Invicti Standard

NEW FEATURES

• Added “Do not differentiate HTTP and HTTPS protocols” option to scope settings
• Added 3-Legged Token flow for OAuth2 authentication
• Added an option to be able to use a fixed OAuth2 token type

NEW SECURITY CHECK

• Added new XSS pattern that injects attack payload to HREF attribute

IMPROVEMENTS

• Added reporter account id to JIRA Send To
• Updated SSRF ipv6 pattern names
• Improved the visibility of Resume button while performing a Manual Crawling
• Improved the error message displayed while importing Swagger links

FIXES

• Fixed retrying getting OAuth2 token
• Fixed a NullReferenceException thrown when OAuth2 enabled scan is loaded
• Fixed an UnhandledException thrown during DOM Simulation in some rare cases
• Fixed pausing scan when OAuth2 authentication failed
• Fixed logging OAuth2 error messages
• Fixed showing context menu for activity viewer’s group rows
• Fixed a NullReferenceException thrown when mouse is moved over sitemap
• Fixed the missing space character on Best Practice severity text on issues panel
• Fixed the incorrect position of Force Pause button on high DPI screens
• Fixed the white screen flashed on dark theme while navigating between KB screens
• Fixed the tiny progress animation on license popup dialog
• Fixed the dark theme issues on Advanced Settings screen
• Fixed a KeyNotFoundException thrown when the scan has finished
• Fixed the issue where ignoring first vulnerability variation ignores all variations
• Fixed a NullReferenceException thrown while Security Checklist panel is being activated if Scan Policy Editor dialog is opened by Assistant
• Fixed an issue where DOM simulation might conflict with some JS frameworks
• Fixed the broken Ignore From this Scan context menu action on Sitemap panel
• Fixed a NullReferenceException thrown from Invicti Assistant
• Fixed the NullReferenceException thrown when a Manual Crawling scan is imported and then resumed
• Fixed the issue where recently optimized scan policy is not selected when the Start a New Scan window is opened again
• Fixed an issue where multiple persona could be selected on Form Authentication settings
• Fixed the garbled configuration sample in Remedy section of HSTS Policy Not Enabled vulnerability
• Fixed the incorrect behavior on Notifications panel when it is scrolled to the end
• Fixed a NullReferenceException thrown while generating a report from a scan that contains a File Upload Vulnerability
• Fixed an issue where an extra ampersand is appended to query string while generating URL of a Swagger imported link
• Fixed an XmlException while trying to parse a sitemap.xml response that is not found
• Fixed a GZip decoding issue while trying to decode a compressed sitmeap.xml
• Fixed an unhandled NullReferenceException thrown from Sitemap
• Fixed parsing OAuth2 response regardless of the response content type
• Fix parsing JSON content type in Swagger parser to handle unexpected content types instead of creating a request for them
• Fixed performance issues caused by excessive logging when Activity Tracking is enabled
• Fixed a stuck scan issue on web sites using React JavaScript framework
• Fixed a Postman file importing issue where the response is not base64 encoded
• Fixed a NullReferenceException thrown while checking mutations on DOM
• Fixed an unhandled “InvalidOperationException: Object is currently in use elsewhere” error
• Fixed an error where XML and JSON responses could not be rendered on response viewers
• Fixed an unhandled NullReferenceException thrown from Assistant
• Fixed several NullReferenceException errors thrown while viewing knowledgebase items
• Fixed an issue where the current ongoing scan could be deleted from Local Scans section
• Fixed an InvalidOperationException “Database is not open” error

NEW FEATURES

• Added Invicti Assistant, a smart scan assistant that will guide you through a Scan
• Added OAuth2 Authentication support
• Added a new Best Practice severity level for vulnerabilities that are recommended practices but not critical
• Added Azure DevOps Send To integration
• Added an option to report only Confirmed vulnerabilities while generating reports
• Added Redmine Send To integration
• Added Bugzilla Send To integration
• Added F5 WAF rule generation
• Added Dark UI theme
• Added RESTful API Modeling Language (RAML) link import support
• Added facility to exclude certain URLs from URL Rewrite Detection
• Added support for importing links from WordPress REST API files
• Added a Scan Policy for OWASP Top 10 vulnerabilities
• Added a Scan Policy for PCI vulnerabilities
• Added support for deleting a Scan from Local Scan files

NEW SECURITY CHECKS

• Added support for exploiting Drupal Remote Code Execution (CVE-2019-6340)
• Added Unicode Transformation (Best-Fit Mapping) security check
• Added detection for possible Header Injection
• Added out-of-date detection for Oracle Database Server
• Added out-of-date detection for Mithril
• Added out-of-date detection for ef.js
• Added out-of-date detection for Match.js
• Added out-of-date detection for List.js
• Added out-of-date detection for RequireJS
• Added out-of-date detection for Riot.js
• Added out-of-date detection for Inferno
• Added out-of-date detection for Marionette.js
• Added out-of-date detection for GSAP
• Added config.json check to Resource Finder
• Added detection support for TS Web access
• Added detection support for .travis.yml

IMPROVEMENTS

• Improved Scan performance by allocating computer resources better
• Included XXE, File Upload, SSL, RFI, ELI, XSS via RFI vulnerabilities into vulnerability families
• Out-of-date server-side apps are highlighted in the Site Profile
• Clicking on links displayed in Knowledge Base items will navigate to the related node
• Added URL to the Email List Knowledge Base
• Added URL to the request which cookie is set on Cookies Knowledge Base
• Custom URL Rewrite Rules can be sorted by clicking the column header
• Added a description that tells why only 10 pages are reported on Slowest Pages Knowledge Base
• The URL Rewrite Rules that are found automatically during the scan are sorted alphabetically in the Knowledge Base
• Added an option to prevent the operating system from going to sleep while there is a scan in progress
• Added an Exploit context menu item to the Sitemap and Issues nodes
• Vulnerable parameters are now highlighted in the Sitemap and Issues nodes
• Updated Code Evaluation (PHP) attack patterns
• Due Date setting has been replaced with Due Days on some of the Send To integrations
• Improved the icons used in the Sitemap and Issues nodes
• Removed deleted scan files from the File Import list
• Improved DOM Simulation performance and fixed several issues
• Improved react JavaScript framework support on Form Authentication
• HTML Select elements without event listeners are simulated in DOM Simulation
• Improved the performance of the Activity pane’s viewer
• Added a Copy URL context menu item to the Activity viewer
• The File Upload engine searches newly discovered file names in the upload response and in the upload folders
• Improved operating system detection by the Site Profile node in the Knowledge Base
• Added Activity Status information to the Sitemap nodes
• Added support for attacking the name of POST parameters
• Improved the layout for Reports on scans that detected zero vulnerabilities
• Improved the External References for several vulnerabilities
• Added ISO 27001 information to the Executive Summary Report
• CSP vulnerabilities will no longer display a ‘certainty’ value if they are already marked as Confirmed
• Fixed an issues in DOM Simulation where the change of select elements was not being properly dispatched to the underlying JavaScript framework
• Added support for exploiting XSS on text and XML content types
• Users can now resize the Activity Viewer columns
• Out of Date SQL vulnerabilities are reported as Confirmed
• Added clarification for branch logic in the latest versions of the Report Template for Out of Date vulnerabilities
• Added hyperlinks for Folders.txt in the Common Directories engine and GenericEmails.txt to Ignored Email Address settings for easy access
• All security engines are checked when the Controlled Scan panel is manually opened
• Added Cookie Whitepaper reference to cookie vulnerability templates
• Added External References to ExpressJS, CakePHP and Possible Stored XSS templates
• Improve grammar in Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability details
• Added support for highlighting input elements that are used to send passwords over query strings
• Improved rendering performance of the Knowledge Base’s Comments page when there are too many comments
• More commands are executed in the Code Evaluation exploitation to generate proofs
• Improved Out of Band SSTI attack payloads
• Added automatic selection in the Form Authentication dialog when all fields are filled up
• Added case sensitive search for Raw Response viewer
• Added an overlay to display longer scans are being imported, to block user activity and show progress
• Added Show/Hide Password button in Form Authentication settings
• Added an information dialog displayed when a scan is finished and Invicti window is in the background
• Improved highlight function for detected JavaScript libraries
• Improved reports to display the product version on which the Scan is performed
• Improved the HTTP Request Builder panel to display generic headers
• Manuscript has been renamed FogBugz
• Scan Profile, Scan Policy and Report Policy comboboxes are disabled when the Scan is finished
• Improved RFI confirmation for URL Rewrite parameters
• Improved adding Out of Date Information Database information to the Site Profile
• Improved signatures of Nginx Version Disclosure patterns
• Optimized the attack speed of XSS and LFI engines
• The Concurrent Connection slider in the Scan Policy Editor has been changed to Request Per Second to comply with new scan performance improvements
• Added a piece of extra information to Out-of-date vulnerability templates to explain the vulnerability reason
• Security Checks search has been improved in the Scan Policy Editor by tagging the SSL/TLS related security checks
• Cookie checks will analyze session cookie names to detect platform-specific default session names
• Missing HIPAA classifications in Insecure Transportation Security Protocol Supported Default Report Policy templates have been added
• Stored XSS and Insecure Frame Default Report Policy vulnerability descriptions have been improved
• Phishing by Navigating Browser Tabs Default Report Policy vulnerability description have been improved
• Added Jira Account ID field for Jira Send To Action to assign issues to a user as JIRA Api will not accept username after 29 April 2019

FIXES

• Fixed failing VDB update when multiple instances were running
• Fixed the incorrect URLs that were added during the DOM simulation for forms without action attributes
• Fixed the issues where extra vulnerabilities were added to the Sitemap during a Retest All
• Fixed the issue where the SameSite cookie vulnerability was reported for cookies that were missing Lax or Strict attributes
• Fixed an issue where JavaScript file parsing was taking longer than expected in some occasions
• Fixed an issue where copied URL Rewrite Rules from Knowledge Base cannot be pasted in URL Rewrite settings
• Fixed an issue where JavaScript file parsing might take longer than expected in some occasions
• Fixed a NullReferenceException that was thrown while saving the layout of panes
• Fixed an ObjectDisposedException that was thrown when cancelling a Retest
• Fixed the Listening Port so that it is no longer set for the next Manual Crawl
• Fixed the issue where Finished Scans were displayed a Paused Scan icon
• Fixed the issue where the Fixed notice text was missing for fixed vulnerabilities
• Fixed the issue where the incorrect severity was reported for the Cookie not Marked as Secure vulnerability of a non-session cookie
• Fixed the incorrect order of the vulnerabilities in the Issues panel
• Fixed the Trial Licence dialog that was popping up twice
• Fixed the issue where data from a previous scan was displaying in the Activity panel
• Fixed HTTP 400 errors raised by the ServiceNow Send To integration
• Fixed the ObjectDisposedExceptions error that was thrown during Blind SQL Injection checks
• Fixed an issue where the SSL client handshake code was having issues while trying to communicate with a specific server with different configuration
• Fixed the issue where the status bar displayed the incorrect number of remaining trial days
• Fixed the oversized icons displayed in the Logs panel caused when the screen DPI was set too high
• Fixed the filtering issue in the Issues panel which caused new vulnerabilities discovered to be displayed even though they did not match the filter
• Fixed the incorrect vulnerability count, caused by variations, that was displayed in the Status Bar
• Fixed an UnauthorizedAccessException that was thrown while attempting to select restricted folders during the Export to Cloud process
• Fixed an issue in the CSP engine where the ‘strict-dynamic’ directive was reported as an unsupported hash
• Fixed the problem where the application was hanging on shutdown
• Fixed missing Authentication cookies in the Knowledge Base
• Fixed incorrect nonce detected without matching script block vulnerability
• Fixed a DOM simulation issue where the passed element to call the setTimeout function was being ignored
• Fixed a Retest issue where Out-of-Band SSTI vulnerabilities were marked as retestable
• Fixed the issue where the tiny Validation Error icon was displaying in screens when the screen DPI was set too high
• Fixed the issue where cookies were sent during the request for the Favicon image of the target URL
• Fixed the handling of newline characters while rendering the Proof of Concept section of the Vulnerability details
• Fixed the high DPI issues in the Bulk Export to Enterprise panel
• Fixed the issue where the uninstall process was interrupted if an Invicti instance was still running
• Fixed high DPI issues in the Local Scans panel during Import
• Fixed a NullReferenceException that occurred while rendering Vulnerability Details
• Fixed the issue where the Activity Viewer automatically scrolled to the top following updates to activities
• Fixed the Knowledge Base Report’s header, where the image, title and severity level were overlapping
• Fixed the issue where Internal Path Disclosure was reported on script and stylesheet files
• Fixed an issue that caused FP Insecure Reflected Content to be reported
• Fixed the issue where the CSRF engine did not highlight the vulnerable HTML form when the name and action were not specified
• Fixed the issue where brute-force attacks were carried out regardless of the Authentication Type
• Fixed an issue in the Request Builder where the POST parameters were removed after switching tabs
• Fixed the issue where the LFI vulnerability confirmation patterns did not match the response returned from a Linux server
• Fixed an issue in the Response Viewer tab where the selected text remained highlighted even after the search was cleared
• Fixed the issue where vulnerability fields were not updated after a Retest
• Fixed the value of double encoded null byte in LFI, XSS attack patterns
• Fixed an issue in the Swagger importer where the parameter declared on the path level was not recognized
• Fixed an issue in the LFI engine where the confirmation payload was appended to the attack payload
• Fixed an issue in the Request Builder where duplicate headers could be added because header names were treated as Case Sensitive
• Fixed the problem where the wrong error message was displayed when a file parameter was selected in the Request Builder
• Fixed an unnecessary Header Warning dialog that popped up when the Edit Link button was clicked in the Request Builder
• Fixed an issue where an imported link could be saved without correcting the errors in the Request form
• Fixed an issue where links generated in Invicti attacks were added to the Sitemap
• Fixed the value of the double encoded null byte in the Header Injection pattern
• Fixed the encoding of the % sign in the base64 payload in XSS attacks
• Fixed the attack payload in the PHP Injection Fixed One Time Attack pattern
• Fixed an issue where version numbers were not correctly displayed in the Affected Versions section of VDB vulnerabilities
• Fixed an issue where the wrong importer format was selected by default in the Enter Links dialog
• Fixed the selection issue in the filtered Security Checks of the Scan Policy panel
• Fixed the encoding issue in the SQL Injection confirmation attack
• Fixed the validation issue of the Send to Action configuration
• Fixed the unnecessary node selection when the Expand/Collapse button was clicked on the Sitemap tree
• Fixed the grouping issue on vulnerability variations and instances
• Fixed HTTP method icons in the Sitemap
• Fixed issues caused by language changes
• Fixed the scrolling problem in the Vulnerability viewer
• Fixed the confusion over which persona was used during Form Authentication verification
• Fixed an order issue in the Sitemap tree
• Fixed the incorrect variation count presentation issue in the Issues tree
• Fixed the broken tab key in the Request Builder panel
• Fixed the incorrect Remaining Day presentation in the License reminder
• Fixed the issue where the Back button was clickable during the Bulk Export to Invicti Enterprise, causing the export to fail
• Fixed the issue where an error was displayed instead of the Proof in Blind SQL injection attacks
• Fixed the wrong proxy display after resetting settings to the default
• Fixed a performance issue that occurred while exporting a large Scan to Invicti Enterprise
• Fixed duplicate cookie names that were reported on a Cookie vulnerability
• Fixed a high DPI issue in the message box
• Fixed visual issues in the binary Response viewer
• Fixed an issue where the DOM engine failed to restart on some occasions
• Fixed an issue where Local/SessionStorage values were not persisting throughout the scan
• Fixed an issue where Form Authentication sometimes failed while trying to login to some websites that are built with React.JS
• Fixed a NullReferenceException that was sometimes thrown while saving Scan data
• Fixed HTML form simulation for cases where the form did not have an element with the Submit type
• Fixed HTML form simulation to take the Exclude by CSS Selector option into account to ignore required form elements
• Fixed an issue where overriding the Unicode Replacement characters in binary and JavaScript files sometimes broke the files and did not execute
• Fixed an issue where Invicti sometimes prevented Windows from shutting down while a Scan was running
• Fixed an issue where NTLM Authentication was being ignored during Logout Detection
• Fixed an issue where the cookies that were set in the JavaScript context during Form Authentication were not properly captured
• Fixed an issue where the Max Simulated Elements option was causing the simulation to hang
• Fixed an uncaught TypeError that was caused by Max Option Elements checks and causing the simulation to hang
• Fixed an issue where Signature checks were adding false-positive Site Profile information to the Knowledge Base issue
• Fixed an issue where ignored vulnerabilities were retested while performing an Incremental Scan
• Fixed an issue where an incorrect “Subresource Integrity (SRI) Hash Invalid” vulnerability was reported because of hash miscalculation

FIXES

• Fixed an InvalidOperationException thrown when application is forced to close during computer shutdown
• Fixed the clipboard format of Knowledgebase URL Rewrite List item
• Fixed a race condition that causes an ArgumentOutOfRangeException when rate limiting option is used

IMPROVEMENTS

• Added proof generation and Get Shell support for Code Evaluation (ASP) vulnerability
• Added Retest support for several cookie vulnerabilities
• Moved the target URL to the first position on Site Profile Knowledgebase

FIXES

• Fixed the Retest All button also retests the issues on additional web sites too
• Fixed the popup hide issue on custom form authentication script dialog
• Fixed a few unexpected NullReferenceException issues
• Fixed the broken arrow key navigation on Sitemap and Issues panels
• Fixed the incorrect vulnerability count reported on Issues panel tree groups
• Fixed the representation of fixed vulnerability on Issues panel
• Fixed the incorrect duplicate export dialog shown when trying to import a scan from cloud
• Fixed the issue where Issues panel were not being refreshed when retest is finished
• Fixed the initial panel shown by changing it from Progress panel to Activity panel
• Fixed the process cannot access the file issue while updating VDB
• Fixed a bug in cookie handling code during form authentication
• Fixed the incorrect severity reported for Cookie not Marked as Secure vulnerability on some scans
• Fixed an ArgumentOutOfRangeException thrown on some long scans
• Fixed an InvalidOperationException thrown while closing the application
• Fixed the incorrect Filter menu state on Sitemap panel

NEW FEATURES

• Rewrote Sitemap and Issues trees which improves the performance and adds features like filtering, grouping, sorting and searching.
• Added vulnerability families feature where similar types of vulnerabilities are not reported separately
• Added support for Swagger 3 / OpenAPI link import
• Added support for 64-bit smart card drivers for authentication
• Added GitLab Send To integration
• Added Bitbucket Send To integration
• Added Unfuddle Send To integration
• Added Zapier Send To integration
• Added Azure DevOps Send To integration
• Added support for importing links from IOdocs file format
• Added automatic upload to Invicti Enterprise option
• Added copy to clipboard buttons to request and response viewers
• Added a new Knowledge Base item for Not Found pages
• Added a hex view for binary responses in reports
• Added options to switch Scan Profile, Scan Policy and Report Policy for the current scan
• Added Uncheck by Severity context menu item to the Report Policy editor
• Added ISO 27001 vulnerability classifications and report template
• Added raw value support for Send To custom fields
• Added option to report variations of vulnerabilities

NEW SECURITY CHECKS

• Added a new pattern for CherryPy Version Disclosure
• Added an LFI attack pattern for WEB-INF/web.xml
• Added Ruby Error Disclosure detection
• Added WP Engine Configuration File detection
• Added CherryPy Stack Trace Disclosure detection
• Added Intro.js out-of-date version detection
• Added Axios out-of-date version detection
• Added Fingerprintjs2 out-of-date version detection
• Added XRegExp out-of-date version detection
• Added DataTables out-of-date version detection
• Added Lazy.js out-of-date version detection
• Added FancyBox out-of-date version detection
• Added Underscore.js out-of-date version detection
• Added Lightbox out-of-date version detection
• Added JBoss application server out-of-date version detection
• Added SweetAlert2 out-of-date version detection
• Added Lodash out-of-date version detection
• Added Bluebird out-of-date version detection
• Added Polymer out-of-date version detection

IMPROVEMENT

• Separated the Scan Activity panel and Progress chart into their own dock panels below
• Added a button to the Reporting tab for creating new Custom Report Templates
• Improved Knowledge Base item updates to prevent unexpected scrolling to the top of the screen
• Ordered several Knowledge Base items alphabetically
• Concurrent Connection count of imported scans can be modified
• Changed default Issue type to Story in JIRA Send To integration
• Changed CallerId field to optional in ServiceNow Send To integration
• Added PHP extension attack for Nginx vulnerability to File Upload engine
• Added File Upload patterns for Nginx parsing vulnerability
• Added settings to File Upload engine for configuring upload folders
• Added errorlog.axd detection support
• Improved elmah.axd detection
• The severity of the Cookie Not Marked as Secure vulnerability was lowered for non-session cookies
• Improved SSTI PHP Smarty attack detection
• Retest All can now be started when the scan is paused
• Improved the Swagger link importer to handle additional properties with integer and string value types
• Improved the Expect-CT engine by only reporting a vulnerability once for each host
• Improved RSA key confirmation by handling OpenPGP format
• Added a Statistics tab to the HTTP response viewer
• Increased the HSTS Not Enabled vulnerability severity from Information to Low
• Improved HTTP 407 proxy authentication error handling
• Improved missing license handling for non-interactive Windows sessions
• Controlled scan is now cancelled when a new scan is imported
• Added classifications to the HSTS Not Enabled vulnerability
• Excluded unpopular JavaScript Library Out of Date checks from the default policy to improve performance
• Improved the user experience of suggestions in the Scan Policy Optimizer when navigating back and forward in the wizard
• New certificate imported for Client Certificate Authentication is automatically selected
• Improved JSON request/response viewer performance for large documents
• Spaces in URLs of vulnerabilities are encoded in the vulnerability viewer
• Improved CSP security checks by analyzing empty responses, as CSP can be declared on headers instead of meta tags
• Generalized the RegEx Pattern of the trace.axd detected vulnerability to match all languages
• Updated HTTP response data of vulnerabilities after retest
• Scan Policy Optimizer now respects the security engine and pattern selections of the base policy
• Improved JSON format detection
• Replaced Unicode replacement characters with question marks in responses
• Added a Scan Policy option to attack cookies
• Improved element click DOM simulation for various element types
• SRI Not Implemented will no longer be reported for localhost URLs
• Improved ASP.NET error message detection
• Added descriptions to PCI categories in the PCI Compliance Report
• Improved Boolean SQL Injection detection
• Improved the Blind Command Injection attack patterns
• Improved the representation of Report Template compilation errors
• Removed the dependency of Object Model Installer for using TFS Send To integration
• Improved the language used in Retest and Controlled Scan results
• Focused policies are now set to the currently used ones in Scan Policy Editor and Report Policy Editor
• Misconfigured X-Frame-Options Header is now reported separately
• Improved source code disclosure checks to prevent reporting JavaScript template pages
• The link to a created Issue is now displayed on the status bar after sending a vulnerability to an integration
• Status code, status description and content length information have been added to the Slowest Pages knowledge base node
• Retest activities are marked on the Scan Activity panel
• Added the list of failed vulnerabilities to retest results dialog
• Improved WADL document parsing by ignoring DTDs
• Improved Open Redirect DOM based confirmation performance
• Long identified source code is shortened in Possible Source Code Disclosure vulnerabilities
• Cookie vulnerabilities report where the cookie is set from
• Improved the multi-line representation of LFI Exploitation data
• Removed the redundant scan save confirmation dialog displayed when closing the app
• Improved Swagger Document Format detection
• Options dialog now remembers its location and size
• File upload engine now detects new links in the response after the file is uploaded

FIXES

• Fixed double URL encoding problem in various Report Templates
• Fixed parsing issue that occurs when the upload folder contains a slash
• Fixed the issue where authentication does not work when retesting
• Fixed an exception thrown prior to scan when the language is set to Korean
• Fixed the incorrect license holder name displayed on application title
• Fixed a controlled scan issue where it fails if the connection check response status code is not 200 (OK)
• Fixed Jira send to custom field values by HTML encoding them
• Fixed double HTML encoding problem in TFS Send To template
• Fixed the issue where the connection error is displayed during a controlled scan when the response status code is not 200 (OK)
• Fixed a NullReferenceException thrown when a link label is clicked in a dialog
• Fixed display of Post Scan ribbon group’s caption text
• Fixed the issue where the Swagger importer generates an invalid JSON request body
• Fixed the ArgumentException thrown while performing Heartbleed security checks
• Fixed visibility of fixed vulnerabilities in Report Templates
• Fixed the issue where the wrong version was identified for Drupal
• Fixed the UriFormatException thrown during SSRF (Hawk) URI validation
• Fixed a disallowed HTTP method issue where some methods were still being allowed
• Fixed a typo in the CSP Not Implemented vulnerability details
• Fixed the issue where SRI Not Implemented URLs were not properly highlighted in the source code
• Fixed an InvalidCastException thrown while loading the panel layout
• Fixed a Form Authentication issue that occured on some React-based websites
• Fixed the issue where the old scan’s activities continued even when another scan was imported while performing a Retest All
• Fixed a NullReferenceException thrown in Retest
• Fixed signature detection for links found via the crawler
• Fixed an issue in CSP engine where it reported an incorrect vulnerability
• Fixed an URL encoding issue in DOM simulation that was causing some vulnerabilities to be missed
• Fixed the issue where the text parser incorrectly parsed extensions in the onclick event
• Fixed the incorrect Retest Fail dialog in the InternalServerError vulnerability
• Fixed the URL decoding issue when the URL was copied in the Issues panel
• Fixed the comments that were injected via Invicti attacks reported in the Knowledge Base Comment node
• Fixed duplicate parsing source field values reported for IFrame vulnerabilities
• Fixed a corrupted PDF report
• Fixed an issue where Apache MultiViews could not be detected in the target server
• Fixed the incorrect Cookie Expire Date set during Form Authentication
• Fixed the incorrect Source Code Disclosure report caused by SSTI attacks
• Fixed a Content-Type parsing issue in Form Authentication
• Fixed the issue where cookies received via Form Authentication were not being analyzed for vulnerabilities
• Fixed the NullReferenceException thrown by the Request Builder if there were no scans open
• Fixed the incorrect Source Code Disclosure reported when an XSS via RFI vulnerability was found
• Fixed an Out of Memory issue that occurred while trying to view a large document

IMPROVEMENT

• Improves licensing diagnostics mode

FIXES

• Fixed parsing issue in Swagger Importer that occurs while importing Swagger files in YAML format
• Fixed an issue that causes Invicti to fail to add certain pages to the sitemap when using the Manual Crawling

FIXES

• Fixed the issues on computers where FIPS compliancy is required
• Fixed the incorrect button positions on Website Checker dialog displayed during license activation

IMPROVEMENT

• Improved the list of resources discovered by the resource finder.

FIXES

• Fixed an issue that caused legacy trial license activation failure.
• Fixed a FormatException thrown when a scan was started using a trial license.
• Fixed an issue where when frame vulnerabilities were detected via DOM, it was not possible to locate the source code.
• Fixed an XPathException caused by an input node with special characters.
• Fixed an exception thrown by the report policy editor when an unbalanced parenthesis was entered into the vulnerability type search box.
• Fixed a NullReferenceException thrown by the DOM parser component.
• Fixed the problem where manually crawled pages were not updated in the Sitemap.

NEW FEATURES

• Added Bulk Export to Cloud feature
• Added Scan Speed graph
• Added Send To integration support for ServiceNow
• Added custom field support for Send To fields
• Added an encoder for JavaScript fromCharCode format
• Added Go to Identification Page button to Go to Parent link of current selected link
• Added Russian FSTEC BDU Vulnerability Database numbers to version vulnerabilities

NEW SECURITY CHECKS

• Added Out of Band Server Side Template Injection security checks
• Added signature detection check for Caddy web server
• Added signature detection check for aah go server
• Added signature detection check for JBoss application server
• Added CakePHP framework detection
• Added CakePHP version disclosure detection
• Added CakePHP out-of-date version detection
• Added CakePHP Stack Trace Disclosure
• Added CakePHP default page detection
• Added Out of Date checks for CKEditor 5

IMPROVEMENTS

• Updated the licensing model
• Updated .NET Framework version requirement to 4.7.2.
• Improved the user interface by reducing the number of borders between panels
• Added more information to the window where Cloud integration is conducted
• Improved the design of vulnerability details
• Added a link to Cloud scan URL when a scan is exported to the Cloud
• Improved the list of resources found by the Resources Finder
• Added a button to start an incremental scan for a scan listed on File>Import>Local Scans
• Added Hawk configuration validation to the Scan Optimizer
• The state of vulnerability nodes are updated across the Sitemap and Issues trees when ignored or included in scan
• All authentication vulnerabilities (Basic, NTLM, Digest, etc. authorization required) are merged into single vulnerability
• Dialog locations and sizes are remembered each time you reopen Invicti
• Added Request Method column to the Vulnerabilities List CSV report
• Added vulnerability severity to email Send To action template
• Added URL validation to Target URL textbox in the Start a New Scan dialog
• Updated Vulnerabilities List CSV report template to display attack parameter only
• Added fine grained options to Resource Finder step of Scan Policy Optimization wizard
• A Summary dialog is displayed after the Controlled Scan informing users about whether new vulnerabilities have been found
• Added cookie analyzer checks for cookies added using JavaScript
• Added keyboard navigation support to navigation bar control in the Start a New Scan dialog
• Variation count is included in the total vulnerability count in Detailed Scan Report
• Improved LFI Exploitation panel usability
• Added tokenized deletion using Ctrl + Backspace to Target URL text box
• Variation count included in the total count in report templates
• Improved the error message displayed when the retest fails if Form Authentication fails
• Added Link Count to the Scan Summary dashboard
• Added not found Link Count to the Scan Summary dashboard
• Controlled scan shows the detected vulnerability count on parameters after it’s finished
• Improved the error message displayed when an incorrect command line argument is supplied
• Added Label field for JIRA Send To actions
• Added Tags field for Manuscript (FogBugz) Send To actions
• Added WorkItem Tags field for TFS Send To actions
• Added Disable Resource Finder button to the Scan Policy Editor
• Added a Max Fail limit to Retest All so it does not abort after one retest has failed
• Ignored vulnerabilities are excluded from Retest All
• Improved SQL Injection proof data by stripping HTML tags
• Controlled scan can be started for vulnerabilities that have no parameters
• Vulnerabilities confirmed at the end of the Scan are retested separately in Retest All
• Added Late Confirmation activity into Controlled Scans so the Scan progress can be observed
• Added Copy and Copy Value context menu items to Headers’ request and response viewers
• Improved automatic Form Authentication by performing several additional attempts when the Submit button is disabled
• Improved CSRF token detection in cookie values
• Improved the error details displayed when link import fails

FIXES

• Fixed the incorrect Content-Type header sent during Form Authentication requests
• Fixed the vulnerability viewer display issue when a vulnerability node on Sitemap is reselected.
• Fixed the incorrect badge drawn on the ribbon’s Quick Access Toolbar buttons
• Fixed the WAF rule generated for TRACE/TRACK HTTP methods which were also blocking the other HTTP methods
• Fixed the URL encoding issue for vulnerabilities which are sent to Manuscript (FogBugz)
• Fixed several usability issues on the Short File Names exploitation panel
• Fixed the error where the ExpectCT header was reported as an interesting header
• Fixed the Multiple File Open Dialog high DPI issues
• Fixed the Content-Type header parsing when there was an extra semicolon character at the end of the value
• Fixed the incorrect number on the Detailed Scan report template’s instance column
• Fixed patterns that weren’t enabled when Security Checks were enabled with the Check All command
• Fixed the issue that the Controlled Scan won’t start on a link node
• Fixed high DPI issues on Scan Policy Optimizer wizard
• Fixed the issue that the style of child nodes was not updated when the vulnerability was ignored
• Fixed the issues that a confirmed Permanent XSS vulnerability was not added to the Confirmed group on the Issues tree
• Fixed the report templates that included ignored vulnerabilities in statistics
• Fixed the incorrect response displayed for SSRF vulnerabilities when the request was redirected to another page
• Fixed several dock panel issues
• Fixed a NullReferenceException thrown when setting a custom user agent on a Scan Policy
• Fixed the Critical Vulnerability Count in report templates
• Fixed an incorrect external reference for the ViewState is not Encrypted vulnerability
• Fixed a highlighting issue for vulnerabilities that display multiple responses
• Fixed an incorrect possible LFI vulnerability when the response was redirected
• Fixed an incorrect Open Redirect vulnerability reported when a regular link was followed during DOM parsing
• Fixed an issue where some Sitemap nodes were not added to the tree until a New Scan was started
• Fixed the broken case sensitivity check for crawled links
• Fixed a smartcard driver issue that occured when the path contained space characters
• Fixed a FormatException that occurred while parsing cookies
• Fixed several incorrect Source Code Disclosure reports
• Fixed the issue where cookies that were set by JavaScript were not highlighted
• Fixed a JsonReaderException that occured while trying to parse a Swagger document
• Fixed an ObjectDisposedException thrown when a tooltip was closing
• Fixed an ArgumentOutOfRangeException thrown while generating reports
• Fixed a case sensitivity issue on the Sitemap tree where two nodes with same name but different cases were not added to the tree
• Fixed a double HTML encoding problem in the generated exploit template
• Fixed adding multiple empty rows to Additional Website settings
• Fixed parsing URLs with encoded chars
• Fixed the problem where scans could not be resumed when paused during the Recrawling phase
• Fixed hanging Open Redirect checks caused by binary responses
• Fixed double HTML encoding problem in the URL in the Detailed scan report template
• Fixed the DOM parser so that the Exclude by CSS Selector setting is saved and displayed correctly in the custom preset
• Fixed redundant Encode use in the report templates that caused double HTML encoding
• Fixed InvalidOperationException thrown when using Manual Crawling
• Fixes the error where the custom driver selection dialog was opening twice in the Import Smart Card Certificate dialog
• Fixed incorrect count of Proof List knowledge base
• Fixed the issue where XSS via RFI could not be detected with a certain payload
• Fixed the issue where the Scan skipped to the attacking phase after the Crawling phase was skipped when the Scan started in Crawl & Wait mode
• Fixed the issue where a Swagger YAML file could not be imported
• Fixed the usability issues of JavaScript preset selection on Scan Policies where entered values could not be deleted
• Fixed the vulnerabilities remaining from the previous scan on sitemap when an incremental scan has been started.
• Fixed the cookie jar which does not ignore the duplicated cookie based on first cookie’s HttpOnly flag
• Fixed the issue where the late confirmed vulnerability was not added to the Sitemap
• Fixed the error where the activity time was not being updated during the extra confirmation phase

FIXES

• Fixed an ArgumentException caused by an incorrect URL entered on Start New Scan dialog.
• Fixed an XmlException thrown while trying to restore UI layout.
• Fixed missing cookies on form authentication when they are set from JavaScript context.
• Fixed an ArgumentException thrown on Start New Scan dialog for Korean systems.
• Fixed the ArgumentOutOfRangeException that occurs when creating reports through CLI.
• Fixed CORS security check retest issue where old response data were being used.
• Fixed a UriFormatException caused by an incorrect cloud integration server URL.
• Fixes an ArgumentOutOfRangeException that occurs when a URL with backslash is entered on Start New Scan dialog.

UPDATE

• Updated the Reporting API documentation.

FIXES

• Fixed a DirectoryNotFoundException thrown while trying to restore layout.
• Fixed an InvalidOperationException thrown while performing confirmation at the end of a scan.
• Fixed a highlighting related exception when there are no matches in the source code.
• Fixed an ArgumentNullException caused by an empty form authentication persona list when the scan is imported from cloud.

FIXES

• Fixed an issue where custom report policies could not be updated to the latest version of security check templates.
• Fixed incorrect time and duration information of cloud scans.
• Fixed empty request/response issue for scans exported to cloud.
• Fixed the issue that the controlled scan won’t start for selected links on sitemap.