Changelogs

Invicti Standard

18 Dec 2018

NEW FEATURES

  • Rewrote the Sitemap and Issues trees, which improves performance and adds features such as filtering, grouping, sorting and searching.
  • Added a vulnerability families feature so that similar types of vulnerabilities are no longer reported separately
  • Added support for Swagger 3 / OpenAPI link import
  • Added support for 64-bit smart card drivers for authentication
  • Added GitLab Send To integration
  • Added Bitbucket Send To integration
  • Added Unfuddle Send To integration
  • Added Zapier Send To integration
  • Added Azure DevOps Send To integration
  • Added support for importing links from IOdocs file format
  • Added automatic upload to Invicti Enterprise option
  • Added copy to clipboard buttons to request and response viewers
  • Added a new Knowledge Base item for Not Found pages
  • Added a hex view for binary responses in reports
  • Added options to switch Scan Profile, Scan Policy and Report Policy for the current scan
  • Added Uncheck by Severity context menu item to the Report Policy editor
  • Added ISO 27001 vulnerability classifications and report template
  • Added raw value support for Send To custom fields
  • Added option to report variations of vulnerabilities

NEW SECURITY CHECKS

  • Added a new pattern for CherryPy Version Disclosure
  • Added an LFI attack pattern for WEB-INF/web.xml
  • Added Ruby Error Disclosure detection
  • Added WP Engine Configuration File detection
  • Added CherryPy Stack Trace Disclosure detection
  • Added Intro.js out-of-date version detection
  • Added Axios out-of-date version detection
  • Added Fingerprintjs2 out-of-date version detection
  • Added XRegExp out-of-date version detection
  • Added DataTables out-of-date version detection
  • Added Lazy.js out-of-date version detection
  • Added FancyBox out-of-date version detection
  • Added Underscore.js out-of-date version detection
  • Added Lightbox out-of-date version detection
  • Added JBoss application server out-of-date version detection
  • Added SweetAlert2 out-of-date version detection
  • Added Lodash out-of-date version detection
  • Added Bluebird out-of-date version detection
  • Added Polymer out-of-date version detection

IMPROVEMENT

  • Separated the Scan Activity panel and Progress chart into their own dock panels below
  • Added a button to the Reporting tab for creating new Custom Report Templates
  • Improved Knowledge Base item updates to prevent unexpected scrolling to the top of the screen
  • Ordered several Knowledge Base items alphabetically
  • Concurrent Connection count of imported scans can be modified
  • Changed default Issue type to Story in JIRA Send To integration
  • Changed CallerId field to optional in ServiceNow Send To integration
  • Added PHP extension attack for Nginx vulnerability to File Upload engine
  • Added File Upload patterns for Nginx parsing vulnerability
  • Added settings to File Upload engine for configuring upload folders
  • Added errorlog.axd detection support
  • Improved elmah.axd detection
  • The severity of the Cookie Not Marked as Secure vulnerability was lowered for non-session cookies
  • Improved SSTI PHP Smarty attack detection
  • Retest All can now be started when the scan is paused
  • Improved the Swagger link importer to handle additional properties with integer and string value types
  • Improved the Expect-CT engine by only reporting a vulnerability once for each host
  • Improved RSA key confirmation by handling OpenPGP format
  • Added a Statistics tab to the HTTP response viewer
  • Increased the HSTS Not Enabled vulnerability severity from Information to Low
  • Improved HTTP 407 proxy authentication error handling
  • Improved missing license handling for non-interactive Windows sessions
  • Controlled scan is now cancelled when a new scan is imported
  • Added classifications to the HSTS Not Enabled vulnerability
  • Excluded unpopular JavaScript Library Out of Date checks from the default policy to improve performance
  • Improved the user experience of suggestions in the Scan Policy Optimizer when navigating back and forward in the wizard
  • New certificate imported for Client Certificate Authentication is automatically selected
  • Improved JSON request/response viewer performance for large documents
  • Spaces in URLs of vulnerabilities are encoded in the vulnerability viewer
  • Improved CSP security checks by analyzing empty responses, as CSP can be declared on headers instead of meta tags
  • Generalized the RegEx Pattern of the trace.axd detected vulnerability to match all languages
  • Updated HTTP response data of vulnerabilities after retest
  • Scan Policy Optimizer now respects the security engine and pattern selections of the base policy
  • Improved JSON format detection
  • Replaced Unicode replacement characters with question marks in responses
  • Added a Scan Policy option to attack cookies
  • Improved element click DOM simulation for various element types
  • SRI Not Implemented will no longer be reported for localhost URLs
  • Improved ASP.NET error message detection
  • Added descriptions to PCI categories in the PCI Compliance Report
  • Improved Boolean SQL Injection detection
  • Improved the Blind Command Injection attack patterns
  • Improved the representation of Report Template compilation errors
  • Removed the dependency of Object Model Installer for using TFS Send To integration
  • Improved the language used in Retest and Controlled Scan results
  • Focused policies are now set to the currently used ones in Scan Policy Editor and Report Policy Editor
  • Misconfigured X-Frame-Options Header is now reported separately
  • Improved source code disclosure checks to prevent reporting JavaScript template pages
  • The link to a created Issue is now displayed on the status bar after sending a vulnerability to an integration
  • Status code, status description and content length information have been added to the Slowest Pages knowledge base node
  • Retest activities are marked on the Scan Activity panel
  • Added the list of failed vulnerabilities to retest results dialog
  • Improved WADL document parsing by ignoring DTDs
  • Improved Open Redirect DOM based confirmation performance
  • Long source code identified in Possible Source Code Disclosure vulnerabilities is now shortened
  • Cookie vulnerabilities now report where the cookie was set from
  • Improved the multi-line representation of LFI Exploitation data
  • Removed the redundant scan save confirmation dialog displayed when closing the app
  • Improved Swagger Document Format detection
  • Options dialog now remembers its location and size
  • File upload engine now detects new links in the response after the file is uploaded

FIXES

  • Fixed double URL encoding problem in various Report Templates
  • Fixed parsing issue that occurs when the upload folder contains a slash
  • Fixed the issue where authentication does not work when retesting
  • Fixed an exception thrown prior to scan when the language is set to Korean
  • Fixed the incorrect license holder name displayed in the application title
  • Fixed a controlled scan issue where it fails if the connection check response status code is not 200 (OK)
  • Fixed JIRA Send To custom field values by HTML encoding them
  • Fixed double HTML encoding problem in TFS Send To template
  • Fixed the issue where the connection error is displayed during a controlled scan when the response status code is not 200 (OK)
  • Fixed a NullReferenceException thrown when a link label is clicked in a dialog
  • Fixed display of Post Scan ribbon group’s caption text
  • Fixed the issue where the Swagger importer generates an invalid JSON request body
  • Fixed the ArgumentException thrown while performing Heartbleed security checks
  • Fixed visibility of fixed vulnerabilities in Report Templates
  • Fixed the issue where the wrong version was identified for Drupal
  • Fixed the UriFormatException thrown during SSRF (Hawk) URI validation
  • Fixed a disallowed HTTP method issue where some methods were still being allowed
  • Fixed a typo in the CSP Not Implemented vulnerability details
  • Fixed the issue where SRI Not Implemented URLs were not properly highlighted in the source code
  • Fixed an InvalidCastException thrown while loading the panel layout
  • Fixed a Form Authentication issue that occurred on some React-based websites
  • Fixed the issue where the old scan’s activities continued even when another scan was imported while performing a Retest All
  • Fixed a NullReferenceException thrown in Retest
  • Fixed signature detection for links found via the crawler
  • Fixed an issue in CSP engine where it reported an incorrect vulnerability
  • Fixed a URL encoding issue in DOM simulation that was causing some vulnerabilities to be missed
  • Fixed the issue where the text parser incorrectly parsed extensions in the onclick event
  • Fixed the incorrect Retest Fail dialog in the InternalServerError vulnerability
  • Fixed the URL decoding issue when the URL was copied in the Issues panel
  • Fixed the Knowledge Base Comment node reporting comments that had been injected by Invicti's own attacks
  • Fixed duplicate parsing source field values reported for IFrame vulnerabilities
  • Fixed a corrupted PDF report
  • Fixed an issue where Apache MultiViews could not be detected in the target server
  • Fixed the incorrect Cookie Expire Date set during Form Authentication
  • Fixed the incorrect Source Code Disclosure report caused by SSTI attacks
  • Fixed a Content-Type parsing issue in Form Authentication
  • Fixed the issue where cookies received via Form Authentication were not being analyzed for vulnerabilities
  • Fixed the NullReferenceException thrown by the Request Builder if there were no scans open
  • Fixed the incorrect Source Code Disclosure reported when an XSS via RFI vulnerability was found
  • Fixed an Out of Memory issue that occurred while trying to view a large document

24 Sep 2018

IMPROVEMENT

  • Improved licensing diagnostics mode

FIXES

  • Fixed parsing issue in Swagger Importer that occurs while importing Swagger files in YAML format
  • Fixed an issue that causes Invicti to fail to add certain pages to the sitemap when using the Manual Crawling

19 Sep 2018

FIXES

  • Fixed the issues on computers where FIPS compliance is required
  • Fixed the incorrect button positions on Website Checker dialog displayed during license activation

13 Sep 2018

IMPROVEMENT

  • Improved the list of resources discovered by the resource finder.

FIXES

  • Fixed an issue that caused legacy trial license activation failure.
  • Fixed a FormatException thrown when a scan was started using a trial license.
  • Fixed an issue where, when frame vulnerabilities were detected via the DOM, it was not possible to locate the source code.
  • Fixed an XPathException caused by an input node with special characters.
  • Fixed an exception thrown by the report policy editor when an unbalanced parenthesis was entered into the vulnerability type search box.
  • Fixed a NullReferenceException thrown by the DOM parser component.
  • Fixed the problem where manually crawled pages were not updated in the Sitemap.

12 Sep 2018

NEW FEATURES

  • Added Bulk Export to Cloud feature
  • Added Scan Speed graph
  • Added Send To integration support for ServiceNow
  • Added custom field support for Send To fields
  • Added an encoder for JavaScript fromCharCode format
  • Added Go to Identification Page button to Go to Parent link of current selected link
  • Added Russian FSTEC BDU Vulnerability Database numbers to version vulnerabilities

NEW SECURITY CHECKS

  • Added Out of Band Server Side Template Injection security checks
  • Added signature detection check for Caddy web server
  • Added signature detection check for aah go server
  • Added signature detection check for JBoss application server
  • Added CakePHP framework detection
  • Added CakePHP version disclosure detection
  • Added CakePHP out-of-date version detection
  • Added CakePHP Stack Trace Disclosure
  • Added CakePHP default page detection
  • Added Out of Date checks for CKEditor 5

IMPROVEMENTS

  • Updated the licensing model
  • Updated .NET Framework version requirement to 4.7.2.
  • Improved the user interface by reducing the number of borders between panels
  • Added more information to the window where Cloud integration is conducted
  • Improved the design of vulnerability details
  • Added a link to Cloud scan URL when a scan is exported to the Cloud
  • Improved the list of resources found by the Resources Finder
  • Added a button to start an incremental scan for a scan listed on File>Import>Local Scans
  • Added Hawk configuration validation to the Scan Optimizer
  • The state of vulnerability nodes is updated across the Sitemap and Issues trees when they are ignored or included in the scan
  • All authentication vulnerabilities (Basic, NTLM, Digest, etc. authorization required) are merged into a single vulnerability
  • Dialog locations and sizes are remembered each time you reopen Invicti
  • Added Request Method column to the Vulnerabilities List CSV report
  • Added vulnerability severity to email Send To action template
  • Added URL validation to Target URL textbox in the Start a New Scan dialog
  • Updated Vulnerabilities List CSV report template to display attack parameter only
  • Added fine grained options to Resource Finder step of Scan Policy Optimization wizard
  • A Summary dialog is displayed after the Controlled Scan informing users about whether new vulnerabilities have been found
  • Added cookie analyzer checks for cookies added using JavaScript
  • Added keyboard navigation support to navigation bar control in the Start a New Scan dialog
  • Variation count is included in the total vulnerability count in Detailed Scan Report
  • Improved LFI Exploitation panel usability
  • Added tokenized deletion using Ctrl + Backspace to Target URL text box
  • Variation count included in the total count in report templates
  • Improved the error message displayed when the retest fails if Form Authentication fails
  • Added Link Count to the Scan Summary dashboard
  • Added not found Link Count to the Scan Summary dashboard
  • Controlled scan shows the detected vulnerability count on parameters after it’s finished
  • Improved the error message displayed when an incorrect command line argument is supplied
  • Added Label field for JIRA Send To actions
  • Added Tags field for Manuscript (FogBugz) Send To actions
  • Added WorkItem Tags field for TFS Send To actions
  • Added Disable Resource Finder button to the Scan Policy Editor
  • Added a Max Fail limit to Retest All so it does not abort after one retest has failed
  • Ignored vulnerabilities are excluded from Retest All
  • Improved SQL Injection proof data by stripping HTML tags
  • Controlled scan can be started for vulnerabilities that have no parameters
  • Vulnerabilities confirmed at the end of the Scan are retested separately in Retest All
  • Added Late Confirmation activity into Controlled Scans so the Scan progress can be observed
  • Added Copy and Copy Value context menu items to Headers’ request and response viewers
  • Improved automatic Form Authentication by performing several additional attempts when the Submit button is disabled
  • Improved CSRF token detection in cookie values
  • Improved the error details displayed when link import fails

FIXES

  • Fixed the incorrect Content-Type header sent during Form Authentication requests
  • Fixed the vulnerability viewer display issue when a vulnerability node on Sitemap is reselected.
  • Fixed the incorrect badge drawn on the ribbon’s Quick Access Toolbar buttons
  • Fixed the WAF rule generated for the TRACE/TRACK HTTP methods, which was also blocking other HTTP methods
  • Fixed the URL encoding issue for vulnerabilities which are sent to Manuscript (FogBugz)
  • Fixed several usability issues on the Short File Names exploitation panel
  • Fixed the error where the Expect-CT header was reported as an interesting header
  • Fixed the Multiple File Open Dialog high DPI issues
  • Fixed the Content-Type header parsing when there was an extra semicolon character at the end of the value
  • Fixed the incorrect number on the Detailed Scan report template’s instance column
  • Fixed patterns that weren’t enabled when Security Checks were enabled with the Check All command
  • Fixed the issue where the Controlled Scan would not start on a link node
  • Fixed high DPI issues on Scan Policy Optimizer wizard
  • Fixed the issue where the style of child nodes was not updated when the vulnerability was ignored
  • Fixed the issue where a confirmed Permanent XSS vulnerability was not added to the Confirmed group on the Issues tree
  • Fixed the report templates that included ignored vulnerabilities in statistics
  • Fixed the incorrect response displayed for SSRF vulnerabilities when the request was redirected to another page
  • Fixed several dock panel issues
  • Fixed a NullReferenceException thrown when setting a custom user agent on a Scan Policy
  • Fixed the Critical Vulnerability Count in report templates
  • Fixed an incorrect external reference for the ViewState is not Encrypted vulnerability
  • Fixed a highlighting issue for vulnerabilities that display multiple responses
  • Fixed an incorrect possible LFI vulnerability when the response was redirected
  • Fixed an incorrect Open Redirect vulnerability reported when a regular link was followed during DOM parsing
  • Fixed an issue where some Sitemap nodes were not added to the tree until a New Scan was started
  • Fixed the broken case sensitivity check for crawled links
  • Fixed a smart card driver issue that occurred when the path contained space characters
  • Fixed a FormatException that occurred while parsing cookies
  • Fixed several incorrect Source Code Disclosure reports
  • Fixed the issue where cookies that were set by JavaScript were not highlighted
  • Fixed a JsonReaderException that occurred while trying to parse a Swagger document
  • Fixed an ObjectDisposedException thrown when a tooltip was closing
  • Fixed an ArgumentOutOfRangeException thrown while generating reports
  • Fixed a case sensitivity issue on the Sitemap tree where two nodes with same name but different cases were not added to the tree
  • Fixed a double HTML encoding problem in the generated exploit template
  • Fixed adding multiple empty rows to Additional Website settings
  • Fixed parsing URLs with encoded chars
  • Fixed the problem where scans could not be resumed when paused during the Recrawling phase
  • Fixed hanging Open Redirect checks caused by binary responses
  • Fixed double HTML encoding problem in the URL in the Detailed scan report template
  • Fixed the DOM parser so that the Exclude by CSS Selector setting is saved and displayed correctly in the custom preset
  • Fixed redundant Encode use in the report templates that caused double HTML encoding
  • Fixed InvalidOperationException thrown when using Manual Crawling
  • Fixed the error where the custom driver selection dialog was opening twice in the Import Smart Card Certificate dialog
  • Fixed incorrect count of Proof List knowledge base
  • Fixed the issue where XSS via RFI could not be detected with a certain payload
  • Fixed the issue where the Scan skipped to the attacking phase after the Crawling phase was skipped when the Scan started in Crawl & Wait mode
  • Fixed the issue where a Swagger YAML file could not be imported
  • Fixed the usability issues of JavaScript preset selection on Scan Policies where entered values could not be deleted
  • Fixed the vulnerabilities remaining from the previous scan on sitemap when an incremental scan has been started.
  • Fixed the cookie jar, which did not ignore a duplicate cookie based on the first cookie’s HttpOnly flag
  • Fixed the issue where the late confirmed vulnerability was not added to the Sitemap
  • Fixed the error where the activity time was not being updated during the extra confirmation phase

21 Jun 2018

FIXES

  • Fixed an ArgumentException caused by an incorrect URL entered on Start New Scan dialog.
  • Fixed an XmlException thrown while trying to restore UI layout.
  • Fixed missing cookies on form authentication when they are set from JavaScript context.
  • Fixed an ArgumentException thrown on Start New Scan dialog for Korean systems.
  • Fixed the ArgumentOutOfRangeException that occurs when creating reports through CLI.
  • Fixed CORS security check retest issue where old response data were being used.
  • Fixed a UriFormatException caused by an incorrect cloud integration server URL.
  • Fixed an ArgumentOutOfRangeException that occurs when a URL with a backslash is entered on the Start New Scan dialog.

08 Jun 2018

UPDATE

  • Updated the Reporting API documentation.

FIXES

  • Fixed a DirectoryNotFoundException thrown while trying to restore layout.
  • Fixed an InvalidOperationException thrown while performing confirmation at the end of a scan.
  • Fixed a highlighting related exception when there are no matches in the source code.
  • Fixed an ArgumentNullException caused by an empty form authentication persona list when the scan is imported from cloud.

25 May 2018

FIXES

  • Fixed an issue where custom report policies could not be updated to the latest version of security check templates.
  • Fixed incorrect time and duration information of cloud scans.
  • Fixed empty request/response issue for scans exported to cloud.
  • Fixed the issue where the controlled scan would not start for selected links on the sitemap.

17 May 2018

IMPROVEMENTS

  • Improved confirmation on time-based attacks.

FIXES

  • Fixed the percent encoding issue on Detailed Scan Report.
  • Fixed the stale custom report template buttons which were removed from the disk.
  • Fixed the InvalidOperationException caused by Expect-CT IP endpoint highlighting.
  • Fixed a NullReferenceException while generating sitemap tree.
  • Fixed the incorrect numbers reported on vulnerability summary table of Detailed Scan Report.
  • Fixed the selection issue on scan policy user agent settings.
  • Fixed the FormatException when HTTP rate limits are set on a scan policy.

11 May 2018

FIXES

  • Fixed an issue where old scan files fail to import.
  • Fixed Short File Names Exploiter by disabling it when other vulnerability types are selected.
  • Fixed disabled UI where Cloud is not reachable.
  • Fixed blocked UI during VDB update check.
  • Fixed copying URL Rewrite rules in the Knowledge Base by copying RegExp patterns with placeholder patterns.
  • Fixed opening the Scan Summary Dashboard when the root node is clicked in the sitemap tree.
  • Fixed hiding backstage when export file dialog is canceled.
  • Fixed an incorrect encoded space character on Detailed Scan Report.
  • Fixed overlapping icons of optimized scan policies on Start a New Scan Dialog.

11 May 2018

FEATURES

  • Netsparker Enterprise integration: ability to import and export scans between the scanners.
  • New user interface with new skin and improved usability.
  • Smart Card authentication support.
  • Attack Radar panel that shows detailed attacking progress of security checks.
  • Added the OWASP 2017 Top Ten classifications report template.
  • Added Server-Side Template Injection (SSTI) vulnerability checks.

SECURITY CHECKS

  • Expect-CT security checks.
  • Added various new web applications in the application version database.
  • Added out of date checks for Hammer.JS, Phaser, Chart.js, Ramda, reveal.js, Fabric.js, Semantic UI, Leaflet, Foundation, three.js, PDF.js, Polymer.

IMPROVEMENTS

  • Crawler can now parse multiple sitemaps in a robots.txt file.
  • Improved the representation of POST, JSON and XML parameters on sitemap.
  • Added support for opening links in all web browsers installed on the computer.
  • Improved high DPI support.
  • Improved sorting on Issues panel.
  • New Extensions scan policy settings to specify which extensions should be crawled and attacked.
  • Added activity status text for XSS and Open Redirect confirmation phases.
  • Added target link address to status bar on vulnerability descriptions.
  • Added “Import from Scan Session” option to populate form values based on an existing scan.
  • Added support for parsing swagger documents in yaml format.
  • Added Open Redirect and XSS confirmation timeout settings.
  • Added support for parsing relative meta refresh URLs.
  • Moved Knowledge base items to own panel.
  • Improved the vulnerability summary section of Detailed Scan Report.
  • Added “Copy to Clipboard” link to unmatched URL rewrite rules table within URL Rewrite knowledge base.
  • Improved the usability of User Agent scan policy settings.
  • The favicon of the target website is shown in the sitemap tree.
  • Added search capability to the Knowledge Base details.
  • Improved parsing of websites using the React framework.
  • The Content-Security-Policy-Report-Only header is no longer reported as an interesting header.
  • Added support for sending text to Encoder panel from other panels in the application.
  • Added save report button to Knowledge base.
  • Added “Ignore Authentication” option to Request builder.
  • Added a hotkey to “Ignore from This Scan” menu.
  • Added “Force User Agent” setting to force the selected User Agent value on scan policy.
  • Added support for Postman v2.1 version.
  • Scan logs in Logs panel are now saved along with scan file.
  • Added an extra consistency check to ROBOT attacks.
  • Added scan policy settings to include/exclude certain cookie names from Cookie security checks.
  • Improved the “Interesting Header” list support.
  • Added anti-CSRF token support for Blind SQL Injection exploitation.
  • Removed BOM from JSON and XML report templates.
  • Improved the numbers reported on dashboard.
  • Added summary table to several reports.
  • Variations are retested before starting an incremental scan.
  • Improved JavaScript content check performance while detecting out of date checks.
  • Added multi-thread support to Controlled Scan.
  • Added anti-CSRF token support for tokens in request headers, meta tags, manual crawling and imported links.
  • Added command line auto update option.
  • Renamed FogBugz send to action to its new name Manuscript.
  • Testing Send To actions now creates issues on target systems.
  • GitHub Send to action now works with organization accounts and private repositories.
  • Scan Policy and Report Policy editor dialogs remember their locations and sizes.
  • Added support for handling HTTP 307 redirects.
  • DS_STORE files are discovered and parsed.
  • Improved MySQL double encoded string attacks.

FIXES

  • Fixed scheduled scans to prevent incorrect settings from being saved.
  • Fixed the overflow issue of “Maximum 404 Signatures” scan policy setting.
  • Fixed the unsaved Disallowed HTTP Methods issue for scan profiles.
  • Fixed some possible vulnerabilities missing [Possible] indicator in title.
  • Fixed the exception thrown when importing a scan file whose path contains invalid characters.
  • Fixed an ArgumentOutOfRangeException thrown when the back button is clicked on the Scan Policy Optimizer.
  • Fixed the incorrect “Exclude Branch” icon.
  • Fixed the missing Host header issue on Request Builder.
  • Fixed the issue where header enabled and disabled states are not preserved in Postman v2 files.
  • Fixed the issue where the selected vulnerability is not being recognized while performing a retest.
  • Fixed the issue where all variations are removed from Issues panel if a parent vulnerability is removed.
  • Fixed the issue where the parent vulnerability is struck out in the sitemap when a variation is fixed after a retest.
  • Fixed the issue where some vulnerabilities that are not fixed come up as fixed after a retest.
  • Fixed highlighting problem for “Password Transmitted over HTTP” vulnerability.
  • Fixed the incorrect Possible LFI caused by the persisted OOB RCE pattern on the page response.
  • Fixed incorrect “[Possible] WS_FTP Log File Detected” vulnerability.
  • Fixed the issue where a variation node is not added to the Issues panel.
  • Fixed incorrect average speed calculation on Detailed Scan Report.
  • Fixed some issues in Incremental Scan and Controlled Scan where some vulnerabilities are reported as fixed while they still exist.
  • Fixed the issue where the same POST parameters appear twice in the Request Builder form.
  • Fixed Hawk validation error by not following redirects.
  • Fixed the issue where a vulnerability is not reported when the cookie contains a CSRF token.
  • Fixed the issue where static detection vulnerabilities are treated as fixed after a retest even though they are not.
  • Fixed the issue where CSRF token in the cookie is not reported when token is in the form action.
  • Fixed the issue on GitHub send to action where the test passed but vulnerability issue cannot be created.
  • Fixed the SSL check hang on HTTP only hosts.
  • Fixed LFI engine by not analyzing source code disclosure on binary responses.
  • Fixed a validation issue for some Swagger documents.
  • Fixed the issue where CSP keywords are not reported when used without single quotes.
  • Fixed mailto: and javascript: links which were incorrectly reported as mixed content.
  • Fixed the issue where the Cookie header in a raw request was not added to the sqlmap command.
  • Fixed the issue where the crawler kept trying to crawl the target URL when Retry was clicked after a connection failure.
  • Fixed incorrect source code disclosures reported in binary responses.
  • Fixed incorrect UNC Server And Share Disclosure vulnerability reports.
  • Fixed out of date version reporting behavior when no ordinal is found in version database.
  • Fixed Lighttpd version disclosure detection signatures.
  • Fixed a Swagger parsing issue.
  • Fixed broken proxy chaining in manual crawl mode.

23 Apr 2018

FIX

  • Fixed a security vulnerability in form authentication verification.