Invicti Product Release Notes
14-Dec-2017

NEW FEATURES

  • Real-time scan results.
  • Added out-of-the-box integration support for the FogBugz, GitHub and TFS issue tracking systems.
  • Grouping of notifications, so that a single email or SMS alert is sent with a list of all alerts rather than one alert per issue.
  • New API endpoint for launching group scans.
  • Scheduling of incremental scans, both from the web UI and from the API.
  • New API endpoint for generating custom scan reports.
  • New scan policy setting to define Web Storage (Session Storage and Local Storage) values.
  • New Header Authentication settings to manually add request headers carrying authentication information (for example a bearer token).
  • Added support for importing links from CSV files.
  • Added support for parsing gzipped sitemaps.

NEW SECURITY CHECKS

  • Check for reflected Code Evaluation in Apache Struts 2 (CVE-2017-12611).
  • Check for Remote Code Execution in Apache Struts (CVE-2017-5638).
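Both Struts checks above target OGNL expression injection; for CVE-2017-5638 the injection point is the Content-Type request header, which a well-formed request never fills with an OGNL expression. The following detection logic is an added example (not Invicti's code and not the scanner's check) that flags such requests in a request log. The log format, the `scan_requests` and `is_well_formed_media_type` names, and the sample lines are all constructed here for illustration.

```python
import re
from typing import Dict, List

# Constructed sample request log (not real traffic): one request per line,
# tab-separated as METHOD, PATH, Content-Type header value.
SAMPLE_REQUESTS = """\
POST\t/struts2-showcase/fileupload/doUpload.action\tmultipart/form-data; boundary=----WebKitFormBoundaryAbc123
POST\t/struts2-showcase/fileupload/doUpload.action\t%{(#_='multipart/form-data').(#probe=1)}
GET\t/index.action\ttext/html
POST\t/upload.action\t${#context['com.opensymphony.xwork2.ActionContext.container']}
"""

# A media type is "type/subtype" optionally followed by ";parameters"
# (RFC 7231 / RFC 7230 tchar).  Braces are not valid token characters, so any
# Content-Type carrying an OGNL expression fails this grammar.
TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
MEDIA_TYPE = re.compile(rf"^{TCHAR}+/{TCHAR}+\s*(?:;.*)?$")

# OGNL expressions embedded in a header start with %{ or ${.
OGNL_MARKER = re.compile(r"[%$]\{")


def is_well_formed_media_type(value: str) -> bool:
    """True if the header value is syntactically a media type."""
    return MEDIA_TYPE.match(value.strip()) is not None


def suspicious_reason(content_type: str) -> str:
    """Return a short reason string, or '' if the header looks benign."""
    if OGNL_MARKER.search(content_type):
        return "OGNL expression marker in Content-Type"
    if not is_well_formed_media_type(content_type):
        return "Content-Type is not a valid media type"
    return ""


def scan_requests(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per request whose Content-Type is suspicious."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        method, path, content_type = raw.split("\t", 2)
        reason = suspicious_reason(content_type)
        if reason:
            findings.append(
                {"method": method, "path": path,
                 "content_type": content_type, "reason": reason}
            )
    return findings


if __name__ == "__main__":
    for finding in scan_requests(SAMPLE_REQUESTS):
        print(f"{finding['method']} {finding['path']}: {finding['reason']}")
```

The grammar check matters as much as the marker check: an attacker can obfuscate the `%{` prefix, but cannot produce a valid `type/subtype` token that still evaluates as OGNL, so rejecting malformed media types at the edge is the more robust control.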

IMPROVEMENTS

  • The Scan Time Window setting is now available on the new group scans page.
  • Improved scan stability and performance.
  • Improved the default Form Values settings.
  • Updated external references for several vulnerabilities.
  • Updated the default User-Agent HTTP request header string.
  • Changed API endpoints to return a 201 Created response status code for newly created resources.
  • Added several UI improvements for WCAG guidelines compliance.
  • Improved the email template used to report issues.
  • Added "Attack Parameters" information to the Scanned URLs report.
  • Renamed the "Important" vulnerability severity to "High".
  • Added Form Authentication performance data to the Scan Performance knowledge base node.
  • Improved the Active Mixed Content vulnerability description.
  • Improved DOM simulation for events attached to the document object.
  • Added parsing of the "Alternates", "Content-Location" and "Refresh" response headers.
  • Improved CSP engine performance by checking the CSP nonce value once per directory rather than per page.
  • Changed sqlmap payloads to start with sqlmap.py, including the .py extension.
  • Added the --batch argument to sqlmap payloads, so they run without interactive prompts.
  • Removed the Markdown Injection XSS attack payloads.
  • Added an ALL parameter type option to the Ignored Parameters settings.
  • Added gtm.js (the Google Tag Manager JS library) to the default excluded scope patterns.
  • Updated the Accept HTTP header value in the default scan policy.
  • CSS exclusion selectors now also apply to frames and iframes.
  • Added parsing of JavaScript code containing embedded spaces in HTML attribute values.
  • Added parsing source information to the Scanned URLs List and Crawled URLs List (JSON) reports.
  • Email address disclosure is no longer reported for email addresses used as form authentication credentials.
  • Added focus and blur event simulation for form authentication set value API calls.
  • Added more information about HTML forms and inputs for vulnerabilities found in HTML forms.
  • Added a JavaScript settings option to specify JavaScript cookies that persist across authentication and DOM simulation.
  • Added a Parameter Value column to the Vulnerabilities List report in CSV format.
  • Added matching by HTML element id for form values.
  • Added "Ignore document events" to the JavaScript settings, to skip triggering events attached to the document object.
  • Improved the Remedy section of the Windows Short Filename vulnerability details.
  • URL Rewrite parameters are now represented as asterisks (*, sqlmap's injection point marker) in sqlmap payloads.

BUG FIXES

  • Fixed an issue where the AutoSave filename was missing when resuming a scan.
  • Fixed an issue where the "Test" button in the authentication settings did not work as expected.
  • Fixed an issue where model binding did not work as expected for scan profile API endpoints.
  • Fixed CSRF vulnerability reporting on change-password forms.
  • Fixed case sensitivity when matching ignored parameters; matching is now case-sensitive.
  • Fixed the incorrectly disabled external references section in the WordPress Setup Configuration File template.
  • Fixed various source code disclosure issues.
  • Fixed an escaping issue with CSS exclusion selectors.
  • Fixed an issue where basic authentication credentials were not sent during the logout detection phase.
  • Fixed a random DOM simulation exception that occurred when the site creates popup windows.
  • Fixed a RemotingException that occurred in the Form Authentication Verifier.
  • Fixed a possible NullReferenceException in Form Authentication.
  • Fixed form authentication custom scripts breaking when the last line of the script is a single-line comment.
  • Fixed excessive memory usage when deserializing huge parameter values.
  • Fixed incorrect URLs being added when only an extension value was present.
  • Fixed a NullReferenceException that could be thrown while importing a Swagger file.
  • Fixed form authentication not being triggered on retest.
  • Fixed a StackOverflowException thrown by the Swagger parser while parsing objects containing circular references.
  • Fixed a Swagger file parsing issue: the target URL is now used when the host field is missing.
  • Fixed the Swagger importer by ignoring metadata properties.
  • Fixed a NullReferenceException that occurred during DOM simulation.
  • Fixed incorrect URLs being parsed from attack responses.
  • Fixed redundant duplicate HTTP requests issued by the Web App Fingerprinter.
  • Fixed the ignore parameter issue for parameters containing special characters.
  • Fixed a NullReferenceException that occurred for select elements missing option elements in multipart requests.
  • Fixed missing vulnerabilities requiring late confirmation in incremental scans.
  • Fixed a NullReferenceException that could occur in iframe security checks.
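Two of the Swagger importer fixes above (circular `$ref` chains causing a StackOverflowException, and a missing `host` field) come up in any importer that expands a specification before crawling it. The following is an added example, not Invicti's importer code, of how both cases are handled: `$ref` pointers are resolved with the chain of references currently being expanded kept on a stack, so a reference back into that chain is replaced by a `$circular` marker instead of recursing forever, and the base URL falls back to the scan target's scheme and host when the spec omits them. The `SPEC` document, the `expand`, `base_url` and `endpoints` names, and the `https://example.test:8443/` target are constructed for this example.

```python
from typing import Any, Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed Swagger 2.0 fragment (not from a real service).  The Node schema
# refers to itself through "children", and "host" is missing.
SPEC: Dict[str, Any] = {
    "swagger": "2.0",
    "basePath": "/api",
    "paths": {
        "/nodes": {
            "get": {"responses": {"200": {"schema": {"$ref": "#/definitions/Node"}}}},
            "post": {"responses": {"201": {"schema": {"$ref": "#/definitions/Node"}}}},
        }
    },
    "definitions": {
        "Node": {
            "type": "object",
            "properties": {
                "id": {"type": "integer"},
                "children": {"type": "array", "items": {"$ref": "#/definitions/Node"}},
            },
        }
    },
}

HTTP_METHODS = ("get", "put", "post", "delete", "options", "head", "patch")


def resolve_pointer(spec: Dict[str, Any], ref: str) -> Any:
    """Resolve a local JSON Pointer such as '#/definitions/Node' (RFC 6901)."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local references are supported: {ref}")
    node: Any = spec
    for token in ref[2:].split("/"):
        token = token.replace("~1", "/").replace("~0", "~")
        node = node[token]
    return node


def expand(spec: Dict[str, Any], node: Any, stack: Tuple[str, ...] = ()) -> Any:
    """Inline $ref targets; a reference already on the stack becomes a marker."""
    if isinstance(node, dict):
        ref = node.get("$ref")
        if ref is not None:
            if ref in stack:
                return {"$circular": ref}  # cycle: stop instead of recursing
            return expand(spec, resolve_pointer(spec, ref), stack + (ref,))
        return {key: expand(spec, value, stack) for key, value in node.items()}
    if isinstance(node, list):
        return [expand(spec, value, stack) for value in node]
    return node


def base_url(spec: Dict[str, Any], target_url: str) -> str:
    """Build the API base URL, falling back to the scan target where the spec is silent."""
    target = urlsplit(target_url)
    scheme = (spec.get("schemes") or [target.scheme])[0]
    host = spec.get("host") or target.netloc
    return f"{scheme}://{host}{spec.get('basePath', '')}"


def endpoints(spec: Dict[str, Any], target_url: str) -> List[Tuple[str, str]]:
    """List (METHOD, absolute URL) pairs for every operation in the spec."""
    base = base_url(spec, target_url)
    found = []
    for path, item in spec.get("paths", {}).items():
        for method in HTTP_METHODS:
            if method in item:
                found.append((method.upper(), base + path))
    return found


if __name__ == "__main__":
    schema = SPEC["paths"]["/nodes"]["get"]["responses"]["200"]["schema"]
    print(expand(SPEC, schema))
    print(endpoints(SPEC, "https://example.test:8443/"))
```

Keeping the reference chain as a tuple passed down the recursion (rather than one shared "seen" set) is deliberate: a schema may legitimately reference the same definition twice in sibling branches, and only a reference back to an ancestor is a cycle.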