Invicti Standard Release Notes

13-Jul-2016

FIXES

  • Fixed a NullReferenceException thrown during late confirmation.
  • Fixed an incorrect crawling activity reported on scan summary dashboard UI while performing a passive analysis of an attack response.
  • Fixed a Request Builder issue where response is incorrectly reported as binary.
  • Fixed a Request Builder issue where "Enable Raw Request Body" option is initially selected when a GET request is dropped on the builder.
13-Dec-2019

IMPROVEMENTS

  • Improved GitHub Send To Action for GitHub Enterprise

FIXES

  • Fixed several issues with scan reports
  • Fixed an ArgumentException that was thrown when invalid characters were entered in the URL Rewrite tab in the Start a New Website or Web Service Scan dialog
  • Fixed an issue in the Database Connection String Detected vulnerability report
  • Fixed a NullReferenceException that was thrown during Progress bar updates
  • Fixed an issue where the Logout Detection mechanism was occasionally triggered unnecessarily
  • Fixed an issue where DOM XSS window.name attacks were not being detected properly
  • Fixed the order of URLs in MIME Type node in the Knowledge Base
  • Fixed an issue where ignored vulnerabilities were causing the vulnerability counter to increase
  • Fixed an issue where the Content Type header was occasionally not sent
  • Fixed an ArgumentNullException that was thrown while deserializing issues in Jira
12-Sep-2018

NEW FEATURES

  • Added Bulk Export to Cloud feature
  • Added Scan Speed graph
  • Added Send To integration support for ServiceNow
  • Added custom field support for Send To fields
  • Added an encoder for JavaScript fromCharCode format
  • Added Go to Identification Page button to Go to Parent link of current selected link
  • Added Russian FSTEC BDU Vulnerability Database numbers to version vulnerabilities

NEW SECURITY CHECKS

  • Added Out of Band Server Side Template Injection security checks
  • Added signature detection check for Caddy web server
  • Added signature detection check for aah go server
  • Added signature detection check for JBoss application server
  • Added CakePHP framework detection
  • Added CakePHP version disclosure detection
  • Added CakePHP out-of-date version detection
  • Added CakePHP Stack Trace Disclosure
  • Added CakePHP default page detection
  • Added Out of Date checks for CKEditor 5

IMPROVEMENTS

  • Updated the licensing model
  • Updated .NET Framework version requirement to 4.7.2.
  • Improved the user interface by reducing the number of borders between panels
  • Added more information to the window where Cloud integration is conducted
  • Improved the design of vulnerability details
  • Added a link to Cloud scan URL when a scan is exported to the Cloud
  • Improved the list of resources found by the Resources Finder
  • Added a button to start an incremental scan for a scan listed on File>Import>Local Scans
  • Added Hawk configuration validation to the Scan Optimizer
  • The state of vulnerability nodes is updated across the Sitemap and Issues trees when ignored or included in scan
  • All authentication vulnerabilities (Basic, NTLM, Digest, etc. authorization required) are merged into single vulnerability
  • Dialog locations and sizes are remembered each time you reopen Invicti
  • Added Request Method column to the Vulnerabilities List CSV report
  • Added vulnerability severity to email Send To action template
  • Added URL validation to Target URL textbox in the Start a New Scan dialog
  • Updated Vulnerabilities List CSV report template to display attack parameter only
  • Added fine grained options to Resource Finder step of Scan Policy Optimization wizard
  • A Summary dialog is displayed after the Controlled Scan informing users about whether new vulnerabilities have been found
  • Added cookie analyzer checks for cookies added using JavaScript
  • Added keyboard navigation support to navigation bar control in the Start a New Scan dialog
  • Variation count is included in the total vulnerability count in Detailed Scan Report
  • Improved LFI Exploitation panel usability
  • Added tokenized deletion using Ctrl + Backspace to Target URL text box
  • Variation count included in the total count in report templates
  • Improved the error message displayed when the retest fails if Form Authentication fails
  • Added Link Count to the Scan Summary dashboard
  • Added not found Link Count to the Scan Summary dashboard
  • Controlled scan shows the detected vulnerability count on parameters after it's finished
  • Improved the error message displayed when an incorrect command line argument is supplied
  • Added Label field for JIRA Send To actions
  • Added Tags field for Manuscript (FogBugz) Send To actions
  • Added WorkItem Tags field for TFS Send To actions
  • Added Disable Resource Finder button to the Scan Policy Editor
  • Added a Max Fail limit to Retest All so it does not abort after one retest has failed
  • Ignored vulnerabilities are excluded from Retest All
  • Improved SQL Injection proof data by stripping HTML tags
  • Controlled scan can be started for vulnerabilities that have no parameters
  • Vulnerabilities confirmed at the end of the Scan are retested separately in Retest All
  • Added Late Confirmation activity into Controlled Scans so the Scan progress can be observed
  • Added Copy and Copy Value context menu items to Headers' request and response viewers
  • Improved automatic Form Authentication by performing several additional attempts when the Submit button is disabled
  • Improved CSRF token detection in cookie values
  • Improved the error details displayed when link import fails

FIXES

  • Fixed the incorrect Content-Type header sent during Form Authentication requests
  • Fixed the vulnerability viewer display issue when a vulnerability node on Sitemap is reselected.
  • Fixed the incorrect badge drawn on the ribbon's Quick Access Toolbar buttons
  • Fixed the WAF rule generated for TRACE/TRACK HTTP methods which were also blocking the other HTTP methods
  • Fixed the URL encoding issue for vulnerabilities which are sent to Manuscript (FogBugz)
  • Fixed several usability issues on the Short File Names exploitation panel
  • Fixed the error where the ExpectCT header was reported as an interesting header
  • Fixed the Multiple File Open Dialog high DPI issues
  • Fixed the Content-Type header parsing when there was an extra semicolon character at the end of the value
  • Fixed the incorrect number on the Detailed Scan report template's instance column
  • Fixed patterns that weren't enabled when Security Checks were enabled with the Check All command
  • Fixed the issue that the Controlled Scan won't start on a link node
  • Fixed high DPI issues on Scan Policy Optimizer wizard
  • Fixed the issue that the style of child nodes was not updated when the vulnerability was ignored
  • Fixed the issue where a confirmed Permanent XSS vulnerability was not added to the Confirmed group on the Issues tree
  • Fixed the report templates that included ignored vulnerabilities in statistics
  • Fixed the incorrect response displayed for SSRF vulnerabilities when the request was redirected to another page
  • Fixed several dock panel issues
  • Fixed a NullReferenceException thrown when setting a custom user agent on a Scan Policy
  • Fixed the Critical Vulnerability Count in report templates
  • Fixed an incorrect external reference for the ViewState is not Encrypted vulnerability
  • Fixed a highlighting issue for vulnerabilities that display multiple responses
  • Fixed an incorrect possible LFI vulnerability when the response was redirected
  • Fixed an incorrect Open Redirect vulnerability reported when a regular link was followed during DOM parsing
  • Fixed an issue where some Sitemap nodes were not added to the tree until a New Scan was started
  • Fixed the broken case sensitivity check for crawled links
  • Fixed a smartcard driver issue that occurred when the path contained space characters
  • Fixed a FormatException that occurred while parsing cookies
  • Fixed several incorrect Source Code Disclosure reports
  • Fixed the issue where cookies that were set by JavaScript were not highlighted
  • Fixed a JsonReaderException that occurred while trying to parse a Swagger document
  • Fixed an ObjectDisposedException thrown when a tooltip was closing
  • Fixed an ArgumentOutOfRangeException thrown while generating reports
  • Fixed a case sensitivity issue on the Sitemap tree where two nodes with same name but different cases were not added to the tree
  • Fixed a double HTML encoding problem in the generated exploit template
  • Fixed adding multiple empty rows to Additional Website settings
  • Fixed parsing URLs with encoded chars
  • Fixed the problem where scans could not be resumed when paused during the Recrawling phase
  • Fixed hanging Open Redirect checks caused by binary responses
  • Fixed double HTML encoding problem in the URL in the Detailed scan report template
  • Fixed the DOM parser so that the Exclude by CSS Selector setting is saved and displayed correctly in the custom preset
  • Fixed redundant Encode use in the report templates that caused double HTML encoding
  • Fixed InvalidOperationException thrown when using Manual Crawling
  • Fixed the error where the custom driver selection dialog was opening twice in the Import Smart Card Certificate dialog
  • Fixed incorrect count of Proof List knowledge base
  • Fixed the issue where XSS via RFI could not be detected with a certain payload
  • Fixed the issue where the Scan skipped to the attacking phase after the Crawling phase was skipped when the Scan started in Crawl & Wait mode
  • Fixed the issue where a Swagger YAML file could not be imported
  • Fixed the usability issues of JavaScript preset selection on Scan Policies where entered values could not be deleted
  • Fixed the vulnerabilities remaining from the previous scan on sitemap when an incremental scan has been started.
  • Fixed the cookie jar which does not ignore the duplicated cookie based on first cookie's HttpOnly flag
  • Fixed the issue where the late confirmed vulnerability was not added to the Sitemap
  • Fixed the error where the activity time was not being updated during the extra confirmation phase
12-Oct-2016

FIXES

  • Fixed the issue where HTTPS protocol is enforced while using JIRA Send To action.
  • Fixed an issue where print dialogs could be displayed during scans.
  • Fixed a form authentication issue where the last form authentication sequence requests were prematurely cancelled.
12-Mar-2020

NEW FEATURES

  • Added a new Form Validation Errors node to the Knowledge Base panel, and to scan reports, to show Form Validation errors
  • Added the capability to abort requests from the Pre-Request Scripts tab of the Start a New Website or Web Service URL dialog
  • Added CVSS 3.1 support, to help with vulnerability scores
  • Added a new Query Parameters checkbox to the Parameter-Based Navigation section of the Crawling tab in the Scan Policy Editor


NEW SECURITY CHECKS

  • Added a Login Page Identified security check
  • Added a Content Delivery Networks (CDN) security check
  • Added a Reverse Proxies security check

IMPROVEMENTS

  • Added two new settings to the list available in the Advanced tab of the Options dialog, including DisableRequestParametersReordering (to disable the reordering of query parameters) and DisableIriParsing (to change the IRI parsing configuration of the .NET framework)
  • Improved the ability to crawl URLs with fragments
  • Added reflected parameter names and sensitive keywords to the BREACH Attack's report template
  • Added a metadata section to the Custom Security Check scripting templates in the Custom Script Checks section of the Security Checks tab in the Scan Policy Editor
  • Added extra information to error reports
  • Added a check for the vulnerability GUIDs used to create vulnerabilities in Custom Security Check scripts

FIXES

  • Fixed the tab order in the Scan Profile settings in the Start a New Website or Web Service Scan dialog
  • Resized the Type column in the Logs panel
  • Added a scrollbar to the Get Shell panel
  • Fixed an issue that prevented a backspace key from working in Save Profile As dialog's name editor
  • Fixed the issue where vulnerabilities' Fixed states were not updated following a Controlled scan
  • Fixed an issue that prevented custom fields from being rendered for the YouTrack Send To Action
  • Added missing tooltips to the Enabled check box of the Script Settings and Manual Authentication settings panels
  • Added a Frame Injection XSS pattern
  • Fixed a typo in the Copy to Clipboard tooltip
  • Fixed the issue where POST parameters were not parsed correctly in the HAR importer
  • Fixed the location of the Override Version vulnerability severities ch
  • Fixed the typo in the description of the NotifiedExpiringLicenses setting
  • Fixed an issue in the JSON Response panel that caused the Address textbox to be editable instead of read-only
  • Fixed a localization issue that occurred while displaying severities in the Vulnerability Editor dialog in the Report Policy Editor
  • Fixed escaping Form Authentication's Custom Script username and password.
  • Fixed the problem where day-long scan durations were not displaying correctly in the Knowledge Base reports and screens
  • Fixed a couple of design problems in reports
  • Fixed the usage of the '/v' command line parameter
  • Updated the default User-Agent
  • Fixed the scheduling of Incremental Scans to be consistent with the regular Incremental Scan, so that the system checks for the current session and offers the option to use it as the base scan before trying to open a scan file
  • Fixed typos in the tooltips in URL Rewrite tab of the Start a New Website or Web Service Scan dialog
  • Fixed problem caused by a missing obfuscation exclusion in the License validation process
  • Fixed the issue where the wrong engine was selected in Controlled Scans when a vulnerability was detected by a Custom Script
  • Fixed the issue where localized values were not displayed for some custom fields
  • Fixed the issue where duplicate notifications were displayed following the import and export of scans
  • Fixed a Null Reference Exception that was caused when Basic, NTLM/Kerberos Authentication settings were null in old profile files
  • Fixed an issue where the default values were not set for the Scan Policy Optimizer options' properties while deserializing a Scan Policy
  • Fixed an issue that caused the same Authentication method to be added twice in the Basic, NTLM/Kerberos Authentication settings
  • Updated OpenAPI.NET to 1.1.4 version to support the latest Swagger files
  • Fixed the issue where single engines were not working in the Import Only scan mode
  • Fixed an issue where the Request body was encoded improperly, which caused an error following the sending of requests
  • Fixed some typos in the WAF Identified dialog, along with some refactorings
  • Fixed the issue where Incremental Scan caused unnecessary DOM simulations
12-Jan-2017

New Features

  • Included support for the Invicti Hawk infrastructure for detection of SSRF and OOB vulnerabilities.
  • Support for importation of Postman files.
  • Added "Copy as cURL" context menu item to sitemap.
  • Added "Copy sqlmap Payload" context menu item for SQL Injection vulnerabilities.
  • Added HTTP request rate limiting options to Scan Policy.
  • Added "Ignored Email Addresses" section for Scan Policy.
  • Added accept and reject options for untrusted SSL certificates.
  • Added an option to disable automatic detection of 404 error pages.

New Security Checks

  • New security checks for Server Side Request Forgery (SSRF) vulnerability
  • New security checks for out-of-band vulnerabilities such as OOB SQL Injection, OOB XXE, Blind XSS, OOB RCE, OOB RFI etc.
  • Added "Missing object-src in CSP Declaration" vulnerability detection.
  • Added "Apache Multiple Choices" vulnerability detection.
  • Added "Stored DOM based XSS" vulnerability detection.

Improvements

  • Improved the message displayed when trying to open an invalid session file.
  • Added /nopdf command line switch to prevent generating PDF reports while performing automated scans.
  • Added AttackPattern.GetAllEngines() and AttackPattern.GetAllPatterns() methods to reporting API to get the list of engine and pattern IDs.
  • Added "Test Credentials" support for Basic, NTLM/Kerberos authentication configuration screen.
  • Added progress dialog for importing links.
  • Improved the performance of several link importers.
  • Added global proxy options under Tools > Options to configure an application wide proxy.
  • Added "Bearer Token" support for form authentication.
  • Added confirmation for Frame Injection vulnerabilities.
  • Added http: and https: checks for CSP vulnerability detection.
  • Improved link importers where redundant CONNECT requests are now excluded.
  • Optimized attacker performance for links containing single parameter.
  • Added SSL protocol selection for scan policies.
  • Added context menu items to the Report Policy Editor to multiple selected vulnerabilities by severity.
  • Optimized crawling parser by skipping DOM simulation on pages with static content.
  • Improved coverage of CORS security check with extra attacks.
  • Removed GWT attacks from file upload security checks.
  • Improved DOM simulation performance.
  • Improved CSS parsing which now follows CSS import directives.
  • Improved coverage of open redirect security checks by adding/updating attacks patterns.
  • Improved logout detection by skipping JavaScript responses.
  • Added support for "HTTP 410 Gone" and "HTTP 451 Unavailable For Legal Reasons" response status codes.

Bug Fixes

  • Fixed an issue where a multiple cookies issue should not be reported.
  • Fixed a JSON parsing issue with text parser.
  • Fixed a request builder issue where the credentials on URL were not preserved.
  • Fixed a request builder issue where the port number change is not reflected to raw request tab.
  • Fixed a NullReferenceException which may have been thrown while closing the splash screen.
  • Fixed a NullReferenceException which may have been thrown while updating activities on scan summary dashboard.
  • Fixed clipped texts on several windows while using higher DPI settings.
  • Fixed a request builder issue where the port on pasted URL is not parsed.
  • Fixed a request builder issue where Cookie request header is not sent.
  • Fixed a request builder issue where Cache-Control request header value was being duplicated.
  • Fixed an HTTP response reading issue where the response could not be read when only BOM bytes are sent on first read attempt.
  • Fixed the list on LFI exploitation panel where the same files were being duplicated.
  • Fixed an issue in report policy editor that causes CVSS editing controls to disappear.
  • Fixed a NullReferenceException on scan policy editor dialog thrown while clicking select inverse context menu on some security check groups.
  • Fixed an issue where a false-positive file upload vulnerability might be reported.
  • Fixed several DOM simulation issues on pages that have many iframe elements.
  • Fixed a NullReferenceException while performing an internal MD5 encoding operation.
  • Fixed an issue where the vulnerabilities found on a scan lingered into the next scan started.
  • Fixed an encoding issue on a proof URL of an XSS vulnerability.
  • Fixed a hang issue that occurred when too many email addresses were found on the response.
  • Fixed an issue where "Shell Script Identified" vulnerability is not found when retested.
  • Fixed a scan profile load issue that occurred when a link with binary body is imported.
  • Fixed the table layout on comparison report which was having too wide columns when the URLs were too long.
  • Fixed the duplicate request issue on "AJAX / XML HTTP Requests" knowledge base report.
  • Fixed URL parsing on pages where the URLs were containing whitespace characters like carriage return and line feeds.
  • Fixed an ArgumentOutOfRangeException thrown while trying to match the redirected URL to configured logout detection pattern.
11-Oct-2019

IMPROVEMENTS

  • Added Authentication mode and Scheduled Scan information to new reports
  • Added Include and Exclude pattern difference information to new reports

FIXES

  • Fixed an issue where local scans got lost when the Invicti root directory was changed
  • Fixed an issue where the Dark theme was not applied in the Comparison Report dialog
  • Fixed an issue where true responses could not be processed correctly because of the '00' suffix
  • Fixed the cookie parser by removing the whitespace and disallowed character checks for cookie names
  • Fixed typos in the HSTS warning and error template
  • Fixed a NullReferenceException that was thrown during Authentication verification
  • Fixed a NullReferenceException that was thrown while the scan is moving from one phase to the next
  • Fixed a NullReferenceException that was thrown when a new root node was being added to the Sitemap
  • Fixed an issue where headers were duplicated in the Swagger importer
  • Fixed an issue where 201 (Created) responses occasionally caused incorrect redirects during Form Authentication and DOM simulation
  • Fixed an issue where the Update button icon was not changing when the download started
  • Fixed the problem where PDF reports did not generate when exporting reports on a network share path
  • Fixed the problem where it was not possible to change the default logo to a custom logo on new reports
  • Fixed the Summary information alignment on PDF reports
  • Fixed the problem of empty response information in XML reports
  • Fixed various localization problems in reports
11-Oct-2017

IMPROVEMENT

  • Updated vulnerability database to latest version.
11-Nov-2016

FIXES

  • Fixed a hang issue that occurred on some configurations.
11-May-2018

FIXES

  • Fixed an issue where old scan files fail to import.
  • Fixed Short File Names Exploiter by disabling it when other vulnerability types are selected.
  • Fixed disabled UI where Cloud is not reachable.
  • Fixed blocked UI during VDB update check.
  • Fixed copying URL Rewrite rules in knowledgebase by copying RegExp patterns with place holder patterns.
  • Fixed opening Scan Summary Dashboard when clicked root node from sitemap tree.
  • Fixed hiding backstage when export file dialog is canceled.
  • Fixed an incorrect encoded space character on Detailed Scan Report.
  • Fixed overlapping icons of optimized scan policies on Start a New Scan Dialog.
11-May-2018

FEATURES

  • Netsparker Enterprise integration: ability to import and export scans between the scanners.
  • New user interface with new skin and improved usability.
  • Smart Card authentication support.
  • Attack Radar panel that shows detailed attacking progress of security checks.
  • Added the OWASP 2017 Top Ten classifications report template.
  • Added Server-Side Template Injection (SSTI) vulnerability checks.

SECURITY CHECKS

  • Expect-CT security checks.
  • Added various new web applications in the application version database.
  • Added out of date checks for Hammer.JS, Phaser, Chart.js, Ramda, reveal.js, Fabric.js, Semantic UI, Leaflet, Foundation, three.js, PDF.js, Polymer.

IMPROVEMENTS

  • Crawler can now parse multiple sitemaps in a robots.txt file.
  • Improved the representation of POST, JSON and XML parameters on sitemap.
  • Added support for opening links in all web browsers installed on the computer.
  • Improved high DPI support.
  • Improved sorting on Issues panel.
  • New Extensions scan policy settings to specify which extensions should be crawled and attacked.
  • Added activity status text for XSS and Open Redirect confirmation phases.
  • Added target link address to status bar on vulnerability descriptions.
  • Added "Import from Scan Session" option to populate form values based on an existing scan.
  • Added support for parsing swagger documents in yaml format.
  • Added Open Redirect and XSS confirmation timeout settings.
  • Added support for parsing relative meta refresh URLs.
  • Moved Knowledge base items to own panel.
  • Improved the vulnerability summary section of Detailed Scan Report.
  • Added "Copy to Clipboard" link to unmatched URL rewrite rules table within URL Rewrite knowledge base.
  • Improved the usability of User Agent scan policy settings.
  • Favicon of the target website shown to sitemap tree.
  • Search capability in the Knowledge base details.
  • Improved parsing of websites using React framework.
  • Content-Security-Policy-Report-Only header is not reported as an interesting header.
  • Added support for sending text to Encoder panel from other panels in the application.
  • Added save report button to Knowledge base.
  • Added "Ignore Authentication" option to Request builder.
  • Added a hotkey to "Ignore from This Scan" menu.
  • Added "Force User Agent" setting to force the selected User Agent value on scan policy.
  • Added support for Postman v2.1 version.
  • Scan logs in Logs panel are now saved along with scan file.
  • Added an extra consistency check to ROBOT attacks.
  • Added scan policy settings to include/exclude certain cookie names from Cookie security checks.
  • Improved the "Interesting Header" list support.
  • Added anti-CSRF token support for Blind SQL Injection exploitation.
  • Removed BOM from JSON and XML report templates.
  • Improved the numbers reported on dashboard.
  • Added summary table to several reports.
  • Variations are retested before starting an incremental scan.
  • Improved JavaScript content check performance while detecting out of date checks.
  • Added multi-thread support to Controlled Scan.
  • Added anti-CSRF token support for tokens in request headers, meta tags, manual crawling and imported links.
  • Added command line auto update option.
  • Renamed FogBugz send to action to its new name Manuscript.
  • Testing Send To actions now creates issues on target systems.
  • GitHub Send to action now works with organization accounts and private repositories.
  • Scan Policy and Report Policy editor dialogs remember their locations and sizes.
  • Added support for handling HTTP 307 redirects.
  • DS_STORE files are discovered and parsed.
  • Improved MySQL double encoded string attacks.

FIXES

  • Fixed scheduled scans to prevent incorrect settings to be saved.
  • Fixed the overflow issue of "Maximum 404 Signatures" scan policy setting.
  • Fixed the unsaved Disallowed HTTP Methods issue for scan profiles.
  • Fixed some possible vulnerabilities missing [Possible] indicator in title.
  • Fixed the exception that occurs when importing scan file because the path has invalid chars.
  • Fixed an ArgumentOutOfRangeException that occurred when the back button was clicked on the Scan Policy Optimizer.
  • Fixed the incorrect "Exclude Branch" icon.
  • Fixed the missing Host header issue on Request Builder.
  • Fixed the issue where header enabled and disabled states are not preserved in Postman v2 files.
  • Fixed the issue where the selected vulnerability is not being recognized while performing a retest.
  • Fixed the issue where all variations are removed from Issues panel if a parent vulnerability is removed.
  • Fixed the issue where parent vulnerability is struck out in sitemap when a variation is fixed after retest.
  • Fixed the issue where some vulnerabilities that are not fixed come up as fixed after retest.
  • Fixed highlighting problem for "Password Transmitted over HTTP" vulnerability.
  • Fixed the incorrect Possible LFI caused by the persisted OOB RCE pattern on the page response.
  • Fixed incorrect "[Possible] WS_FTP Log File Detected" vulnerability.
  • Fixed the issue where a variation node is not added to the Issues panel.
  • Fixed incorrect average speed calculation on Detailed Scan Report.
  • Fixed some issues in Incremental Scan and Controlled Scan where some vulnerabilities are reported as fixed while they still exist.
  • Fixed the issue where same post parameters appears twice in the request builder form.
  • Fixed Hawk validation error by not following redirects.
  • Fixed the issue where a vulnerability is not reported when the cookie contains a CSRF token.
  • Fixed the issue where static detection vulnerabilities are treated as fixed after a retest even though they are not.
  • Fixed the issue where CSRF token in the cookie is not reported when token is in the form action.
  • Fixed the issue on GitHub send to action where the test passed but vulnerability issue cannot be created.
  • Fixed the SSL check hang on HTTP only hosts.
  • Fixed LFI engine by not analyzing source code disclosure on binary responses.
  • Fixed a validation issue for some Swagger documents.
  • Fixed the issue where CSP keywords are not reported when used without single quotes.
  • Fixed mailto: and javascript: links which were incorrectly reported as mixed content.
  • Fixed the issue where cookie header in raw request was not added to the sqlmap command.
  • Fixed the issue where crawler keeps trying to crawl target URL when clicked Retry if there is a connection failure.
  • Fixed incorrect source code disclosures reported in binary responses.
  • Fixed incorrect UNC Server And Share Disclosure vulnerability reports.
  • Fixed out of date version reporting behavior when no ordinal is found in version database.
  • Fixed Lighttpd version disclosure detection signatures.
  • Fixed a Swagger parsing issue.
  • Fixed broken proxy chaining in manual crawl mode.
11-May-2016

IMPROVEMENTS

  • Added PCI DSS 3.2 vulnerability ratings
  • Updated the PCI Compliance report template with the details of PCI DSS version 3.2