Home
/
Documentation
/
12-Sep-2018
Invicti Product Release Notes
Invicti Enterprise On-Demand
Invicti Enterprise On-Premises
Invicti Standard
Invicti Application Security Platform
12 Sep 2018

12-Sep-2018

NEW FEATURES

  • Added Bulk Export to Cloud feature
  • Added Scan Speed graph
  • Added Send To integration support for ServiceNow
  • Added custom field support for Send To fields
  • Added an encoder for JavaScript fromCharCode format
  • Added Go to Identification Page button to Go to Parent link of current selected link
  • Added Russian FSTEC BDU Vulnerability Database numbers to version vulnerabilities

NEW SECURITY CHECKS

  • Added Out of Band Server Side Template Injection security checks
  • Added signature detection check for Caddy web server
  • Added signature detection check for aah go server
  • Added signature detection check for JBoss application server
  • Added CakePHP framework detection
  • Added CakePHP version disclosure detection
  • Added CakePHP out-of-date version detection
  • Added CakePHP Stack Trace Disclosure
  • Added CakePHP default page detection
  • Added Out of Date checks for CKEditor 5

IMPROVEMENTS

  • Updated the licensing model
  • Updated .NET Framework version requirement to 4.7.2.
  • Improved the user interface by reducing the number of borders between panels
  • Added more information to the window where Cloud integration is conducted
  • Improved the design of vulnerability details
  • Added a link to Cloud scan URL when a scan is exported to the Cloud
  • Improved the list of resources found by the Resources Finder
  • Added a button to start an incremental scan for a scan listed on File>Import>Local Scans
  • Added Hawk configuration validation to the Scan Optimizer
  • The state of vulnerability nodes are updated across the Sitemap and Issues trees when ignored or included in scan
  • All authentication vulnerabilities (Basic, NTLM, Digest, etc. authorization required) are merged into single vulnerability
  • Dialog locations and sizes are remembered each time you reopen Invicti
  • Added Request Method column to the Vulnerabilities List CSV report
  • Added vulnerability severity to email Send To action template
  • Added URL validation to Target URL textbox in the Start a New Scan dialog
  • Updated Vulnerabilities List CSV report template to display attack parameter only
  • Added fine grained options to Resource Finder step of Scan Policy Optimization wizard
  • A Summary dialog is displayed after the Controlled Scan informing users about whether new vulnerabilities have been found
  • Added cookie analyzer checks for cookies added using JavaScript
  • Added keyboard navigation support to navigation bar control in the Start a New Scan dialog
  • Variation count is included in the total vulnerability count in Detailed Scan Report
  • Improved LFI Exploitation panel usability
  • Added tokenized deletion using Ctrl + Backspace to Target URL text box
  • Variation count included in the total count in report templates
  • Improved the error message displayed when the retest fails if Form Authentication fails
  • Added Link Count to the Scan Summary dashboard
  • Added not found Link Count to the Scan Summary dashboard
  • Controlled scan shows the detected vulnerability count on parameters after it's finished
  • Improved the error message displayed when an incorrect command line argument is supplied
  • Added Label field for JIRA Send To actions
  • Added Tags field for Manuscript (FogBugz) Send To actions
  • Added WorkItem Tags field for TFS Send To actions
  • Added Disable Resource Finder button to the Scan Policy Editor
  • Added a Max Fail limit to Retest All so it does not abort after one retest has failed
  • Ignored vulnerabilities are excluded from Retest All
  • Improved SQL Injection proof data by stripping HTML tags
  • Controlled scan can be started for vulnerabilities that have no parameters
  • Vulnerabilities confirmed at the end of the Scan are retested separately in Retest All
  • Added Late Confirmation activity into Controlled Scans so the Scan progress can be observed
  • Added Copy and Copy Value context menu items to Headers' request and response viewers
  • Improved automatic Form Authentication by performing several additional attempts when the Submit button is disabled
  • Improved CSRF token detection in cookie values
  • Improved the error details displayed when link import fails

FIXES

  • Fixed the incorrect Content-Type header sent during Form Authentication requests
  • Fixed the vulnerability viewer display issue when a vulnerability node on Sitemap is reselected.
  • Fixed the incorrect badge drawn on the ribbon's Quick Access Toolbar buttons
  • Fixed the WAF rule generated for TRACE/TRACK HTTP methods which were also blocking the other HTTP methods
  • Fixed the URL encoding issue for vulnerabilities which are sent to Manuscript (FogBugz)
  • Fixed several usability issues on the Short File Names exploitation panel
  • Fixed the error where the ExpectCT header was reported as an interesting header
  • Fixed the Multiple File Open Dialog high DPI issues
  • Fixed the Content-Type header parsing when there was an extra semicolon character at the end of the value
  • Fixed the incorrect number on the Detailed Scan report template's instance column
  • Fixed patterns that weren't enabled when Security Checks were enabled with the Check All command
  • Fixed the issue that the Controlled Scan won't start on a link node
  • Fixed high DPI issues on Scan Policy Optimizer wizard
  • Fixed the issue that the style of child nodes was not updated when the vulnerability was ignored
  • Fixed the issues that a confirmed Permanent XSS vulnerability was not added to the Confirmed group on the Issues tree
  • Fixed the report templates that included ignored vulnerabilities in statistics
  • Fixed the incorrect response displayed for SSRF vulnerabilities when the request was redirected to another page
  • Fixed several dock panel issues
  • Fixed a NullReferenceException thrown when setting a custom user agent on a Scan Policy
  • Fixed the Critical Vulnerability Count in report templates
  • Fixed an incorrect external reference for the ViewState is not Encrypted vulnerability
  • Fixed a highlighting issue for vulnerabilities that display multiple responses
  • Fixed an incorrect possible LFI vulnerability when the response was redirected
  • Fixed an incorrect Open Redirect vulnerability reported when a regular link was followed during DOM parsing
  • Fixed an issue where some Sitemap nodes were not added to the tree until a New Scan was started
  • Fixed the broken case sensitivity check for crawled links
  • Fixed a smartcard driver issue that occured when the path contained space characters
  • Fixed a FormatException that occurred while parsing cookies
  • Fixed several incorrect Source Code Disclosure reports
  • Fixed the issue where cookies that were set by JavaScript were not highlighted
  • Fixed a JsonReaderException that occured while trying to parse a Swagger document
  • Fixed an ObjectDisposedException thrown when a tooltip was closing
  • Fixed an ArgumentOutOfRangeException thrown while generating reports
  • Fixed a case sensitivity issue on the Sitemap tree where two nodes with same name but different cases were not added to the tree
  • Fixed a double HTML encoding problem in the generated exploit template
  • Fixed adding multiple empty rows to Additional Website settings
  • Fixed parsing URLs with encoded chars
  • Fixed the problem where scans could not be resumed when paused during the Recrawling phase
  • Fixed hanging Open Redirect checks caused by binary responses
  • Fixed double HTML encoding problem in the URL in the Detailed scan report template
  • Fixed the DOM parser so that the Exclude by CSS Selector setting is saved and displayed correctly in the custom preset
  • Fixed redundant Encode use in the report templates that caused double HTML encoding
  • Fixed InvalidOperationException thrown when using Manual Crawling
  • Fixes the error where the custom driver selection dialog was opening twice in the Import Smart Card Certificate dialog
  • Fixed incorrect count of Proof List knowledge base
  • Fixed the issue where XSS via RFI could not be detected with a certain payload
  • Fixed the issue where the Scan skipped to the attacking phase after the Crawling phase was skipped when the Scan started in Crawl & Wait mode
  • Fixed the issue where a Swagger YAML file could not be imported
  • Fixed the usability issues of JavaScript preset selection on Scan Policies where entered values could not be deleted
  • Fixed the vulnerabilities remaining from the previous scan on sitemap when an incremental scan has been started.
  • Fixed the cookie jar which does not ignore the duplicated cookie based on first cookie's HttpOnly flag
  • Fixed the issue where the late confirmed vulnerability was not added to the Sitemap
  • Fixed the error where the activity time was not being updated during the extra confirmation phase