Updated vulnerability database
Updated fingerprinting tables for WordPress and Movable Type
Improved the language used in knowledge base templates.
Fixed a bug to prevent auto update message dialog when the auto update setting is disabled
Ruby on Rails Remote Code Execution vulnerability
Off the shelf Web Application Fingerprinting and detection of known security issues (Such as WordPress, Joomla and Drupal)
Version disclosure checks for Apache module mod_ssl, Ruby and WEBrick HTTP web server
Identification of phpMyAdmin and Webalizer
Detection of SHTML error messages that could disclose sensitive information
New WebDAV engine that detects WebDAV implementation security issues and vulnerabilities
Server-Side Includes (SSI) Injection checks.
Scan Policy Editor that allows you to build own scan policies for more efficient web application security scans.
Oracle CHR encoding and decoding facility in the Encoder pane
Support for multiple exclude and include URL patterns which can also be specified in REGEX
Knowledge base node where additional information about the scanned website is reported to the user
New PCI Compliance Report template.
Default include and exclude URL pattern has been improved
DOM Parser now supports proxies and client certification support
The performance of the Controlled Scan user interface has been improved
HTTP Response text editor automatically scrolls to the first highlighted text when viewed
Improved vulnerability classifications
Vulnerability templates text has been improved
Updated the look and feel of the vulnerability templates
Version vulnerability database updated with new web applications version for better finger printing
Cross-site scripting exploit generation improved
Improved confirmed vulnerability representation on Detailed Scan Report
Internal Path Disclosure for Windows and Unix security tests have been improved
Improved version disclosure security tests for Perl and ASP.NET MVC
Start a Scan user interface by moving rarely used settings to Invicti general settings
Improved the performance of security scans which are started using the same Invicti process
Scope documentation text has been updated
Updated WASC links to point to the exact threat classification page
Improved custom 404 detection on sites where the start URL is redirected.
Fixed a bug in XSS report templates where plus char encoding was wrong
Fixed a bug which causes multibyte unicode characters to be corrupted upon retrieval
Fixed a bug where "Auto Complete Enabled" isn't reported
Fixed a bug where Community Edition was asking for exporting sessions
Fixed a bug causes redundant responses to be stored on redirects
Fixed a bug causing a NullReferenceException during reporting
Fixed a bug where custom cookies are not preserved when an exported session is imported
Fixed a bug on report templates where extra fields were missing when there are multiple fields
Fixed the radio button overlap issue on Encoder panel for high DPIs
Fixed an issue where CSRF tokens weren't applied for time based (blind) engines in late confirmation
Fixed an issue where data grids on Settings dialog were preventing to cancel the dialog when an invalid row is present
Fixed an issue where some logouts occurred on attack phase couldn't be detected
Fixed a bug which causes requests to URLs containing text HTMLElementInputClass
Fixed a bug where the injection request/response could be clipped wrong in the middle of HTML tags
Fixed the size of the Configure Authentication wizard for higher DPIs
Fixed an issue with CLI interpretation where built-in profiles couldn't be specified
Fixed clipped text issue on scan summary dashboard severity bar chart
Fixed the anchors to vulnerability details in OWASP Top Ten 2010 report template
Fixed incorrect buttons sizes on message dialogs on high DPI settings
Fixed a startup crash which occurs on systems where "Use FIPS compliant algorithms for encryption, hashing, and signing" group policy setting is enabled
Fixed click sounds on vulnerability view tab
Fixed an issue where find next button was not working on HTTP Request / Response tab
Fixed a bug on Configure Authentication wizard occurs when the response contains multiple headers with same names.
Note: Due to major updates to the scan files, Invicti version 3 cannot open scans exported with previous versions of Invicti (.nss files).
Vulnerability Database Update
Configure Authentication user interface enhancements.
HTTP Strict Transport Security (HSTS) Test
Shell Script Found detection
XHTML XSS Attack
Database Connection String Found vulnerability
Possible Administration Page Found Issue
UNC Server and Share Disclosure.
Integration with Bug Tracking Tools and Send To Feature
Generate Exploit Feature
OWASP Top Ten Report.
Vulnerability Database Update
Windows 8/Server 2012 Support.
Possible Windows Username Disclosure
LigHTTPD Directory Listing
Nginx Directory Listing
LiteSpeed Directory Listing
Generic Email Address Disclosure
LigHTTPD Version Disclosure
Nginx Version Disclosure
SharePoint Version Disclosure
IIS 8 Default Page Detection
Struts2 Development Mode Enabled.
Seamless Update Support
Error Reporting and Help Desk Integration
Improved PDF reports.
Detect web statistic applications
Web.config check added
WS_FTP log check added
Perl RCE (Remote Code Evaluation) checks added.
Ability to scan much bigger websites with high performance
Expression Language Injection check added
MyFaces Stack Trace Disclosure check added
Mongrel Server Version Disclosure check added
Password over GET check added
WebLogic Detection check added
Elmah.axd Detection check added
OpenSSL vulnerabilities added to Vulnerability Database
PHP vulnerabilities added to Vulnerability Database.
New Authentication System (SSO, Multiple-step Authentication, Extensibility)
New Injection Points added
Comparison Reports added
Complete x64 Support
SSL Checks added
Tomcat default files check added
ASP.NET MVC version disclosure check added
Mongrel and Nginx version disclosure checks added.
Added the Vulnerability Database
Redirect BODY is too large and Redirect includes 2 Responses.
Anti-CSRF Token Support.
Brute Force Support
Tomcat Source Code Disclosure
Default Tomcat Page Identified
Retest single vulnerability.
Silverlight Open Access Policy / Silverlight Access Policy Found Checks
Django Stack Trace Disclosure Check
MySQL Username Disclosure Check
New Backup File Checks
Client Certificate Authentication Support
Vulnerability Classification data reported the GUI and reports
New Save / Load Files.
Import / Enter Proxy Logs and HTTP Requests
Manual Crawling / Internal Proxy / Proxy Mode
New reporting format
New Security Tests
New Settings Interface
Better GUI for Permanent XSS vulnerabilities.
Command Line Automation Support
ASP.NET Viewstate Analyzer
Confirmation for Remote code evaluation
Confirmation for Remote file inclusion
Custom Reporting API
New Security Tests
Confirmation for RCE