Invicti Product Release Notes
14 Jun 2017

NEW FEATURES

  • Manual Crawling (Proxy Mode) now supports protocols like TLS 1.1 and 1.2.
  • Added scan policy settings for CSRF security checks.
  • Added the ability to use custom HTTP headers during a scan.
  • Added element exclusion support using CSS query selectors for DOM/JavaScript simulation.
  • Added /generatereport CLI argument for report generation from scan session files.
  • Added a hex editor view for requests in the request builder.
  • Added attacking optimization option for recurring parameters on different pages.
  • Added a new knowledgebase item called Site Profile that lists information about the target web site, such as the web server operating system, database server, and JavaScript libraries used.

NEW SECURITY CHECKS

  • Added Referrer Policy security checks.
  • Added markdown injection XSS patterns.
  • Added HostIP and IPv6 patterns to MySQL and SSH SSRF security checks.
  • Added Database Name Disclosure security checks for MS SQL and MySQL.
  • Added Out of Date security checks for several JavaScript libraries.
  • Added Remote Code Evaluation (Node.js) security checks.
  • Added SSRF detection with server-status.
  • Added user controllable cookie detection.
  • Added Context-Aware XSS detection by generating XSS payloads based on the reflected context without breaking it.

IMPROVEMENTS

  • Updated the links to several external references.
  • Added cancellation of ongoing attack activities when excluded from site map.
  • Improved JavaScript and CSS resource parsing.
  • Added exploitation for XXE vulnerabilities.
  • Added DOM simulation options to scan policy optimizer wizard.
  • Improved Mixed Content vulnerability reporting by separating them according to resource types.
  • Improved the CSS query selector generation on form authentication custom script dialog.
  • Improved boolean SQL injection detection for redirect responses.
  • Improved WSDL parsing for files that contain optional extensions.
  • Added current scan profile, scan policy and report policy names to status bar.
  • Improved .sql file detection signature.
  • Improved the highlighting of patterns on HTTP responses.
  • Added extra confirmation for weak credentials detection.
  • Added POST parameters to crawling activities on scan activity list.
  • Added scan policy option to allow XHR requests during DOM simulation.
  • Added response statistics to request builder.
  • Added form value for password input types to default scan policy.
  • Added status column to the request history in request builder.
  • Increased the maximum response size limit for JavaScript resources.
  • Improved the send to JIRA error message.
  • Added maximum number of option elements per select element to simulate scan policy setting.
  • Added the filter 'colon' events scan policy option to filter events that contain a colon character in their names during DOM simulation.
  • Improved error based SQLi exploitation by generating prefix/suffix dynamically.
  • Improved command injection vulnerability detection by prepending original parameter value to attack payload.
  • Improved LFI vulnerability detection by detecting HTML and URL encoded PHP source code.

FIXES

  • Fixed the incorrect imported link count when search panel is active on the grid view.
  • Fixed the "Open in Browser" context menu action broken for root nodes on site map.
  • Fixed the undefined password value issue on form authentication custom script dialog.
  • Fixed an issue where error based SQLi confirmation is done based on the first seen database signature when multiple signatures appear in source code.
  • Fixed the duplicate import link issue.
  • Fixed request builder issues on parsing query string and encoding.
  • Fixed a request builder issue where the error dialog should not be shown while switching tabs if the raw request is empty.
  • Fixed an issue where XSS is missed when injected payload is not executed due to a syntax error.
  • Fixed the broken custom cookie issue where the custom cookie is not sent for imported scan files.
  • Fixed crawling of URLs on pages where base element points to some other URL.
  • Fixed some missing vulnerabilities on site map.
  • Fixed the slow performing certificate load operation on start new scan dialog.
  • Fixed the incorrect vulnerability severity counts on bar chart and status bar.
  • Fixed an issue where blacklisted Invicti attacks prevent further source code disclosures in HTML response.
  • Fixed the splash screen which stays open when Invicti is started from command line.
  • Fixed the focus stealing issue when HTML response contains the autofocus attribute.
  • Fixed an issue where mixed content vulnerabilities are missing because DOM simulation is skipped due to missing JavaScript in HTML source.
  • Fixed missing response on request builder when the request is loaded from history list.
  • Fixed issues where an empty POST parameter is imported and headers are added as disabled for Postman files.
  • Fixed an issue where signature fails to match MS SQL username in error messages.
  • Fixed an issue where a vulnerability is missed because an arbitrary value is not appended to the extra query string parameter name.