Home
/
Documentation
/
18-Mar-2015
Invicti Product Release Notes
Invicti Enterprise On-Demand
Invicti Enterprise On-Premises
Invicti Standard
Invicti Application Security Platform
18 Mar 2015

18-Mar-2015

Read the blog post for more details about this version

NEW WEB SECURITY TESTS

  • Ruby on Rails Remote Code Execution vulnerability
  • Off the shelf Web Application Fingerprinting and detection of known security issues (Such as WordPress, Joomla and Drupal)
  • Version disclosure checks for Apache module mod_ssl, Ruby and WEBrick HTTP web server
  • Identification of phpMyAdmin and Webalizer
  • Detection of SHTML error messages that could disclose sensitive information
  • New WebDAV engine that detects WebDAV implementation security issues and vulnerabilities
  • Server-Side Includes (SSI) Injection checks.

NEW FEATURES

  • Scan Policy Editor that allows you to build own scan policies for more efficient web application security scans.
  • Oracle CHR encoding and decoding facility in the Encoder pane
  • Support for multiple exclude and include URL patterns which can also be specified in REGEX
  • Knowledge base node where additional information about the scanned website is reported to the user
  • New PCI Compliance Report template.

IMPROVEMENTS

  • Default include and exclude URL pattern has been improved
  • DOM Parser now supports proxies and client certification support
  • The performance of the Controlled Scan user interface has been improved
  • HTTP Response text editor automatically scrolls to the first highlighted text when viewed
  • Improved vulnerability classifications
  • Vulnerability templates text has been improved
  • Updated the look and feel of the vulnerability templates
  • Version vulnerability database updated with new web applications version for better finger printing
  • Cross-site scripting exploit generation improved
  • Improved confirmed vulnerability representation on Detailed Scan Report
  • Internal Path Disclosure for Windows and Unix security tests have been improved
  • Improved version disclosure security tests for Perl and ASP.NET MVC
  • Start a Scan user interface by moving rarely used settings to Invicti general settings
  • Improved the performance of security scans which are started using the same Invicti process
  • Scope documentation text has been updated
  • Updated WASC links to point to the exact threat classification page
  • Improved custom 404 detection on sites where the start URL is redirected.

BUG FIXES

  • Fixed a bug in XSS report templates where plus char encoding was wrong
  • Fixed a bug which causes multibyte unicode characters to be corrupted upon retrieval
  • Fixed a bug where "Auto Complete Enabled" isn't reported
  • Fixed a bug where Community Edition was asking for exporting sessions
  • Fixed a bug causes redundant responses to be stored on redirects
  • Fixed a bug causing a NullReferenceException during reporting
  • Fixed a bug where custom cookies are not preserved when an exported session is imported
  • Fixed a bug on report templates where extra fields were missing when there are multiple fields
  • Fixed the radio button overlap issue on Encoder panel for high DPIs
  • Fixed an issue where CSRF tokens weren't applied for time based (blind) engines in late confirmation
  • Fixed an issue where data grids on Settings dialog were preventing to cancel the dialog when an invalid row is present
  • Fixed an issue where some logouts occurred on attack phase couldn't be detected
  • Fixed a bug which causes requests to URLs containing text HTMLElementInputClass
  • Fixed a bug where the injection request/response could be clipped wrong in the middle of HTML tags
  • Fixed the size of the Configure Authentication wizard for higher DPIs
  • Fixed an issue with CLI interpretation where built-in profiles couldn't be specified
  • Fixed the COMException thrown on Configure Authentication wizard on pages that contain JavaScript calls to window.close()
  • Fixed clipped text issue on scan summary dashboard severity bar chart
  • Fixed the anchors to vulnerability details in OWASP Top Ten 2010 report template
  • Fixed incorrect buttons sizes on message dialogs on high DPI settings
  • Fixed a startup crash which occurs on systems where "Use FIPS compliant algorithms for encryption, hashing, and signing" group policy setting is enabled
  • Fixed click sounds on vulnerability view tab
  • Fixed an issue where find next button was not working on HTTP Request / Response tab
  • Fixed a bug on Configure Authentication wizard occurs when the response contains multiple headers with same names.


Note: Due to major updates to the scan files, Invicti version 3 cannot open scans exported with previous versions of Invicti (.nss files).