Invicti Enterprise On-Premises 11 Apr 2016

New Features

• Added the functionality to pause and resume scans.
• Added support for automatic crawling and scanning of Parameter-Based Navigation websites.
• Added a new option in the Scan Policy to allow users to add new extensions for the crawler to text parse.
• Added support to allow users to select a scanning agent for a scan in an on-premises installation.
  

New Security Checks

• Added Missing X-XSS-Protection Header vulnerability check.
• Added Video.js JavaScript library detection.
• Added Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability check.

Improvements

• Added the Smart DFS feature to the Dom Parser which uses a similarity heuristic technology for DOM elements to avoid  multiple scanning of the same or similar parameters.
• Improved “Not Found Analyzer” to better handle binary responses and long strings.
• Added a link to the proof URL for XSS vulnerabilities.
• Added link generation to Text Parser for all select element options.
• Improved DOM parser to skip redirect responses.
• Improved the DOM parser to use the input value for auto-suggest simulation when input is not in a form.
• Added support for modifying asynchronous javascript executions in order to increase DOM Parser coverage.
• Improved relative link parsing on JavaScript files.
• Improved the coverage of file upload security checks.
• Improved the coverage of XSS security checks.
• Improved UI of the scan policy optimized wizard.
• API authentication method updated for backward compatibility.

Bug Fixes

• Fixed an issue where LFI attack patterns were being reported as internal path disclosure.
• Fixed the incorrect raw response representing SSL connections.
• Fixed an issue where forms containing ignored parameters were not reported as a CSRF vulnerability.
• Fixed a case where dynamically generated HTML option elements’ change event were not being triggered.
• Fixed cross-domain document access errors on DOM parser and XSS scanner.
• Fixed an issue where a JSON request’s method was incorrectly recognized as POST rather than GET.
• Fixed a retest issue where a vulnerability fix is reported by mistake.
• Fixed form values target setting to use Name as the default value when a Target is not selected.
• Fixed a file extension parsing issue related with File Extension List knowledgebase item.
• Fixed a hang issue that occurs while performing JavaScript library security checks.
• Fixed a custom form authentication API issue where “ns” namespace was conflicting with a global variable on target website – auth API has been moved to “netsparker” namespace preserving the “ns” backward compatibility.
• Fixed a DOM Parser and XSS scanner bug that incorrectly followed redirects.
• Fixed a form values issue – empty form values should not set any default values for parameters.
• Fixed an issue during which the setting of the Connection request header failed.