Invicti Enterprise On-Premises Release Notes

19-Sep-2018

NEW FEATURES

  • Added support to save and re-use filters on the list pages (Recent Scans, Websites, Issues, etc.)
  • Added out of the box integration for Slack and ServiceNow
  • Introduced the Report Policy Editor, which allows customizing Scan Report results
  • Added Russian FSTEC BDU Vulnerability Database numbers to version vulnerabilities

NEW SECURITY CHECKS

  • Added Out of Band Server Side Template Injection security checks
  • Added signature detection check for Caddy web server
  • Added signature detection check for aah Go server
  • Added signature detection check for JBoss application server
  • Added CakePHP framework detection
  • Added CakePHP version disclosure detection
  • Added CakePHP out-of-date version detection
  • Added CakePHP Stack Trace Disclosure
  • Added CakePHP default page detection
  • Added Out of Date checks for CKEditor 5

IMPROVEMENTS

  • Configured the scanner agent's service options to recover automatically if it stops
  • Improved display order of vulnerabilities in several reports
  • Improved the wording in OWASP and Trend Matrix reports
  • Updated the licensing model
  • Allowed team members to manage their IP restrictions (previously only account administrators were allowed)
  • Scheduled Scans will not be queued if a delayed one already exists in the scan queue
  • Improved Agent List page to display unavailable agents
  • Improved the wording in Website and Global Dashboard pages
  • Improved '/websites/get' API endpoint to allow filtering by URL
  • Improved validation messages for SSO settings
  • Improved styling of Permission Matrix on New Team Member page
  • Fixed error where Scheduled Scans were disabled by the system on license expiry (they're now available again on license renewal)
  • Updated .NET Framework version requirement to 4.7.2
  • All authentication vulnerabilities (Basic, NTLM, Digest, etc. Authorization Required) are merged into a single vulnerability
  • Added Label field for JIRA Send To actions
  • Added Tags field for Manuscript (FogBugz) Send To actions
  • Improved SQL Injection proof data by stripping HTML tags
  • Improved CSRF token detection in cookie values

BUG FIXES

  • Fixed a PDF scaling issue that caused fonts to be rendered very small in report templates
  • Fixed a pagination problem on the Scheduled Scans and Website Group pages
  • Fixed a bug where screenshots are displayed for Scans run by Internal Agents
  • Fixed the incorrect Content-Type header sent during Form Authentication requests
  • Fixed the WAF rule generated for the TRACE/TRACK HTTP methods, which was blocking the other HTTP methods too
  • Fixed the URL encoding issue for vulnerabilities that are sent to Manuscript (formerly FogBugz)
  • Fixed the error where the Expect-CT header was reported as an interesting header
  • Fixed Content-Type header parsing when there was an extra semicolon character at the end of the value
  • Fixed the incorrect response displayed for Server Side Request Forgery (SSRF) vulnerabilities when the request was redirected to another page
  • Fixed an incorrect external reference for the ViewState is not Encrypted vulnerability
  • Fixed an incorrect Possible LFI vulnerability reported when the response was redirected
  • Fixed an incorrect Open Redirect vulnerability reported when a regular link was followed during DOM parsing
  • Fixed the broken case sensitivity check for crawled links
  • Fixed a FormatException that occurred while parsing cookies
  • Fixed a JsonReaderException that occurred while trying to parse a Swagger document
  • Fixed parsing of URLs with encoded characters
  • Fixed hanging Open Redirect checks caused by binary responses
  • Fixed the issue where a Swagger YAML file could not be imported
  • Fixed the cookie jar, which did not ignore a duplicate cookie based on the first cookie's HttpOnly flag
  • Fixed an issue where the Weak Signature Algorithm vulnerability was not reported for a self-signed root certificate
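The two cookie items in this list (the FormatException while parsing cookies, and the cookie jar that did not ignore a duplicate cookie based on the first cookie's HttpOnly flag) describe behaviour that RFC 6265 section 5.3 specifies: a non-HTTP API may not create an HttpOnly cookie, and a new cookie with the same name, domain and path must not replace an HttpOnly cookie unless it arrived in a Set-Cookie header. The following is an added example, not Invicti code, showing a lenient Set-Cookie parser and a jar that applies those two rules. The Cookie class, the sample header strings and the host name app.example.test are constructed for the example.

```python
"""Lenient Set-Cookie parsing and an RFC 6265 section 5.3 cookie jar.
Added example for these release notes; not Invicti code."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str = "/"
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header: str, request_host: str) -> Optional[Cookie]:
    """Parse one Set-Cookie value. Empty segments (a trailing ';', ';;') and
    attributes without values are skipped rather than raising."""
    parts = [p.strip() for p in header.split(";")]
    if "=" not in parts[0]:
        return None  # the name=value pair is mandatory
    name, _, value = parts[0].partition("=")
    name = name.strip()
    if not name:
        return None
    cookie = Cookie(name=name, value=value.strip(), domain=request_host.lower())
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            cookie.domain = val.lstrip(".").lower()  # domain-match check omitted here
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        # unknown attributes are ignored, as the RFC requires
    return cookie


class CookieJar:
    """Stores cookies keyed by (name, domain, path) like a browser cookie store."""

    def __init__(self) -> None:
        self._store: Dict[Tuple[str, str, str], Cookie] = {}

    def store(self, cookie: Cookie, from_http: bool) -> bool:
        """Store or replace a cookie; return False if it must be ignored.
        from_http is True for a Set-Cookie response header and False for a
        non-HTTP API such as document.cookie."""
        # RFC 6265 s5.3 step 10: a non-HTTP API cannot create an HttpOnly cookie
        if cookie.http_only and not from_http:
            return False
        key = (cookie.name, cookie.domain, cookie.path)
        old = self._store.get(key)
        # step 11: the new cookie replaces an old one with the same name,
        # domain and path, unless the old one is HttpOnly and the new one
        # came from a non-HTTP API; then the new one is ignored
        if old is not None and old.http_only and not from_http:
            return False
        self._store[key] = cookie
        return True

    def get(self, name: str, domain: str, path: str = "/") -> Optional[Cookie]:
        return self._store.get((name, domain.lower(), path))

    def cookie_header(self, domain: str, secure_channel: bool, from_http: bool = True) -> str:
        """Cookie header value for a request: Secure cookies only over TLS,
        HttpOnly cookies only for HTTP requests (never for script access)."""
        sent = [c for c in self._store.values()
                if c.domain == domain.lower()
                and (secure_channel or not c.secure)
                and (from_http or not c.http_only)]
        return "; ".join(f"{c.name}={c.value}" for c in sent)


if __name__ == "__main__":
    # Constructed sample headers for the host app.example.test
    jar = CookieJar()
    jar.store(parse_set_cookie("SESSIONID=abc123; Path=/; HttpOnly; Secure;", "app.example.test"), True)
    # a script trying to overwrite the HttpOnly session cookie is ignored
    print(jar.store(parse_set_cookie("SESSIONID=evil", "app.example.test"), False))
    print(jar.cookie_header("app.example.test", secure_channel=True))
```

The from_http flag is the whole point of the duplicate rule: a scanner or browser that keys only on the cookie name and overwrites blindly will let a script-set cookie displace an HttpOnly session cookie, which is exactly the protection the flag exists to give.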

19-Sep-2017

NEW FEATURES

  • Added scan policy settings for CSRF security checks.
  • Added ability to use custom HTTP headers during scan.
  • Added attacking optimization option for recurring parameters on different pages.
  • Added a new knowledgebase item called Site Profile that lists information about the target website, such as the web server operating system, database server, JavaScript libraries used, etc.
  • Redesigned the Basic, NTLM, Digest and Kerberos authentication settings, which now support multiple credentials for different URL paths.

NEW SECURITY CHECKS

  • Added Referrer Policy security checks.
  • Added markdown injection XSS patterns.
  • Added HostIP and IPv6 patterns to MySQL and SSH SSRF security checks.
  • Added Database Name Disclosure security checks for MS SQL and MySQL.
  • Added Out of Date security checks for several JavaScript libraries.
  • Added Remote Code Evaluation (Node.js) security checks.
  • Added SSRF detection with server-status.
  • Added user controllable cookie detection.
  • Added Context-Aware XSS detection by generating XSS payloads based on the reflected context without breaking it.
  • Added Default Page checks for IIS 7.0, 7.5, 8.5 and 10.0.
  • Added IIS 10.0 Version Disclosure checks.
  • Added WordPress Setup Configuration File checks.

IMPROVEMENTS

  • Improved design of the group scan email template.
  • Improved accessibility of several pages to follow WCAG guidelines.
  • Optimized compression time while archiving the raw scan files.
  • Added support for allowing users to launch scheduled scans manually.
  • Disabled scheduled scans if the license is expired.
  • Updated the links to several external references.
  • Improved JavaScript and CSS resource parsing.
  • Added DOM simulation options to scan policy optimizer wizard.
  • Improved Mixed Content vulnerability reporting by separating them according to resource types.
  • Improved boolean SQL injection detection for redirect responses.
  • Improved WSDL parsing for files that contain optional extensions.
  • Improved .sql file detection signature.
  • Added extra confirmation for weak credentials detection.
  • Added scan policy option to allow XHR requests during DOM simulation.
  • Added form value for password input types to default scan policy.
  • Increased the maximum response size limit for JavaScript resources.
  • Improved the send to JIRA error message.
  • Added a scan policy setting for the maximum number of option elements per select element to simulate.
  • Added a "filter colon events" scan policy option to filter events whose names contain a colon character during DOM simulation.
  • Improved error based SQLi exploitation by generating prefix/suffix dynamically.
  • Improved command injection vulnerability detection by prepending original parameter value to attack payload.
  • Improved LFI vulnerability detection by detecting HTML and URL encoded PHP source codes.
  • Improved LFI attack patterns.
  • Improved DOM XSS attack patterns.
  • Improved DOM/JavaScript simulation.
  • Improved the performance of email address disclosure detection.
  • Improved the performance of database connection string disclosure detection.
  • Improved the performance of JavaScript library detection.
  • Improved the performance of RoR database configuration detection.
  • Improved Blind Command Injection detection on Linux systems.
  • Improved resource finder to find more hidden resources.
  • Improved support for simulating customized select elements.
  • Improved NTLM, Digest and Kerberos authentication support.
  • Improved DOM simulation stability and performance.
  • Improved the default parameter name list for Parameter Based Navigation.
  • Added NTLM and Digest authentication support to the generated sqlmap and cURL commands.
  • Improved boolean and blind SQL injection checks for MySQL databases.
  • Improved blind SQL injection checks for PostgreSQL databases.
  • Improved reflected and stored XSS detection.
  • HSTS checks now report missing preload directives.
  • Updated Korean translation.
  • Improved JSON response parsing.
  • Improved DOM based XSS payloads by prepending a URL to the referer to make them practically work in web browsers.
  • Improved email disclosure checks by checking host names against the public suffix list.

BUG FIXES

  • Fixed a NullReferenceException which may have been thrown while editing the settings of a user.
  • Fixed an issue where email notifications were not sent for unconfirmed phone numbers.
  • Fixed an error which may have been thrown while deleting an account.
  • Fixed an issue where error based SQLi confirmation was done based on the first database signature seen when multiple signatures appeared in the source code.
  • Fixed the duplicate import link issue.
  • Fixed an issue where XSS was missed when the injected payload was not executed due to a syntax error.
  • Fixed crawling of URLs on pages where the base element points to another URL.
  • Fixed an issue where blacklisted Invicti attacks prevented further source code disclosures in the HTML response.
  • Fixed an issue where mixed content vulnerabilities were missed because DOM simulation was skipped due to missing JavaScript in the HTML source.
  • Fixed issues where an empty POST parameter was imported and headers were added as disabled for Postman files.
  • Fixed an issue where the signature failed to match the MS SQL username in error messages.
  • Fixed an issue where a vulnerability was missed because an arbitrary value was not appended to the extra query string parameter name.
  • Fixed the error caused by null bytes in attack patterns while sending vulnerabilities to JIRA.
  • Fixed an incorrect "Password Transmitted over HTTP" issue for relative URLs on pages redirected to HTTPS addresses.
  • Fixed the NullReferenceException thrown while importing certain HAR (HTTP Archive) files.
  • Fixed an incorrect "Interesting Header" report for the Content-Security-Policy header.
  • Fixed an issue where directory listing was not reported on some IIS versions.
  • Fixed the issue where comments in CSS files were not parsed.
  • Fixed the incorrect URL found in CSS comments.
  • Fixed incorrect CSRF vulnerability reports by taking hidden token inputs into account.
  • Fixed an IndexOutOfRangeException caused by CSP checks.
  • Fixed the signature pattern which failed to match "Programming Error Message (PHP)" spanning multiple lines.
  • Fixed markdown XSS attack patterns causing incorrect findings.
  • Fixed incorrect "Interesting Header" reports for some headers.
  • Fixed the incorrect HTTP protocol displayed for SSL vulnerabilities.
  • Fixed an issue where DOM simulation was performed once per XPath when checking for XSS.
  • Fixed the "maximum crawled URL limit exceeded" issue.
  • Fixed duplicate resource finder requests.
  • Fixed the WADL import issue where the operation failed for responses with no status codes.
  • Fixed incorrect HttpOnly reports for XSRF-TOKEN cookies; by their nature, these cookies must be accessible from JavaScript code.
  • Fixed the incorrect missing object-src report in CSP checks.
  • Fixed an issue where the default crawled value was double-encoded instead of single-encoded.
  • Fixed the missing content for the Site Profile section of the Knowledge Base report.

18-Jan-2016

FEATURES

  • Mobile friendly UI with a lot of design improvements
  • Added support for sending notification email for canceled scans

IMPROVEMENTS

  • Improved resource finder checks for websites which have custom 404 pages
  • Increased the default value of the Maximum 404 Signature setting to store more signatures
  • Improved timeout calculation for vulnerability checks which require late confirmation
  • Replaced scan finish dates with scan URLs in the global dashboard
  • Permissions can be entered while inviting a user
  • Added icon for scheduled scan items
  • Optimized instance launch times for AWS agents
  • Improved API documentation for scan policy and website endpoints
  • Improved website address validation rules
  • Improved website selection on the new scan page
  • Added tooltips to scan policy and new scan pages
  • Added Enable Content Type Checks setting to scan policy scope section
  • Improved validation for scan profile names
  • Improved notification email templates

FIXES

  • Fixed an issue where a scheduled scan's target URL scheme could not be changed
  • Fixed tooltip text for completed scans
  • Fixed a bug where an entered URL rewrite rule was overridden on focusing the regex input
  • Fixed an issue where the Ignore These Content Types setting was not set correctly
  • Fixed an issue where scan policy names were duplicated
  • Fixed an issue where form authentication settings were not initialized correctly for group scans
  • Fixed a DOM simulation issue where not all delegated events on an element were called
  • Fixed a Heartbleed security check issue that was causing the crawling phase to stall

18-Jan-2016

FEATURES

  • Added automatic configuration of URL rewrite rules
  • Added the Scan Policy Optimizer
  • Added automated evidence collection to several confirmed vulnerabilities
  • Added sessionStorage and localStorage support
  • Added URL Rewrite knowledgebase node to list the URL patterns that have been discovered
  • Added support for deleting a team member permanently
  • Added support for detecting outdated versions of popular JavaScript client-side libraries
  • Added vulnerability tasks' todo list to dashboard
  • Added "Do not expect challenge" option to basic authentication settings
  • Added "Override Target URL with authenticated page" option to form authentication settings
  • Added several new knowledge base nodes to report SSL and CSS issues, and one for slowest pages
  • Added "Websites that have shortest fix time" and "Websites that have longest fix time" tables on global dashboard
  • Added support for displaying relative dates in a friendly format
  • Added import links support to new scan API endpoint

NEW SECURITY CHECKS

  • Added Windows Short File Name security checks
  • Added several new backup file checks
  • Added web.config pattern for LFI checks
  • Added boot.ini pattern for LFI checks
  • Added a signature which checks against a passive backdoor affecting vBulletin 4.x and 5.x versions
  • Added a signature which checks against an error message generated by regexp function at MySQL database
  • Added DAws web backdoor check
  • Added MOF Web Shell backdoor check
  • Added RoR database configuration file detection
  • Added RoR version disclosure detection
  • Added RoR out-of-date version detection
  • Added RoR Stack Trace Disclosure
  • Added RubyGems version disclosure detection
  • Added RubyGems out-of-date version detection
  • Added Ruby out-of-date version detection
  • Added Python out-of-date version detection
  • Added Perl out-of-date version detection
  • Added RoR Development Mode Enabled detection
  • Added Django version disclosure detection
  • Added Django out-of-date version detection
  • Added Django Development Mode Enabled detection
  • Added PHPLiteAdmin detection
  • Added phpMoAdmin detection
  • Added DbNinja detection
  • Added WeakNet Post-Exploitation PHP Execution Shell (WPES) detection
  • Added Adminer detection
  • Added Microsoft IIS Log File detection
  • Added Laravel Configuration File detection
  • Added Laravel Debug Mode Enabled detection
  • Added Laravel Stack Trace Disclosure
  • Added S/FTP Config File detection

IMPROVEMENTS

  • Improved the algorithm for calculating vulnerability fix times
  • Replaced the Manage Team permission with an "Admin" permission
  • Added support to see website dashboard without scan group filter
  • Added scan type information to "Detailed Scan Report"
  • Added paging support for scan policy list
  • Improved new user email template
  • Increased website verification failure limit
  • Changed vulnerability chart's colors on the dashboard page
  • Added icons for displaying vulnerability status on the vulnerability task page
  • Knowledgebase items are expanded by default if they contain a single item
  • Added retestable information to vulnerability detail on the scan report page
  • Users are redirected to scan group create page if no scan group is found on new scan
  • Added a warning message if target path does not end with a trailing slash on the new scan
  • Added first seen date information to vulnerabilities page
  • Several scan performance improvements to reduce memory usage
  • Improved credit card detection to eliminate false positives
  • HTTP cookie handling code was rewritten from scratch to conform with the latest RFCs, which modern browsers also follow
  • SSL cipher support check code has been rewritten to support more cipher suites
  • SSL checks are now made for target URLs even when the protocol is HTTP
  • Updated the embedded Chrome-based browser engine to version 41
  • Added more ignored parameters for ASP.NET web applications
  • Improved scan policy versioning where new security checks are automatically included or excluded by default on existing scan policies
  • Improved LFI pattern that matches win.ini files
  • Improved XSS coverage by adding an attack pattern for email inputs which require an @ character
  • Improved cookie vulnerability details to show all cookies that are not marked as Secure or HttpOnly
  • Improved out-of-date vulnerability templates by including severity information of vulnerabilities for that version of software
  • Improved out-of-date vulnerability reporting by increasing the severity of the vulnerability if that version of software has an important vulnerability
  • Improved Ruby version disclosure detection
  • Improved SQL injection vulnerability template by adding remedy information for more development environments
  • Improved common directory checks by adding more known directory names
  • Updated default user agent
  • Improved the default Anti-CSRF token name list
  • Improved database error messages vulnerability detection for Informix
  • Added new XSS attack pattern for title tag in which JavaScript execution is not possible
  • Improved XHTML attacks to check against XSS vulnerabilities
  • Optimized confirmation of Boolean SQLi
  • Added exploitation for Remote Code Evaluation via ASP vulnerability
  • Revamped DOM based XSS vulnerability detail with a table showing XPath column
  • Changed SQLi attack patterns specific to MSSQL database with shorter ones
  • Improved the SQLi attack pattern that triggers a vulnerability in LIMIT clauses specific to the MySQL database
  • DOM simulation is turned off for hidden input types, which caused false-positive confirmed XSS vulnerabilities
  • Improved the "Name" form value pattern to match more inputs
  • Improved confirmation of Expression Language Injection vulnerability
  • Improved Frame Injection vulnerability details
  • Added .phtml extension to detect code execution via file upload
  • Improved blind SQL injection detection on some INNER JOIN cases
  • Improved external references section of "Remote Code Evaluation (PHP)" vulnerability
  • Added retest support for several vulnerability types
  • Improved Apache Tomcat detection patterns
  • Increased the number of sensitive comments reported
  • Improved the text parser
  • Added separate checks in scan policy for each supported web app fingerprint application

FIXES

  • Fixed an issue where imported relative links were not set correctly
  • Fixed an issue where scheduled scan names were duplicated
  • Fixed URL rewrite analysis to respect case sensitivity settings
  • Fixed a form authentication issue where image submit elements were not clicked
  • Fixed an issue that occurred when the HTTP response body started with a Unicode BOM
  • Fixed Open Redirect security checks so they do not perform DOM based checks if DOM checks are turned off
  • Fixed the static resource finder, which was not following a redirect
  • Fixed DOM simulation hanging if a rogue JavaScript call entered an endless loop
  • Fixed slow XSS highlights on some responses
  • Fixed a bug where the Full-URL LFI attack which is specific to Ruby-on-Rails applications could not be confirmed
  • Fixed a bug where an XSS vulnerability could not be confirmed when the injection occurred in the middle of a CSS style
  • Fixed a bug where a generated XSS exploit did not work due to incorrect encoding
  • Fixed a bug where a false-positive file upload vulnerability was reported
  • Fixed a bug where the maximum number of hard fails prevented the next scan from making HTTP requests
  • Fixed the "Missing Content-Type" reporting issue where redirected responses should not be reported
  • Fixed an issue where send failures were not handled while making HTTP requests
  • Fixed the credit card reporting issue where the value specified in the default form values section should not be reported
  • Fixed the trimmed parameter name issue on the controlled scan panel
  • Fixed the documentation for the nginx vulnerability template that explains how to fix the issue
  • Fixed HSTS support for form authentication HTTP requests
  • Fixed a URI parsing issue where non-HTTP(S) protocols were ignored
  • Fixed a bug where an attribute based attack could not be confirmed as XSS
  • Fixed a bug where an injection with the "javascript:" protocol for XSS attacks occurred after a new line
  • Fixed a bug where exploitation went into a loop and caused an unresponsive UI for error based SQLi
  • Fixed a bug where a relative redirection was reported as an Open Redirect vulnerability
  • Fixed an issue where a Groovy RCE was reported as a Perl RCE
  • Fixed a WSDL parsing issue where reference parameters were not handled correctly
  • Fixed a WSDL parsing issue where XML types were not handled correctly
  • Fixed an issue that occurred during form authentication with an HSTS site that redirects to a URL with the http protocol
  • Fixed a bug where the hash is reported incorrectly in a DOM based XSS vulnerability
  • Fixed the misleading content in basic authentication over clear text vulnerability

18-Jan-2016

FIXES

  • Fixed a bug where vulnerability evidence was not persisted as expected

18-Apr-2018

BUG FIXES

  • Fixed a bug where crawling is not working as expected.
  • Fixed a security vulnerability in form authentication verification.

17-Oct-2016

NEW FEATURES

  • Added the ability to configure the scanner to scan websites which are linked from the target website.
  • Added the Common Vulnerability Scoring System (CVSS) in vulnerability reports.
  • Added the OWASP Proactive Guide to classification list.

NEW WEB SECURITY CHECKS

  • Added security checks for Content Security Policy (CSP) web security standard.
  • Added DOM based open redirection security check.

IMPROVEMENTS

  • Improved the Cross-site Scripting (XSS) vulnerability security checks coverage.
  • Renamed "Permanent XSS" vulnerability to "Stored XSS".
  • Added type ahead search functionality for Scan Policy > Security Checks.
  • Added HTTP methods to AJAX / XML HTTP Requests knowledge base section.
  • Optimized the performance of SOAP web service parsing by skipping the WSDLs that are already parsed.
  • Added Scan Policy > Crawling options to enable/disable parsing of SOAP and REST web services.
  • Improved DOM simulation by simulating "contextmenu" events.
  • Increased the default values for "Maximum Page Visit" and "Max. Number of Parameters to Attack on a Single Page" settings.
  • Improved XML parsing during crawling by parsing empty XML elements as parameters too.
  • Added the ability to attack parameter names.
  • Added a note to vulnerability detail for non-exploitable frame injection.
  • Added .jhtml and .jsp attacks to file upload engine.
  • Improved CORS security checks.
  • Improved Open Redirect engine to detect CNAME injection such as example.com.r87.com.
  • Improved XSS confirmation for vulnerabilities found inside noscript tags.
  • Added an attack pattern to the command injection engine to bypass whitespace filtering using $IFS environment variable.

BUG FIXES

  • Fixed a form authentication issue where the last form authentication sequence requests were prematurely cancelled.
  • Fixed an issue where incorrect PHP source code disclosures are reported for some binary responses.
  • Fixed the broken External Reference link on Remote Code Evaluation (PHP) vulnerability.
  • Fixed a file upload input DOM parsing issue that prevented some file upload attacks.
  • Fixed a form authentication issue that occurred on websites that open popups during the form authentication sequence.
  • Fixed a DOM simulation issue that occurred when there was a form element named "action" on the target web page.
  • Fixed the duplicate "Email Address Disclosure" reporting issue.
  • Fixed a NullReferenceException that occurred during CORS security checks.
  • Fixed a CSRF exploit generation issue where the generated file was empty.
  • Fixed an issue where an XSS vulnerability was missed when multiple redirects occurred.
  • Fixed a text parsing issue where relative URLs were not supported as base href values.
  • Fixed an issue where the Missing X-Frame-Options Header vulnerability was reported even though ALLOW-FROM was included in the header.
  • Fixed an XSS attacking issue where duplicate attacks were made for the same payload.
  • Fixed a Header Injection attack issue where the first line of the HTTP request got corrupted on full URL attacks.
  • Fixed an issue where post exploitation does not work sometimes.
  • Fixed a form authentication issue where any slash character in credentials cannot be used.
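Several items across these notes are passive response-header checks and the edge cases that broke them: a Content-Type value ending in an extra semicolon, the Expect-CT and Content-Security-Policy headers wrongly reported as "interesting", the missing HSTS preload directive, the object-src report that ignored the default-src fallback, "Missing Content-Type" reported on redirects, and X-Frame-Options with ALLOW-FROM reported as missing. The following is an added example, not Invicti code, showing how such checks can be written so they handle those inputs; the KNOWN_HEADERS set, the finding strings, the check_response function and the two sample header sets are all constructed for the example.

```python
"""Passive HTTP response-header checks of the kind listed in these notes.
Added example for these release notes; not Invicti code."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Headers the checker already understands; anything else is surfaced as an
# "interesting header" for a human to review. Constructed, not exhaustive.
KNOWN_HEADERS = {
    "content-type", "content-length", "date", "server", "location",
    "cache-control", "set-cookie", "strict-transport-security",
    "content-security-policy", "expect-ct", "x-frame-options",
    "x-content-type-options", "referrer-policy",
}


def parse_content_type(value: Optional[str]) -> Tuple[Optional[str], Dict[str, str]]:
    """Split 'text/html; charset=utf-8;' into ('text/html', {'charset': 'utf-8'}).
    A trailing ';' leaves an empty segment, which is skipped instead of failing."""
    if value is None:
        return None, {}
    segments = [s.strip() for s in value.split(";")]
    media = segments[0].lower() or None
    params: Dict[str, str] = {}
    for seg in segments[1:]:
        if not seg:
            continue
        key, _, val = seg.partition("=")
        params[key.strip().lower()] = val.strip().strip('"')
    return media, params


def check_x_frame_options(value: Optional[str]) -> List[str]:
    """DENY and SAMEORIGIN are fine; ALLOW-FROM <origin> (RFC 7034) is a valid
    legacy form and must not be reported as a missing header."""
    if value is None:
        return ["Missing X-Frame-Options header"]
    v = value.strip()
    if v.upper() in ("DENY", "SAMEORIGIN"):
        return []
    if v.upper().startswith("ALLOW-FROM"):
        origin = v[len("ALLOW-FROM"):].strip()
        if origin and urlparse(origin).scheme in ("http", "https"):
            return []
        return ["Misconfigured X-Frame-Options header: ALLOW-FROM without an origin"]
    return [f"Misconfigured X-Frame-Options header: {v}"]


def _directives(value: str, sep: str) -> Dict[str, str]:
    """Parse 'k=v; k2' (sep '=') or 'name src src; name2' (sep ' ') into a dict."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, rest = part.partition(sep)
            out[name.strip().lower()] = rest.strip()
    return out


def check_hsts(value: Optional[str]) -> List[str]:
    if value is None:
        return ["HSTS not enabled"]
    d = _directives(value, "=")
    findings = []
    if not d.get("max-age", "").isdigit():
        findings.append("HSTS max-age directive missing or invalid")
    if "preload" not in d:
        findings.append("HSTS preload directive missing")
    return findings


def check_csp(value: Optional[str]) -> List[str]:
    if value is None:
        return ["CSP not implemented"]
    d = _directives(value, " ")
    # object-src falls back to default-src, so it is only missing when neither is set
    if "object-src" not in d and "default-src" not in d:
        return ["CSP object-src directive missing and no default-src fallback"]
    return []


def check_response(status: int, headers: Dict[str, str]) -> List[str]:
    """Run all checks over one response; header names match case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    media, _params = parse_content_type(h.get("content-type"))
    if media is None and not 300 <= status < 400:  # redirects are exempt
        findings.append("Missing Content-Type header")
    findings += check_x_frame_options(h.get("x-frame-options"))
    findings += check_hsts(h.get("strict-transport-security"))
    findings += check_csp(h.get("content-security-policy"))
    findings += [f"Interesting header: {n}" for n in h if n not in KNOWN_HEADERS]
    return findings


# Constructed sample responses, not captured from any real site.
HARDENED = {
    "Content-Type": "text/html; charset=utf-8;",
    "X-Frame-Options": "ALLOW-FROM https://portal.example.test",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Expect-CT": "max-age=86400, enforce",
}
WEAK = {
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOW-FROM",
    "Strict-Transport-Security": "max-age=0",
    "Content-Security-Policy": "script-src 'self'",
    "X-Powered-By": "PHP/7.4",
}

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, check_response(200, hdrs))
```

Each parser deliberately skips empty segments and lowercases names before comparing, which is what keeps a trailing semicolon, an unusual header case or a legacy-but-valid ALLOW-FROM value from turning into a false positive or an exception.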

17-Nov-2016

FIXES

  • Fixed a licensing bug in a third-party library.

17-Jan-2020

NEW FEATURES

  • Added out of the box issue tracking integration for Kenna
  • Added OTP support to the Form Authentication tab in the New Scan window
  • Added filtering support to the New Notification window, which means you can filter the issues that will be sent for a Scan Completed event
  • Upgraded the Invicti scanning engine to version 5.5.4.26863

IMPROVEMENTS

  • Added a new setting, Max Uploaded File Size, to the General Settings window (On-Premises only)
  • Improved the UI design of the Scan Summary section on the Report window
  • Added a Time Zone option to the Scan Time Window tab
  • Improved the Azure DevOps integration to support email addresses for the Assigned To setting
  • Improved the Scan Completed event template's SMS notification text
  • Added an About page to display VDB and app versions, available by clicking your name (On-Premises only)
  • Added the ability to filter using Website Group names for various API endpoints
  • A detailed error message is now displayed if an imported file is invalid
  • Improved GitHub integration to support the GitHub Enterprise edition

BUG FIXES

  • Fixed an issue where Imported Links were not being saved when the Target URL was empty
  • Fixed an issue where not all proofs were displayed for Stored Cross-Site Scripting vulnerabilities
  • Fixed a bug where the 'Do not stop scan when maximum logout is exceeded' setting was not working as expected

17-Jan-2019

NEW FEATURES

  • Added issue synchronization support for Jira and Manuscript issue trackers
  • Added notification support for Fixed, Revived, False Positive and Accepted Risk Issues to Slack integration
  • Upgraded the Invicti scanning engine to v5.2-hf2 (5.2.0.22027)
  • Added a new Vulnerability Families feature, where similar types of vulnerabilities are no longer reported separately
  • Added out of the box Issue tracking integration for GitLab, Bitbucket, Unfuddle, Zapier, and Azure DevOps
  • Added support for Swagger 3/OpenAPI link import
  • Added support for importing links in the IOdocs file format
  • Added Retest support for several Cookie vulnerabilities
  • Added a new Knowledge Base item for Not Found pages
  • Added ISO 27001 vulnerability classifications and report template
  • Added custom field support for Issue tracking integrations
  • Added Azure DevOps Continuous Integration system integration
  • Added PowerShell support to the GitLab Continuous Integration system integration. The GitLab page now has Integration Script Generator information for GitLab PowerShell scripts.
  • Added Pipeline Script Generation support to the Jenkins Continuous Integration system information. The Jenkins page now has Integration Script Generation information for Jenkins Pipeline scripts.

NEW SECURITY CHECKS

  • Added a new pattern for CherryPy Version Disclosure
  • Added an LFI attack pattern for WEB-INF/web.xml
  • Added Ruby Error Disclosure detection
  • Added WP Engine Configuration File detection
  • Added CherryPy Stack Trace Disclosure detection
  • Added Intro.js Out-of-date Version detection
  • Added Axios Out-of-date Version detection
  • Added Fingerprintjs2 Out-of-date Version detection
  • Added XRegExp Out-of-date Version detection
  • Added DataTables Out-of-date Version detection
  • Added Lazy.js Out-of-date Version detection
  • Added FancyBox Out-of-date Version detection
  • Added Underscore.js Out-of-date Version detection
  • Added Lightbox Out-of-date Version detection
  • Added JBoss application server Out-of-date Version detection
  • Added SweetAlert2 Out-of-date Version detection
  • Added Lodash Out-of-date Version detection
  • Added Bluebird Out-of-date Version detection
  • Added Polymer Out-of-date Version detection

IMPROVEMENTS

  • Added Content Security Policy (CSP) to the Invicti Enterprise web application
  • Changed enum values to display in alphabetical order in the Value column in the Filter popup
  • Added an Audit Log for Rate Limited requests
  • Highlighted selected option for JavaScript section on the New Scan Policy page
  • Highlighted relevant tabs for validation errors on the New Scan Policy page
  • Improved the Report Policy page to make it more responsive and added a scroll bar
  • Improved help text for Application and Service Discovery pages
  • Added a Check/Uncheck by Severity filtering option on the Report Policy page
  • Added PHP extension attack for Nginx vulnerability to the File Upload engine
  • Added File Upload patterns for the Nginx Parsing vulnerability
  • Added settings to the File Upload engine for configuring upload folders
  • Added errorlog.axd detection support
  • Improved elmah.axd detection
  • The severity of the Cookie Not Marked as Secure vulnerability was lowered for non-session cookies
  • Improved SSTI PHP Smarty attack detection
  • Improved the Swagger link importer to handle additional properties with integer and string value types
  • Improved the Expect-CT engine by only reporting a vulnerability once for each host
  • Improved RSA key confirmation by handling OpenPGP format
  • Increased the HSTS Not Enabled vulnerability severity from Information to Low
  • Improved HTTP 407 Proxy Authentication error handling
  • Added classifications to the HSTS Not Enabled vulnerability
  • Excluded unpopular JavaScript Library Out of Date checks from the default policy to improve performance
  • Improved CSP security checks by analyzing empty responses, as CSP can be declared on headers instead of meta tags
  • Generalized the RegEx Pattern of the trace.axd detected vulnerability to match all languages
  • Improved JSON format detection
  • Replaced Unicode replacement characters with question marks in responses
  • Added a Scan Policy option to attack cookies
  • Improved element click DOM simulation for various element types
  • SRI Not Implemented will no longer be reported for localhost URLs
  • Improved ASP.NET error message detection
  • Added descriptions to PCI categories in the PCI Compliance Report
  • Improved Boolean SQL Injection detection
  • Improved the Blind Command Injection attack patterns
  • Improved the representation of Report Template compilation errors
  • Misconfigured X-Frame-Options Header is now reported separately
  • Improved Source Code Disclosure checks to prevent the reporting of JavaScript template pages
  • Status Code, Status Description and Content Length information have been added to the Slowest Pages node in the Knowledge Base
  • Improved WADL document parsing by ignoring DTDs
  • Improved Open Redirect DOM based confirmation performance
  • Long identified source code is shortened in Possible Source Code Disclosure vulnerabilities
  • Cookie vulnerabilities now report where the cookie was set from
  • Improved Swagger Document Format detection
  • The file upload engine now detects new links in the response after the file is uploaded

BUG FIXES

  • Fixed the issue where Authentication did not work when retesting
  • Fixed the issue where the Swagger importer generated an invalid JSON request body
  • Fixed the ArgumentException thrown while performing Heartbleed security checks
  • Fixed the issue where the wrong version was identified for Drupal
  • Fixed a disallowed HTTP method issue where some methods were still being allowed
  • Fixed a typo in the CSP Not Implemented vulnerability details
  • Fixed a Form Authentication issue that occurred on some React-based websites
  • Fixed signature detection for links found via the crawler
  • Fixed an issue in the CSP engine where it reported an incorrect vulnerability
  • Fixed a URL encoding issue in DOM simulation that was causing some vulnerabilities to be missed
  • Fixed the issue where the text parser incorrectly parsed extensions in the onclick event
  • Fixed duplicate parsing source field values reported for IFrame vulnerabilities
  • Fixed an issue where Apache MultiViews could not be detected in the target server
  • Fixed the incorrect Cookie Expire Date set during Form Authentication
  • Fixed the incorrect Source Code Disclosure report caused by SSTI attacks
  • Fixed a Content-Type parsing issue in Form Authentication
  • Fixed the issue where cookies received via Form Authentication were not being analyzed for vulnerabilities
  • Fixed the incorrect Source Code Disclosure reported when an XSS via RFI vulnerability was found
  • Fixed a bug in cookie handling code during Form Authentication
  • Fixed the incorrect severity reported for the Cookie not Marked as Secure vulnerability on some scans
  • Fixed an ArgumentOutOfRangeException thrown on some long scans
17-Feb-2021

IMPROVEMENTS

  • Added the option to provision a new member with SSO in the New Team Member addition screen.
  • An SSO email is no longer required for SSO-enabled accounts that do not enforce SSO
  • Renewed PCI Compliance Report template
  • Added scan profile and scan profile URL to scan report.
  • Added the option to add a customized header text on the Account Settings page
  • Improved issue severity sorting. Issues will be sorted as Critical, High, Medium, Low, Best Practice, Information Alerts on all pages.
  • Redesigned Scan Time Window
  • Improved design of important information, such as email and name, in dialogs
  • Updated descriptions on edit and signup web pages
  • Changed "Enable Limitless Scan" option under the General Settings to "Allow scanning without a duration limit"
  • Redesigned Basic Authentication Form
  • Added advanced script feature for the Azure Pipelines integration
  • Updated the related RegEx to allow parentheses in website names and profile names
  • Added silent mode installation for Web Application
  • Added phone number confirmation countdown timer
  • Added the document link for Linux Agent installation on the New Agent page.
  • Improved the speed of page loading on the Custom Script screen
  • Improved the agent stability to prevent scans from being stuck
  • Added the possibility to add non-registered emails in notifications
  • Added SANS Top 25 report
  • The Target URL will be displayed instead of the website URL in the scan reports

FIXES

  • Fixed JSON Serialization problem in the scan profile
  • Fixed typos in Invicti Rest API Endpoint explanation
  • Fixed the validation message on the password change page
  • Fixed the validation message for admin password on the password change page
  • Fixed the Bugzilla operating system field's name
  • Fixed warning message for the Website Groups Update API
  • Fixed an issue where scan files belonging to completed scans were not deleted
  • Fixed the disable status error for the Linux Agent
  • Resolved Chromium's auto-select certificate problem, which caused client certificate authentication to fail
  • Fixed empty exported XML issue in F5 BIG-IP ASM Rules Report
  • Fixed an issue where "Password Transmitted over HTTP" issues were reported for HTTPS requests.
15-Mar-2016

New Features

  • Scan profiles can now be shared with all team members
  • Scan profiles can be assigned as a primary scan profile for a website so whenever a new scan is being configured for a website, the default scan profile will be the primary one

New Web Security Checks

  • Added security check for the new DROWN SSL/TLS vulnerability
  • Added "HSTS (HTTP Strict Transport Security) Not Enabled" security checks
  • Added various checks being reported with "HTTP Strict Transport Security (HSTS) Errors and Warnings"
  • Added version checks for OpenCart web application

Improvements

  • Improved JavaScript/DOM simulation for better DOM XSS security checks
  • Added "Form Values" support for JavaScript/DOM simulation and DOM XSS attacks
  • Authentication settings moved from website to scan launch screen to be included in scan profile
  • Scan scheduling operations separated from the scan launch screen
  • Changed the "Configure a new scan" page to a more ergonomic interface
  • Users with admin permission can no longer see team members' API tokens
  • Added endpoint type field to activity logs. (API or Web UI)
  • Added a new scan policy setting section for JavaScript related settings
  • Rewrote the HSTS security checks
  • Added evidence information to vulnerabilities list XML report
  • Improved out-of-date reports for applications/libraries that have multiple active stable branches (e.g. jQuery 1.x and 2.x)
  • Added the file name information for the local file inclusion evidence
  • Added source code to vulnerability details for "Source Code Disclosure" vulnerabilities
  • Improved Heuristic URL Rewrite implementation to detect more patterns and increase crawling efficiency
  • Improved the performance of DOM simulation by aggressively caching external requests
  • Improved the performance of DOM simulation by caching web page responses
  • Improved the performance of DOM simulation by blocking requests to known ad networks
  • Improved minlength and maxlength support for form inputs so that a value of an appropriate length is set
  • Added support for matching inputs by label and placeholder texts on form values
  • Improved the vulnerability description on out-of-date cases where identified version is the latest version
  • Added database version, name and user proof for SQL injection vulnerabilities
  • Optimized the attacks with multiple parameters to reduce the number of attacks
  • Added "Identified Source Code" section for "Source Code Disclosure" vulnerabilities

Bug Fixes

  • Fixed an issue where cookies could not be read during form authentication verification when the Set-Cookie response header is empty
  • Fixed an issue with client certificate authentication where the client certificate may be sent to external hosts while making HTTP requests
  • Fixed cases where Invicti was making requests to addresses that are generated by its own attacks
  • Fixed an issue where the elapsed time stopped when the current scan was exported
  • Fixed an issue with JavaScript library version detection where the wrong version was reported if the path to the JavaScript file contained digits
  • Fixed missing AJAX requests on knowledge base while doing manual crawling
  • Fixed the HSTS engine where an http:// request could cause the current session cookie to be lost
  • Fixed an issue where links extracted by TextParser from a JavaScript file were not resolved relative to the main document
  • Fixed an issue where delegated events added to the DOM after load time were not simulated
  • Fixed the issue where hidden resource requests made by Invicti were displayed in the Out of Scope Knowledge Base
  • Fixed the issue with automatic SSL protocol fallback, which attempted the fallback even if the current security protocol was the same as the fallback value
  • Fixed the issue where "Strict-Transport-Security" was reported as an "Interesting Header"
  • Fixed the broken HIPAA classification link