Resource Finders and in the Drupal RCE Engine
  • Fixed a subdomain problem in the Phishing by Navigating Tabs vulnerability
  • Removed a context menu from the Send To Actions tab
  • Fixed an issue that caused the template not to be applied in the Subscriptions context menu
  • Fixed a grammatical error in an Invicti Assistant notification
  • Fixed issues in the Blind SQL injection confirmation for redirects and timeouts
  • Fixed an issue that caused OTP settings to be applied when Persona information was missing in the Form Authentication tab
  • Fixed an issue that prevented the Local Scans’ file’s context buttons from being clicked when the scroll bar was displayed.
  • Fixed the issue where Custom Field values were incorrectly displayed in older scans
  • Fixed the signature patterns of the ASP.NET and Apache Module version disclosures so that they capture the version correctly
  • Fixed the handling of null Responses in Requests made using the Pre-Request Script feature.
  • Fixed a problem where a horizontal scrollbar was displayed in the search dialog
  • Refactored the JSON Regex to eliminate excessive backtracking
  • Fixed an issue where the Internal Proxy was updating headers that already had default values
  • Fixed a problem in Report Templates where custom logos were incorrectly aligned 
  • Fixed a NullReferenceException error that was thrown when a Theme was not selected in the General tab of the Options dialog
  • Fixed the Send To Action panel to display default names with normal font instead of bold
  • Fixed an issue that caused a crash when an internal server error occurred during the export of a scan to Invicti Enterprise.
  • Fixed the width of the grid view in the Report Policy Editor 
  • Fixed the focus back on the Sitemap and Issues panels after their search boxes are cleared
  • Fixed a race condition in the parsing of the Finish Time calculation which caused an exception to be thrown
  • Fixed a couple of localization problems in the Knowledge Base Report.
  • Fixed URL alignment in reports

02 Jan 2020

IMPROVEMENTS

  • Added sort functionality to the grid view of the OAuth2 settings tab in the Start a New Website or Website Service New Scan dialog
  • The default selected tab is now the first one in the Manual Authentication settings tab in the Start a New Website or Website Service New Scan dialog

FIXES

  • Fixed an issue where empty Comparison Reports were still created even when report generation was canceled
  • Fixed several visual defects in generated reports
  • Fixed a race condition issue with DOM Simulation
  • Fixed an issue where expired cookies were not being removed properly when they were set in a JavaScript context
  • Fixed some Azure DevOps error messages
  • Fixed an issue with GWT parsing where a request without a body was causing an exception
  • Fixed a concurrency issue that was causing several exceptions that slowed down the overall scan performance
  • Fixed an issue where the incorrect estimated finish time was shown in the progress panel
  • Fixed an issue where DOM XSS attacks were failing on pages that had a POST request on the same page
  • Fixed a NullReferenceException error that was thrown in the XSS analyzer
  • Fixed an issue with SSL checks by improving the ClientHello structure with additional extensions

19 Dec 2019

IMPROVEMENTS

  • Added a QR Code feature to OTP settings that captures the settings from the QR code on the web page
  • The Known Vulnerabilities list for Out-of-date Version vulnerability reports can now be expanded
  • The Enabled Engines list on scan reports is now sorted alphabetically

FIXES

  • Fixed an issue where importing the I/O Docs specifications from a zip file was not working properly
  • Fixed a memory leak that was causing several issues with scans
  • Fixed an issue where Referer headers were not being sent to DOM simulations

13 Dec 2019

IMPROVEMENTS

  • Improved GitHub Send To Action for GitHub Enterprise

FIXES

  • Fixed several issues with scan reports
  • Fixed an ArgumentException that was thrown when invalid characters were entered in the URL Rewrite tab in the Start a New Website or Web Service Scan dialog
  • Fixed an issue in the Database Connection String Detected vulnerability report
  • Fixed a NullReferenceException that was thrown during Progress bar updates
  • Fixed an issue where the Logout Detection mechanism was occasionally triggered unnecessarily
  • Fixed an issue where DOM XSS window.name attacks were not being detected properly
  • Fixed the order of URLs in MIME Type node in the Knowledge Base
  • Fixed an issue where ignored vulnerabilities were causing the vulnerability counter to increase
  • Fixed an issue where the Content Type header was occasionally not sent
  • Fixed an ArgumentNullException that was thrown while deserializing issues in Jira

29 Nov 2019

IMPROVEMENTS

  • Added Kenna Send To Action integration
  • Added a database error signature pattern for Apache Derby databases
  • Updated missing WASC and CWE values for vulnerabilities in the Default Report Policy
  • Improved XXE vulnerability templates to provide more detailed information

FIXES

  • Fixed an issue with the HTTP Request Builder where attack headers were being duplicated
  • Fixed an issue where invalid version numbers were being added to the Site Profile node in the Knowledge Base
  • Removed unnecessary customization and picture edit context menus from the What’s New panel
  • Fixed an issue where JavaScript cookies set in the context of popup windows that open during the login sequences of some websites were not being captured during Form Authentication
  • Fixed an issue where recurring parameter optimization was causing non-recurring parameters to be marked as recurring

22 Nov 2019

NEW FEATURES

  • Added a scan search feature which is accessible from the CTRL+K shortcut that allows searching for anything in the scan
  • Added a configuration wizard for GitLab Send To Action
  • Added a Web Application Firewall tab to the Options dialog
  • Added AWS WAF integration
  • Added Cloudflare WAF integration
  • Added SecureSphere WAF integration
  • Added an Auto WAF Rule tab to the Scan Policy Editor dialog
  • Added a Send To Tasks dialog to display the Send To Action and WAF Rule task’s status
  • Added a configuration wizard for “rest.testsparker.com” into the Start a New Website or Web Service Scan dialog
  • Added a What’s New panel to the right hand side of the Welcome Dashboard, which shows the latest blog posts
  • Added OTP support to the Form Authentication tab in the Start a New Website or Web Services Scan dialog
  • Added “localhost.invicti” host resolution support to allow remote connections to localhost

NEW SECURITY CHECKS

  • Added a new Security Check – HTTP Parameter Pollution (HPP)
  • Added a new Security Check – BREACH Attack Detection
  • Added Out-of-Date checks for Ext JS
  • Added Oracle Cloud and Packet Cloud SSRF attack patterns

IMPROVEMENTS

  • Improved progress bar estimation by populating engine runtimes instead of request count
  • Improved the Scan Performance node by including engine runtimes in the Knowledge Base
  • The Download buttons in the Local File Inclusion Exploitation panel have been renamed to Get
  • Improved statistical information in the scan reports
  • Improved the Custom 404 settings in the Knowledge Base report
  • Improved the Knowledge Base check icon
  • Improved the display of OAuth2 Authentication information on reports
  • Added Culture Info to error reporting information
  • Renamed the F5 Big-IP ASM WAF Rules button in the Reporting tab
  • Added an Apply button to the Options window, so the dialog stays open until the Save button is clicked
  • Improved the Custom Field Editor dialog to validate custom field values before saving them
  • Improved the I/O Docs Importer to support the latest version
  • Improved the Jira Send To Action to support a new Security Level field 
  • Updated Trello Send To Action wizard to hide inactive boards
  • Improved the Crawler and Attacker to identify links separately according to their Accept header (application/json and application/xml are commonly used in REST APIs; Invicti can identify and attack both MIME types)
  • Improved the OpenAPI (Swagger) parser to import links more than once according to their Accept header
  • Updated the AdNetworks file which is used by Invicti to block ad networks
  • Improved the Update Available dialog UI
  • Improved the Report Policy Editor UI.
  • Improved Apache Struts attack patterns by randomizing the attack payloads
  • Improved the Custom Scripting API docs
  • Improved parsing the JavaScript code written inside HTML element attributes
  • Improved the Crawler to detect links with application/xml and application/json headers commonly used in REST APIs, so Invicti can attack each link separately
  • Improved the Progress panel’s Requests per Second setting, so that its value can be viewed by clicking its label
  • Added the ability to parse OAuth2 access token response headers to get the access token value

FIXES

  • Fixed an issue that caused very long URLs to become invisible in the vulnerability report
  • Fixed an issue that caused the Target Website or Web Service URL dropdown list’s delete button to become invisible in the Start a New Website or Web Service Scan dialog
  • Fixed a false-positive report of a Windows Username Disclosure in the vulnerability report issue
  • Fixed the problem where the Windows Username Disclosure attack pattern did not match invalid file characters
  • Fixed the problem where a null Scan Profile name was displaying when opening a scan file
  • Fixed an issue where headers were duplicating when imported from a Swagger file.
  • Fixed the license expiration to occur a day after the license Expiration date
  • Fixed an issue that caused a Collection Modified exception when restarting Invicti after changing the storage directory
  • Fixed an issue where the HTTP Request / Response panel did not open when the Sitemap root node was selected
  • Fixed an issue in the Request Builder where the changes in the Raw request tab were not being saved
  • Fixed an issue that caused the name of the vulnerability to be blank in the Report Policy Editor dialog
  • Fixed a High dpi issue in the Update Available dialog
  • Fixed an issue that caused the Context button to overlay information counts in the File menu
  • Fixed the URI format exception that occurred on the SSRF configuration screen
  • Fixed an issue that caused the tab key not to work in the Request Builder
  • Fixed an issue where encoded characters and new line characters appeared in the exploit responses in JSON format
  • Fixed an issue where the application name was captured as the version in the Java Servlet Version Disclosure pattern
  • Fixed an issue where some console commands were reported as proofs of exploit even though they had not been executed in the code evaluation
  • Fixed an issue where the Report Policy Editor dialog was showing html encoded values in the grid view and in the Edit dialog
  • Fixed an issue where report template changes were lost when the Cancel button was clicked while searching in the Report Policy Editor dialog
  • Fixed an issue where the Dom Parser occasionally made requests to excluded or out of scope URLs
  • Fixed an issue where relative links found during a DOM simulation were sometimes not added to the link pool
  • Fixed a request timeout default value tooltip that was displayed in the HTTP Request settings
  • Fixed property names in the Redmine Send To Actions fields
  • Fixed an issue that caused the vulnerability URL to change when running a custom script on a vulnerability originally detected also by using a custom script
  • Fixed an issue that caused the UI to freeze when activating or deactivating licenses
  • Fixed an issue that caused the UI to freeze when verifying OAUTH settings
  • Disabled layout customization in the Manual Authentication and Test Credential screens
  • Fixed an issue that caused the scan manager to request a login URL in the OAuth2 Authentication settings when the Web Cache Deception security check group was disabled
  • Fixed an issue that caused late UI loading when the Scan Profile contained too many Imported Links
  • Fixed JSON and XML request identifiers to detect the type properly when content contains whitespace characters
  • Handled communication errors that occurred while testing credentials
  • Fixed the log for corrupted variation information
  • Fixed a NullReferenceException that was occasionally thrown in the Additional Websites tab in the Start a New Website or Web Service Scan dialog
  • Fixed a performance issue caused when the number of the Sitemap nodes increases
  • Fixed the Regex Pattern of SQLite error message patterns
  • Updated the Remedy sections of some vulnerability report templates.
  • Fixed the internal proxy’s localhost handling when adding the loopback override to the system’s proxy settings
  • Fixed misleading logout detection warnings shown during the retest of cookie vulnerabilities
  • Fixed an issue that caused the system to crash when sorting the Sitemap
  • Improved the Apache Struts checks to report a vulnerability where the attack could succeed at least once
  • Fixed a NullReferenceException in the Signature Detection
  • Fixed the issue where some proofs were duplicated in the Knowledge Base
  • Fixed extensive CPU usage on cloud instances and virtual machines
  • Fixed a Set-Cookie response header parsing issue that occurred where empty name/value pairs were skipped and cookie attributes were incorrectly parsed as name/value pairs
  • Fixed the ArgumentNullException error that occurred when a null parameter value was sent to the Request Builder
  • Fixed the Knowledge Base’s Out of Scope Links resource problem
  • Fixed the I1 item’s title in the Vulnerability Editor dialog (available from the Report Policy dialog) so that it displays as ‘No Message’
  • Fixed the Asana Send To Action field, as an identifier field has changed in the Asana API
  • Fixed the issue where Raw and Builder tabs were not synchronized in the HTTP Request Builder
  • Fixed an incorrect localization issue that occurred while displaying custom field values of vulnerabilities
  • Fixed an issue that caused the Issues and Sitemap panels to open before opening a scan session
  • Fixed a problem where the Search box background color changed when there were no results
  • Users are now allowed to enter custom HTTP methods in the Request Builder panel when the Raw request body is enabled
  • Fixed an ArgumentNullException that was thrown when trying to refresh the OAuth2 access token after resuming an imported scan
  • Fixed a couple of alignment problems in reports
  • Fixed the last file name cache problem
  • Fixed the word wrap and border problem in the Request/Response panel
  • Removed capitalization from titles in reports
  • Fixed an issue where the AutoComplete Enabled Vulnerability was being falsely reported if input fields included a new password option
  • Fixed a NullReferenceException that was thrown when the headers were null in the Webhook Send To Action

01 Nov 2019

FIXES

  • Fixed a NullReferenceException that was occasionally thrown during authentication verification
  • Fixed a NullReferenceException that was occasionally thrown when a sitemap link was selected
  • Fixed wrong tooltips that were shown on footer severity icons
  • Fixed an application lock when the UI language was changed during a scan
  • Fixed chunked encoding handling in the internal proxy
  • Fixed a deadlock that was occasionally happening during policy optimization

25 Oct 2019

FIXES

  • Fixed an issue where the number of authentications was miscalculated in the Performance Report
  • Fixed an ObjectDisposedException that was occasionally thrown during passive analysis
  • Fixed an issue where passive analysis of XHR requests was causing a negative effect on scan times
  • Fixed an issue where the Dom Parser was occasionally making requests to excluded or out of scope URLs.
  • Fixed an issue where relative links found during DOM simulation were sometimes not added to the link pool
  • Fixed a NullReferenceException that was occasionally thrown by the Request Builder
  • Fixed a design problem that was causing empty areas in PDF reports
  • Fixed an issue where a wrong update button image was shown when Invicti was run for the first time after an update
  • Fixed a NullReferenceException that was thrown during Bulk Export operations
  • Fixed an issue where the tooltips of Advanced Settings were not properly displayed
  • Fixed the date controls in the Schedule Scan Dialog for high DPI screens
  • Fixed an issue where the Known Vulnerabilities section in the Out-of-Date Version vulnerabilities was being duplicated
  • Fixed a NullReferenceException that was thrown when the Target Url and the Basic Authentication Authority were different