Release Notes

Invicti Standard

9-Apr-2020

IMPROVEMENTS

  • Added an image injection pattern to the Blind Cross-site Scripting security check
  • Added Script Type information to the comment section of the Custom Security Check scripts
  • Added the ability to show the Custom Scripts Panel without opening a scan

FIXES

  • Fixed an issue so that the JavaScript configuration in the Scan Policy is saved when it is updated by Invicti Assistant
  • Fixed an issue where the web proxy was not being used while connecting to Invicti Enterprise
  • Fixed an issue where the Custom Scripts were not executing inside pop-up dialogs that open during Form Authentication
  • Fixed an issue where logouts were not detected with single page applications that used Form Authentication
8-May-2019

FIX

  • Fixed a NullReferenceException thrown when a vulnerability variation is ignored from the Issues tree
8-May-2019

FIXES

  • Fixed an InvalidOperationException thrown from several operations during scan
  • Fixed the incorrect favicon rendered on Sitemap tree
8-Mar-2018

IMPROVEMENTS

  • Added support for importing Postman v2.1 files.
  • Added certificate extension aliases support to Client Certificate Authentication.

FIXES

  • Fixed an issue where certificates were not listed in the client certificates dropdown list.
  • Fixed Invicti Hawk validation issue.
8-Jun-2018

UPDATE

  • Updated the Reporting API documentation.

FIXES

  • Fixed a DirectoryNotFoundException thrown while trying to restore layout.
  • Fixed an InvalidOperationException thrown while performing confirmation at the end of a scan.
  • Fixed a highlighting related exception when there are no matches in the source code.
  • Fixed an ArgumentNullException caused by an empty form authentication persona list when the scan is imported from cloud.
8-Feb-2017

FIXES

  • Fixed an issue in the Custom Form Authentication script editor where an extra header was sent, causing some pages not to load.
  • Fixed a form authentication issue where cookies with the same names were not updated.
  • Fixed an issue where a vulnerability is not reported due to an XML Content-Type for which exploitation might not be possible.
  • Fixed a compatibility issue that occurs while trying to load an old scan session file.
8-Feb-2017

FIX

  • Fixed clipped Scan Policy Editor dialog issue on high DPI display settings.
8-Apr-2016

NEW FEATURES

  • Added Proof of Concept generation for the CSRF vulnerability.
  • Added Parameter-Based Navigation settings to better crawl and attack parameters that are used for website navigation.
  • Added a new crawling option in the Scan Policy that allows users to add new extensions for the crawler to parse.

NEW SECURITY TESTS

  • Added Missing X-XSS-Protection Header vulnerability check.
  • Added Video.js JavaScript library detection.
  • Added Critical Form Send to HTTP vulnerability check.
  • Added Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability check.

IMPROVEMENTS

  • Added the Smart DFS feature to the DOM Parser, which uses a similarity heuristic for DOM elements to avoid scanning the same or similar parameters multiple times.
  • Added license load option to Help menu.
  • Improved "Not Found Analyzer" to better handle binary responses and long strings.
  • Changed the default settings of JIRA Send to Action for better out of the box support.
  • Added a link to the proof URL for XSS vulnerabilities.
  • Added link generation to Text Parser for all select element options.
  • Improved the DOM parser to skip redirect responses.
  • Added an option to allow the user to move the Invicti data directory to a different location.
  • Improved the DOM parser to use the input value for auto-suggest simulation when input is not in a form.
  • Added support for modifying asynchronous JavaScript executions in order to increase DOM Parser coverage.
  • Improved relative link parsing on JavaScript files.
  • Improved the coverage of file upload security checks.
  • Improved the coverage of XSS security checks.

FIXES

  • Fixed an issue where LFI attack patterns are reported as internal path disclosure.
  • Fixed the incorrect raw response representing SSL connections.
  • Fixed an issue where forms containing ignored parameters are not reported as CSRF vulnerability.
  • Fixed a case where dynamically generated HTML option elements' change events were not being triggered.
  • Fixed cross-domain document access errors on DOM parser and XSS scanner.
  • Fixed an issue where a JSON request's method was incorrectly recognized as POST rather than GET.
  • Fixed a retest issue where a vulnerability is reported as fixed incorrectly.
  • Fixed form values target setting to use Name as the default value when a Target is not selected.
  • Fixed an issue related to the JavaScript "Load Preset Values" combo where selecting a preset value may revert the combo value to "(Custom)".
  • Fixed a file extension parsing issue related to the File Extension List knowledgebase item.
  • Fixed a hang issue that occurs while performing JavaScript library checks.
  • Fixed a custom form authentication API issue where the "ns" namespace was conflicting with a global variable on the target website (the authentication API has been moved to the "invicti" namespace, preserving "ns" for backward compatibility).
  • Fixed a DOM Parser and XSS scanner bug that incorrectly follows redirects.
  • Fixed misplaced certainty label on vulnerability details for trial editions.
  • Fixed an ObjectDisposedException that occurs on the trial edition when you press the Escape key several times during application load.
  • Fixed a resource deployment issue that occurs on Invicti installations with a custom application data path.
  • Fixed a form values issue where empty form values should not set any default values for parameters.
  • Fixed an issue where trying to set Connection request header fails.
7-Oct-2016

FIXES

  • Fixed an issue where some scan files from older versions cannot be opened with the latest version.
  • Fixed an issue with TFS Send To action when the project name contains spaces.
6.8.0.38168

NEW FEATURES

  • Added auto-GraphQL attack after endpoint is detected.
  • Added request wait filter for request wait handler.

NEW SECURITY CHECKS

  • Added MongoDB Time-based (Blind) Injection.
  • Added SQLite Boolean SQL Injection.
  • Added MongoDB Error-based Injection.

IMPROVEMENTS

  • Updated the embedded browser.
  • Updated the hardcoded scan policy for http://rest.testinvicti.com.
  • Added the out-of-scope check for the target website content links.
  • Updated the Check for VDB Update status and tooltip when users start the check for update.
  • Updated Vulnerability Detection Logic in JWT engine.
  • Updated Liferay portal signature and added a mapping for version conversion.

FIXES

  • Fixed the web security issue for the origin header problem.
  • Fixed the sitemap bug that caused missing information when imported.
  • Fixed the bug that threw an error when exporting as SQL script.
  • Fixed the bug that threw an error, as HTTP Requester deletes the whole body part of the request which contains the login credentials.
  • Fixed multiple headers highlighting for the same value.
  • Fixed highlighting CSP Directives in different header issues.
  • Fixed duplicate bearer tokens for some requests.
  • Fixed the out-of-memory bug at the browser manager.
  • Fixed the null reference exception on the custom script screen.
  • Fixed the connection time-out issue caused by the RegEx engine.
  • Fixed an issue that resulted in false positive Cross-site Scripting (DOM-based).
  • Fixed the retest issue that displays zero requests in the repetitive retests.
  • Fixed the bug that shows the previous version of VDB.
  • Fixed parsable false attack patterns place.
6.7.1.37730

IMPROVEMENTS

  • Updated embedded Chromium browser.
6.7.0.37625

SECURITY CHECKS

  • Added pattern for XSS via file upload SVG.

IMPROVEMENTS

  • Added the Cache By CSS Selector and Max Cache Elements to the scan policies.
  • Added the GraphQL endpoints and libraries to the Knowledge Base.
  • Updated the Jira tooltip for the access token or password field.
  • Removed the target URL health check that lets the scan continue despite getting error messages such as 403.
  • Improved the raw scan file expired information message.
  • Improved the scan profile test coverage.
  • Updated regex for Stack Trace Disclosure (Java) - Java.Lang Exceptions.
  • Improved the JSON Web Tokens secret list.
  • Improved the re-login process when the logout is detected.

FIXES

  • Fixed the retest issue.
  • Fixed the null reference error thrown during the late confirmation.
  • Fixed an issue of using the disposed objects.
  • Fixed the exception error when cloning the report policy.
  • Fixed the broken links on the report policy.
  • Fixed mistaken NIST and DISA classifications.
  • Fixed a bug that threw the database locked error when Invicti is restarted after a scan.
  • Fixed an issue where a JavaScript Setting option blocks inputs for the single-page applications to be reported in the Web Pages with Inputs node.
  • Fixed a bug that caused the scan session failure when the scan is paused and resumed.
  • Fixed failed scans where the Target URL is IPv6 and starting with ::1
  • Fixed the Postman collection parsing by removing / in front of the query in the URL.
  • Fixed the Shark validation issue that threw exceptions while validating.
  • Fixed the issue with proxy settings, so Invicti prioritizes the settings in the scan policy.
  • Fixed NodeJS RCE-OOB security check.