Home
/
Documentation
/
2-Dec-2019
Invicti Product Release Notes
Invicti Enterprise On-Demand
Invicti Enterprise On-Premises
Invicti Standard
Invicti Application Security Platform
02 Dec 2019

2-Dec-2019

NEW FEATURES

  • Introduced Technologies feature which finds and lists the technologies used in web applications and reports on problems
  • Added out of the box issue tracking integration for PagerDuty, Clubhouse, Trello, Asana, Webhook, Microsoft Teams, and CircleCI
  • Added new API endpoints for managing Team Members and listing Activity Logs
  • Added a new Scan Profiles page in the Scans menu
  • Added a new Comments box to the New Scan window, accessible while launching scans
  • Added facility to send New Scan notifications using the Slack integration
  • Upgraded the Invicti scanning engine to version 5.5.1.26518

NEW SECURITY CHECKS

  • Added a new Security Check – HTTP Parameter Pollution (HPP)
  • Added a new Security Check – BREACH Attack Detection
  • Added Out-of-Date checks for Ext JS
  • Added Oracle Cloud and Packet Cloud SSRF attack patterns
  • Added a Web Cache Deception engine to the list of Security Checks
  • Added a new XXE pattern for detecting the Axway SecureTransport 5.x XXE vulnerability
  • Added new attack patterns for DOM based XSS
  • Added new attack patterns for Remote Code Execution in Ruby
  • Added new attack patterns for Out-of-Band Remote Code Execution in Ruby
  • Added new attack patterns for Remote Code Execution in Python
  • Added new attack patterns for an Open Redirect security check
  • Added an email validation bypass payload for XSS
  • Added a header injection XSS pattern
  • Added a security check to determine whether an HTTP website has been implemented with SSL/TLS
  • Added a security check for File Content Disclosure in Ruby on Rails by exploiting an Accept header
  • Added mutation XSS patterns
  • Fixed the SSRF confirmation problem
  • Added Apple’s App-Site Association file detection
  • Added exploitation support for File Content Disclosure in Ruby On Rails, CVE-2019-5418
  • Added new LFI attack patterns for the access.log file
  • Added support for exploiting JSONP endpoints with the format parameter in Ruby On Rails
  • Added support for detecting Python Remote Code Execution
  • Added RFC compatible SSRF IPv6 patterns
  • Improved the Apache Struts (CVE-2013-2251) attack pattern
  • Added PHP Injection Fixed One Time Referrer attack
  • Updated the attack value of the PHP Injection Fixed One Time Attack pattern to use short notation instead of the print function
  • Improved the Regex pattern of the WebLogic Version Disclosure pattern
  • Added a PoC pattern for Apache Struts (CVE-2013-2251)
  • Added Out-of-Date checks for the Slick JavaScript library
  • Added Out-of-Date checks for the ScrollReveal JavaScript library
  • Added Out-of-Date checks for the MathJax JavaScript library
  • Added Out-of-Date checks for the Rickshaw JavaScript library
  • Added Out-of-Date checks for the Highcharts JavaScript library
  • Added Out-of-Date checks for the Snap.svg JavaScript library
  • Added Out-of-Date checks for the Flickity JavaScript library
  • Added Out-of-Date checks for the D3.js JavaScript library
  • Added Out-of-Date checks for the Google Charts JavaScript library
  • Added Out-of-Date checks for the Hiawatha and Cherokee server
  • Added Out-of-Date checks for the Oracle WebLogic server
  • Added Out-of-Date check for IIS
  • Added Version Disclosure detection for the Hiawatha Server
  • Added Version Disclosure detection for the Cherokee Server
  • Added Source Code Disclosure checks for Java Servlets
  • Added Source Code Disclosure checks for Java Server Pages
  • Added New Source Code Disclosure patterns for Java
  • Added detection for .htaccess file Identified
  • Added detection for Opensearch.xml files
  • Added detection for SQLite error messages
  • Added detection for security.txt files
  • Added detection for swagger.json files
  • Added detection for Open Search files

IMPROVEMENTS

  • Added the ability to create custom fields for ServiceNow integration
  • Added auto-detection of the Time zone during the sign up process
  • Improved Jira integration to support raw values for complex custom field types
  • Added a new format option to the Date and Time Format dropdown in the Change Account Settings window
  • Improved the text in Email Notifications
  • Improved the Category field's option names in the New ServiceNow Integration window
  • Improved the Issue template for Azure DevOps integrations
  • Added capability to add User Mapping for hosted Jira systems
  • Added more details to the CSV report which can be generated from the Activity Logs window
  • Added ongoing scan information for the target agent in the Manage Agents window
  • Added the capability to disable the Maximum Scan Duration field in the New Scan window (On-Premises only)

BUG FIXES

  • Fixed an inaccurate warning message that was displayed when canceling a scan
  • Fixed an issue where the Technical Contact was not set as expected in the Edit Website window
  • Fixed an issue where a website could not be added if the target URL contained a hyphen character
  • Fixed an issue where the configured Scan Profile was not used in Azure DevOps integrations
  • Fixed various browser compatibility issues with Safari
  • Fixed a bug where validation was not working as expected for the Hawk settings in the Scan Policy window