Invicti Standard

New feature

• Added WebLogic support for JAVA Shark sensor

Resolved issues

• Corrected a typo in the Ivanti RCE CVE-2024-21887 report template
• Improved detection of CSP directives

‍

Security checks

• Added detection of Pega Infinity as a technology in the Vulnerability Database (VDB)

Improvements

• Defined the Hawk check delay in the scanning policy
• Added a Maximum Cookie Count setting to manage cookie numbers when necessary

Resolved issues

• Implemented fix to ensure that manual scanning continues without interruption when using a proxy
• Implemented If-Modified-Since header to minimize false positives during vulnerability scans
• Fixed logging in Post-Request scripts
• Implemented fix to ensure Post-Request script is triggered for all requests in the browser context

‍

Security checks

• Added a new CVE check for CVE-2019-19326
• Added a new XSS attack for CVE-2024-11831

Improvements

• Improved XSS detection to reduce noise
• Increased the timeout duration for IAST responses to prevent premature failures
• Implemented an enhancement to capture the token information present in the response during the OAuth2 Implicit Flow
• Implemented an enhancement to enable more effective cookie management when HTTP/2 is enabled
• Updated dependencies with known vulnerabilities
• Improved prototype-pollution detection to reduce noise

Resolved issues

• Enhanced support for using multiple secrets simultaneously within a single custom header
• Resolved an issue where duplicate X-Content-Type-Options headers triggered false missing header reports
• A fix was implemented to prevent the application from crashing due to faulty custom scripts
• Addressed an issue encountered during report policy migration
• Corrected the MOVEit SQLi check to avoid reporting an incorrect version

Improvements

• Improved Stack Trace Disclosure (Java) detection pattern
• Added support for configuring the temp file via appsettings.json or an environment variable
• Updated Microsoft.OpenApi to version 2.0 preview to support OpenAPI 3.1.0 for improved API scanning

Resolved issues

• Fixed a file access conflict issue during VDB update
• Resolved an issue where multiple versions of Next.js were not properly displayed in the Technologies dashboard and Scan Reports

New features

• Added Post-request script feature (Read more)

New security check

• Added a new XSS Security check

Resolved issues

• Fixed an issue with verifying the existence of links in the link pool
• Improved incremental scanning
• Implemented logic to create the UserDocumentsDirectoryPath when it doesn't already exist
• Added support for defining headers and HTTP method during CSV importImproved usage and reliability of SmartCard authentication
  
  

Improvements

• Added the ability to add Parent Relations for Azure products, enabling easier hierarchical management
• Implemented agent for secure storage and retrieval of passwords for Pre-Request scripts

Resolved issues

• Fixed naming issues of WordPress plugin Contact Form 7
• Fixed the issue of LoginRequiredUrl and Pre-Request script requests causing bottlenecks in HTTP requests
• Fixed an issue that unnecessarily included the code parameter in OAuth2 authorization requests
• The scanning engine now correctly processes merged request headers received from browser
• Improved usage and reliability of SmartCard authentication
  
  

Improvements

• Updated remediation details for outdated AngularJS versions

Resolved issues

• Fixed restrictions for JIRA integration
• Updated Chromium and Node.js versions, resolving Chromium-related issues, including the unexpected increase in Chromium count
• Exclude URL rules now function correctly even when the excluded URL is the target
• Fixed an issue with retrieving OAuth2 token data from JSON responses

Improvements

• Enhanced technology version identification from URI
• Improved reporting of multiple technology detections on the same file

Resolved issues

• Implemented a fallback mechanism to mitigate Chrome-related issues
• Updated OpenSSL from version 3.3.1 to 3.3.2
• Implemented a fix for an import issue caused by gRPC backward compatibility failure

Improvements

• Improved importing GraphQL queries
• Added the option to select US2 in the Enterprise Integration section, enabling IS connectivity for US2 instance customers
  

Resolved issues

• Resolved issue preventing the use of the Chromium Extension in Scanner and Verifier Agent
• Fixed the issue which was causing exports from Invicti Standard to Acunetix 360 to fail
  

New features

• Added single-tab crawling for websites that do not allow multiple-tab browsing (Read more)
• Upgraded the Shortcut integration API endpoint to v3

Improvements

• Improved payload for Log4j detection
• Added a feature to automatically override some headers in MFA cases
  

Resolved issues

• Resolved scan authentication issues for multiple pages
• Resolved issues related to screenshots and login processes
• Fixed security check for popper.js detection
• Added control for URLs that should not be included in the scope
  

New security checks

• Added detection of cookieconsent2 as a technology in the Vulnerability Database (VDB)

Improvements

• Added the ability to replace placeholders in browser for Authorization Headers
• Improved report template of JWT Signature is not verified vulnerability
  

Resolved issues

• Fixed tar file import error by addressing the invalid HAR file syntax, which was causing the web app to disclose the local path of the OnDemand web app machine in the error message
• Fixed duplicated links issue while proto file import
  

Improvements

• Redirected support email addresses to the http://support.invicti.com/ link
• Updated Chromium from version 121 to version 131 for enhanced performance and compatibility
• Enhanced detection accuracy for Weak Ciphers Enabled by analyzing false positives

Resolved issues

• Resolved the “Internal Server Error” encountered on the Invicti scans/report API endpoint after enabling the “Prevent any sensitive information showing within the product” setting
• Resolved the issue where the Agent Verifier was encountering errors when using certificates in a Linux environment
• Resolved a coverage issue where the login page reappeared during scans

Improvements

• Added new paths to forced browsing
• Updated the vulnerability template for the Internal Server Error vulnerability
• Improved Insecure HTTP Usage detection

New Security Checks

• Added detection of Google Tag Manager as a technology in the Vulnerability Database (VDB)

Improvements

• Invicti Standard Agent upgraded to .NET 8 for improved performance and compatibility
• Improved analysis and remediation capabilities for [Possible] Server-Side Template Injection vulnerabilities

Fixes

• Fixed a missing proxy implementation for ICBD and Puppeteer
• Fixed an issue where Retest-type scans did not identify the same vulnerabilities detected during full scans
• Fixed high CPU usage in some agents caused by Chromium
• Fixed an issue where the Misconfigured Access-Control-Allow-Origin Header vulnerability was not detected
• Improved detection of the [Possible] Password Transmitted over Query String vulnerability.
  

Improvements

• Multiple .proto files can now be used for scanning gRPC API Web Services

Fixes

• Fixed an issue where uploading a .proto file caused a "No links found in the file" error
• Fixed missing request/response details for some out-of-band vulnerabilities

New Security Checks

• Added detection for multiple JavaScript libraries
• Added detection for Masa CMS (CVE-2022-47002 and CVE-2021-42183)

Fixes

• Fixed a bug that was disabling the skip scan phase option

New Security Checks

• Updated detection for ActiveMQ - Remote Code Execution (CVE-2023-46604) and TorchServe Management API SSRF (CVE-2023-43654)

Improvements

• Added 'save as new' and 'overwrite' options when importing scans
• Reporting improvements for the “Unknown Option Used In Referrer-Policy” vulnerability
• Added the ability to export/import scan profiles and scan policies between different instances of Invicti Standard

Fixes

• Various fixes for the verifiers
• Out-of-date version for Boolean Based MongoDB Injection is now reported correctly

New Security Checks

• Added XWiki version disclosure vulnerability and attack patterns.

Fixes

• Fixed the false negative issue related to Polyfill.io.
• Fixed an issue related to creating a custom script for a web application using the OIDC method with a login pop-up.

New Security Checks

• Adjusted the severity of SSLv3 and TLS 1.0 vulnerabilities to reflect their security risks
• Added support for CSP frame-ancestors
• Added detection for CVE-2024-6297, affecting several WordPress plugins

Improvements

• Pre-request script now works in DOM as well

Fixes

• Resolved an issue with a pre-request script that was affecting crawling functionality

New Security Checks

• Added detection for Jenkins Secret as a Sensitive Data Exposure

Improvements

• Started to utilize the Microsoft Azure Trusted Signing service for code signing of Invicti Standard

Fixes

• Fixed chromium-related issues in the agent
• Fixed the issue where temp folders could not be deleted and Chromium instances remained open when Puppeteer encountered an error
• Fixed the false positive on detection of "Stack Trace Disclosure (Java)"
• Fixed an issue related to the Moment.js regex
• Fixed the OIDC authentication issue
• Fixed the issue where the REST API endpoint returned HTTP 400 instead of HTTP 200 when sending custom values
• Fixed the issue preventing proper login to the target URL

New Security Checks

• Incorporated the reporting of sensitive information disclosures from Okta
• Added a check for Authentication bypass in Fortra's GoAnywhere MFT (CVE-2024-0204)
• Added a check for Open SSH server RC (CVE-2024-6387)
• Added a check for cached pages that contain sensitive data (CWE-525)

Improvements

• Resolved an issue where scans were failing due to the TLS connection not being established

Fixes

• Resolved a problem that was causing scans to become stuck

Improvements

• Disabled the detection of CSRF vulnerabilities from built-in policies
• Added custom header support for SSRF registration

Fixes

• Fixed an issue related to BLR links

New Security Checks

• Added a new security check to identify supply chain attacks through Polyfill JS
• Added a detection for GeoServer SQLi vulnerability (CVE-2023-25157)
• Added checks for various WordPress plugins

Improvements

• Improved Credit Card Disclosure Security Check
• Added custom headers for communication between Agents and Invicti Hawk
• Set the severity of 'Possible XSS' vulnerabilities to 'Informational'
• Improved various Sensitive Data Exposure security checks
• Improved the detection of the Short SSL Key Length vulnerability
• Added the capability to check for Sensitive Data in XML responses

Fixes

• Fixed missing Request Body content in vulnerability details
• Fixed an issue with the 'IgnoreCertificateErrors' Agent setting for SSL Validation
• Fixed a problem in the JWT Engine to resolve a false positive issue
• Fixed an issue related to the OTA app scan
• Fixed HTTP 413 responses resulting from nonce cookies stacking

New Features

• Added functionality for scanning gRPC API Web Services → Learn more

New Security Checks

• Added a new attack pattern for missing Open Redirection

Improvements

• Added an option to trigger only specified lists of events
• Updated all the IAST Sensors:
  • .NET Framework and .NET Core 6.2.0
  • Java 16.0.0
  • Node.js 2.1.3
  • PHP 8.0.1

Fixes

• Fixed an issue with user-agent selection in scan policies that was causing disabled security check vulnerabilities to appear in the dashboards and scan reports
• Fixed an issue with user-agent selection in scan policies that was causing disabled security check vulnerabilities to appear in the dashboards and scan reports
• Fixed vulnerabilities with the Invicti Scan Agent Docker image
• Fixed the disk space utilization issue that was causing the InvictiCommon folder size to increase significantly during scans
• Improved the crawling capability to allow for automatic crawling of XHR requests
• Fixed an AWS4Signer authentication issue

New Security Checks

• Added detection methods for five more WordPress Templates
• Added detection of Fortinet vulnerabilities (CVE-2020-12812, CVE-2019-5591, CVE-2018-13379)

Improvements

• Updated CWE IDs for several vulnerabilities

Fixes

• Fixed an issue in the detection of the 'Improper XML parsing leads to Billion Laughs Attack' vulnerability
• Resolved an issue with the Business Logic Recorder

New Feature

• Enabled Korean language support

New Security Checks

• Added detection method for Angular
• Added a new security check for Oracle EBS RCE

Fixes

• Fixed a scan authentication issue and a crawling issue with Cloud Agents
• Fixed the HTTP 401 forbidden response form authentication error
• Fixed an issue with the detection method for wp-admin vulnerabilities
• Fixed an error that was occurring when generating knowledge base reports
• Updated the extraction algorithm for downloaded scan files from Invicti Enterprise
• Fixed a scan issue that was producing 413 error responses

Improvements

• Improved AWS Secret Key ID detection security checks
• Improved Google Cloud API Key detection security checks
• Updated remediation information for Angular JS related vulnerabilities
• Improved Boolean-Based MongoDB Injection detection method

Fixes

• Fixed a validation error when validating Shark settings
• Fixed an issue with duplicate custom user agents that was preventing scanning
• Fixed an issue where authentication would fail when started with an Authentication profile
• Fixed an issue that caused proxy usage for Chromium even when no proxy was selected from the scan policy settings

New features

• Provided a new encryption method of API Token for Agent/Verifier Agent
• Added a pre-request script to generate AWS Signature token

New security checks

• Added a new security check for TLS/SSL certificate key size too small issue
• Improved WP Config detection over backup files
• Added a new security check for CVE-2023-46805 / CVE-2024-21887
• Added detection for exposed WordPress configuration files
• Added a new Security Check that allows to report two vulnerabilities: TorchServe Management API Publicly Exposed and TorchServe Management API SSRF
• Command Injection in VMware Aria Operations for Networks can now be detected

Improvements

• Implemented enhancements: Highlighting and Verification of Response Status Codes
• Disabled the BREACH Security Engine
• Report template of Possible XSS is updated to cover mime sniffing
• Increased the default Severity level of Version Disclosure (Varnish) from 'Information' to 'Low'

Fixes

• Fixed the issue where the customer couldn't scan their target with the additional website properly
• Fixed an issue that was causing a memory issue in Javascript Parser
• Fixed the inability of the custom script editor to load the form authentication fields

New features

• Added the ability to force authentication verifier agents to use incognito mode by default on Chromium browsers

New security checks

• Added detection for ActiveMQ RCE to the OOB RCE Attack Pattern (CVE-2023-46604)

Fixes

• Added a Cookie Source field to the Knowledge Base Cookies screen

New features

• Added a new BLR log providing details on BLR execution

New security checks

• Implemented a detection and reporting mechanism for the Backup Migration WordPress plugin (CVE-2023-6553)
• Added detection for TinyMCE

Improvements

• Updated the "Insecure Transportation Security Protocol Supported (TLS 1.0)" vulnerability to High Severity
• Updated the WSDL serialization mechanism
• Implemented support for scanning sites with location permission pop-ups
• Added support for FreshService API V2
• Removed obsolete X-Frame-Options Header security checks

Fixes

• Fixed a bug in the Request/Response tab of Version Disclosure vulnerabilities
• Removed the target URL from the scope control list

New security checks

• Added a check for dotCMS
• Added a check for the Ultimate Member WordPress plugin
• Added a new mXSS pattern
• Added new signatures to detect JWKs

Improvements

• Improved the recommendations for the Weak Ciphers Enabled vulnerability
• Improved detection of swagger.json vulnerabilities
• Added support for AWS WAFv2 rules
• Improved more of our error and warning messages so they are more user friendly
• Added Sentry implementation into the Agent repository

Fixes

• Fixed a proxy issue that was impacting the detection of weak ciphers
• Fixed a problem with importing WDSL files

New features

• In the scan settings section, we've added a checkbox (under Authentication > Form) to collect all logs about the authentication progress
• Enhanced reporting of DOM XSS vulnerabilities

Improvements

• Updated the Shark Dotnet Sensor to .NET Core 6
• Improved site-logout detection

Fixes

• Resolved a problem with missing information in the report policy database
• Fixed an issue with the import of scan data from Invicti Enterprise to Invicti Standard
• Fixed a bug in the importing of links
• Fixed some vulnerabilities on our Invicti Docker Image by updating the packages
• Fixed reporting of some false/positive passive out-of-date vulnerabilities

New features

• Added CVSS 4.0 categorization of vulnerabilities
• Added support for PCI DSS 4.0
• Added new messaging for when scans fail due to mistyped http/https protocols

New security checks

• Added new HSQLDB vulnerabilities and report templates
• Added new Typo3 vulnerabilities and report templates

Improvements

• Improved the vulnerability calculator for Boolean MongoDB
• Improved the signature for .dockerignore file detected issues
• Improved the request body rating algorithm
• Improved the signature for Joomla detection
• Improved the signature for other docker-related signatures
• Improved the Postman collection parsing algorithm
• Resolved an issue with adding a client certificate to set up a scan
• Added logs for better traceability of BLR playbacks

Fixes

• Fixed the NRE in the agent log if any authentication is adjusted
• Fixed an issue that was causing verifiers to not use scan policy proxy settings
• Fixed an auth verifier client certificate authentication path error

New features

• Added an option under New Scan Policy > Ignored Parameters to allow customers to set 'Cookie' as a type of ignored parameter

New security checks

• Added new checks for the WordPress Login with Phone Number Plugin: CVE-2023-23492
• Added new checks for the WordPress JupiterX Core Plugin: CVE-2023-38389, CVE-2023-38388

Improvements

• Added support for custom authentication tokens without token type
• Improved LFI attack patterns for better accuracy
• Fixed some vulnerabilities in the Docker image
• Stricter sensitive data rules
• Improved bot detection bypass scenarios

Fixes

• Fixed custom header values in scan profiles so that they are masked
• Docker Cloud Stack check has been updated to reduce noise
• Fixed an issue with adding configuration files to scan profiles
• SSL/TLS classification updated from CWE-311 to CWE-319

Improvements

• Added a MaxAuthenticationTime configuration and set the default value as 480 seconds

Fixes

• Fixed a bug that was preventing the import of WSDL files to Invicti Standard
• Fixed version information reported in Web App Fingerprint Vulnerabilities

New features

• Added encoding for sensitive data
• Added the option to enable CSRF checks for authenticated scans only
• Added a sensitive data (password, session cookie, token etc.) encoder

New security checks

• Added JQuery placeholder detection methods
• Added a new security check for the Missing X-Content-Type-Options vulnerability

Improvements

• Improved the JS Delivery CDN disclosure check to increase stability
• Improved the remediation part for the Weak Ciphers Enabled vulnerability
• Reduced the certainty value to 90 for the Robot Attack Detected vulnerability
• Improved the detection method for CSP
• Improved the detection method for the Dockerignore File Detected vulnerability
• Improved the detection method for the Docker Cloud Stack File Detected vulnerability

Fixes

• Improved our XSS capabilities
• Fixed an NTLM login issue
• Fixed a bug that was overwriting proxy settings in scan policies
• Fixed a unique analyzer bug for the WSDL importer
• Fixed a custom proxy bypass list issue

New feature

• We’ve added the ability to set proxy configurations to Docker Agent as an environment variable when creating a container

Improvements

• Disabled caching from the boolean-based MongoDB security engine to avoid possible false positives
• Improved the content-type exemption for non-HTML content types in the CSP engine
• Improved the typehead.js check to increase stability
• Removed the X-XSS-Protection header check because it is deprecated by modern browsers
• Fixed a scan coverage issue
• Improved the remediation part for the JetBrains .idea detected vulnerability
• Added functionalities to prevent bot detection and fixed an issue that was causing cookie loss after authentication

Fixes

• Fixed the update agent command that was not working correctly
• Fixed the internal Linux v23.7 AV agent that wasn’t sending header configurations
• Encrypted the proxy password used in the scan policy file
• Fixed an issue with missing links when importing a .nss file from Invicti into Acunetix 360
• Fixed the external SOAP web service import problem
• Fixed a custom script issue so that now passwords written to the logs are encrypted
• Fixed an issue that might cause broken functionality for popup pages
• Fixed an issue where vulnerabilities could not be generated as CloudFlare WAF rules via API
• Fixed a bug with Multiple Declarations in the X-Frame-Options Header
• Fixed a localized time issue in the Files area
• Fixed a problem that was causing default values to be filled incorrectly, resulting in false negatives

New security checks

• Added new patterns to detect XSS

Improvements

• Improved detection and reporting of File Inclusion vulnerabilities
• Improved detection and reporting of Sensitive Data Exposure vulnerabilities
• Improved detection and reporting of Dockerfiles
• Added a custom authentication support header to scan policy

Fixes

• Fixed incorrect reporting of outdated technology versions
• Fixed a bug that was preventing reports from being saved
• Fixed the navigation check error on the dom parsing phase
• Fixed an issue that can cause too much browser user data to be left in the temp folder
• Fixed a custom script that was preventing successful basic authentication in some scenarios

Features

• Added Diana.jl support for GraphQL Library Detection
• Added Hot Chocolate support for GraphQL Library Detection
• Added Zero Day Vulnerability for MOVEit Software

Improvements

• Improved logout detection for OAuth2 authenticated websites
• Improved detection of IT Hit WebDav Server .Net versions
• Improved Internal Path Disclosure detection
• Improved Remediation Advice for Autocomplete Enabled vulnerability
• Improved detection logic for LFI vulnerability
• Improved identification and version disclosure for PopperJS, CanvasJS, and Next.js
• Improved WAF Detection for F5 BIG IP

Fixes

• Fixed issue with scans stopping with the Find & Follow New Links option enabled
• Fixed issue with agent compression of chromium and node files
• Fixed InvalidCastException with REST API
• Fixed ArgumentNullException with Custom Security Checks
• Fixed BLR cannot fill address fields
• Fixed adding some MongoDB vulnerabilities to Knowledge Base report
• Fixed scans unauthenticated after successful authentication verification
• Fixed rare stuck scan issue
• Fixed false positive due to TLS v1.3 not enabled
• Fixed ArgumentNullException during scan launch
• Fixed Authentication Verifier fails creating a new scan while another scan is running
• Fixed GraphQL import OutOfMemoryException

New security checks

• Added the check for Boolean-based MongoDB injection.
• Added the check for MongoDB Operator Injector.
• Implemented the XML external entity check for IAST.
• Added the ISO/IEC27001:2022 Classification.
• Added the report template and attack pattern to the Out-of-band RCE.
• Added passive check for Lua.
• Added a security check to detect public Docker files.
• Implemented a new engine to identify WordPress themes and Plugins.
• Added new security checks for SAML.
• Added security check for IT Hit WebDAV Server .Net Version Disclosure.
• Added security check for MS Exchange Version Disclosure.
• Added new payloads for Command Injection.
• Added support for PopperJS.
• Added support for CanvasJS.
• Added new security check for the SQLite Database Detection.
• Added new payloads for Header Injection.
• Added new security check for Spring Boot Actuator Detection.
• Added security check for NodeJS Stack Trace Disclosure.
• Added security check for SailsJS and ActionHero Identified.
• Added security check for JetBrains .idea Detected.
• Added security check for GraphQL Stack Trace Disclosure.
• Added security checks for Javascript Libraries.
• Added security checks for Web Application Fingerprinter Engine.
• Added new security checks for WordPress Hello Elementor Theme Detection.
• Added new security checks for WordPress Twenty Twenty-Three Theme Detection.
• Added new security checks for WordPress Twenty Twenty-Two Theme Detection.
• Added new security checks for WordPress Astra Theme Detection.
• Added new security checks for WordPress Twenty Twenty-One Theme Detection.
• Added new security checks for WordPress Twenty Twenty Theme Detection.
• Added new security checks for WordPress OceanWP Theme Detection.
• Added new security checks for WordPress Twenty Seventeen Theme Detection.
• Added new security checks for WordPress Kadence Theme Detection.
• Added new security checks for WordPress Twenty-Sixteen Theme Detection.
• Added new security checks for WordPress Twenty Nineteen Theme Detection.
• Added new security checks for WordPress PopularFX Theme Detection.
• Added new security checks for WordPress GeneratePress Theme Detection.
• Added new security checks for WordPress Inspiro Theme Detection.
• Added new security checks for WordPress Go Theme Detection.
• Added new security checks for WordPress Smash Balloon Social Photo Feed Plugin Detection.
• Added new security checks for WordPress Contact Form 7 Plugin Detection.
• Added new security checks for WordPress Yoast SEO Plugin Detection.
• Added new security checks for WordPress Elementor Website Builder Plugin Detection.
• Added new security checks for WordPress Classic Editor Plugin Detection.
• Added new security checks for WordPress Akismet Spam Protection Plugin Detection.
• Added new security checks for WordPress WooCommerce Plugin Detection.
• Added new security checks for WordPress Contact Form by WPForms Plugin Detection.
• Added new security checks for WordPress Really Simple SSL Plugin Detection.
• Added new security checks for WordPress Jetpack Plugin Detection.
• Added new security checks for WordPress All-in-One WP Migration Plugin Detection.
• Added new security checks for WordPress Wordfence Security Plugin Detection.
• Added new security checks for WordPress Yoast Duplicate Post Plugin Detection.
• Added new security checks for WordPress WordPress Importer Plugin Detection.
• Added new security checks for WordPress LiteSpeed Cache Plugin Detection.
• Added new security checks for WordPress UpdraftPlus WordPress Backup Plugin Plugin Detection.
• Added new security check for EZProxy Identified.

Improvements

• Updated the Signature Detection pattern.
• Improved the wordlist for Forced Browsing checks.
• Changed the Session Cookie not marked as Secure severity from High to Medium.
• Improved the task queue by optimizing code.
• Improved Drupal and Joomla detection.
• Improved the Next.js version detection.
• Improved Django debug mode enabled.
• Updated the SSL/TLS report template.

Fixes

• Fixed the navigational error by ignoring initial requests other than the document-type resources.
• Fixed an issue about HTTP Status codes on the crawler performance in the Knowledge Base Report.
• Fixed the importing GraphQL introspection issue.
• Fixed the weak Nonce detection in Content Security Policy.

New security checks

• Added new security check for LDAP injection for IAST.
• Added new security check for MongoDB injection.
• Added new security check for Server-side Template Injection for IAST.
• Added new security check for XPath injection for IAST.
• Implemented security check for Sensitive Data Exposure.

Improvements

• Improved the text parser to check URI before parsing.
• Added the Response Receiver information event to remove waiting time for requests.
• Improved the GraphQL Introspection query.

Fixes

• Fixed an issue that caused a bad CSRF token when confirming Cross-site Scripting.
• Fixed an issue that caused an argument null exception when the browser context was closed.
• Fixed the issue that is filling out the login form on the logout page during the login verification.
• Fixed the issue of changing the order of API parameters while importing the JSON file.
• Fixed the dark template issue that displayed the What's New section in the light template.
• Fixed the vulnerability signature types for Cloudflare and Cdnjs.

Version information: 23.4.0.40376

New security checks

• Added new patterns for GrapQL attack usage.
• Added new attack pattern to CommandInjection.xml.
• Implemented Bootstrap Libraries Detection.
• Added Out-of-Date vulnerability for mod_ssl.
• Added a report template and vulnerability type for Spring Framework Identified.
• Added JavaMelody Interface Detected Signature.
• Changed WAF Identification Signature for F5 Big IP.
• Added the support for Nested objects for GraphQL attacks.

Improvements

• Updated Invicti Standard with new brand logo.
• Added external schema import to solve a WSDL file importing another WSDL file.
• Removed the interactive login button from the verifier dialog.
• Added the Retest All Subitems in the Sitemap to prevent non-retestable issues from being retested.
• Added a null check for HAR files imported.
• Improved the cookie importing process in order for cookies to be compatible with RFC.
• Updated IAST NuGet PHP package.
• Updated StaticDetection.xml & StaticResourceFinder.xml.
• Added service worker request support for authentication, login simulation, and crawling.

Fixes

• Fixed an issue that caused high memory usage while collecting form values.
• Fixed the untrusted certificate error for internal proxies.
• Fixed the issue that caused the change in the date and time format during the Postman file importing.
• Fixed the Linux agents problem that failed to work in the FIPS-enabled environment.
• Fixed the untrusted certificate error for internal proxies.
• Fixed the "Catastrophic Backtracking" in Whoops Debugging detection.

Version information: 23.3.0.39944

New security checks

• Added package.json Configuration File attack pattern.
• Added new File Upload Injection pattern.
• Added SSRF (Equinix) vulnerability.
• Added Swagger user interface Out-of-Date vulnerability.
• Added a file upload injection pattern.
• Added StackPath CDN Identified vulnerability.
• Added Insecure Usage of Version 1 GUID vulnerability.
• Added JBoss Web Console JMX Invoker check.
• Added Windows Server check.
• Added Windows CE check.
• Added Cloudflare Identified, Cloudflare Bot Management, Cloudflare Browser Insights, and cdnjs checks.
• Added Varnish Version Disclosure vulnerability check.
• Added Stack Trace Disclosure (Apache Shiro) vulnerability check.
• Added Java Servlet Ouf-of-Date vulnerability check.
• Added AEM Detected vulnerability check.
• Added CDN Detected(JsDelivr) vulnerability check.

Improvements

• Improved the scan compression algorithm to lower the size of the scan data.
• Improved WS_FTP Log vulnerability test pattern.
• Improved X-XSS-Protection Header Issue vulnerability template.
• Improved MySQL Database Error Message attack pattern.
• Improved XML External Entity Injection vulnerability test pattern.
• Improved Forced Browsing List.
• Added CWE classification for Insecure HTTP Usage.
• Added GraphQL Attack Usage to existing test patterns by default.

Fixes

• Fixed an issue that may cause out-of-memory when cloning callbacks of the browser.
• Fixed the update issue in the Proof node in the Knowledge Base panel.

Version information: 23.2.0.39705

New security checks

• Added JWT Forgery through Kid by using static files.
• Added the JSON Web Tokens detected check.

Improvements

• Improved the default browser settings to be reflected in the business logic recorder (BLR).
• Improved the JWT Finder Regex in the JWT engine.
• Extended excluded header names with new headers.
• Updated JWT Forgery check condition.
• Improved the JSON Web Tokens' vulnerability detection logic.
• Added the link scope check for the user-controllable cookie vulnerability.

Fixes

• Fixed an issue that caused unhandled exceptions when there is no service endpoint definition in the WSDL file.
• Fixed "file in use error" while archiving scan logs.
• Fixed the OAuth 2.0 authentication problem caused by the failure to get code information and certification validation in out-of-scope links.
• Fixed missing cookies for the JSON Web Tokens attack requests.
• Fixed the vulnerability family issue that caused the Hawk not to detect issues.
• Fixed the vulnerability serialization issue that caused the out-of-memory error.

Improvements

• Added control for login and logout during vulnerability retest.
• Added auto responder for images to escape the onerror issue.

Fixes

• Fixed an issue that overrode TLS settings available in the scan policy when the Ignore SSL Certificate Errors is set to True in the Appsetting.json file.
• Fixed a bug that throws a null reference exception at the authentication.
• Fixed missing CSP 3 Directive.
• Fixed an issue about 3-legged OAuth which cause failed authentication at scan.
• Fixed the scheduled scans not being exported issue to Invicti Enterprise.
• Fixed an issue about header encoding that cause false positive CSP reporting.
• Fixed the bug on the Interactive Login page where the Ok and Pause buttons are not available.
• Fixed case sensitivity when checking HTTP headers for JSON Web Tokens.
• Fixed the IPv6 registered website resolution issue thrown before scanning.
• Improved the vulnerability database updating process to enable it to use a proxy.
• Fixed a bug that prevents the scanner from attacking to login and logout pages.
• Fixed the bug in which OAuth2 settings were not transferred properly from the web application to the agent.

Improvements

• Added an explanation for the failed requests error.
• Added name variable support for Passive and Singular Custom Security Checks.

Fixes

• Fixed WSDL parse issue for non-defined object types.
• Fixed the deserialization problem when importing the scan session.
• Fixed the CSP analyzer Regex enumeration problem.
• Fixed the null reference exception on HTTP Requester.

New security check

• Added the Text4Shell (CVE-2022-42889) check.

Improvements

• Updated the embedded Chromium browser.
• Improved the importing link to parse the complex example value for RAML.
• Added the support for browser flag.
• Improved the scan failure messages on the issue page.
• Added the URL decode to scanned and crawled URL list reports.

Fixes

• Fixed the issue that deleted the customization folder in the agent's folder after the update.
• Fixed the knowledge base report format to display information clearly.

NEW FEATURES

• Added auto-GraphQL attack after endpoint is detected.
• Added request wait filter for request wait handler.

NEW SECURITY CHECKS

• Added MongoDB Time-based (Blind) Injection.
• Added SQLite Boolean SQL Injection.
• Added MongoDB Error-based Injection.

IMPROVEMENTS

• Updated the embedded browser.
• Updated the hardcoded scan policy for http://rest.testinvicti.com.
• Added the out-of-scope check for the target website content links.
• Updated the Check for VDB Update status and tooltip when users start the check for update.
• Updated Vulnerability Detection Logic in JWT engine.
• Updated Liferay portal signature and added a mapping for version conversion.

FIXES

• Fixed the web security issue for the origin header problem.
• Fixed the sitemap bug that caused missing information when imported.
• Fixed the bug that threw an error when exporting as SQL script.
• Fixed the bug that threw an error, as HTTP Requester deletes the whole body part of the request which contains the login credentials.
• Fixed multiple headers highlighting for the same value.
• Fixed highlighting CSP Directives in different header issues.
• Fixed duplicate bearer tokens for some requests.
• Fixed the out-of-memory bug at the browser manager.
• Fixed the null reference exception on the custom script screen.
• Fixed the connection time-out issue caused by the RegEx engine.
• Fixed an issue that resulted in false positive Cross-site Scripting (DOM-based).
• Fixed the retest issue that displays zero requests in the repetitive retests.
• Fixed the bug that shows the previous version of VDB.
• Fixed parsable false attack patterns place.

IMPROVEMENTS

• Updated embedded Chromium browser.

SECURITY CHECKS

• Added pattern for XSS via file upload SVG.

IMPROVEMENTS

• Added the Cache By CSS Selector and Max Cache Elements to the scan policies.
• Added the GraphQL endpoints and libraries to the Knowledge Base.
• Updated the Jira tooltip for the access token or password field.
• Removed the target URL health check that lets the scan continue despite getting error messages such as 403.
• Improved the raw scan file expired information message.
• Improved the scan profile test coverage.
  
• Updated regex for Stack Trace Disclosure (Java) - Java.Lang Exceptions.
• Improved the JSON Web Tokens secret list.
• Improved the re-login process when the logout is detected.

FIXES

• Fixed the retest issue.
• Fixed the null reference error thrown during the late confirmation.
• Fixed an issue of using the disposed objects.
• Fixed the exception error when cloning the report policy.
• Fixed the broken links on the report policy.
• Fixed mistaken NIST and DISA classifications.
• Fixed a bug that threw the database locked error when Invicti is restarted after a scan.
• Fixed an issue where a JavaScript Setting option blocks inputs for the single-page applications to be reported in the Web Pages with Inputs node.
• Fixed a bug that caused the scan session failure when the scan is paused and resumed.
• Fixed failed scans where the Target URL is IPv6 and starting with ::1
• Fixed the Postman collection parsing by removing / in front of the query in the URL.
• Fixed the Shark validation issue that threw exceptions while validating.
• Fixed the issue with proxy settings, so Invicti prioritizes the settings in the scan policy.
• Fixed NodeJS RCE-OOB security check.

IMPROVEMENTS

• Improved the Late-Confirmation Storage Mechanism to lower disc usage.
• Improved the Links/API definition to add links with a single click.
• Added the Block navigation on SPAs to built-in scan policies.
• Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3.

FIXES

• Fixed the issue that does not terminate the Chromium instances although the max scan duration is exceeded.
• Fixed the issue that automatically enables “Exclude Authentication Pages” after enabling form authentication.
• Fixed the bug that throws null reference exception at the link pool.
• Fixed the bug that prevents GraphQL Endpoint detection when the scan policy is copied.
• Fixed the bug that resulted in running many Chromium instances when a new scan is started.
• Fixed a null reference error when a new scan is started via the command line.

IMPROVEMENTS

• Improved the Late-Confirmation Storage Mechanism to lower disc usage.
• Improved the Links/API definition to add links with a single click.
• Added the Block navigation on SPAs to built-in scan policies.
• Improved the scan agent to continue scanning in case of getting HTTP status errors like Forbidden, Unauthorized, and ProxyAuthenticationRequired for websites supporting TLS 1.3.

FIXES

• Fixed the issue that does not terminate the Chromium instances although the max scan duration is exceeded.
• Fixed the issue that automatically enables “Exclude Authentication Pages” after enabling form authentication.
• Fixed the bug that throws null reference exception at the link pool.
• Fixed the bug that prevents GraphQL Endpoint detection when the scan policy is copied.
• Fixed the bug that resulted in running many Chromium instances when a new scan is started.
• Fixed a null reference error when a new scan is started via the command line.

NEW FEATURES

• Added GraphQL Libraries detection support.
• Added the Shark node to the Knowledge Base.
• Added Acunetix XML to URL Import.
• Added built-in DVWA policies to scan policies.

IMPROVEMENTS

• Updated embedded Chromium browser.
• Added a new IAST vulnerability: Overly Long Session Timeout.
• Added new config vulnerabilities for the IAST Node.js sensor.
• Added new config vulnerabilities for the IAST Java sensor.
• Added support for detecting SQL Injections on HSQLDB.
• Added support for detecting XSS through file upload.
• Updated DISA STIG Classifications.
• Updated Java and Node.js IAST sensors.
• Improved time-based blind SQLi detection checks.
• Improved the Content Security Policy Engine.
• Updated XSS via File Upload vulnerability template.
• Updated License Agreement on the Invicti Standard installer.
• Added Extract Resource default property to DOM simulation.
• Improved proxy usage in Netsparker Standard for outgoing web requests such as Hawk.
• Added an option to discard certificate validation errors on the Enterprise Integration window during SSL/TLS connections.
• Added vulnerabilityType filter to add VulnerabilityLookup table.
• Added the agent mode to the authentication request.
• Added a default behavior to scan the login page.
• Added an option to disable anti-CSRF token attacks.
• Added an option to block navigation on SPAs pages.
• Added a default behavior to disable TLS1.3

FIXES

• Fixed basic authorization over HTTP bug.
• Fixed SQL Injection Vulnerability Family Reporting Bug.
• Fixed a bug that the custom script throws a null reference exception when a script is added to the paused scan.
• Fixed a bug that deletes an authentication password when a new scan is started with a copied profile.
• Fixed a bug that causes the Sitemap to disappear during scanning with IAST.
• Fixed a bug that caused missing tables and values when a report policy is exported as an SQL file.
• Fixed a typo bug on GraphQL importing window.
• Fixed the report naming bug that occurs users create a custom report from a base report.
• Fixed an issue that causes the attack process not to be completed for a security check when there is an error occurred while attacking a parameter with an attack pattern.
• Fixed a bug that updates all built-in scan policies instead of edited scan policy.
• Fixed a typo on Skip Crawling & Attacking pop-up.
• Fixed a bug that prevents an error icon from appearing after entering unacceptable characters for the scan policy name.
• Fixed a bug that does not migrate the Spring4Shell Remote Code Execution check to a new scan policy although more than 50% of the checks are selected.
• Fixed a bug that throws an error when the Large SPA is selected from the Load Preset Values drop-down on the Scan Policy window.
• Fixed a bug that does not show Configuration Wizard for the Rest API TestInvicti website.
• Fixed missing template section migration on report policy.
• Fixed a bug that throws an error when a report is submitted upon error.
• Fixed the LFI Exploiter null reference.
• Fixed a bug that occurs when a detailed scan report does not report the CVSS scores for custom vulnerabilities.
• Fixed a bug that occurs when the Log4J vulnerability profile is not migrated with the report policy migration.
• Fixed a bug that occurs when users search the Target URL on the New Scan panel.
• Fixed typo in the timeout error message.
• Fixed a bug that prevents the WSDL files from being imported.
• Fixed reporting "SSL/TLS not implemented" when scanning only TLS 1.3 supported sites.
• Fixed a bug that throws an error for NTLM authentication when the custom username and password credentials are provided when the system proxy is entered into the appsetting.json
• Fixed the bug that the passive vulnerabilities were reported from out-of-scope links.

REMOVAL

• Removed Expect-CT security check.
• Removed the End-of-Text characters in URL rewrite rules.

IMPROVEMENTS

• Updated embedded chromium browser
• Improved JWT confirmation to avoid false positives.

FIXES

• Fixed an issue that passive vulnerabilities were reported as out-of-scope links.
• Fixed an issue that imports global servers as Swagger files.
• Fixed an issue where the OK button disappears during interactive login.
• Fixed an issue that adds interactive login buttons to iframes.
• Fixed a null reference exception at the LFI exploit panel.

NEW SECURITY CHECKS

• Added Remote Code Execution (CVE-2022-22965) a.k.a. Spring4Shell detection support.

IMPROVEMENTS

• Netsparker Standard now Invicti Standard.
• Added a token matching rule when it is required to get the token from a website other than the target URL.
• Improved the GraphQL attacks to include non-string fields.

FIXES

• Fixed a consistency issue between the Software Composition Analysis and the Knowledge Base on reported vulnerabilities.
• Fixed a bug that prevents the Knowledge Base View from being shown properly when a user disables the knowledge base from a scan policy.
• Fixed a null reference exception by adding a control whether the current scan policy is empty.
• Fixed a bug that the agent does not continue the scan after a pause.
• Fixed a bug that does not properly show all components detected by a software composition analysis after a retest.

IMPROVEMENTS

• Implemented new Log4j attack patterns.
• Added the parameter types to exported reports for GraphQL.

FIXES

• Fixed an issue that Invicti uses a new token instead of the imported token when customers adds imported links.
• Fixed an issue that results in false positive Cross-site Scripting.
• Fixed an issue that prevents the scan policy migration when a newer Invicti Standard version is installed.
• Fixed an issue that the page counter goes to zero in the Recent Scans window.
• Fixed an issue that threw error during the pre-scan validation process in the case of websites that can only be accessed via the proxy.

IMPROVEMENTS

• Added the .deploy extension to Default Policy's extension list.
• Added a new command line interface parameter -called failfast- to close the Invicti Standard in the silent mode when error occurs.

FIXES

• Fixed a null reference error issue when a user right-clicks the target on the Sitemap.
• Fixed the URL response error of the main node when Override Target URL check is enabled.
• Fixed the Imported Links date and time value in the body that is cropped.
• Fixed an issue that opens the vulnerability panel instead of the HTTP Request and Response panel when the email node is selected in the Knowledge Base panel.
• Fixed the issue with the Missing XSS protection Header in the Out-of-Scope link.
• Fixed an issue that tries to stop the scan when the What's New tab is closed.
• Fixed an issue that Invicti Standard starts a retest for a vulnerability randomly.
• Fixed a payload for the GraphQL.

FIXES

• Fixed a scan policy migration issue that causes selecting all the security checks.

NEW FEATURES

• Added Software Composition Analysis (SCA) feature.
• Added OWASP Top 10 2021 classification and report.
• Added support for scanning GraphQL APIs.

NEW SECURITY CHECKS

• Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Jira.
• Added Stack Trace Disclosure Signature for Java.
• Added Shopify Identified Security Check.

IMPROVEMENTS

• Updated Invicti Standard .NET Framework version from 4.7.2 to 4.8.
• Allowed to enter hyphens for the proxy address on the Proxy Settings.
• Enabled that all child controlled scan parameters are listed in the Sitemap parent node.
• Changed classification for Cross-site Referrer Leakage and Breach in OWASP Top Ten 2021.
• Changed CryptographicException error log type.
• Added condition that when the max crawling link is reached, the DOM simulation stops.
• Updated Version Disclosure Signature for Apache Coyote.
• Added callback flag to prevent multi trigger of DOM parser view callback
• Improved the importing of RAML files includes other files.
• Added tags property to the Kenna Send to Action.
• Updated Freshservice integration not to send user agent header.
• Updated Version Disclosure Signature for Jolokia.
• Improved the Form Values to be entered into the relevant sections during the form authentication process in the React environment.
• Improved the login verification process by detecting page load properly.

FIXES

• Fixed an issue that created an incorrect issue link in Bitbucket Integration.
• Fixed an issue that occurred when the proxy information from the Proxy Auto-Configuration file cannot be transmitted in requests made by the browser.
• Fixed the null reference error (NRE) that occurred during importing the paused or canceled scan files.
• Fixed an issue that calculated total response time incorrectly.
• Fixed the bug related to Send To action of Kenna integration.
• Fixed the Jolokia version disclosure report to properly highlight the related lines.
• Fixed the OWASP classification links.
• Fixed an issue that does not show a vulnerability when sorted by the Vulnerability Type although it shows when sorted by Severity.
• Fixed the misleading tooltip in Scan Policy - Security Checks.
• Fixed the misaligned text on the PDF version of Executive Summary Report.
• Fixed an issue that Invicti Standard doesn't show out-of-scope warning when out-of-scope link is imported.
• Fixed the inconsistent vulnerability count between reports and status bar.
• Fixed the manual authentication issue when links are imported from URL.
• Fixed the Sitemap multilevel group count.
• Fixed Scan Policy security check count.
• Fixed a naming issue that occurred when a new custom report name contains a dot.
• Fixed an issue while changing the Data Directory option on Storage tab.
• Fixed the issue that external references were not rendered correctly.

NEW SECURITY CHECKS

• Added Out of Band Code Evaluation (Log4j - CVE-2021-44228) a.k.a. Log4Shell detection support.

NEW FEATURES

• Added Node.js sensor for Invicti Shark (IAST).
• Added OWASP API Top 10 classification and report template.

NEW SECURITY CHECKS

• Added signature matching to Web app fingerprint checker.
• Added patterns for Base64 encoded DOM Cross-site Scripting.
• Added phpMyAdmin Version Disclosure security check.
• Added Atlassian Confluence Version disclosure and Out-of-date security checks.
• Added exclusion feature to JavaScript Library detection.
• Added PHP Version Detection via phpinfo() call.
• Added the Shopify Identified security check.

IMPROVEMENTS

• Added the Bridge URL and Shark token support for Invicti Shark (IAST).
• Added setting to configure Session Cookie Names.
• Updated CWE classification category orders for Out-of-date templates.
• Improved Cross-site Scripting attack pattern.
• Added support for exploiting local storage and session storage in the DOM XSS security checks.
• Added highlighting support for custom scripts.
• Added Web Application Firewall to the site profile.
• Changed the default ignored parameter comparison to case insensitive.
• Added 'Is Encoded' option to OAuth2 parameters.
• Added JWT Token pre-request script template.
• Added the CSP Not Implemented that will be reported as confirmed.
• Added the Subresource integrity not implemented that will be reported as confirmed.

FIXES

• Fixed the issue that Content-Type header missing was reported when there was no content in the response.
• Fixed the issue FP JWT was reported in a not found response.
• Fixed the issue possible and confirmed vulnerabilities reported in the same URL.
• Marked weak TLS ciphers.
• Fixed the issue proof that was generated even when the proof generation option was disabled in the scan policy.
• Fixed FP WAF Identified.
• Fixed the issue vulnerability count in root node is not updated when a vulnerability is removed and Blind XSS was prioritized over the Reflected Cross-site Scripting.
• Fixed the issue source code disclosure is reported in binary responses.
• Fixed the issue fingerprint checker crashes when an applications file could not be found.
• Fixed the issue object-src missing was reported when default-src is provided in CSP security checks.
• Fixed the issue that some cipher suites are not reported as weak.
• Fixed the issue classification links were not rendered correctly when there are multiple values.
• Fixed the issue proof prefix was added when there were no more characters to be found.

NEW FEATURES

• Added Authentication Profiles
• Added the Overall Latest Version field to out-of-date vulnerabilities
• Added multiple vulnerabilities reporting support to passive and singular custom scripts
• Added Acunetix 360 integration

NEW SECURITY CHECKS

• Implemented JSON Web Token (JWT) security check
• Added the SSL Certificate is About to Expire security check
• Added StackPath Web Application Firewall (WAF) detection.
• Added Identified, Version Disclosure, and Out-of-date security checks for Atlassian Proxy Server.
• Added Identified, Version Disclosure, and Out-of-date security checks for JavaServer Pages
• Added Identified, Version Disclosure, and Out-of-date security checks for Kong Server
• Added Identified, Version Disclosure, and Out-of-date security checks for Liferay Digital Experience Platform.
• Added Identified, Version Disclosure, and Out-of-date security checks for Taleo Web Server
• Added Version Disclosure and Out-of-date security checks for Sugar Customer Relationship Management (CRM)
• Added Version Disclosure and Out-of-date security checks for Squid
• Added Identified and Out-of-date security checks for Magento
• Added Out-of-date security check for Daiquiri
• Added Identified security check for Plesk (Windows)
• Added Identified security check for Vegur
• Added Identified security check for HupSpot
• Added Identified security check for DataDome
• Added Identified security check for Craft CMS
• Added Identified security check for Windows Azure Web Apps
• Added Identified security check for OpenVPN Access Server
• Added Identified security check for Squarespace
• Added Identified security check for Plesk (Linux)
• Added Identified security check for Lighthouse
• Added Identified security check for BitNinja Captcha Server
• Added Identified security check for Pardot Server

IMPROVEMENTS

• Added Scan Paused, Scan Resumed, Scan Canceled, and Scan Finished states to the log category.
• Send to Request Builder option is now visible for Issue Group Nodes
• Added page type field to vulnerability reports
• Added Authentication Profile name to reports
• Improved RAML Importer to import the ZIP files
• Added application name and version information to a vulnerability report
• Implemented Swagger path parameter default value
• Fixed a Dom XSS scan stuck issue
• Fixed Daiquiri Identified reporting redundant custom field issue.
• Improved Common Weakness Enumeration (CWE) classifications for Out-of-Date Version vulnerabilities
• Added a new Akamai Content Delivery Network (CDN) detection signature
• Added a new Varnish Cache detection signature
• Added missing Identified security checks for the existing technologies
• Improved the summary section of the Version Disclosure template for SharePoint
• Improved TRACE/TRACK Method Detected security check
• Improved SVN Detected security check
• Improved Version Disclosure security check and report template for Phusion Passenger
• Improved Caddy Web Server Identified security check.
• Improved WAF Identifier security check.
• Added Blind SQL Injection security check with a new XOR payload for MySQL
• Proxy credential passed to Chrome page authentication
• Vulnerabilities ordered by severity in the Comparison Report

FIXES

• Fixed Invicti license decrypt problem
• HTTPS Requests are recorded as HTTP
• Fixed the requested security protocol is not supported error
• Fixed handling Protocol Buffers encoding type
• Fixed miswritten product name
• Fixed Phusion Passenger version disclosure template and added Out-of-Date mapping
• Fixed analyzing headers even if the identification source is the crawler
• Fixed an issue that may cause deadlock during adding items to Sitemap
• Fixed an issue that caused out-of-scope URLs to be scanned when the override target URL option is enabled and the authentication is failed while scanning.
• Fixed issue where headers in Postman collection were not replaced with variables
• Fixed an issue that cause SSL validation callback returns invalid SSL certificates as out-of-scope links
• Added disable-feature flag to the browser manager
• Fixed a null reference exception while generating Knowledge Base report
• Rare error when loading overlay window showed was ignored
• Fixed out-of-scope imported links showing in Knowledge Base Rest API List
• Fixed a detection issue with the Akamai CDN signature.
• Fixed a detection issue with Tomcat Identified security check.
• Fixed the signatures of phpMyAdmin Identified security check
• Fixed big size upload error
• The Exclude Authentication Page option will be checked if there is a selected authentication profile
• Fixed DPI settings at Custom Script Dialog
• Disabled GPU acceleration to prevent rendering errors and black bars
• Fixed UI bugs at General Scan Profile Settings
• Fixed issue max page visit was not received but showing in Knowledge Base because of max signature limit
• Fixed Custom 404 Regex in Invicti Enterprise scan data is shown as Auto 404 at Invicti Standard
• Fixed malformed VDB exception while getting the latest version of the application
• Severity null control added to the Vulnerability Profile dialog
• Fixed a non-recurring parameter while logging in with auto-authenticator
• Fixed Scan Policy Report migration primary key error
• Fixed saving Crawl & Attack option to the Scan Profile
• Fixed Logout detection window shows first entered URL for every login simulation error
• Fixed reporting false positive HSTS vulnerability

NEW FEATURES

• Added TLS 1.3 support
• Added the character limit setting for Blind SQL Injection proof generation and enabled proof generation by default
• Added the Common Vulnerability Scoring System field to the known vulnerabilities
• Added the Vulnerability Database version to the scan logs

IMPROVEMENTS

• Improved IPv6 support to cover all SSL checks
• Added an advanced setting option to turn on/off the "disable-web-security" command line option while launching chromium
• Added the redirect navigation support for DOM Parser
• Fixed Ghost Chromium problems and DOM simulation leaks
• Added multiple ISO Classification support
• Added alphabetical order to the Knowledge Base nodes
• Updated Invicti Shark (IAST) licensing
• Improved WAF Identification checks to prevent false positives
• Added CVSS3.0 and CVSS3.1 scoring for HSTS Policy Not Enabled
• Improved Open Redirection checks
• Updated Capture Group for OpenResty Version Disclosure
• Updated DS_Store File Found Report Template
• Changed the Referrer-Policy Report Template names to be more accurate
• Refined Possible Stored XSS Vulnerability template
• Added missing external references to SSL Templates that are removed after the merge
• Added IAST suffix to titles of vulnerability detected by Invicti Shark
• Updated OpenSSL regex
• Updated OpenSSL version disclosure regex
• Updated SSTI patterns to use specific type to match code execution patterns

NEW SECURITY CHECKS

• Added Short XSS Attack to bypass character limit checks
• Added Revoked SSL Certificate check
• Added SSL Certificate's Name and Hostname Mismatch security check
• Added SSL Certificate is not signed by a trusted root certification authority security check
• Added Daiquiri Identified security check
• Added Expired SSL Certificate security check
• Added ZSH History File Detected
• Added DOM XSS pattern for the script SRC Injection

FIXES

• Fixed an issue with simultaneous access to the same object while updating the sitemap during scanning
• Fixed unexpected error when saving parse from URL in form values screen
• Fixed the Chrome address bar displaying in different resolutions on the verify login form
• Fixed the detected logout status when an unreachable link is given
• Fixed the customization menu at the form authentication's custom script dialog
• Fixed unsupported browser issue for Headless Chromium
• Fixed weak ciphers not reported for additional websites issue
• Fixed ignoring weak ciphers check because of the ROBOT attack
• Fixed logging HTTPS requests as HTTP when LogHttpRequests option is enabled
• Updated Invicti Updater icons
• Fixed an issue where the Postman Importer ignores the authorization header that is defined in a request item
• Updated requester not to send Accept-Language header if it is not enabled in a scan policy
• Fixed an issue that occurred when exporting custom reports generated from Compliance, Detailed Scan, and Executive Summary report
• Fixed a synchronization problem while creating puppeteer instances
• Fixed an issue where external schema was not added when importing WSDL
• Fixed the Write Lock Leak in LinkPool
• Disabled mouse wheel on the Include/Exclude URLs with Regex radio group
• Fixed the typo in the jQuery validation out-of-date vulnerability type
• Fixed the issue Untrusted Root certificate was not reported on the self-signed certificates
• Fixed the issue that the wrong version was reported in the web app fingerprinting
• Fixed False Positive weak credentials vulnerability
• Fixed the issue that logs were not correctly formatted in the Logs panel
• Fixed the issue that SSL vulnerabilities found in additional sites might be reported in the wrong URL
• Fixed the issue that authenticated link was not crawled
• Fixed the issue that the proof URL was not added to XSS
• Fixed word-wrapping in Tags label in the Azure DevOps Send to Action Configuration Wizard
• Removed the logging for the replacing control characters in headers
• Changed the log level of DOM simulation timeout from Error to Warning
• Fixed the issue that another hash was appended to URLs with a fragment on DOM XSS attacks
• Fixed the issue that SSL certificates were not analyzed for each website when there are additional websites
• Fixed the issue that URI fragment was parsed incorrectly
• Fixed OpenSSL version disclosure regex
• Fixed WS_FTP Log check
• Fixed F5 BIG-IP WAF detection
• Fixed the typo in the jQuery Validation Out-of-date Vulnerability type
• Fixed Extractor for Lodash in repository.json by adding a new function
• Fixed WildFly regex for the WildFly Application Server Identified
• Fixed Whoops Error Handling framework signature
• Fixed the signature for Liferay Portal Identified
• Fixed Version Disclosure for Artifactory by adding missing custom field tag
• Fixed regex of Grafana Version Disclosure
• Fixed OpenResty regex for Version Disclosure
• Fixed the regex of Liferay Portal Version Disclosure pattern

IMPROVEMENTS

• Added IAST suffix to titles of vulnerabilities identified by Invicti Shark

FIXES

• Fixed the issue that custom fields were removed when a vulnerability was cached
• Fixed a typo in the Invicti Shark dialog
• Fixed the issue that Invicti Shark responses were reported as comments in the Knowledge Base
• Fixed the issue that Invicti Shark engines were not enabled on old scan policies
• Fixed renaming default scan profile while using the Invicti Shark configuration with test websites
• Fixed setting explicit logout URL from the authentication verification dialog
• Fixed an NRE that occurred while opening the Invicti Enterprise options panel in Invicti Standard

NEW FEATURES

• Added NIST SP 800-53 compliance classification and report template.
• Added DISA STIG compliance classification and report template.
• Added the OWASP ASVS 4.0 classification and report template.
• Added header and footer section to customize reports.
• Added an option to customize POST attacks for the Open Redirect engine.

NEW SECURITY CHECKS

• Added PHP magic_quotes_gpc Is Disabled security check.
• Added PHP register_globals Is Enabled security check.
• Added PHP display_errors Is Enabled security check.
• Added PHP allow_url_fopen Is Enabled security check.
• Added PHP allow_url_include Is Enabled security check.
• Added PHP session.use_trans_sid Is Enabled security check.
• Added PHP open_basedir Is Not Configured security check.
• Added PHP enable_dl Is Enabled security check.
• Added ASP.NET Tracing Is Enabled security check.
• Added ASP.NET Cookieless Session State Is Enabled security check.
• Added ASP.NET Cookieless Authentication Is Enabled security check.
• Added ASP.NET Failure To Require SSL For Authentication Cookies security check.
• Added ASP.NET Login Credentials Stored In Plain Text security check.
• Added ASP.NET ValidateRequest Is Globally Disabled security check.
• Added ASP.NET ViewStateUserKey Is Not Set security check.
• Added ASP.NET CustomErrors Is Disabled security check.
• Added PHP session.use_only_cookies Is Disabled security check.
• Added new Blind SQL Injection attack pattern.
• Added Jinjava SSTI security check.
• Added Whoops Framework Detected security check.
• Added CrushFTP server detected security check.
• Added database error message signature pattern for Hibernate.
• Added Identified, Version Disclosure, and Out-of-date security checks for W3 Total Cache.
• Added Identified, Version Disclosure, and Out-of-date security checks for Next.JS React Framework.
• Added Identified, Version Disclosure, and Out-of-date security checks for Twisted Web HTTP Server.
• Added Identified, Version Disclosure, and Out-of-date security checks for Werkzeug Python WSGI Library.
• Added Identified, Version Disclosure, and Out-of-date security checks for OpenResty.
• Added Identified, Version Disclosure, and Out-of-date security checks for GlassFish.
• Added Identified, Version Disclosure, and Out-of-date security checks for Resin Application Server.
• Added Identified, Version Disclosure, and Out-of-date security checks for Plone CMS.
• Added Identified, Version Disclosure, and Out-of-date security checks for Trac Software Project Management Tool.
• Added Identified, Version Disclosure, and Out-of-date security checks for IBM RTC.
• Added Identified, Version Disclosure, and Out-of-date security checks for Tornado Web Server.
• Added Identified, Version Disclosure, and Out-of-date security checks for Jetty Web Server.
• Added Identified, Version Disclosure, and Out-of-date security checks for Axway SecureTransport Server.
• Added Identified, Version Disclosure, and Out-of-date security checks for Artifactory.
• Added Identified, Version Disclosure, and Out-of-date security checks for Gunicorn Python WSGI HTTP Server.
• Added Identified, Version Disclosure, and Out-of-date security checks for IBM Security Access Manager (WebSEAL).
• Added Identified, Version Disclosure, and Out-of-date security checks for Nexus OSS.
• Added Identified, Version Disclosure, and Out-of-date security checks for Cowboy HTTP Server.
• Added Identified, Version Disclosure, and Out-of-date security checks for Python WSGIserver.
• Added Identified, Version Disclosure, and Out-of-date security checks for Restlet Framework.
• Added Identified, Version Disclosure, and Out-of-date security checks for Phusion Passenger.
• Added Version Disclosure and Out-of-date security checks for Liferay Portal.
• Added Version Disclosure and Out-of-date security checks for Tracy debugging tool.
• Added detection for Varnish HTTP Cache Server.
• Added detection for SonicWall VPN.
• Added detection for Play Web Framework.
• Added detection for Private Burp Collaborator Server.
• Added detection for LiteSpeed Web Server.
• Added detection for JBoss Enterprise Application Platform.
• Added detection for JBoss Core Services.
• Added detection for WildFly Application Server.
• Added detection for Oracle HTTP Server.
• Added version disclosure Daiquiri security check.

IMPROVEMENTS

• Added Wordlist Entries feature to the Resource Finder security check group
• Added CVSS3.0 and CVSS3.1 scoring for HSTS Policy Not Enabled.
• Improved Open Redirect attack patterns.
• Improved TLS 1.0 issue remediation reference.
• Added WCF service support to WSDL importer.
• Added a fix to reduce the possibility of an out-of-memory problem.
• Added authentication support to system proxy for PAC file.
• Verification dialog remembers old logout keywords.
• Added scan profile information and URL to all reports.
• Added bypass list for scan policy settings.
• Added scan scope variables to the Pre-Request Scripts.
• Added information label to the Pre-Request Script settings panel
• Added a fail tolerance to Puppeteer launch.
• Improved Tomcat signature patterns.
• Improved authenticator not to store the plain password in the request data
• Added HTTP Request Logger to authentication
• Added Canada region to the Invicti Enterprise settings
• Added tooltip to the Excluded Usage Trackers feature.
• Removed X-Scanner header from default scan policies
• Added new sensitive comment patterns.
• Revised the description of the Resource Finder checks option.
• Removed header and footer settings for reports that do not contain header and footer in the save report dialog.
• Added Incremental Scan to Knowledge Base reports.
• Updated Invicti Standard splash screen.

FIXES

• Fixed Lodash Identified security check signature.
• Fixed WebLogic Version Disclosure security check signature.
• Fixed Whoops Error Handling Framework Identified security check signature.
• Fixed Zope Web Server Version Disclosure security check signature.
• Fixed Grafana Version Disclosure security check signature.
• Fixed ASP.NET MVC Version Disclosure security check signature.
• Fixed Telerik Version Disclosure vulnerability severity to be low.
• Fixed IIS Version Disclosure vulnerability severity to be low.
• Fixed the grammar issues at the CSP Not Implemented report template.
• Hide the scope tooltip at the manual authentication panel.
• Fixed the order of Out-of-Date vulnerabilities; now sorting vulnerabilities by their severities.
• Fixed the issue "link stuck error" was repeated many times in the scan logs.
• Fixed the typo in the Pre-Request Scripts Menu.
• Fixed a few typos in the Impact descriptions.
• Fixed validating WAF settings before trying to test WAF connection
• Fixed the issue where the Exclude Authentication Pages option could not be manually disabled when the Form Authentication is enabled.
• Fixed an issue where the Form Authentication verification dialog loses focus and disappears.
• Fixed directory modifiers limit usage
• Fixed sending previous request headers while navigating to the Form Authentication's latest response URL.
• Fixed an issue where the custom script dialog failed to display login page when requests encoded with Brotli
• Fixed an issue that causes Reflected Parameter analyzer attacks to the ignored parameters when the breach engine is disabled
• Fixed an issue that may cause the null reference exception when reflected parameter analyzer working
• Fixed an issue that caused WASC ID is not sent properly in the Kenna Send To Action
• Fixed an issue where the HTTP request is not redirected to HTTPS when Strict Transport Security is enabled
• Fixed an issue that caused DOM simulation to fail because of the null windows and elements
• Fixed an issue that is caused by NTLM, Kerberos, Negotiate authentication credentials send with every request without challenge
• Fixed an issue that causes the Pre-Request Script requests to be ignored when its method is disallowed from the Scope settings
• Fixed an issue that causes raw request created without cookies
• Added SSL, Attack Possibility, and JavaScript files to Knowledge Base
• Fixed the order of classification report ribbon menu.
• Fixed handling the invalid characters of request headers set from the Pre-Request Scripts.
• Fixed the tooltip of Send To Tasks button at the ribbon
• Fixed unwanted warning on the auto authenticator
• Fixed date and time zone problem on Swagger file.
• Fixed null reference exception on excluded URL check.
• Fixed multiple instance knowledge base render problem.
• Fixed reporting style issues.
• Fixed relativity of the charts in the Comparison Report.
• Fixed grid showing on the logout detection screen.
• Fixed scan resuming problem on unavailable host.
• Fixed pop-up problem on the DOM simulation for better performance.
• Fixed the logo at the Knowledge Base render error page.
• Fixed an issue which causes unhandled exception when the link clicked multiple times on authentication verify dialog when interactive login is enabled
• Fixed internet connection problem at test site configuration dialog.
• Added information label to the Azure Configuration wizard.
• Fixed request and response results in out-of-band vulnerabilities.
• Fixed Blind SQL Injection cache issue.
• Fixed wrong expiry time for cookie which occurs at DOM simulation.
• Fixed the null reference exception while checking the source type.
• Fixed the Basic Authentication header problem for chromium requests.
• Fixed the null reference exception while getting authorization tokens.
• Fixed an issue where XSLT requests are not intercepted.
• Fixed Netsparker Helper Service dll not found issue.
• Fixed the client certificate selection issue while logging in to the target website.
• Fixed session storage problem at DOM simulation.
• Fixed upload request problem that creates false positive at LFI engine.
• Fixed chromium errors at authentication
• Fixed the unhandled multiple choices redirect status code at requester.
• Fixed the keyword-based logout detection stuck when the pop-up opened at chromium browsers.
• Fixed the Generate Exploit button label in the ribbon menu and vulnerability pop-up menu.
• Fixed an issue where the form value parser was not working.
• Fixed unauthorized request handling in the license view.
• Fixed an issue that causes invalid parent issue selection if Check Inverse is used at Security Checks
• Fixed maximum logout detection issue.
• Fixed the typo in the Pre-request Scripts menu.
• Fixed a few typos in the Impact descriptions.
• Fixed the issue that email disclosure was reported without identified email addresses.
• Fixed an issue in the scan policy optimizer where the DOM preset was set wrong.
• Removed URL signature field from the phpinfo detection pattern.
• Fixed Perl version disclosure pattern.
• Fixed the issue that movable type cannot be detected because the app name contained whitespace.
• Removed the Fiddler core dependency from Fiddler Importer that caused issues in Linux agents.
• Fixed the custom script dialog title.
• Fixed the signature of Python version disclosure pattern.
• Fixed the issue that charset error was repeated many times in the logs.
• Fixed the issue that the attack parameter name was not displayed on error based SQL injection vulnerabilities.
• Fixed an ArgumentNullException that was thrown when the proxy bypass list is null.
• Fixed the request parsing error in TCP Requester.
• Fixed the issue that header and footer were mixed up in the reports.
• Fixed info icons position in the Knowledge Base reports.
• Fixed the issue XSS payload was not highlighted correctly.
• Fixed the typo in the base scan CLI argument.
• Fixed the issue that the confirmation dialog was not displayed when the delete rows button in the context menu is used.
• Fixed the inconsistencies in the summary page of Asana configuration wizard.
• Fixed tooltip enabled/disabled states in Form Authentication, Client Certificate, and Smart Card Authentication settings.
• Fixed the issue that search results were not highlighted correctly.
• Fixed the issue that URL was not correctly encoded in Send To Action templates.
• Fixed the issue request.Headers was empty in custom script API.
• Fixed the issue Mithril version could not be detected.
• Fixed the issue that SSTI could not be detected consistently because the code execution patterns were not loaded correctly.
• Fixed the issue that version disclosure vulnerabilities were always fixed in retest.
• Fixed the issue that causes FP Open Redirection because of the improper decoding of location header
• Fixed Swagger parser that caused importing object with a parent node while the object is inside an array

NEW SECURITY CHECKS

• Added Oracle WebLogic Server Remote Code Execution (CVE-2020-14882)
• Added Oracle WebLogic Server Authentication Bypass (CVE-2020-14883)

NEW FEATURES

• Added a new signature limit for URL Rewrite matched links
• Added a crawling limit for Not found (404) links
• Added a WASC Classification Report template
• Added an option to exclude authentication pages and removed authentication related regexes from the default settings

NEW SECURITY CHECKS

• Added Out-of-date security checks for the Liferay portal
• Added Version Disclosure and Out-of-date security checks for Jolokia
• Added Nested XSS security checks
• Added an ASP.NET Razor SSTI security check
• Added a Java Pebble SSTI security check
• Added a Theymeleaf SSTI security check
• Added Version Disclosure and Out-of-date security checks for Grafana

IMPROVEMENTS

• Improved custom scripting to send raw requests
• Improved the authenticator to hide passwords in request data in order to prevent exposing them in reports
• Added an Auto Follow Redirect setting to the Advanced settings
• Added request and response details to Out of Band vulnerabilities
• Improved logging for timed out regexes in the Javascript Library Checker
• Updated signature of Stack Trace/Custom Stack Trace (Python)
• Improved the memory consumption on long running scans

FIXES

• Fixed an error that was caused when parsing duplicate response content-type headers
• Updated Invicti logos, splash screen and icons
• Fixed reporting of Crawl Performance for crawl-only scans
• Fixed an issue where Form Value Errors were occurring after simulation was finished
• Fixed the Maximum Body Length exceeded log message
• Fixed the log level of the Dom Parser's ignored link message
• Fixed the Jira Send To application description
• Fixed an issue that occured when the content-type and accept header was used in a parameter in the Open API (Swagger) file
• Fixed an issue where the custom Comparison Report was not generated
• Fixed an ArgumentNullException that was occuring in the TestSiteConfiguration dialog
• Disabled the LFI button for possible xxe
• Fixed a certificate error problem on the new ssl checker
• Fixed the timezone problem on reports
• Fixed the Executive Summary Report title
• Fixed an ArgumentException that was thrown when the URI was empty
• Fixed HIPAA classification links
• Fixed the issue where the Invicti session importer did not import all links from the session
• Fixed the bug where the URL was split incorrectly when a segment contained the file extension
• Fixed the issue responses that were not being analyzed in the Signatures engine during the re-crawl phase
• Fixed the HIPAA classification link when there are multiple classifications
• Removed plugin functions that are used to detect bootstrap to prevent false positive versions from being reported
• Fixed NRE in the static detection engine
• Fixed the Swagger parser that caused an object to be imported with a parent node while the object was inside an array

IMPROVEMENTS

• Added a highlight icon to the attack parameters on the vulnerability reports
• Added a report URL to the scheduled reports

FIXES

• Fixed a ObjectDisposedException that was occasionally thrown when the attacker started in manual proxy mode
• Fixed a NRE that occurred when exporting a report from a scheduled scan
• Fixed an issue caused when the login page identifier was disabled in the Scan Policy
• Fixed an issue where the Jira Send To Action failed to create an issue when the components field did not exist in the project
• Fixed the issue where the content type was not parsed correctly when there were multiple Content-type headers
• Fixed the issue where responses were not being analyzed in signature detection in the re-crawl phase.
• Fixed the list of enabled security checks on reports
• Changed the Sans Top 25 classification name to CWE on reports

NEW SECURITY CHECKS

• Added an F5 Big IP LFI (CVE-2020-5902) attack pattern
• Added out of date checks for Apache Traffic Server
• Added version disclosure for Undertow Server
• Added out of date checks for Undertow Server
• Added version disclosure for Jenkins
• Added out of date checks for Jenkins
• Added signature detection for Kestrel
• Added detection for Tableau Server
• Added detection for Bomgar Remote Support Software
• Added version disclosure for Apache Traffic Server

IMPROVEMENTS

• Added Request API to Form Authentication's Custom Script
• Added ability to add, edit and remove HTTP parameters and headers from Custom Security Check requests
• Improved the Jira Send To Action to include a new Components field
• Improved the SSL security check implementation
• Improved the design of default Report Templates

FIXES

• Fixed a memory leak in the Attacking phase
• Fixed a CSS Parser issue that caused infinite loops while parsing invalid css files
• Fixed an Attacker issue that caused a memory leak
• Fixed a Null Reference Exception that occurred during crawling
• Fixed the parsing of duplicate content-type headers

NEW FEATURES

• Added Pivotal Tracker Send To integration
• Added test website (Target URL) configuration to enable the scanning of REST websites with selected XML and JSON mime type(s)
• Added ability to add, remove or edit request parameters, headers and edit the request body in pre-request scripts
• Added a Fragment Parsing checkbox to the Crawling tab of the Scan Policy Editor dialog

NEW SECURITY CHECKS

• Added a new vulnerability for Same Site Cookies that are set to None and not marked as secure

IMPROVEMENTS

• Improved the Webhook Send To Action to enable it to send data from the query string when the POST or PUT method is selected
• Improved the Jira Send To Action to include Epic Key and Epic Name fields
• Updated the default value for Allow Out-of-scope XHR requests from False to True, to improve the simulation process
• Improved Form Authentication to capture All Authorization Headers instead of just Bearer Authentication Tokens
• Improved the scan performance with memoization of Passive Security Checks
• Optimized Stored XSS checks to eliminate unnecessary DOM simulations in PermanentXssSignature
• Optimized signature detection to avoid executing unnecessary Regex checks
• Improved the attack payload of the Open - Integer (MySQL) pattern

FIXES

• Fixed the problem where the authentication header was parsing if an empty OAuth2 token type was provided
• Fixed a typo in the XSS vulnerability template
• Fixed a typo in Expect-CT engine error message
• The WAF Identified dialog is no longer displayed when Invicti is started from the command line in Silent Mode
• Fixed an issue that meant the Target URL was not crawled when the Override Target URL with authenticated page checkbox was enabled in the Form Authentication tab of the Start a New Website or Web Service Scan dialog
• Fixed the visibility of the scan search bar
• Fixed the Regex Pattern of the BREACH Engine's sensitive keywords
• Fixed an issue where the Possible OOB Command Injection Vulnerability was reported as confirmed
• Fixed the exception that was thrown if the script file name was empty when the Execute button was clicked in the Custom Scripts panel
• Fixed the problem where the XXE engine was reporting a false positive on possible XXEs
• Data Type Mismatch errors are now ignored while importing OpenAPI (Swagger) documents
• Fixed an issue where Authentication Verification was failing to complete in Silent Mode when the Target URL was unreachable
• Fixed an issue that caused the crawler to be exited abnormally and stopping the scan when Invicti Assistant changed the Scan Settings
• Fixed a NullReferenceException in the Custom Scripts panel
• Fixed an issue that caused the link to get stuck in Crawling causing the scan to take too long
• Fixed a NRE that occurred when a Retest was performed on an imported scan
• Fixed an issue that occasionally caused scans to hang when the Target URL timed out on requests
• Removed an extra semicolon from the Actions to Take section of the Insecure Transportation Security Protocol Supported vulnerability templates

IMPROVEMENTS

• Added an image injection pattern to the Blind Cross-site Scripting security check
• Added Script Type information to the comment section of the Custom Security Check scripts
• Added the ability to show the Custom Scripts Panel without opening a scan

FIXES

• Fixed an issue so that the JavaScript configuration in the Scan Policy is saved when it is updated by Invicti Assistant
• Fixed an issue where the web proxy was not being used while connecting to Invicti Enterprise
• Fixed an issue where the Custom Scripts were not executing inside pop-up dialogs that open during Form Authentication
• Fixed an issue wherelogouts was not detected with single page applications that used Form Authentication

FIXES

• Fixed a case sensitivity issue in Imported Links which caused Content-Type headers to be sent without requests
• Fixed an issue where the WAF Identification notification dialog was occasionally unclickable
• Fixed issue links for the Azure Send To Action to match Azure's new link scheme
• Fixed an issue that caused the computer to go into Sleep mode even when the advanced PreventSleepModeDuringScan setting was enabled

NEW FEATURES

• Added a new Form Validation Errors node to the Knowledge Base panel, and to scan reports, to show Form Validation errors
• Added the capability to abort requests from the Pre-Request Scripts tab of the Start a New Website or Web Service URL dialog
• Added CVSS 3.1 support, to help with vulnerability scores
• Added a new Query Parameters checkbox to the Parameter-Based Navigation section of the Crawling tab in the Scan Policy Editor

NEW SECURITY CHECKS

• Added a Login Page Identified security check
• Added a Content Delivery Networks (CDN) security check
• Added a Reverse Proxies security check

IMPROVEMENTS

• Added two new settings to the list available in the Advanced tab of the Options dialog, including DisableRequestParametersReordering (to disable the reordering of query parameters) and DisableIriParsing (to change the IRI parsing configuration of the .NET framework)
• Improved the ability to crawl URLs with fragments
• Added reflected parameter names and sensitive keywords to the BREACH Attack's report template
• Added a metadata section to the Custom Security Check scripting templates in the Custom Script Checks section of the Security Checks tab in the Scan Policy Editor
• Added extra information to error reports
• Added a check for the vulnerability GUIDs used to create vulnerabilities in Custom Security Check scripts

FIXES

• Fixed the tab order in the Scan Profile settings in the Start a New Website or Web Service Scan dialog
• Resized the Type column in the Logs panel
• Added a scrollbar to the Get Shell panel
• Fixed an issue that prevented a backspace key from working in Save Profile As dialog's name editor
• Fixed the issue where vulnerabilities' Fixed states were not updated following a Controlled scan
• Fixed an issue that prevented custom fields from being rendered for the YouTrack Send To Action
• Added missing tooltips to the Enabled check box of the Script Settings and Manual Authentication settings panels
• Added a Frame Injection XSS pattern
• Fixed a typo in the Copy to Clipboard tooltip
• Fixed the issue where POST parameters were not parsed correctly in the HAR importer
• Fixed the location of the Override Version vulnerability severities ch
• Fixed the typo in the description of the NotifiedExpiringLicenses setting
• Fixed an issue in the JSON Response panel that caused the Address textbox to be editable instead of read-only
• Fixed an localization issue that occurred while displaying severities in the Vulnerability Editor dialog in the Report Policy Editor
• Fixed escaping Form Authentication's Custom Script username and password.
• Fixed the problem where day-long scan durations were not displaying correctly in the Knowledge Base reports and screens
• Fixed a couple of design problems in reports
• Fixed the usage of the '/v' command line parameter
• Updated the default User-Agent
• Fixed the scheduling of Incremental Scans to be consistent with the regular Incremental Scan, so that the system checks for the current session and offers the option to use it as the base scan before trying to open a scan file
• Fixed typos in the tooltips in URL Rewrite tab of the Start a New Website or Web Service Scan dialog
• Fixed problem caused by a missing obfuscation exclusion in the License validation process
• Fixed the issue where the wrong engine was selected in Controlled Scans when a vulnerability was detected by a Custom Script
• Fixed the issue where localized values were not displayed for some custom fields
• Fixed the issue where duplicate notifications were displayed following the import and export of scans
• Fixed a Null Reference Exception that was caused when Basic, NTLM/Kerberos Authentication settings were null in old profile files
• Fixed an issue where the default values were not set for the Scan Policy Optimizer options' properties while deserializing a Scan Policy
• Fixed an issue that caused the same Authentication method to be added twice in the Basic, NTLM/Kerberos Authentication settings
• Updated OpenAPI.NET to 1.1.4 version to support the latest Swagger files
• Fixed the issue where single engines were not working in the Import Only scan mode
• Fixed an issue where the Request body was encoded improperly, caused an error following the sending of requests
• Fixed some typos in the WAF Identified dialog, along with some refactorings
• Fixed the issue where Incremental Scan caused unnecessary DOM simulations

IMPROVEMENT

• Null values have been changed to an empty string on text-based reports to avoid integration problems

FIXES

• Updated the Singular Scripting Check's script template
• Fixed an issue where migrating old Scan Profiles files failed to produce authentication information
• Fixed an issue where cookie domains were not set for cookies that were set in a JavaScript context and captured during DOM simulation
• Fixed an Out of Memory exception that was caused when the target web application had HTML attributes with long string values
• Fixed the issue where the text was trimmed when it contained null bytes when copied from the Raw Request/Response panels to the clipboard
• Fixed an issue where the value of the cookie source custom field was incorrect
• Cookies are no longer analyzed if the Cookie checks are disabled in the Scan Policy
• Fixed an issue where an error message was not shown for empty fields while using the Create Samples Issue feature in the TFS Send To Actions panel
• Fixed a NullReferenceException that was thrown during Manual Proxy scans when the 'Do not expect challenge' option was enabled in the Basic, NTLM/Kerberos Authentication tab
• Fixed an incorrect 'Login confirmation has failed' log
• Fixed a NullReferenceException that was thrown in the Keyword Based logout detection

IMPROVEMENTS

• Added a new field to the Out-of-date Vulnerabilities that specifies end of life date for abandoned branches
• Added missing tooltips to the Enabled check box of Script Settings and Manual Authentication Settings panels
• Added missing XML documentations to the Custom Scripting templates

FIXES

• Updated Youtrack Send To action to render custom fields
• Fixed an issue where dock panels were not properly initialized when a command line argument was provided and autopilot mod was off
• Fixed an issue that caused a rendering problem in the login/logout detection and the custom script panels
• Fixed duplicate listing of authentication types in OAuth2 settings panel
• Fixed an issue where the Sitemap sorting method was not being applied when None method was selected

IMPROVEMENTS

• Added Reflected Parameter and matched sensitive keyword names to the Breach Attack vulnerability report
• Additional websites information will now display 'None' in reports when there are no additional websites set for a scan

FIXES

• Fixed the JSON Metadata Regex check to match the whole JSON object instead of each part separately
• Fixed responses with a '201' status code so that they are ignored by the OAuth2 authentication flow
• Fixed an issue where ignored parameters were displayed as attack parameters in reports
• Fixed an issue where reporting options were not being applied in scheduled scans
• Fixed a memory and GDI object leak in the Imported Links dialog
• Fixed an OutOfMemoryException that was thrown while generating reports
• Fixed an ArgumentOutOfRangeException in CsrfEngine that was thrown when form instance contained a negative start index
• Fixed an issue where incorrect links were being captured from JavaScript contexts

NEW FEATURES

• Added Invicti Enterprise Integration to the license activation dialog which enables the activation of a license using the Invicti Enterprise Information
• Added a WAF Identification feature that detects whether the target website is using a Web Application Firewall that blocks Invicti attacks, and warns the user about it
• Added a SANS Top 25 Scan Policy and report
• Added login confirmation to ensure that Invicti was able to acquire an authentication session after conducting the login sequence, in order to notify users in case of any failure due to changed credentials
• Added an Auto Export feature which enables the automatic export of all old session files not previously uploaded to Invicti Enterprise when connected to its servers
• Added FortiWeb WAF integration
• Added YouTrack Send To integration
• Added Freshservice Send To integration

NEW SECURITY CHECKS

• Added version disclosure and out-of-date checks for Telerik Web UI
• Added detection and out-of-date checks for Java and GlassFish

IMPROVEMENTS

• Improved the Postman importer to generate URL Rewrite rules automatically from the postman file
• Added a new logout confirmation request to the Logout Detection process
• Updated the AttackUsage properties of mXSS patterns to increase scan performance
• Added a text field to the Report Policy Editor for displaying GUID values of custom vulnerabilities
• Added a Copy Rules button to the URL Rewrite tab in the Start a New Website or Web Service Scan dialog
• Added Region information to the new Invicti Enterprise Information section in the Invicti Enterprise tab
• Added search tags and a shortcut key to the Search tab on the ribbon
• Added the ability to sort the Name and Value grid view in the OAuth2 tab
• Added a warning about unsupported settings in the OTP column in the Form authentication tab
• Added a transparency feature to the Scan Search, accessed by pressing CTRL
• Added a URL to provide extra information to help distinguish similar results in the Raw Requests and Responses tabs
• Improved vulnerability summary suggestions to recommend that only confirmed vulnerabilities should be fixed immediately in the Executive Summary Report
• Improved the Report Policy using the CWE and SANS top 25 standards
• Added a new Max Response Headers Length option to the Advanced tab

FIXES

• Fixed an issue where the RedirectBodyTooLarge vulnerability was being falsely reported when the redirect location was triple encoded
• Fixed a NullReferenceException that was thrown in the ReflectedParameterAnalyzer component
• Fixed an issue where Invicti Assistant retains generated optimized Scan Policies even if it has been disabled
• Fixed the Pre-Request Script tab's Presets button's enabled state
• Fixed a visual text wrapping issue that occured when all Resource Finder options were selected in the Scan Policy Optimizer dialog
• Fixed an issue where the Proxy Authentication fields in Proxy tab of the Scan Policy Editor was not being disabled when the Use Current User’s Windows Credentials checkbox was selected
• Fixed an issue that caused Invicti to freeze when the Scan Finished dialog was displayed while another dialog was open
• Fixed the signature of the nginx.conf pattern
• Fixed an issue that caused the Total Vulnerability Count not to be updated when a vulnerability was removed from the Issues panel
• Fixed an issue that caused the wrong information to be copied about the node when Ctrl+C was used in the Issue and Sitemap panels
• Fixed an issue that caused the Context button to overlay the Vulnerability Counts icons in the Local Scans files tab
• Fixed an issue where the Import From File dropdown in the Imported Links tab was not displaying the last opened folder
• Fixed an issue that showed the wrong exception message in the Test Credentials dialog for the authentication tabs, when the website was unreachable
• Fixed WAF button display names in the Vulnerability tab on the ribbon
• Fixed a validation problem that occured in mandatory fields in the WAF settings tab
• Fixed an issue that caused the scrollbar color not to be applied in the request/response panel.
• Fixed an issue that showed the wrong tooltip in the Form Authentication tab's verified settings
• Fixed an issue that caused vulnerability counts to be calculated incorrectly when grouping the Issue panel by URL
• Fixed an issue that caused some 404 nodes to not be visible when a filter was applied using search text
• Fixed a problem that caused the generation of empty Comparison Reports
• Fixed an issue where version vulnerabilities could not be fetched from the database when application names contained space characters
• Fixed an issue that caused inconsistent sorting results for the Sitemap nodes.
• Fixed an issue that caused an ArgumentException in the CORS Checker
• Fixed an issue that caused the Exploit LFI panel to not display its content when the height was set too small
• Fixed the Extracted Version of Java Servlet Version Disclosure vulnerability so that it no longer includes a slash
• Fixed an issue where the WebLogic Server was occasionally being incorrectly reported as the Application server of the target website
• Fixed an issue where the XSS attack file had been overwritten, which caused the wrong injection request to be displayed when reporting Stored XSS vulnerabilities
• Changed the notifications icons, and removed unnecessary extra space from the unread Notifications button
• Fixed a NullReferenceException in the XSS Analyzer
• Fixed a scope issue in the Resource Finders and in the Drupal RCE Engine
• Fixed a subdomain problem in the Phishing by Navigating Tabs vulnerability
• Removed a context menu from the Send To Actions tab
• Fixed an issue that caused the template not to be applied in the Subscriptions context menu
• Fixed a grammatical error in an Invicti Assistant notification
• Fixed issues in the Blind SQL injection confirmation for redirects and timeouts
• Fixed an issue that caused OTP settings to be applied when Persona information was missing in the Form Authentication tab
• Fixed an issue that prevented the Local Scans' file's context buttons from being clicked when the scroll bar was displayed.
• Fixed the issue where Custom Field values were incorrectly displayed in older scans
• Fixed the signature patterns of the ASP.NET and Apache Module version disclosures so that they capture the version correctly
• Fixed the handling of null Responses in Requests made using the Pre-Request Script feature.
• Fixed a problem where a horizontal scrollbar was displayed in the search dialog
• Refactored the JSON Regex to eliminate excessive backtracking
• Fixed an issue where the Internal Proxy was updating headers that already had default values
• Fixed a problem in Report Templates where custom logos were incorrectly aligned
• Fixed a NullReferenceException error that was thrown when a Theme was not selected in the General tab of the Options dialog
• Fixed the Send To Action panel to display default names with normal font instead of bold
• Fixed an issue that caused a crash when an internal server error occurred during the export of a scan to Invicti Enterprise.
• Fixed the width of the grid view in the Report Policy Editor
• Fixed the focus back on the Sitemap and Issues panels after their search boxes are cleared
• Fixed a race condition in the parsing of the Finish Time calculation which caused an exception to be thrown
• Fixed a couple of localization problems in the Knowledge Base Report.
• Fixed URL alignment in reports

IMPROVEMENTS

• Added sort functionality to the grid view of the OAuth2 settings tab in the Start a New Website or Website Service New Scan dialog
• The default selected tab is now the first one in the Manual Authentication settings tab in the Start a New Website or Website Service New Scan dialog

FIXES

• Fixed an issue where empty Comparison Reports were still created even when report generation was canceled
• Fixed several visual defects in generated reports
• Fixed a race condition issue with DOM Simulation
• Fixed an issue where expired cookies were not being removed properly when they were set in a JavaScript context
• Fixed some Azure DevOps error messages
• Fixed an issue with GWT parsing where a request without a body was causing an exception
• Fixed a concurrency issue that was causing several exceptions that slowed down the overall scan performance
• Fixed an issue where the incorrect estimated finish time was shown in the progress panel
• Fixed an issue where DOM XSS attacks were failing on pages that had a POST request on the same page
• Fixed a NullReferenceException error that was thrown in the XSS analyzer
• Fixed an issue with SSL checks by improving the ClientHello structure with additional extensions

IMPROVEMENTS

• Added a QR Code feature to OTP settings that captures the settings from the QR code on the web page
• The Known Vulnerabilities list for Out-of-date Version vulnerability reports can now be expanded
• The Enabled Engines list on scan reports is now sorted alphabetically

FIXES

• Fixed an issue where importing the I/O Docs specifications from a zip file was not working properly
• Fixed a memory leak that was causing several issues with scans
• Fixed an issue where Referer headers were not being sent to DOM simulations

IMPROVEMENTS

• Improved GitHub Send To Action for GitHub Enterprise

FIXES

• Fixed several issues with scan reports
• Fixed an ArgumentException that was thrown when invalid characters were entered in the URL Rewrite tab in the Start a New Website or Web Service Scan dialog
• Fixed an issue in the Database Connection String Detected vulnerability report
• Fixed a NullReferenceException that was thrown during Progress bar updates
• Fixed an issue where the Logout Detection mechanism was occasionally triggered unnecessarily
• Fixed an issue where DOM XSS window.name attacks were not being detected properly
• Fixed the order of URLs in MIME Type node in the Knowledge Base
• Fixed an issue where ignored vulnerabilities were causing the vulnerability counter to increase
• Fixed an issue where the Content Type header was occasionally not sent
• Fixed an ArgumentNullException that was thrown while deserializing issues in Jira

IMPROVEMENTS

• Added Kenna Send To Action integration
• Added a database error signature pattern for Apache Derby databases
• Updated missing WASC and CWE values for vulnerabilities in the Default Report Policy
• Improved XXE vulnerability templates to provide more detailed information

FIXES

• Fixed an issue with the HTTP Request Builder where attack headers were being duplicated
• Fixed an issue where invalid version numbers were being added to the Site Profile node in the Knowledge Base
• Removed unnecessary customization and picture edit context menus from the What's New panel
• Fixed an issue where JavaScript cookies set in the context of popup windows that open during the login sequences of some websites were not being captured during Form Authentication
• Fixed an issue where recurring parameter optimization was causing non-recurring parameters to be marked as recurring

NEW FEATURES

• Added a scan search feature which is accessible from the CTRL+K shortcut that allows searching for anything in the scan
• Added a configuration wizard for GitLab Send To Action
• Added a Web Application Firewall tab to the Options dialog
• Added AWS WAF integration
• Added Cloudflare WAF integration
• Added SecureSphere WAF integration
• Added an Auto WAF Rule tab to the Scan Policy Editor dialog
• Added a Send To Tasks dialog to display the Send To Action and WAF Rule task's status
• Added a configuration wizard for "rest.testsparker.com" into the Start a New Website or Web Service Scan dialog
• Added a What's New panel to the right hand side of the Welcome Dashboard, which shows the latest blog posts
• Added OTP support to the Form Authentication tab in the Start a New Website or Web Services Scan dialog
• Added "localhost.invicti" host resolution support to allow remote connections to localhost

NEW SECURITY CHECKS

• Added a new Security Check – HTTP Parameter Pollution (HPP)
• Added a new Security Check – BREACH Attack Detection
• Added Out-of-Date checks for Ext JS
• Added Oracle Cloud and Packet Cloud SSRF attack patterns

IMPROVEMENTS

• Improved progress bar estimation by populating engine runtimes instead of request count
• Improved the Scan Performance node by including engine runtimes in the Knowledge Base
• The Download buttons in the Local File Inclusion Exploitation panel are renamed to Get
• Improved statistical information in the scan reports
• Improved Custom 404 settings in the Knowledge ase report
• Improved the Knowledge Base check icon
• Improved the display of OAuth2 Authentication information on reports
• Added Culture Info to error reporting information
• Renamed the F5 Big-IP ASM WAF Rules button in the Reporting tab
• Added an Apply button to the Options window, so the dialog stays open until the Save button is clicked
• Improved the Custom Field Editor dialog to validate custom field values before saving them
• Improved the I/O Docs Importer to support the latest version
• Improved the Jira Send To Action to support a new Security Level field
• Updated Trello Send To Action wizard to hide inactive boards
• Improved the Crawler and Attacker to identify links separately according to their Accept header. (application/json and application/xml are commonly used in Rest APIs. Invicti can identify and attack for both mime types.)
• Improved the OpenAPI (Swagger) parser to import links more than once according to their Accept header
• Updated the AdNetworks file which is used by Invicti to block ad networks
• Improved the Update Available dialog UI
• Improved the Report Policy Editor UI.
• Improved Apache Struts attack patterns by randomizing the attack payloads
• Improved the Custom Scripting API docs
• Improved parsing the JavaScript code written inside HTML element attributes
• Improved the Crawler to detect links with application/xml and application/json headers commonly used in REST APIs, so Invicti can attack each link separately
• Improved Progress panel's Request per Second setting, to that its value can be viewed by clicking its label
• Added the ability to parse OAuth2 access token response headers to get the access token value

FIXES

• Fixed an issue that caused very long URLs to become invisible in the vulnerability report
• Fixed an issue that caused the Target Website or Web Service URL dropdown list's delete button to become invisible in the Start a New Website or Web Service Scan dialog
• Fixed a false-positive report of a Windows Username Disclosure in the vulnerability report issue
• Fixed the problem where the Windows Username Disclosure attack pattern did not match invalid file characters
• Fixed the problem where a null Scan Profile name was displaying when opening a scan file
• Fixed an issue where headers were duplicating when imported from a Swagger file.
• Fixed the license expiration to occur a day after the license Expiration date
• Fixed an issue that caused a Collection Modified exception when restarting Invicti after changing the storage directory
• Fixed an issue where the HTTP Request / Response panel did not open when the Sitemap root node was selected
• Fixed an issue in the Request Builder where the changes in the Raw request tab were not being saved
• Fixed an issue that caused the name of the vulnerability to be blank in the Report Policy Editor dialog
• Fixed a High dpi issue in the Update Available dialog
• Fixed an issue that caused the Context button to overlay information counts in the File menu
• Fixed the URI format exception that occured on the SSRF configuration screen
• Fixed an issue that caused the tab key not to work in the Request Builder
• Fixed an issue where encoded characters and new line characters appeared in the exploit responses in JSON format
• Fixed an issue where the application name was captured as the version in the Java Servlet Version Disclosure pattern
• Fixed an issue where some console commands were reported as proofs of exploit even though they had not been executed in the code evaluation
• Fixed an issue where the Report Policy Editor dialog was showing html encoded values in the grid view and in the Edit dialog
• Fixed an issue where report template changes were lost when the Cancel button clicked while searching in the Report Policy Editor dialog
• Fixed an issue where the Dom Parser occasionally made requests to excluded or out of scope URLs
• Fixed an issue where relative links found during a DOM simulation were sometimes not added to the link pool
• Fixed a request timeout default value tooltip that was displaying in the HTTP Request settings
• Fixed property names in the Redmine Send To Actions fields
• Fixed an issue that caused the vulnerability URL to change when running a custom script on a vulnerability originally detected also by using a custom script
• Fixed an issue that caused the UI to freeze when activating or deactivating licenses
• Fixed an issue that caused the UI to freeze when verifying OAUTH settings
• Disabled layout customization in the Manual Authentication and Test Credential screens
• Fixed an issue that caused the scan manager to request a login URL in the OAuth2 Authentication settings when the Web Cache Deception security check group was disabled
• Fixed an issue that caused late UI loading when the Scan Profile contained too many Imported Links
• Fixed JSON and XML request identifiers to detect the type properly when content contains whitespace characters
• Handled communication errors that occured while testing credentials
• Fixed the log for corrupted variation information
• Fixed a NullReferenceException that was occasionally thrown in the Additional Websites tab in the Start a New Website or Web Service Scan dialog
• Fixed a performance issue caused when the number of the Sitemap nodes increases
• Fixed the Regex Pattern of SQLite error message patterns
• Updated the Remedy sections of some vulnerability report templates.
• Fixed the internal proxy localhost's handling when adding the loopback override to the system's {roxy settings
• Fixed misleading logout detection warnings shown during the retest of cookie vulnerabilities
• Fixed an issue that caused the system to crash when sorting the Sitemap
• Improved ApacheStruts to report where it would be possible for the attack to succeed at least one time
• Fixed a NRE in the Signature Detection
• Fixed the issue where some proofs were duplicated in the Knowledge Base
• Fixed extensive CPU usage on cloud instances and virtual machines
• Fixed a Set-Cookie response header parsing issue that occured where empty name/value pairs were skipped and cookie attributes were incorrectly parsed as name/value pairs
• Fixed the ArgumentNullException error that occured when a null parameter value was sent to the Request Builder
• Fixed the Knowledge ase's Out of Scope Links resource problem
• Fixed I1 item's title in the Vulnerability Editor dialog, available from the Report Policy dialog to display as 'No Message'
• Fixed the Asana Send To Action field, as an identifier field has changed in the Asana API
• Fixed the issue where Raw and Builder tabs were not synchronized in the HTTP Request Builder
• Fixed an incorrect localization issue that occurred while displaying custom field values of vulnerabilities
• Fixed an issue that caused the Issues and Sitemap panels to open before opening a scan session
• Fixed a problem where the Search box background color changed when there were no results
• Users are now allowed to enter custom HTTP methods in the Request Builder panel when the Raw request body is enabled
• Fixed an ArgumentNullException that was thrown when trying to refresh the OAuth2 access token after resuming an imported scan
• Fixed a couple of alignment problems in reports
• Fixed the last file name cache problem
• Fixed the Request response word wrap and border problem solved.
• Removed capitalization from titles in reports
• Fixed an issue where the AutoComplete Enabled Vulnerability was being falsely reported if input fields included a new password option
• Fixed a NullReferenceException that was thrown when the headers were null in the Webhook Send To Action

FIXES

• Fixed a NullReferenceException that was occasionally thrown during authentication verification
• Fixed a NullReferenceException that was occasionally thrown when a sitemap link was selected
• Fixed wrong tooltips that were shown on footer severity icons
• Fixed an application lock when the UI language was changed during a scan
• Fixed chunked encoding handling in the internal proxy
• Fixed a deadlock that was occasionally happening during policy optimization

FIXES

• Fixed an issue where the number of authentications was miscalculated in the Performance Report
• Fixed an ObjectDisposedException that was occasionally thrown during passive analysis
• Fixed an issue where passive analysis of XHR requests was causing a negative effect on scan times
• Fixed an issue where the Dom Parser was occasionally making requests to excluded or out of scope URLs.
• Fixed an issue where relative links found during DOM simulation were sometimes not added to the link pool
• Fixed a NullReferenceException that was occasionally thrown by the Request Builder
• Fixed a design problem that was causing empty areas in PDF reports
• Fixed an issue where a wrong update button image was shown when Invicti was run for the first time after an update
• Fixed a NullReferenceException that was thrown during Bulk Export operations
• Fixed an issue where the tooltips of Advanced Settings were not properly displayed
• Fixed the date controls in the Schedule Scan Dialog for high DPI screens
• Fixed an issue where the Known Vulnerabilities section in the Out-of-Date Version vulnerabilities was being duplicated
• Fixed a NullReferenceException that was thrown when the Target Url and the Basic Authentication Authority were different

IMPROVEMENTS

• Added support for parsing Swagger files with comments
• Added crawling support for hash based, routed websites
• Added deprecated usage report for TLS 1.1
• The size of the HTML reports has been significantly decreased

FIXES

• Authentication tokens are now shared among the hosts of the scan target and the additional websites
• Fixed an issue where the vulnerabilities from the previous scan were sometimes added into the new scan when Custom Scripts were used
• Fixed the logical operation stack field duplication that was occurring in log files
• Fixed a formatting issue in the vulnerability report templates
• Fixed an issue in the SQL Injection (Out of Band) engine where vulnerabilities were occasionally missed due to request timeouts
• Fixed an issue where discovered application or database versions were not shown in the Site Profile if a Version Disclosure vulnerability had already been reported
• Fixed a NullReferenceException that was thrown when the response was null in the Web Cache Deception engine

IMPROVEMENTS

• Added Authentication mode and Scheduled Scan information to new reports
• Added Include and Exclude pattern difference information to new reports

FIXES

• Fixed an issue where local scans got lost when the Invicti root directory was changed
• Fixed an issue where the Dark theme was not applied in the Comparison Report dialog
• Fixed an issue where true responses could not be processed correctly because of the '00' suffix
• Fixed the cookie parser by removing the whitespace and disallowed character checks for cookie names
• Fixed typos in the HSTS warning and error template
• Fixed a NullReferenceException that was thrown during Authentication verification
• Fixed a NullReferenceException that was thrown while the scan is moving from one phase to the next
• Fixed a NullReferenceException that was thrown when a new root node was being added to the Sitemap
• Fixed an issue where headers were duplicated in the Swagger importer
• Fixed an issue where 201 (Created) responses occasionally caused incorrect redirects during Form Authentication and DOM simulation
• Fixed an issue where the Update button icon was not changing when the download started
• Fixed the problem where PDF reports did not generate when exporting reports on a network share path
• Fixed the problem where it was not possible to change the default logo to a custom logo on new reports
• Fixed the Summary information alignment on PDF reports
• Fixed the problem of empty response information in XML reports
• Fixed various localization problems in reports

NEW FEATURES

• Added the ability to create custom Security Checks via a Scripting feature
• Added a new authentication, Manual Authentication, which allows you to import and replay your pre-recorded requests
• Added custom Vulnerability creation support to the Report Policy Editor
• Added a new 3-Legged Token flow type for OAuth2 authentication
• Added Microsoft Teams Send To integration
• Added Webhook Send To Integration
• Added Clubhouse Send To Integration
• Added Trello Send To Integration and configuration wizard
• Added Asana Send To Integration and configuration wizard
• Added a configuration wizard to the Jira Send To Action
• Added a Configuration Wizard to the Redmine Send To Action
• Added an option to the Save Report dialog for including and excluding Unconfirmed vulnerabilities
• Added an option to configure the file upload folder that the File Upload Engine attacks to find uploaded files
• Added information about SSL implementation in the Target Website to the Site Profile node in the Knowledge Base
• Added support for importing authentication settings from Postman files
• Added support for importing pre-request scripts from Postman files
• Added an 'Enable or Disable logging recurring parameter detection' option to the Advanced tab in the Options dialog
• Added a Delete button to the 'Start a New Website or Web Service Scan' dialog to enable the deletion of the current profile
• Added support for importing multiple IO/docs files from a zip file

NEW SECURITY CHECKS

• Added Web Cache Deception engine to the list of Security Checks
• Added a new XXE pattern for detecting the Axway SecureTransport 5.x XXE vulnerability
• Added new attack patterns for DOM based XSS
• Added new attack patterns for Remote Code Execution in Ruby
• Added new attack patterns for Out-of-band Remote Code Execution in Ruby
• Added new attack patterns for Remote Code Execution in Python
• Added new attack patterns for Open Redirect security check
• Added an email validation bypass payload for XSS
• Added a header injection XSS pattern
• Added a security check to determine whether an http website has implemented SSL/TLS
• Added a security check for File Content Disclosure in Ruby on Rails via exploiting Accept header
• Added mutation XSS patterns
• Fixed the SSRF confirmation problem
• Added Apple’s App-Site Association file detection
• Added exploitation support for File Content Disclosure in Ruby On Rails, CVE-2019-5418
• Added new LFI attack patterns for the access.log file
• Added support for exploiting JSONP endpoints with the format parameter in Ruby On Rails
• Added support for detecting Python remote code execution
• Added RFC compatible SSRF IPv6 patterns
• Improved the Apache Struts (CVE-2013-2251) attack pattern
• Added PHP Injection fixed one time Referrer attack
• Updated the attack value of the PHP Injection fixed one time attack pattern to use short notation instead of the print function
• Improved the regex pattern of the WebLogic version disclosure pattern
• Added a PoC pattern for Apache Struts (CVE-2013-2251)
• Added out-of-date checks for the Slick JavaScript library
• Added out-of-date checks for the ScrollReveal JavaScript library
• Added out-of-date checks for the MathJax JavaScript library.
• Added out-of-date checks for the Rickshaw JavaScript library
• Added out-of-date checks for the Highcharts JavaScript library
• Added out-of-date checks for the Snap.svg JavaScript library
• Added out-of-date checks for the Flickity JavaScript library
• Added out-of-date checks for the D3.js JavaScript library
• Added out-of-date checks for the Google Charts JavaScript library
• Added out-of-date checks for the Hiawatha and Cherokee server
• Added out-of-date checks for the Oracle WebLogic server
• Added out-of-date check for IIS
• Added version disclosure detection for the Hiawatha Server
• Added version disclosure detection for the Cherokee Server
• Added source code disclosure checks for Java Servlets
• Added source code disclosure checks for Java Server Pages
• Added new source code disclosure patterns for Java
• Added detection for .htaccess file Identified
• Added detection for Opensearch.xml files
• Added detection for SQLite error messages
• Added detection for security.txt files
• Added detection for swagger.json files
• Added detection for OpenSearch files

IMPROVEMENTS

• Redesigned all HTML reports
• Updated browser engine to Chromium v70
• Added support for array parameters in GET and POST requests
• Security Check Groups are now arranged into sub-groups in the Scan Policy Editor dialog
• Moved the vulnerability severity level, Best Practice, so that it takes precedence over the Information level
• Implemented scrolling to the bottom of the page after each DOM simulation completes
• Added support for generating HTML element code from select elements in the Form Authentication Custom Script Editor dialog
• Added the ability to search for Invicti Enterprise scans using the Target URL
• Changed the Password field to Token in the Jira Send To Actions integration
• Added scrollbar annotations to the Sitemap to indicate vulnerability locations
• Added Vulnerability Export Options to the Schedule Scan dialog
• Improved the accuracy of the scan progress calculation displayed in the Progress panel
• Added Postman variable support to the Postman Importer
• Added an option to the Advanced tab of the Options dialog to configure the maximum number of variations that will be reported
• Improved the Site Profile node in the Knowledge Base to display Database name and username information
• Improved the Site Profile node in the Knowledge Base to information about whether the exploited Database user has admin privileges
• Moved the Accept header's related options to the Custom Headers panel
• Improved the error message displayed when an invalid Swagger file is imported
• Added an improvement to the application's 'remember last opened folders' feature
• Optimized the size of late confirmation files to improve disk space consumption
• Added a new Invicti Assistant check to handle an excessive amount of application logs
• Added an application level notification to remind the user to restart the scan after profile or policy switch operations
• Updated the Ruby on Rails File Content Disclosure (CVE-2019-5418) vulnerability template
• Added generated proof data to the RoR File Content Disclosure report
• Improved the Proof list in the Knowledge Base to display multiple proofs with different values for the same website
• Improved the MimeType list to display request mime types
• Improved the display format of the redirect URL in the Open Redirect (DOM based) vulnerability
• Improved the Weak Ciphers Enabled vulnerability description
• Added zone.js support to the DOM simulation
• Removed Jira (Legacy) Send To Actions integration
• Changed the Unfuddle Send To Action's create issue method's request body data format from XML to JSON
• Updated the progress message displayed when multiple vulnerabilities are being sent via the Send To Action
• Improved TFS and Azure Send To Action to send issue details according to the Work Item type, and the Repro Steps field is set for bugs, while the Description field is set for issues or features
• Added a code block view to the Report Template viewer
• Added an information message to be displayed when closing Invicti if a Send To Action task is still executing
• Added custom field support to the ServiceNow Send To Action
• Added a message to be displayed if the Send To Actions settings have been configured incorrectly
• Updated the Remedy section of the Insecure Transportation Security Protocol Supported (SSLv2) vulnerability template
• Added a RAML option to the Enter Links/HTTP Requests dialog
• Optimized attack patterns environments to enable the Scan Policy Optimizer to produce more optimized policies
• Added a log to display when a vulnerability is discarded due to the Vulnerability Families feature
• Added an update to the progress warning on application closing
• Improved the calculation of attack possibilities of DNS-based SSRF attacks to prevent unnecessary attacks
• Included Ruby and Python RCE vulnerabilities in the vulnerability family
• Added a web server field to the access.log patterns for optimization
• Included SSRF vulnerabilities in the vulnerability family
• Improved the XSS vulnerability report to be more explicit about the data shown
• Added 'Do not expect challenge (Basic Authentication)' option to Form Authentication logout detection
• Updated the Impact sections of all Cross-site Scripting vulnerability templates
• Added ISO27001 information to the Vulnerabilities List (Detailed) XML report
• Added an injection prefix to the attack parameter and value name in the vulnerability templates when the vulnerability has an injection request and response
• Moved Code Execution via SSTI vulnerabilities to the Code Evaluation family
• Added highlighting to Stored XSS
• Improved User Agent settings in the Scan Policy editor
• Added missing environment information for attack patterns
• Increased the Start New Scan dialog's default height to prevent showing the inner scroll bars
• Added logs for URL Rewrite settings
• Added logs for Form Authentication settings
• Added a warning message to be displayed a used Scan Policy is deleted
• Added the attack pattern name to the debug header information
• Updated the Remedy sections of all Cross-site Scripting vulnerability templates
• Added command search capability to the application's main menu
• Improved the Update Available dialog
• Improved the X-Frame-Options header check to report misconfiguration when two different settings are used at the same time
• Improved parsing in nested JSON OAuth2 token responses
• Added missing HIPAA classifications to Out-of-Date vulnerability templates.
• Added an explanation to the Controlled Scan Summary popup about vulnerability families
• Improved the Swagger parser to read multipart/form-data mime types
• Improved system registry related Remedy sections in the vulnerability templates
• Added drag and drop capability to URL Rewrite settings
• Added verification to Authentication settings
• Added an additional External Reference to the IIS Out of Date vulnerability template
• Added a default initial directory to Imported Links and the scan Import dialog box
• Updated the Save Report dialog UI
• Updated broken reference links in the Report Policy
• Added validation that checks empty Header Authentication settings
• Set the default folder of the Open File dialog to Invicti Scans during the importing of a scan

FIXES

• Fixed an ObjectDisposedException that was thrown when activities were cancelled in the Activity Panel
• Fixed the capitalization of server-side applications in the Site Profile
• Fixed an issue where all Proofs were not listed in the Knowledge Base node
• Fixed an exception that occurred when updating the Proof data in the Site Profile
• Fixed an issue in the exploitation of the Code Evaluation vulnerability where a wrong proof was generated.
• Fixed an issue where the Proof Of Exploit title was displayed on the vulnerability template when there was no proof
• Fixed a double encoding issue in the Generate Exploit template for XSS
• Fixed an encoding issue in the confirmation phase of PHP wrapper-based LFI attacks
• Fixed incorrect behavior in the Internal Proxy
• Fixed VDB update requests that don't use the upstream proxy issue
• Fixed a Code Evaluation pattern that attacks URL Rewrite parameters
• Fixed an issue where similar kinds of SQL Injection vulnerabilities were being reported in the same URL Rewrite parameter
• Fixed an issue where the value of the Accept-Language header of the Imported Links were overwritten during a scan
• Fixed an issue where the Cache-Control header was added by default to Imported Links
• Fixed an issue causing Report Policy Editor to fail while saving new template references.
• Fixed duplicate template references in the Default Report Policy
• Fixed the problem of the Progress dialog not displaying while importing links from CSV files
• Fixed an issue that occured when the re-crawling phase was skipped
• Fixed the Suggested Action for the Best Practice severity in the report templates
• Fixed the problem of the progress not being updated in the Link Importer
• Fixed the problem of the progress not being displayed correctly while importing links from an Invicti session file
• Fixed the Remedy and External References links in the Vulnerability Viewer so that they open in the default browser
• Fixed a problem where the value of the User-Agent header was overwritten for imported link requests
• Fixed an issue where Invicti was attacking the HTTP endpoint of a URL instead of attacking the HTTPS protocol
• Fixed various typos in the vulnerability templates
• Fixed several Cookie related issues by updating Cookie parsing and storage according to the latest RFC 6265
• Fixed an issue in the Sitemap where it was displaying 404 pages
• Fixed the attack payload of the Function - End Comment - Double Quote - Encoded pattern
• Fixed the issue where the header values of the Imported Links were not prioritized over header policy settings
• Fixed an issue where the Base64 payload was not being encoded properly during the confirmation of PHP wrapper-based attacks
• Fixed a CVSS scores rendering issue in the Vulnerability panel
• Fixed the issue where the plus character was not encoded in PHP cookie attacks
• Fixed the Double Encoding problem in the Static Resource Finder attacks
• Fixed the URL Encode problem in the Static Resource Finder attacks
• Fixed an issue where variations were not shown in the report when a vulnerability was ignored
• Prevented the attacker from attacking the Sitemap.xml file
• Fixed an issue where Resource Finder requests were not carried out when the server returned a 403 Forbidden error
• Fixed a NullReferenceException that was thrown during the execution of the late confirmation phase
• Fixed the Double Encoding problem in PHP Wrapper Confirmation attacks
• Fixed the problem where the request was loaded to the request builder following injection and identification requests
• Fixed a problem in the filtered Issues panel that prevented vulnerabilities from being ignored
• Fixed an issue where the Force Pause button icon and label were overlying each other
• Fixed the custom field names in the Version Disclosure templates
• Fixed the problem where an AppDomainUnloadedException was sometimes thrown when the Custom dialog was closing
• Fixed an ObjectDisposedException that was sometimes thrown when Invicti was closing
• Fixed the escaping of forward slashes in custom scripts
• Fixed the Not operand issue in the Sitemap filter function
• Fixed an issue where the favicon of the scanned website was not updated in the Sitemap
• Fixed the problem where the attack payload was not properly encoded during the Code Execution check
• Fixed an issue where a vulnerability that was found in a different parameter on the same link was discarded due to Vulnerability Families
• Fixed an issue that caused vulnerabilities that came from static resources to be added to the wrong parent in the Sitemap
• Fixed the Proof generation for the Ruby Remote Code Execution vulnerability
• Fixed a bug in the XSS vulnerability confirmation
• Fixed the empty message displayed in the Sitemap where the filtered view did not display any data on loading
• Fixed the localization issue on scans that occured when the application language was modified
• Fixed inconsistent reporting of DNS-based SSRF
• Fixed the format of the confirmation attack payload in XSS to be hex-based
• Fixed the XSS exploitation template to handle injection request
• Fixed the CSS selector generation inside iframes in the Custom Script dialog
• Fixed the XSS confirmation that failing with a Base64 payload
• Fixed an exception that was thrown by displaying a warning message when a read-only Scan Policy file is used
• Fixed the issue where the responses of Full URL attacks were not parsed for links
• Fixed an issue where the Too Many Logouts error messages were displayed even when Form Authentication was disabled
• Fixed the problem where invalid Send To Action settings were removed from the Options dialog
• Fixed the problem where the Hawk test results were cleared during Scan Policy optimization
• Fixed an issue where Invicti was mistakenly making requests to Excluded URLs even when they were JS or CSS files
• Fixed an issue where Ignored Parameters were not ignored while analyzing recurring parameters
• Fixed the incorrect Sitemap root node size for high DPI screens
• Fixed a bug in the XSS vulnerability confirmation where the name of the triggered JS function was incorrect
• Fixed an issue with code generation in the Custom Script dialog while the IDs of input elements contained username or password literals
• Fixed a NullReferenceException that was thrown from the Internal Proxy
• Fixed the problem of light toolbars displayed when the Dark Theme was configured
• Fixed the argument exception in the File menu
• Fixed the grammar error in the Trial License error message
• Fixed auto start problem that occurred following installation
• Fixed the inconsistent state of the Start a New Website or Web Service Scan dialog where an unauthorized Scan Policy file exists
• Removed the 'ps aux' command from exploitation process
• Fixed an issue where the Invicti UI tabs were occasionally throwing exceptions
• Fixed a NullReferenceException that was caused during the handling of XHR requests in DOM simulation
• Fixed a comparison error that occured when the Sitemap panel attempted to order its nodes
• Fixed an issue that occurred with the Exclude This Branch From Attack option that caused missing operations during authenticated scans
• Fixed the problem where previous session data was cleared during Form Authentication
• Fixed the problem of an empty file name in the LFI proof data
• Fixed the issue where the cloud settings dialog was displayed repeatedly on the Scan Import screen
• Fixed the Sitemap and Issues panel's button paddings
• Fixed an issue where the error logs in the Swagger importer were displayed twice
• Fixed an issue in the Request Builder where the request method changed to POST while a PATH request was being edited
• Fixed an issue where cookies that were set in a JavaScript context were not being captured properly
• Fixed an issue where Invicti was occasionally conducting requests with stale cookie values
• Fixed the resetting of the Activity Viewer's column sizes layout reset
• Fixed a persistence issue in the Invicti Assistant notifications
• Fixed the customization menu displayed in the Auto Send to Settings panel.
• Fixed an issue where the attack payload was not carried out for some URL Rewrite attacks
• Fixed an Insecure HTTP use reported on a redirected response
• Fixed the activation of the Progress Panel displayed after the resumption of a scan
• Fixed an issue where the Authorization header was duplicated when it was provided via Imported Links
• Fixed the column sizes in the Request Builder
• Fixed a bug that occurred while parsing the favicon image source of the Target Website.
• Fixed the issue where the default Content-Type was treated as text/html when no Content-Type was specified
• Fixed an issue that caused the Exclude by CSS Selector field to be cleared in the JavaScript section of the Scan Policy Editor dialog when loading preset values
• Fixed the grouped node's count in the Sitemap panel
• Fix the attack value that was not implemented correctly in RFI confirmation attacks
• Fixed the issue where the request identifier could not be detected due to invalid characters in the JSON value
• Fixed the GET icon that was displayed for POST requests in the Issues panel
• Fixed an issue where a confirmed vulnerability was removed because of Vulnerability Family checks
• Fixed an issue where an eval block was treated as a non-executable block in XSS confirmation
• Fixed an issue where some links were treated as the same when parameter-based navigation was configured
• Made the Progress panel's percentage label more precise
• Fixed some character encoding problems in the Request Builder
• Fixed an exception that occurred when updating the Site Profile node in the Knowledge Base panel
• Updated the Send To Action template files in order to render vulnerability fields properly
• Fixed the grouped node filter issue in the Sitemap panel
• Fixed several stability issues with the browser engine
• Fixed a NullReferenceException in the Content Security Policy engine
• Fixed some Korean text
• Fixed the problem where the JavaScript settings tab scrollbar was not displaying properly in the Scan Policy Editor
• Fixed an issue where the Content-Type header was not always set properly for POST requests
• Fixed the Knowledge Base Viewer search issue where adding a space and clearing caused a loss of styles in the report
• Fixed a validation error in the Swagger Importer
• Fixed the bug where the XXE engine made a confirmation attack using the same payload
• Fixed an issue that caused a NullReferenceException to be thrown when a filter was applied on the Sitemap
• Fixed the problem where an obsolete column was deleted during migration of an old Report policy
• Fixed a typo in the WASC classification link
• Fixed the issue where the database username was being added incompletely to the Site Profile node of the Knowledge Base
• Fixed an issue where obsolete vulnerability types were listed in the Report Policy Editor
• Fixed setting OAuth2 label to unmodified state while using the default Scan Profile
• Fixed the problem where the user-agent was not set for requests when the user agent was forced in the Scan Policy Editor
• Fixed the issue where Request Builder columns were not resized correctly in high DPI environments
• Fixed the default height of the Browser View panel which caused inconsistent scrollbar behaviour
• Fixed the digit color in the HTTP Request/Response panel
• Fixed an issue that caused a NullReferenceException to be thrown when accessing the Identification node in the sSitemap
• Fixed an issue that prevented the Cookie Analyzer Engine settings from being reset
• Fixed a JavaScript exception from being thrown during the simulation of React websites
• Fixed an issue that caused the Target URL to also be scanned when a scan was configured for Imported Links only
• Fixed an issue that allowed duplicate headers in the Scan Policy Editor
• Fixed an issue where removed vulnerability types were still listed in the Vulnerability ProfileEditor dialog
• Fixed the precedence values of Possible SSRF vulnerabilities
• Fixed the signature pattern of the IIS Version Disclosure template
• Fixed the culture-specific date format used in the Vulnerability List Report templates
• Fixed the custom report's duplicate name extension problem
• Fixed an issue that caused vulnerabilities to be reported on 404 pages
• Fixed an issue that allowed invalid characters to be entered in the Target Website or Web Service URL field
• Fixed a KeyNotFoundException that was sometimes thrown when a request's Content-Type was not set
• Fixed an issue concerning the auto-complete behaviour of the SQL Injection panel
• Fixed the issue where proof generation did not work correctly for redirected URLs in Boolean SQL Injection engine
• Fixed an issue where the SSL Checker engine stopped working when. the user unchecked the 'Do not differentiate HTTP and HTTPS protocols' option in the Scope settings
• Fixed the problem where the SQL injection exploitation continued indefinitely
• Fixed the padding of dialogs where users are using the application within high DPI screens
• Fixed the default width of the Activity Viewer's columns
• Fixed an issue where some engines were not working in Controlled Scan because some attacks are skipped due to Vulnerability Families
• Fixed an issue that prevented the Custom 404 Analyzer from detecting 404 pages
• Fixed an issue where the Invicti Assistant-generated Scan Policy file name was exceeding the length limit
• Fixed an Internal Proxy error caused by the PATCH method
• Fixed a NullReferenceException that was causing the Controlled Scan to continue indefinitely
• Fixed a confirmation bug in the SQL engine
• Fixed the problem caused when users were importing links with the authentication header by overriding the existing OAuth2 token
• Fixed an issue that caused an update error when multiple Invicti Standard instances were opened
• Fixed an issue where the selected policy showed Default Security Checks after restarting the scan via the Invicti Assistant
• Fixed an issue in the CSRF engine where non-hidden inputs could be treated as anti CSRF tokens
• Fixed a duplicate link creation issue in the Report Policy editor when you update and save the remedy section
• Fixed the problem that occured while sending hidden vulnerabilities via the Auto Send To feature
• Fixed the failure of the Auto Send To feature that occured when the Send To Action values had been changed
• Fixed the width of Activity Viewer columns for high DPI screens
• Fixed the setting of the OAuth2 token name while using a fixed token type
• Fixed the setting of the OAuth2 token to override empty authentication headers while importing links
• Fixed an issue where empty headers were added to requests imported from Postman
• Fixed the problem of the hanging progress bar that occurred during scanning
• Fixed an issue where a request with an empty body was treated as a JSON request
• Fixed an issue where an XSS vulnerability was reported inside of non-executable HTML tags
• Fixed an issue where the scan folder was deleted after deleting a scan from the Local Scans folder
• Fixed a NullReferenceException that was thrown when running a Controlled Scan after importing a scan file
• Fixed a bug where a Link not Selected error was shown, even though it was selected in the Controlled Scan panel
• Fixed an issue where Invicti was missing passive vulnerability checks for endpoints that occured as XmlHttpRequests
• Fixed a bug where Controlled Scans could not be started for the selected nodes
• Fixed an issue that caused an ArgumentException to be thrown when activating a license
• Fixed the button height in the Controlled Scan panel to remove an empty area
• Fixed the problem where the OAuth2 refresh token timer stopped after a scan was finished
• Fixed an issue that caused the PathTooLongException when checking effective scope at start new scan dialog.
• Fixed the newline in the Regex Pattern of SVN disclosures
• Fixed an issue where the URL Rewrite settings panel was not highlighted when a setting had been changed
• Fixed the issue where the Controlled Scan was stuck when the scan state had been paused
• Fixed the status of the taskbar icon following the end of a Retest scan
• Resource Finder activities will now be stopped faster when the scan is paused
• Fixed a bug that occurred during the parsing of the refresh token of Implicit OAuth2 flow's response
• Fixed the problem where it was impossible to get a new OAuth2 token if refresh token was not set
• Fixed the problem that occurred when navigating the Sitemap and Knowledge Base nodes with the keyboard
• Disabled the Save option in the Default profile in the Start New Website or Web Service Scan dialog
• Fixed a bug that occurred when setting the Scan Profile before testing OAuth2 credentials
• Fixed an issue where no warnings were displayed when Basic/NTLM authentication settings were left empty
• Fixed the Vulnerability Severity Level order in the Report Policy Editor's context menu
• Fixed the Best Practice severity level's caption in the Report Policy Editor's context menu
• Fixed the Vulnerability Severity Level's order in the profile list in the Report Policy Editor dialog
• Fixed an ArgumentNullException that was thrown when the F9 key was pressed
• Fixed an issue that caused an invalid file name error in the ave Report dialog
• Fixed the issue where a Base64 value could not be decoded due to an invalid length in the Encoder panel
• Fixed the proxy authentication problem in manual crawling when a custom proxy is configured
• Fixed an issue to prevent the ampersand character from being encoded in an XML attack
• Fixed the Azure DevOps Send To Action to enable it to send vulnerabilities to the TFS
• Fixed an issue where the attack parameter was not shown for some vulnerabilities in the Detailed Scan Report
• Fixed an issue where redundant logs were written for enforced Basic Authentication setting
• Fixed the issue where auto-complete enabled was not reported when there was only one password input
• Fixed the issue where auto-complete was treated as enabled when the attribute value was 'new-password'
• Fixed the problem where multiple OAuth2 refresh token requests were sent while refreshing tokens
• Fixed the stale activities still remaining on the list at the end of the scan
• Fixed the broken order function of External References in the Report Policy Editor
• Fixed an unhandled UnauthorizedAccessException that was occasionally thrown while closing the Form Authentication Custom Script dialog
• Fixed the issue where some special XML chars were encoded when the parameter was already encoded

FIXES

• Fixed duplicate report templates when updated from an older version
• Fixed Axway XXE payload injected to the wrong position
• Fixed the incorrect Edition displayed on About dialog
• Fixed several dark theme issues for messages displayed when an invalid value set to an option
• Fixed IIS capitalization problem in the Site Profile Knowledge Base

FIXES

• Fixed a bug where HTTPS endpoints might not be crawled properly upon a navigation action during DOM simulation
• Fixed a bug with Manual Crawl mode where the execution might stop after the initial crawling phase ends
• Fixed an issue where form authentication might fail to execute in some React websites
• Fixed an issue where the process may crash due to a NullReferenceException

IMPROVEMENT

• Improved stability of scan by dynamically adjusting the thread count according to system resources

FIXES

• Fixed high CPU usage caused by connectivity issues that were occurring during a scan
• Fixed the issue where Referrer Policy Not Implemented was being reported for redirect responses
• Fixed the issue where CSP Not Implemented was being reported for redirect responses
• Fixed the issue where Missing X-XSS Protection was being reported for redirect responses
• Fixed the issue where Missing X-Frame-Options Header was being reported for redirect responses
• Fixed a bug where cookies were reported as not secure in authenticated scans
• Fixed an automatic Logout Detection issue during form authentication verification, where the login required URL was requested with an HTTP POST method
• Fixed clearing internal web browser's cache while executing authentication process
• Fixed the broken Crawled and Scanned URLs List (JSON) Report Templates
• Fixed the incorrect error message that was displayed while generating a Comparison Report with no selected scan files
• Fixed the Browser View that stayed open when a non-HTML response was selected
• Fixed the incorrect severity colors on Comparison Reports
• Fixed an issue where some of the toolbar items were not displayed on the Sitemap and Issues panels
• Fixed the broken ModSecurity WAF Rules Report Template
• Fixed a time based security check issue occurs when the target web server is not accessible
• Fixed the bug on issues panel where the number of vulnerabilities displayed next to severity group node was incorrect
• Fixed the incorrect send to icon size on high DPI screens
• Fixed an issue where browser viewer could not show content when content type of request was text/html
• Fixed an issue where React controlled fields may not be updated during Form Authentication
• Fixed an issue where Invicti Enterprise options are displayed while trying to import a scan file on back stage view
• Fixed a bug on issue panel where group node was shown as ignored when child node is ignored
• Fixed an issue on sitemap tree where number of nodes are reported incorrect when it is grouped
• Fixed an InvalidCastException thrown while browsing a response

IMPROVEMENT

• Improved Source Code Disclosure (ColdFusion) attack pattern

FIXES

• Fixed multiple logout detection popups being unnecessarily shown
• Fixed an issue that was causing Scheduled Scans to run slower than regular scans
• Fixed an issue where redundant scan folders are created when scans are auto saved
• Fixed a performance issue caused in scans with excessive amount captured links
• Fixed a NullReferenceException thrown by Expect CT security checks
• Fixed an ArgumentNullException thrown by Expect CT security checks
• Fixed a NullReferenceException thrown by Sitemap tree
• Fixed the broken paddings on RFI knowledgebase proof representation of tasklist command

FIX

• Fixed a NullReferenceException thrown when a vulnerability variation is ignored from Issues tree

FIXES

• Fixed an InvalidOperationException thrown from several operations during scan
• Fixed the incorrect favicon rendered on Sitemap tree

NEW FEATURES

• Added "Do not differentiate HTTP and HTTPS protocols" option to scope settings
• Added 3-Legged Token flow for OAuth2 authentication
• Added an option to be able to use a fixed OAuth2 token type

NEW SECURITY CHECK

• Added new XSS pattern that injects attack payload to HREF attribute

IMPROVEMENTS

• Added reporter account id to JIRA Send To
• Updated SSRF ipv6 pattern names
• Improved the visibility of Resume button while performing a Manual Crawling
• Improved the error message displayed while importing Swagger links

FIXES

• Fixed retrying getting OAuth2 token
• Fixed a NullReferenceException thrown when OAuth2 enabled scan is loaded
• Fixed an UnhandledException thrown during DOM Simulation in some rare cases
• Fixed pausing scan when OAuth2 authentication failed
• Fixed logging OAuth2 error messages
• Fixed showing context menu for activity viewer's group rows
• Fixed a NullReferenceException thrown when mouse is moved over sitemap
• Fixed the missing space character on Best Practice severity text on issues panel
• Fixed the incorrect position of Force Pause button on high DPI screens
• Fixed the white screen flashed on dark theme while navigating between KB screens
• Fixed the tiny progress animation on license popup dialog
• Fixed the dark theme issues on Advanced Settings screen
• Fixed a KeyNotFoundException thrown when the scan has finished
• Fixed the issue where ignoring first vulnerability variation ignores all variations
• Fixed a NullReferenceException thrown while Security Checklist panel is being activated if Scan Policy Editor dialog is opened by Assistant
• Fixed an issue where DOM simulation might conflict with some JS frameworks
• Fixed the broken Ignore From this Scan context menu action on Sitemap panel
• Fixed a NullReferenceException thrown from Invicti Assistant
• Fixed the NullReferenceException thrown when a Manual Crawling scan is imported and then resumed
• Fixed the issue where recently optimized scan policy is not selected when the Start a New Scan window is opened again
• Fixed an issue where multiple persona could be selected on Form Authentication settings
• Fixed the garbled configuration sample in Remedy section of HSTS Policy Not Enabled vulnerability
• Fixed the incorrect behavior on Notifications panel when it is scrolled to the end
• Fixed a NullReferenceException thrown while generating a report from a scan that contains a File Upload Vulnerability
• Fixed an issue where an extra ampersand is appended to query string while generating URL of a Swagger imported link
• Fixed an XmlException while trying to parse a sitemap.xml response that is not found
• Fixed a GZip decoding issue while trying to decode a compressed sitmeap.xml
• Fixed an unhandled NullReferenceException thrown from Sitemap
• Fixed parsing OAuth2 response regardless of the response content type
• Fix parsing JSON content type in Swagger parser to handle unexpected content types instead of creating a request for them
• Fixed performance issues caused by excessive logging when Activity Tracking is enabled
• Fixed a stuck scan issue on web sites using React JavaScript framework
• Fixed a Postman file importing issue where the response is not base64 encoded
• Fixed a NullReferenceException thrown while checking mutations on DOM
• Fixed an unhandled "InvalidOperationException: Object is currently in use elsewhere" error
• Fixed an error where XML and JSON responses could not be rendered on response viewers
• Fixed an unhandled NullReferenceException thrown from Assistant
• Fixed several NullReferenceException errors thrown while viewing knowledgebase items
• Fixed an issue where the current ongoing scan could be deleted from Local Scans section
• Fixed an InvalidOperationException "Database is not open" error

NEW FEATURES

• Added Invicti Assistant, a smart scan assistant that will guide you through a Scan
• Added OAuth2 Authentication support
• Added a new Best Practice severity level for vulnerabilities that are recommended practices but not critical
• Added Azure DevOps Send To integration
• Added an option to report only Confirmed vulnerabilities while generating reports
• Added Redmine Send To integration
• Added Bugzilla Send To integration
• Added F5 WAF rule generation
• Added Dark UI theme
• Added RESTful API Modeling Language (RAML) link import support
• Added facility to exclude certain URLs from URL Rewrite Detection
• Added support for importing links from WordPress REST API files
• Added a Scan Policy for OWASP Top 10 vulnerabilities
• Added a Scan Policy for PCI vulnerabilities
• Added support for deleting a Scan from Local Scan files

NEW SECURITY CHECKS

• Added support for exploiting Drupal Remote Code Execution (CVE-2019-6340)
• Added Unicode Transformation (Best-Fit Mapping) security check
• Added detection for possible Header Injection
• Added out-of-date detection for Oracle Database Server
• Added out-of-date detection for Mithril
• Added out-of-date detection for ef.js
• Added out-of-date detection for Match.js
• Added out-of-date detection for List.js
• Added out-of-date detection for RequireJS
• Added out-of-date detection for Riot.js
• Added out-of-date detection for Inferno
• Added out-of-date detection for Marionette.js
• Added out-of-date detection for GSAP
• Added config.json check to Resource Finder
• Added detection support for TS Web access
• Added detection support for .travis.yml

IMPROVEMENTS

• Improved Scan performance by allocating computer resources better
• Included XXE, File Upload, SSL, RFI, ELI, XSS via RFI vulnerabilities into vulnerability families
• Out-of-date server-side apps are highlighted in the Site Profile
• Clicking on links displayed in Knowledge Base items will navigate to the related node
• Added URL to the Email List Knowledge Base
• Added URL to the request which cookie is set on Cookies Knowledge Base
• Custom URL Rewrite Rules can be sorted by clicking the column header
• Added a description that tells why only 10 pages are reported on Slowest Pages Knowledge Base
• The URL Rewrite Rules that are found automatically during the scan are sorted alphabetically in the Knowledge Base
• Added an option to prevent the operating system from going to sleep while there is a scan in progress
• Added an Exploit context menu item to the Sitemap and Issues nodes
• Vulnerable parameters are now highlighted in the Sitemap and Issues nodes
• Updated Code Evaluation (PHP) attack patterns
• Due Date setting has been replaced with Due Days on some of the Send To integrations
• Improved the icons used in the Sitemap and Issues nodes
• Removed deleted scan files from the File Import list
• Improved DOM Simulation performance and fixed several issues
• Improved react JavaScript framework support on Form Authentication
• HTML Select elements without event listeners are simulated in DOM Simulation
• Improved the performance of the Activity pane's viewer
• Added a Copy URL context menu item to the Activity viewer
• The File Upload engine searches newly discovered file names in the upload response and in the upload folders
• Improved operating system detection by the Site Profile node in the Knowledge Base
• Added Activity Status information to the Sitemap nodes
• Added support for attacking the name of POST parameters
• Improved the layout for Reports on scans that detected zero vulnerabilities
• Improved the External References for several vulnerabilities
• Added ISO 27001 information to the Executive Summary Report
• CSP vulnerabilities will no longer display a 'certainty' value if they are already marked as Confirmed
• Fixed an issues in DOM Simulation where the change of select elements was not being properly dispatched to the underlying JavaScript framework
• Added support for exploiting XSS on text and XML content types
• Users can now resize the Activity Viewer columns
• Out of Date SQL vulnerabilities are reported as Confirmed
• Added clarification for branch logic in the latest versions of the Report Template for Out of Date vulnerabilities
• Added hyperlinks for Folders.txt in the Common Directories engine and GenericEmails.txt to Ignored Email Address settings for easy access
• All security engines are checked when the Controlled Scan panel is manually opened
• Added Cookie Whitepaper reference to cookie vulnerability templates
• Added External References to ExpressJS, CakePHP and Possible Stored XSS templates
• Improve grammar in Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability details
• Added support for highlighting input elements that are used to send passwords over query strings
• Improved rendering performance of the Knowledge Base's Comments page when there are too many comments
• More commands are executed in the Code Evaluation exploitation to generate proofs
• Improved Out of Band SSTI attack payloads
• Added automatic selection in the Form Authentication dialog when all fields are filled up
• Added case sensitive search for Raw Response viewer
• Added an overlay to display longer scans are being imported, to block user activity and show progress
• Added Show/Hide Password button in Form Authentication settings
• Added an information dialog displayed when a scan is finished and Invicti window is in the background
• Improved highlight function for detected JavaScript libraries
• Improved reports to display the product version on which the Scan is performed
• Improved the HTTP Request Builder panel to display generic headers
• Manuscript has been renamed FogBugz
• Scan Profile, Scan Policy and Report Policy comboboxes are disabled when the Scan is finished
• Improved RFI confirmation for URL Rewrite parameters
• Improved adding Out of Date Information Database information to the Site Profile
• Improved signatures of Nginx Version Disclosure patterns
• Optimized the attack speed of XSS and LFI engines
• The Concurrent Connection slider in the Scan Policy Editor has been changed to Request Per Second to comply with new scan performance improvements
• Added a piece of extra information to Out-of-date vulnerability templates to explain the vulnerability reason
• Security Checks search has been improved in the Scan Policy Editor by tagging the SSL/TLS related security checks
• Cookie checks will analyze session cookie names to detect platform-specific default session names
• Missing HIPAA classifications in Insecure Transportation Security Protocol Supported Default Report Policy templates have been added
• Stored XSS and Insecure Frame Default Report Policy vulnerability descriptions have been improved
• Phishing by Navigating Browser Tabs Default Report Policy vulnerability description have been improved
• Added Jira Account ID field for Jira Send To Action to assign issues to a user as JIRA Api will not accept username after 29 April 2019

FIXES

• Fixed failing VDB update when multiple instances were running
• Fixed the incorrect URLs that were added during the DOM simulation for forms without action attributes
• Fixed the issues where extra vulnerabilities were added to the Sitemap during a Retest All
• Fixed the issue where the SameSite cookie vulnerability was reported for cookies that were missing Lax or Strict attributes
• Fixed an issue where JavaScript file parsing was taking longer than expected in some occasions
• Fixed an issue where copied URL Rewrite Rules from Knowledge Base cannot be pasted in URL Rewrite settings
• Fixed an issue where JavaScript file parsing might take longer than expected in some occasions
• Fixed a NullReferenceException that was thrown while saving the layout of panes
• Fixed an ObjectDisposedException that was thrown when cancelling a Retest
• Fixed the Listening Port so that it is no longer set for the next Manual Crawl
• Fixed the issue where Finished Scans were displayed a Paused Scan icon
• Fixed the issue where the Fixed notice text was missing for fixed vulnerabilities
• Fixed the issue where the incorrect severity was reported for the Cookie not Marked as Secure vulnerability of a non-session cookie
• Fixed the incorrect order of the vulnerabilities in the Issues panel
• Fixed the Trial Licence dialog that was popping up twice
• Fixed the issue where data from a previous scan was displaying in the Activity panel
• Fixed HTTP 400 errors raised by the ServiceNow Send To integration
• Fixed the ObjectDisposedExceptions error that was thrown during Blind SQL Injection checks
• Fixed an issue where the SSL client handshake code was having issues while trying to communicate with a specific server with different configuration
• Fixed the issue where the status bar displayed the incorrect number of remaining trial days
• Fixed the oversized icons displayed in the Logs panel caused when the screen DPI was set too high
• Fixed the filtering issue in the Issues panel which caused new vulnerabilities discovered to be displayed even though they did not match the filter
• Fixed the incorrect vulnerability count, caused by variations, that was displayed in the Status Bar
• Fixed an UnauthorizedAccessException that was thrown while attempting to select restricted folders during the Export to Cloud process
• Fixed an issue in the CSP engine where the 'strict-dynamic' directive was reported as an unsupported hash
• Fixed the problem where the application was hanging on shutdown
• Fixed missing Authentication cookies in the Knowledge Base
• Fixed incorrect nonce detected without matching script block vulnerability
• Fixed a DOM simulation issue where the passed element to call the setTimeout function was being ignored
• Fixed a Retest issue where Out-of-Band SSTI vulnerabilities were marked as retestable
• Fixed the issue where the tiny Validation Error icon was displaying in screens when the screen DPI was set too high
• Fixed the issue where cookies were sent during the request for the Favicon image of the target URL
• Fixed the handling of newline characters while rendering the Proof of Concept section of the Vulnerability details
• Fixed the high DPI issues in the Bulk Export to Enterprise panel
• Fixed the issue where the uninstall process was interrupted if an Invicti instance was still running
• Fixed high DPI issues in the Local Scans panel during Import
• Fixed a NullReferenceException that occurred while rendering Vulnerability Details
• Fixed the issue where the Activity Viewer automatically scrolled to the top following updates to activities
• Fixed the Knowledge Base Report's header, where the image, title and severity level were overlapping
• Fixed the issue where Internal Path Disclosure was reported on script and stylesheet files
• Fixed an issue that caused FP Insecure Reflected Content to be reported
• Fixed the issue where the CSRF engine did not highlight the vulnerable HTML form when the name and action were not specified
• Fixed the issue where brute-force attacks were carried out regardless of the Authentication Type
• Fixed an issue in the Request Builder where the POST parameters were removed after switching tabs
• Fixed the issue where the LFI vulnerability confirmation patterns did not match the response returned from a Linux server
• Fixed an issue in the Response Viewer tab where the selected text remained highlighted even after the search was cleared
• Fixed the issue where vulnerability fields were not updated after a Retest
• Fixed the value of double encoded null byte in LFI, XSS attack patterns
• Fixed an issue in the Swagger importer where the parameter declared on the path level was not recognized
• Fixed an issue in the LFI engine where the confirmation payload was appended to the attack payload
• Fixed an issue in the Request Builder where duplicate headers could be added because header names were treated as Case Sensitive
• Fixed the problem where the wrong error message was displayed when a file parameter was selected in the Request Builder
• Fixed an unnecessary Header Warning dialog that popped up when the Edit Link button was clicked in the Request Builder
• Fixed an issue where an imported link could be saved without correcting the errors in the Request form
• Fixed an issue where links generated in Invicti attacks were added to the Sitemap
• Fixed the value of the double encoded null byte in the Header Injection pattern
• Fixed the encoding of the % sign in the base64 payload in XSS attacks
• Fixed the attack payload in the PHP Injection Fixed One Time Attack pattern
• Fixed an issue where version numbers were not correctly displayed in the Affected Versions section of VDB vulnerabilities
• Fixed an issue where the wrong importer format was selected by default in the Enter Links dialog
• Fixed the selection issue in the filtered Security Checks of the Scan Policy panel
• Fixed the encoding issue in the SQL Injection confirmation attack
• Fixed the validation issue of the Send to Action configuration
• Fixed the unnecessary node selection when the Expand/Collapse button was clicked on the Sitemap tree
• Fixed the grouping issue on vulnerability variations and instances
• Fixed HTTP method icons in the Sitemap
• Fixed issues caused by language changes
• Fixed the scrolling problem in the Vulnerability viewer
• Fixed the confusion over which persona was used during Form Authentication verification
• Fixed an order issue in the Sitemap tree
• Fixed the incorrect variation count presentation issue in the Issues tree
• Fixed the broken tab key in the Request Builder panel
• Fixed the incorrect Remaining Day presentation in the License reminder
• Fixed the issue where the Back button was clickable during the Bulk Export to Invicti Enterprise, causing the export to fail
• Fixed the issue where an error was displayed instead of the Proof in Blind SQL injection attacks
• Fixed the wrong proxy display after resetting settings to the default
• Fixed a performance issue that occurred while exporting a large Scan to Invicti Enterprise
• Fixed duplicate cookie names that were reported on a Cookie vulnerability
• Fixed a high DPI issue in the message box
• Fixed visual issues in the binary Response viewer
• Fixed an issue where the DOM engine failed to restart on some occasions
• Fixed an issue where Local/SessionStorage values were not persisting throughout the scan
• Fixed an issue where Form Authentication sometimes failed while trying to login to some websites that are built with React.JS
• Fixed a NullReferenceException that was sometimes thrown while saving Scan data
• Fixed HTML form simulation for cases where the form did not have an element with the Submit type
• Fixed HTML form simulation to take the Exclude by CSS Selector option into account to ignore required form elements
• Fixed an issue where overriding the Unicode Replacement characters in binary and JavaScript files sometimes broke the files and did not execute
• Fixed an issue where Invicti sometimes prevented Windows from shutting down while a Scan was running
• Fixed an issue where NTLM Authentication was being ignored during Logout Detection
• Fixed an issue where the cookies that were set in the JavaScript context during Form Authentication were not properly captured
• Fixed an issue where the Max Simulated Elements option was causing the simulation to hang
• Fixed an uncaught TypeError that was caused by Max Option Elements checks and causing the simulation to hang
• Fixed an issue where Signature checks were adding false-positive Site Profile information to the Knowledge Base issue
• Fixed an issue where ignored vulnerabilities were retested while performing an Incremental Scan
• Fixed an issue where an incorrect "Subresource Integrity (SRI) Hash Invalid" vulnerability was reported because of hash miscalculation

FIXES

• Fixed an InvalidOperationException thrown when application is forced to close during computer shutdown
• Fixed the clipboard format of Knowledgebase URL Rewrite List item
• Fixed a race condition that causes an ArgumentOutOfRangeException when rate limiting option is used

IMPROVEMENTS

• Added proof generation and Get Shell support for Code Evaluation (ASP) vulnerability
• Added Retest support for several cookie vulnerabilities
• Moved the target URL to the first position on Site Profile Knowledgebase

FIXES

• Fixed the Retest All button also retests the issues on additional web sites too
• Fixed the popup hide issue on custom form authentication script dialog
• Fixed a few unexpected NullReferenceException issues
• Fixed the broken arrow key navigation on Sitemap and Issues panels
• Fixed the incorrect vulnerability count reported on Issues panel tree groups
• Fixed the representation of fixed vulnerability on Issues panel
• Fixed the incorrect duplicate export dialog shown when trying to import a scan from cloud
• Fixed the issue where Issues panel were not being refreshed when retest is finished
• Fixed the initial panel shown by changing it from Progress panel to Activity panel
• Fixed the process cannot access the file issue while updating VDB
• Fixed a bug in cookie handling code during form authentication
• Fixed the incorrect severity reported for Cookie not Marked as Secure vulnerability on some scans
• Fixed an ArgumentOutOfRangeException thrown on some long scans
• Fixed an InvalidOperationException thrown while closing the application
• Fixed the incorrect Filter menu state on Sitemap panel

NEW FEATURES

• Rewrote Sitemap and Issues trees which improves the performance and adds features like filtering, grouping, sorting and searching.
• Added vulnerability families feature where similar types of vulnerabilities are not reported separately
• Added support for Swagger 3 / OpenAPI link import
• Added support for 64-bit smart card drivers for authentication
• Added GitLab Send To integration
• Added Bitbucket Send To integration
• Added Unfuddle Send To integration
• Added Zapier Send To integration
• Added Azure DevOps Send To integration
• Added support for importing links from IOdocs file format
• Added automatic upload to Invicti Enterprise option
• Added copy to clipboard buttons to request and response viewers
• Added a new Knowledge Base item for Not Found pages
• Added a hex view for binary responses in reports
• Added options to switch Scan Profile, Scan Policy and Report Policy for the current scan
• Added Uncheck by Severity context menu item to the Report Policy editor
• Added ISO 27001 vulnerability classifications and report template
• Added raw value support for Send To custom fields
• Added option to report variations of vulnerabilities

NEW SECURITY CHECKS

• Added a new pattern for CherryPy Version Disclosure
• Added an LFI attack pattern for WEB-INF/web.xml
• Added Ruby Error Disclosure detection
• Added WP Engine Configuration File detection
• Added CherryPy Stack Trace Disclosure detection
• Added Intro.js out-of-date version detection
• Added Axios out-of-date version detection
• Added Fingerprintjs2 out-of-date version detection
• Added XRegExp out-of-date version detection
• Added DataTables out-of-date version detection
• Added Lazy.js out-of-date version detection
• Added FancyBox out-of-date version detection
• Added Underscore.js out-of-date version detection
• Added Lightbox out-of-date version detection
• Added JBoss application server out-of-date version detection
• Added SweetAlert2 out-of-date version detection
• Added Lodash out-of-date version detection
• Added Bluebird out-of-date version detection
• Added Polymer out-of-date version detection

IMPROVEMENT

• Separated the Scan Activity panel and Progress chart into their own dock panels below
• Added a button to the Reporting tab for creating new Custom Report Templates
• Improved Knowledge Base item updates to prevent unexpected scrolling to the top of the screen
• Ordered several Knowledge Base items alphabetically
• Concurrent Connection count of imported scans can be modified
• Changed default Issue type to Story in JIRA Send To integration
• Changed CallerId field to optional in ServiceNow Send To integration
• Added PHP extension attack for Nginx vulnerability to File Upload engine
• Added File Upload patterns for Nginx parsing vulnerability
• Added settings to File Upload engine for configuring upload folders
• Added errorlog.axd detection support
• Improved elmah.axd detection
• The severity of the Cookie Not Marked as Secure vulnerability was lowered for non-session cookies
• Improved SSTI PHP Smarty attack detection
• Retest All can now be started when the scan is paused
• Improved the Swagger link importer to handle additional properties with integer and string value types
• Improved the Expect-CT engine by only reporting a vulnerability once for each host
• Improved RSA key confirmation by handling OpenPGP format
• Added a Statistics tab to the HTTP response viewer
• Increased the HSTS Not Enabled vulnerability severity from Information to Low
• Improved HTTP 407 proxy authentication error handling
• Improved missing license handling for non-interactive Windows sessions
• Controlled scan is now cancelled when a new scan is imported
• Added classifications to the HSTS Not Enabled vulnerability
• Excluded unpopular JavaScript Library Out of Date checks from the default policy to improve performance
• Improved the user experience of suggestions in the Scan Policy Optimizer when navigating back and forward in the wizard
• New certificate imported for Client Certificate Authentication is automatically selected
• Improved JSON request/response viewer performance for large documents
• Spaces in URLs of vulnerabilities are encoded in the vulnerability viewer
• Improved CSP security checks by analyzing empty responses, as CSP can be declared on headers instead of meta tags
• Generalized the RegEx Pattern of the trace.axd detected vulnerability to match all languages
• Updated HTTP response data of vulnerabilities after retest
• Scan Policy Optimizer now respects the security engine and pattern selections of the base policy
• Improved JSON format detection
• Replaced Unicode replacement characters with question marks in responses
• Added a Scan Policy option to attack cookies
• Improved element click DOM simulation for various element types
• SRI Not Implemented will no longer be reported for localhost URLs
• Improved ASP.NET error message detection
• Added descriptions to PCI categories in the PCI Compliance Report
• Improved Boolean SQL Injection detection
• Improved the Blind Command Injection attack patterns
• Improved the representation of Report Template compilation errors
• Removed the dependency of Object Model Installer for using TFS Send To integration
• Improved the language used in Retest and Controlled Scan results
• Focused policies are now set to the currently used ones in Scan Policy Editor and Report Policy Editor
• Misconfigured X-Frame-Options Header is now reported separately
• Improved source code disclosure checks to prevent reporting JavaScript template pages
• The link to a created Issue is now displayed on the status bar after sending a vulnerability to an integration
• Status code, status description and content length information have been added to the Slowest Pages knowledge base node
• Retest activities are marked on the Scan Activity panel
• Added the list of failed vulnerabilities to retest results dialog
• Improved WADL document parsing by ignoring DTDs
• Improved Open Redirect DOM based confirmation performance
• Long identified source code is shortened in Possible Source Code Disclosure vulnerabilities
• Cookie vulnerabilities report where the cookie is set from
• Improved the multi-line representation of LFI Exploitation data
• Removed the redundant scan save confirmation dialog displayed when closing the app
• Improved Swagger Document Format detection
• Options dialog now remembers its location and size
• File upload engine now detects new links in the response after the file is uploaded

FIXES

• Fixed double URL encoding problem in various Report Templates
• Fixed parsing issue that occurs when the upload folder contains a slash
• Fixed the issue where authentication does not work when retesting
• Fixed an exception thrown prior to scan when the language is set to Korean
• Fixed the incorrect license holder name displayed on application title
• Fixed a controlled scan issue where it fails if the connection check response status code is not 200 (OK)
• Fixed Jira send to custom field values by HTML encoding them
• Fixed double HTML encoding problem in TFS Send To template
• Fixed the issue where the connection error is displayed during a controlled scan when the response status code is not 200 (OK)
• Fixed a NullReferenceException thrown when a link label is clicked in a dialog
• Fixed display of Post Scan ribbon group's caption text
• Fixed the issue where the Swagger importer generates an invalid JSON request body
• Fixed the ArgumentException thrown while performing Heartbleed security checks
• Fixed visibility of fixed vulnerabilities in Report Templates
• Fixed the issue where the wrong version was identified for Drupal
• Fixed the UriFormatException thrown during SSRF (Hawk) URI validation
• Fixed a disallowed HTTP method issue where some methods were still being allowed
• Fixed a typo in the CSP Not Implemented vulnerability details
• Fixed the issue where SRI Not Implemented URLs were not properly highlighted in the source code
• Fixed an InvalidCastException thrown while loading the panel layout
• Fixed a Form Authentication issue that occured on some React-based websites
• Fixed the issue where the old scan's activities continued even when another scan was imported while performing a Retest All
• Fixed a NullReferenceException thrown in Retest
• Fixed signature detection for links found via the crawler
• Fixed an issue in CSP engine where it reported an incorrect vulnerability
• Fixed an URL encoding issue in DOM simulation that was causing some vulnerabilities to be missed
• Fixed the issue where the text parser incorrectly parsed extensions in the onclick event
• Fixed the incorrect Retest Fail dialog in the InternalServerError vulnerability
• Fixed the URL decoding issue when the URL was copied in the Issues panel
• Fixed the comments that were injected via Invicti attacks reported in the Knowledge Base Comment node
• Fixed duplicate parsing source field values reported for IFrame vulnerabilities
• Fixed a corrupted PDF report
• Fixed an issue where Apache MultiViews could not be detected in the target server
• Fixed the incorrect Cookie Expire Date set during Form Authentication
• Fixed the incorrect Source Code Disclosure report caused by SSTI attacks
• Fixed a Content-Type parsing issue in Form Authentication
• Fixed the issue where cookies received via Form Authentication were not being analyzed for vulnerabilities
• Fixed the NullReferenceException thrown by the Request Builder if there were no scans open
• Fixed the incorrect Source Code Disclosure reported when an XSS via RFI vulnerability was found
• Fixed an Out of Memory issue that occurred while trying to view a large document

IMPROVEMENT

• Improves licensing diagnostics mode

FIXES

• Fixed parsing issue in Swagger Importer that occurs while importing Swagger files in YAML format
• Fixed an issue that causes Invicti to fail to add certain pages to the sitemap when using the Manual Crawling