Home
/
Documentation
/
6.6.0.36485
Invicti Product Release Notes
Invicti Enterprise On-Demand
Invicti Enterprise On-Premises
Invicti Standard
Invicti Application Security Platform
14 Jun 2022

6.6.0.36485

NEW FEATURES

IMPROVEMENTS

  • Updated embedded Chromium browser.
  • Added a new IAST vulnerability: Overly Long Session Timeout.
  • Added new config vulnerabilities for the IAST Node.js sensor.
  • Added new config vulnerabilities for the IAST Java sensor.
  • Added support for detecting SQL Injections on HSQLDB.
  • Added support for detecting XSS through file upload.
  • Updated DISA STIG Classifications.
  • Updated Java and Node.js IAST sensors.
  • Improved time-based blind SQLi detection checks.
  • Improved the Content Security Policy Engine.
  • Updated XSS via File Upload vulnerability template.
  • Updated License Agreement on the Invicti Standard installer.
  • Added Extract Resource default property to DOM simulation.
  • Improved proxy usage in Netsparker Standard for outgoing web requests such as Hawk.
  • Added an option to discard certificate validation errors on the Enterprise Integration window during SSL/TLS connections.
  • Added vulnerabilityType filter to add VulnerabilityLookup table.
  • Added the agent mode to the authentication request.
  • Added a default behavior to scan the login page.
  • Added an option to disable anti-CSRF token attacks.
  • Added an option to block navigation on SPAs pages.
  • Added a default behavior to disable TLS1.3

FIXES

  • Fixed basic authorization over HTTP bug.
  • Fixed SQL Injection Vulnerability Family Reporting Bug.
  • Fixed a bug that the custom script throws a null reference exception when a script is added to the paused scan.
  • Fixed a bug that deletes an authentication password when a new scan is started with a copied profile.
  • Fixed a bug that causes the Sitemap to disappear during scanning with IAST.
  • Fixed a bug that caused missing tables and values when a report policy is exported as an SQL file.
  • Fixed a typo bug on GraphQL importing window.
  • Fixed the report naming bug that occurs users create a custom report from a base report.
  • Fixed an issue that causes the attack process not to be completed for a security check when there is an error occurred while attacking a parameter with an attack pattern.
  • Fixed a bug that updates all built-in scan policies instead of edited scan policy.
  • Fixed a typo on Skip Crawling & Attacking pop-up.
  • Fixed a bug that prevents an error icon from appearing after entering unacceptable characters for the scan policy name.
  • Fixed a bug that does not migrate the Spring4Shell Remote Code Execution check to a new scan policy although more than 50% of the checks are selected.
  • Fixed a bug that throws an error when the Large SPA is selected from the Load Preset Values drop-down on the Scan Policy window.
  • Fixed a bug that does not show Configuration Wizard for the Rest API TestInvicti website.
  • Fixed missing template section migration on report policy.
  • Fixed a bug that throws an error when a report is submitted upon error.
  • Fixed the LFI Exploiter null reference.
  • Fixed a bug that occurs when a detailed scan report does not report the CVSS scores for custom vulnerabilities.
  • Fixed a bug that occurs when the Log4J vulnerability profile is not migrated with the report policy migration.
  • Fixed a bug that occurs when users search the Target URL on the New Scan panel.
  • Fixed typo in the timeout error message.
  • Fixed a bug that prevents the WSDL files from being imported.
  • Fixed reporting "SSL/TLS not implemented" when scanning only TLS 1.3 supported sites.
  • Fixed a bug that throws an error for NTLM authentication when the custom username and password credentials are provided when the system proxy is entered into the appsetting.json
  • Fixed the bug that the passive vulnerabilities were reported from out-of-scope links.

REMOVAL

  • Removed Expect-CT security check.
  • Removed the End-of-Text characters in URL rewrite rules.