Invicti Standard Release Notes

24-Sep-2018

IMPROVEMENT

  • Improved licensing diagnostics mode

FIXES

  • Fixed a parsing issue in the Swagger Importer that occurred while importing Swagger files in YAML format
  • Fixed an issue that caused Invicti to fail to add certain pages to the Sitemap when using Manual Crawling
19-Sep-2018

FIXES

  • Fixed issues on computers where FIPS compliance is required
  • Fixed the incorrect button positions on the Website Checker dialog displayed during license activation
13-Sep-2018

IMPROVEMENT

  • Improved the list of resources discovered by the resource finder.

FIXES

  • Fixed an issue that caused legacy trial license activation failure.
  • Fixed a FormatException thrown when a scan was started using a trial license.
  • Fixed an issue where when frame vulnerabilities were detected via DOM, it was not possible to locate the source code.
  • Fixed an XPathException caused by an input node with special characters.
  • Fixed an exception thrown by the report policy editor when an unbalanced parenthesis was entered into the vulnerability type search box.
  • Fixed a NullReferenceException thrown by the DOM parser component.
  • Fixed the problem where manually crawled pages were not updated in the Sitemap.
12-Sep-2018

NEW FEATURES

  • Added Bulk Export to Cloud feature
  • Added Scan Speed graph
  • Added Send To integration support for ServiceNow
  • Added custom field support for Send To fields
  • Added an encoder for JavaScript fromCharCode format
  • Added a Go to Identification Page button alongside the Go to Parent link of the currently selected link
  • Added Russian FSTEC BDU Vulnerability Database numbers to version vulnerabilities

NEW SECURITY CHECKS

  • Added Out of Band Server Side Template Injection security checks
  • Added signature detection check for Caddy web server
  • Added signature detection check for aah go server
  • Added signature detection check for JBoss application server
  • Added CakePHP framework detection
  • Added CakePHP version disclosure detection
  • Added CakePHP out-of-date version detection
  • Added CakePHP Stack Trace Disclosure
  • Added CakePHP default page detection
  • Added Out of Date checks for CKEditor 5

IMPROVEMENTS

  • Updated the licensing model
  • Updated .NET Framework version requirement to 4.7.2.
  • Improved the user interface by reducing the number of borders between panels
  • Added more information to the window where Cloud integration is conducted
  • Improved the design of vulnerability details
  • Added a link to Cloud scan URL when a scan is exported to the Cloud
  • Improved the list of resources found by the Resources Finder
  • Added a button to start an incremental scan for a scan listed on File>Import>Local Scans
  • Added Hawk configuration validation to the Scan Optimizer
  • The state of vulnerability nodes is updated across the Sitemap and Issues trees when they are ignored or included in the scan
  • All authentication vulnerabilities (Basic, NTLM, Digest, etc. authorization required) are merged into a single vulnerability
  • Dialog locations and sizes are remembered each time you reopen Invicti
  • Added Request Method column to the Vulnerabilities List CSV report
  • Added vulnerability severity to email Send To action template
  • Added URL validation to Target URL textbox in the Start a New Scan dialog
  • Updated Vulnerabilities List CSV report template to display attack parameter only
  • Added fine grained options to Resource Finder step of Scan Policy Optimization wizard
  • A Summary dialog is displayed after the Controlled Scan informing users about whether new vulnerabilities have been found
  • Added cookie analyzer checks for cookies added using JavaScript
  • Added keyboard navigation support to navigation bar control in the Start a New Scan dialog
  • Variation count is included in the total vulnerability count in Detailed Scan Report
  • Improved LFI Exploitation panel usability
  • Added tokenized deletion using Ctrl + Backspace to Target URL text box
  • Variation count included in the total count in report templates
  • Improved the error message displayed when the retest fails if Form Authentication fails
  • Added Link Count to the Scan Summary dashboard
  • Added not found Link Count to the Scan Summary dashboard
  • Controlled scan shows the detected vulnerability count on parameters after it's finished
  • Improved the error message displayed when an incorrect command line argument is supplied
  • Added Label field for JIRA Send To actions
  • Added Tags field for Manuscript (FogBugz) Send To actions
  • Added WorkItem Tags field for TFS Send To actions
  • Added Disable Resource Finder button to the Scan Policy Editor
  • Added a Max Fail limit to Retest All so it does not abort after one retest has failed
  • Ignored vulnerabilities are excluded from Retest All
  • Improved SQL Injection proof data by stripping HTML tags
  • Controlled scan can be started for vulnerabilities that have no parameters
  • Vulnerabilities confirmed at the end of the Scan are retested separately in Retest All
  • Added Late Confirmation activity into Controlled Scans so the Scan progress can be observed
  • Added Copy and Copy Value context menu items to Headers' request and response viewers
  • Improved automatic Form Authentication by performing several additional attempts when the Submit button is disabled
  • Improved CSRF token detection in cookie values
  • Improved the error details displayed when link import fails

FIXES

  • Fixed the incorrect Content-Type header sent during Form Authentication requests
  • Fixed the vulnerability viewer display issue when a vulnerability node on Sitemap is reselected.
  • Fixed the incorrect badge drawn on the ribbon's Quick Access Toolbar buttons
  • Fixed the WAF rule generated for the TRACE/TRACK HTTP methods, which was also blocking other HTTP methods
  • Fixed the URL encoding issue for vulnerabilities which are sent to Manuscript (FogBugz)
  • Fixed several usability issues on the Short File Names exploitation panel
  • Fixed the error where the Expect-CT header was reported as an interesting header
  • Fixed the Multiple File Open Dialog high DPI issues
  • Fixed the Content-Type header parsing when there was an extra semicolon character at the end of the value
  • Fixed the incorrect number on the Detailed Scan report template's instance column
  • Fixed patterns that weren't enabled when Security Checks were enabled with the Check All command
  • Fixed the issue where the Controlled Scan would not start on a link node
  • Fixed high DPI issues on Scan Policy Optimizer wizard
  • Fixed the issue where the style of child nodes was not updated when the vulnerability was ignored
  • Fixed the issue where a confirmed Permanent XSS vulnerability was not added to the Confirmed group on the Issues tree
  • Fixed the report templates that included ignored vulnerabilities in statistics
  • Fixed the incorrect response displayed for SSRF vulnerabilities when the request was redirected to another page
  • Fixed several dock panel issues
  • Fixed a NullReferenceException thrown when setting a custom user agent on a Scan Policy
  • Fixed the Critical Vulnerability Count in report templates
  • Fixed an incorrect external reference for the ViewState is not Encrypted vulnerability
  • Fixed a highlighting issue for vulnerabilities that display multiple responses
  • Fixed an incorrect possible LFI vulnerability when the response was redirected
  • Fixed an incorrect Open Redirect vulnerability reported when a regular link was followed during DOM parsing
  • Fixed an issue where some Sitemap nodes were not added to the tree until a New Scan was started
  • Fixed the broken case sensitivity check for crawled links
  • Fixed a smartcard driver issue that occurred when the path contained space characters
  • Fixed a FormatException that occurred while parsing cookies
  • Fixed several incorrect Source Code Disclosure reports
  • Fixed the issue where cookies that were set by JavaScript were not highlighted
  • Fixed a JsonReaderException that occurred while trying to parse a Swagger document
  • Fixed an ObjectDisposedException thrown when a tooltip was closing
  • Fixed an ArgumentOutOfRangeException thrown while generating reports
  • Fixed a case sensitivity issue on the Sitemap tree where two nodes with same name but different cases were not added to the tree
  • Fixed a double HTML encoding problem in the generated exploit template
  • Fixed adding multiple empty rows to Additional Website settings
  • Fixed parsing URLs with encoded chars
  • Fixed the problem where scans could not be resumed when paused during the Recrawling phase
  • Fixed hanging Open Redirect checks caused by binary responses
  • Fixed double HTML encoding problem in the URL in the Detailed scan report template
  • Fixed the DOM parser so that the Exclude by CSS Selector setting is saved and displayed correctly in the custom preset
  • Fixed redundant Encode use in the report templates that caused double HTML encoding
  • Fixed InvalidOperationException thrown when using Manual Crawling
  • Fixed the error where the custom driver selection dialog was opening twice in the Import Smart Card Certificate dialog
  • Fixed incorrect count of Proof List knowledge base
  • Fixed the issue where XSS via RFI could not be detected with a certain payload
  • Fixed the issue where the Scan skipped to the attacking phase after the Crawling phase was skipped when the Scan started in Crawl & Wait mode
  • Fixed the issue where a Swagger YAML file could not be imported
  • Fixed the usability issues of JavaScript preset selection on Scan Policies where entered values could not be deleted
  • Fixed vulnerabilities from the previous scan remaining on the Sitemap when an incremental scan was started
  • Fixed the cookie jar, which did not ignore a duplicated cookie based on the first cookie's HttpOnly flag
  • Fixed the issue where the late confirmed vulnerability was not added to the Sitemap
  • Fixed the error where the activity time was not being updated during the extra confirmation phase
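The Content-Type parsing fix in this release (a stray semicolon after the last parameter) is a common edge case in header handling: a naive split on `;` either raises or mislabels the response, and a scanner that mislabels a response skips the wrong checks. The following is an added example, not Invicti code, of a tolerant parser; the function names and the sample header values are this example's own.

```python
"""Tolerant Content-Type parsing (added example, not Invicti code).

Handles 'text/html; charset=utf-8;' (trailing ';'), 'text/html;;' and
quoted parameter values that themselves contain ';'.
"""
import re
from typing import Dict, List, Tuple

# RFC 9110 parameter: token "=" ( token / quoted-string )
_PARAM_RE = re.compile(
    r"\s*([!#$%&'*+\-.^_`|~0-9A-Za-z]+)\s*=\s*"
    r'(?:"((?:[^"\\]|\\.)*)"|([^;\s"]*))\s*'
)


def _split_unquoted(value: str) -> List[str]:
    """Split on ';' characters that are not inside a quoted-string."""
    parts, buf, in_quotes, escaped = [], [], False, False
    for ch in value:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quotes:
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == ";" and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_content_type(value: str) -> Tuple[str, Dict[str, str]]:
    """Return (media_type, params); media type and parameter names are lowercased.

    Empty segments produced by stray ';' are skipped instead of raising, and a
    malformed parameter is dropped rather than discarding the whole header.
    """
    parts = _split_unquoted(value)
    media_type = parts[0].strip().lower()
    if "/" not in media_type or media_type.startswith("/") or media_type.endswith("/"):
        raise ValueError(f"invalid media type: {media_type!r}")
    params: Dict[str, str] = {}
    for segment in parts[1:]:
        if not segment.strip():
            continue  # 'text/html; charset=utf-8;' or 'text/html;;'
        match = _PARAM_RE.fullmatch(segment)
        if match is None:
            continue  # e.g. a bare 'charset' with no '='
        name = match.group(1).lower()
        if match.group(2) is not None:
            val = re.sub(r"\\(.)", r"\1", match.group(2))  # unescape quoted-pair
        else:
            val = match.group(3)
        params.setdefault(name, val)  # first occurrence wins, as browsers do
    return media_type, params


def is_html_response(content_type: str) -> bool:
    """True for the media types a scanner should run HTML/DOM checks against."""
    media_type, _ = parse_content_type(content_type)
    return media_type in ("text/html", "application/xhtml+xml")
```

The parser keeps the first value of a duplicated parameter, which matches how browsers resolve a repeated charset; raising on the malformed tail would have been the bug the release note describes.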
21-Jun-2018

FIXES

  • Fixed an ArgumentException caused by an incorrect URL entered on Start New Scan dialog.
  • Fixed an XmlException thrown while trying to restore UI layout.
  • Fixed missing cookies on form authentication when they are set from JavaScript context.
  • Fixed an ArgumentException thrown on Start New Scan dialog for Korean systems.
  • Fixed the ArgumentOutOfRangeException that occurs when creating reports through CLI.
  • Fixed CORS security check retest issue where old response data were being used.
  • Fixed a UriFormatException caused by an incorrect cloud integration server URL.
  • Fixed an ArgumentOutOfRangeException that occurred when a URL with a backslash was entered on the Start New Scan dialog.
8-Jun-2018

UPDATE

  • Updated the Reporting API documentation.

FIXES

  • Fixed a DirectoryNotFoundException thrown while trying to restore layout.
  • Fixed an InvalidOperationException thrown while performing confirmation at the end of a scan.
  • Fixed a highlighting related exception when there are no matches in the source code.
  • Fixed an ArgumentNullException caused by an empty form authentication persona list when the scan is imported from cloud.
25-May-2018

FIXES

  • Fixed an issue where custom report policies could not be updated to the latest version of security check templates.
  • Fixed incorrect time and duration information of cloud scans.
  • Fixed empty request/response issue for scans exported to cloud.
  • Fixed the issue where the controlled scan would not start for selected links on the sitemap.
17-May-2018

IMPROVEMENTS

  • Improved confirmation on time-based attacks.
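Time-based confirmation is where blind injection checks pick up false positives from network jitter, a slow page, or a single transient spike. The block below is an added example, not Invicti's confirmation logic, showing the safeguards a scanner wants before it reports: a multi-sample baseline, escalating delays that must scale linearly with the requested sleep, and a zero-delay control request. The fake target, its latencies and the MySQL SLEEP() payload shape are constructed for the example.

```python
"""Confirming a time-based (blind) injection (added example, not Invicti code).

Target latencies below are constructed, not measured.
"""
import itertools
import statistics
from typing import Callable, Sequence

Sender = Callable[[str], float]  # send(payload) -> elapsed seconds


def confirm_time_based(send: Sender, payload_for: Callable[[float], str],
                       delays: Sequence[float] = (2.0, 4.0),
                       baseline_samples: int = 5, tolerance: float = 0.5) -> bool:
    """Return True only if response time tracks the requested delay.

    tolerance is extra slack (seconds) on top of the observed baseline jitter.
    """
    # Baseline with the same payload shape but no sleep, so request cost matches.
    baseline = [send(payload_for(0)) for _ in range(baseline_samples)]
    base_median = statistics.median(baseline)
    jitter = max(baseline) - min(baseline)
    slack = jitter + tolerance

    observed = []
    for delay in delays:
        extra = send(payload_for(delay)) - base_median
        if extra < delay - slack:
            return False  # no delay: not injectable (or the sleep was filtered)
        observed.append(extra)

    # Extra time must grow by about the difference in requested delays;
    # a uniformly slow page or one transient spike fails this check.
    for i in range(1, len(delays)):
        step = delays[i] - delays[i - 1]
        if abs((observed[i] - observed[i - 1]) - step) > slack:
            return False

    # Control: a zero-delay payload sent after the attacks must still look like baseline.
    return send(payload_for(0)) - base_median <= slack


def mysql_sleep_payload(seconds: float) -> str:
    """Payload shape only; assumes the injection point is inside a string literal."""
    return f"' AND SLEEP({seconds:g})-- "


def make_fake_target(vulnerable: bool, latencies: Sequence[float]) -> Sender:
    """Constructed stand-in for a web application with the given network latencies."""
    lat = itertools.cycle(latencies)

    def send(payload: str) -> float:
        elapsed = next(lat)
        if vulnerable and "SLEEP(" in payload:
            elapsed += float(payload.split("SLEEP(", 1)[1].split(")", 1)[0])
        return elapsed
    return send
```

The thresholds are illustrative; the point is that one delayed response is never enough, and the delay has to grow with the requested sleep before a finding is confirmed.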

FIXES

  • Fixed the percent encoding issue on Detailed Scan Report.
  • Fixed stale custom report template buttons for templates that had been removed from disk.
  • Fixed the InvalidOperationException caused by Expect CT IP endpoint highlighting.
  • Fixed a NullReferenceException while generating sitemap tree.
  • Fixed the incorrect numbers reported on vulnerability summary table of Detailed Scan Report.
  • Fixed the selection issue on scan policy user agent settings.
  • Fixed the FormatException when HTTP rate limits are set on a scan policy.
11-May-2018

FEATURES

  • Netsparker Enterprise integration: ability to import and export scans between the scanners.
  • New user interface with new skin and improved usability.
  • Smart Card authentication support.
  • Attack Radar panel that shows detailed attacking progress of security checks.
  • Added the OWASP 2017 Top Ten classifications report template.
  • Added Server-Side Template Injection (SSTI) vulnerability checks.

SECURITY CHECKS

  • Expect-CT security checks.
  • Added various new web applications in the application version database.
  • Added out of date checks for Hammer.JS, Phaser, Chart.js, Ramda, reveal.js, Fabric.js, Semantic UI, Leaflet, Foundation, three.js, PDF.js, Polymer.

IMPROVEMENTS

  • Crawler can now parse multiple sitemaps in a robots.txt file.
  • Improved the representation of POST, JSON and XML parameters on sitemap.
  • Added support for opening links in all web browsers installed on the computer.
  • Improved high DPI support.
  • Improved sorting on Issues panel.
  • New Extensions scan policy settings to specify which extensions should be crawled and attacked.
  • Added activity status text for XSS and Open Redirect confirmation phases.
  • Added target link address to status bar on vulnerability descriptions.
  • Added "Import from Scan Session" option to populate form values based on an existing scan.
  • Added support for parsing swagger documents in yaml format.
  • Added Open Redirect and XSS confirmation timeout settings.
  • Added support for parsing relative meta refresh URLs.
  • Moved Knowledge base items to own panel.
  • Improved the vulnerability summary section of Detailed Scan Report.
  • Added "Copy to Clipboard" link to unmatched URL rewrite rules table within URL Rewrite knowledge base.
  • Improved the usability of User Agent scan policy settings.
  • The favicon of the target website is shown in the sitemap tree.
  • Added search capability to the Knowledge base details.
  • Improved parsing of websites using React framework.
  • The Content-Security-Policy-Report-Only header is no longer reported as an interesting header.
  • Added support for sending text to Encoder panel from other panels in the application.
  • Added save report button to Knowledge base.
  • Added "Ignore Authentication" option to Request builder.
  • Added a hotkey to "Ignore from This Scan" menu.
  • Added "Force User Agent" setting to force the selected User Agent value on scan policy.
  • Added support for Postman v2.1 version.
  • Scan logs in Logs panel are now saved along with scan file.
  • Added an extra consistency check to ROBOT attacks.
  • Added scan policy settings to include/exclude certain cookie names from Cookie security checks.
  • Improved the "Interesting Header" list support.
  • Added anti-CSRF token support for Blind SQL Injection exploitation.
  • Removed BOM from JSON and XML report templates.
  • Improved the numbers reported on dashboard.
  • Added summary table to several reports.
  • Variations are retested before starting an incremental scan.
  • Improved JavaScript content check performance while detecting out of date checks.
  • Added multi-thread support to Controlled Scan.
  • Added anti-CSRF token support for tokens in request headers, meta tags, manual crawling and imported links.
  • Added command line auto update option.
  • Renamed FogBugz send to action to its new name Manuscript.
  • Testing Send To actions now creates issues on target systems.
  • GitHub Send to action now works with organization accounts and private repositories.
  • Scan Policy and Report Policy editor dialogs remember their locations and sizes.
  • Added support for handling HTTP 307 redirects.
  • .DS_Store files are discovered and parsed.
  • Improved MySQL double encoded string attacks.

FIXES

  • Fixed scheduled scans to prevent incorrect settings from being saved.
  • Fixed the overflow issue of "Maximum 404 Signatures" scan policy setting.
  • Fixed the unsaved Disallowed HTTP Methods issue for scan profiles.
  • Fixed some possible vulnerabilities that were missing the [Possible] indicator in their titles.
  • Fixed the exception that occurred when importing a scan file whose path contained invalid characters.
  • Fixed an ArgumentOutOfRangeException thrown when the back button was clicked on the Scan Policy Optimizer.
  • Fixed the incorrect "Exclude Branch" icon.
  • Fixed the missing Host header issue on Request Builder.
  • Fixed the issue where header enabled and disabled states are not preserved in Postman v2 files.
  • Fixed the issue where the selected vulnerability is not being recognized while performing a retest.
  • Fixed the issue where all variations are removed from Issues panel if a parent vulnerability is removed.
  • Fixed the issue where the parent vulnerability was struck out in the sitemap when a variation was fixed after a retest.
  • Fixed the issue where some vulnerabilities that were not fixed came up as fixed after a retest.
  • Fixed highlighting problem for "Password Transmitted over HTTP" vulnerability.
  • Fixed the incorrect Possible LFI caused by the persisted OOB RCE pattern on the page response.
  • Fixed incorrect "[Possible] WS_FTP Log File Detected" vulnerability.
  • Fixed the issue where a variation node is not added to the Issues panel.
  • Fixed incorrect average speed calculation on Detailed Scan Report.
  • Fixed some issues in Incremental Scan and Controlled Scan where some vulnerabilities are reported as fixed while they still exist.
  • Fixed the issue where the same POST parameters appeared twice in the request builder form.
  • Fixed Hawk validation error by not following redirects.
  • Fixed the issue where a vulnerability is not reported when the cookie contains a CSRF token.
  • Fixed the issue where static detection vulnerabilities are treated as fixed after a retest even though they are not.
  • Fixed the issue where CSRF token in the cookie is not reported when token is in the form action.
  • Fixed the issue on GitHub send to action where the test passed but vulnerability issue cannot be created.
  • Fixed the SSL check hang on HTTP only hosts.
  • Fixed LFI engine by not analyzing source code disclosure on binary responses.
  • Fixed a validation issue for some Swagger documents.
  • Fixed the issue where CSP keywords are not reported when used without single quotes.
  • Fixed mailto: and javascript: links which were incorrectly reported as mixed content.
  • Fixed the issue where cookie header in raw request not added to the sqlmap command.
  • Fixed the issue where the crawler kept trying to crawl the target URL when Retry was clicked after a connection failure.
  • Fixed incorrect source code disclosures reported in binary responses.
  • Fixed incorrect UNC Server And Share Disclosure vulnerability reports.
  • Fixed out of date version reporting behavior when no ordinal is found in version database.
  • Fixed Lighttpd version disclosure detection signatures.
  • Fixed a Swagger parsing issue.
  • Fixed broken proxy chaining in manual crawl mode.
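Mixed content is only a finding for subresources the browser will actually fetch over http:// from an https page, which is why mailto: and javascript: links (the fix above) must never be reported, and why a protocol-relative `//cdn/...` reference is fine. The following added example, not Invicti's check, classifies such references as active (script, stylesheet, frame) or passive (image, media); the tag/attribute tables, sample page and URLs are this example's own.

```python
"""Mixed-content classification (added example, not Invicti's check).

Sample HTML and URLs are constructed.
"""
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlparse

# Resources that execute or restyle the page (active) versus display-only (passive).
ACTIVE = {("script", "src"), ("link", "href"), ("iframe", "src"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}
NON_NETWORK_SCHEMES = {"mailto", "javascript", "data", "tel", "blob", "about"}

Finding = Tuple[str, str, str]  # (severity, tag, absolute_url)


def classify_refs(page_url: str, refs: List[Tuple[str, str, str]]) -> List[Finding]:
    """refs are (tag, attr, value) triples taken from the page's markup."""
    if urlparse(page_url).scheme.lower() != "https":
        return []  # mixed content is only defined for secure pages
    findings: List[Finding] = []
    for tag, attr, value in refs:
        value = value.strip()
        if urlparse(value).scheme.lower() in NON_NETWORK_SCHEMES:
            continue  # never fetched over the network, so never mixed content
        if value.startswith("//"):
            continue  # protocol-relative: resolves to https on an https page
        absolute = urljoin(page_url, value)
        if urlparse(absolute).scheme.lower() != "http":
            continue  # relative paths and https:// resources are fine
        key = (tag.lower(), attr.lower())
        if key in ACTIVE:
            findings.append(("active", key[0], absolute))
        elif key in PASSIVE:
            findings.append(("passive", key[0], absolute))
    return findings


class _RefCollector(HTMLParser):
    """Collects only the tag/attribute pairs that can load a subresource."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if value is not None and (tag, attr) in ACTIVE | PASSIVE:
                self.refs.append((tag, attr, value))


def find_mixed_content(page_url: str, html: str) -> List[Finding]:
    """Parse the page and classify every subresource reference it contains."""
    parser = _RefCollector()
    parser.feed(html)
    return classify_refs(page_url, parser.refs)


# Constructed sample: three real findings, five references that must be ignored.
SAMPLE_PAGE_URL = "https://shop.example.test/checkout"
SAMPLE_HTML = """
<html><head>
<script src="http://cdn.example.test/app.js"></script>
<script src="//cdn.example.test/lib.js"></script>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
</head><body>
<img src="http://img.example.test/banner.png">
<img src="data:image/png;base64,iVBORw0KGgo=">
<iframe src="HTTP://ads.example.test/frame"></iframe>
<a href="mailto:help@example.test">Help</a>
<a href="javascript:void(0)">Menu</a>
<a href="http://blog.example.test/">Blog</a>
</body></html>
"""
```

Plain `<a href="http://...">` navigation links are not collected at all: following them is a navigation, not a subresource load, so they are out of scope for this check.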
11-May-2018

FIXES

  • Fixed an issue where old scan files fail to import.
  • Fixed Short File Names Exploiter by disabling it when other vulnerability types are selected.
  • Fixed disabled UI when the Cloud is not reachable.
  • Fixed blocked UI during VDB update check.
  • Fixed copying URL Rewrite rules in the knowledgebase by copying RegExp patterns with placeholder patterns.
  • Fixed opening Scan Summary Dashboard when clicked root node from sitemap tree.
  • Fixed hiding backstage when export file dialog is canceled.
  • Fixed an incorrect encoded space character on Detailed Scan Report.
  • Fixed overlapping icons of optimized scan policies on Start a New Scan Dialog.
23-Apr-2018

FIX

  • Fixed a security vulnerability in form authentication verification.
8-Mar-2018

IMPROVEMENTS

  • Added support for importing Postman v2.1 files.
  • Added certificate extension aliases support to Client Certificate Authentication.

FIXES

  • Fixed an issue where certificates were not listed in the client certificates dropdown list.
  • Fixed Invicti Hawk validation issue.
2-Feb-2018

IMPROVEMENTS

  • Added a new report template - Detailed Vulnerabilities List in XML.
  • Optimized ROBOT attack check performance.
  • Improved React Controlled Field coverage in form authentication custom scripts.

FIXES

  • Fixed the non-rendered web page on form authentication verification dialog, due to malformed Content-Type header.
  • Fixed the disabled Retest menu item for vulnerabilities on Issues tree.
28-Dec-2017

FIXES

  • Fixed a per-host certificate generation issue that rendered manual crawling unusable.
  • Fixed an ArgumentNullException thrown from DOM simulation.
22-Dec-2017

NEW SECURITY CHECK

  • Added security check for "The ROBOT Attack" vulnerability.

IMPROVEMENTS

  • Improved performance of huge JavaScript file parsing.
  • Improved custom form authentication scripting support for pages using React JavaScript framework.
15-Dec-2017

NEW FEATURE

  • Added JavaScript timeout settings for Open Redirect and XSS confirmation in Scan Policy.

IMPROVEMENT

  • Improved the parsing of large JavaScript files.

FIXES

  • Fixed the empty target URL text box on start new scan window on initial load.
  • Fixed the hang issue caused by popup windows during form authentication.
  • Fixed the exception that occurs when root directory node is excluded in sitemap.
  • Fixed an exception thrown while shutting down the application.
  • Fixed a NullReferenceException that occurred while trying to parse compressed sitemap files.
  • Fixed a serialization exception that occurred while trying to load older scan files.
  • Fixed the broken tooltip message on Custom Form Authentication Script dialog.
  • Fixed the exception that occurs when importing scan file because the path has invalid chars.
  • Fixed duplicate activities displayed while analyzing crawled pages.
24-Nov-2017

NEW FEATURES

  • Users can now preconfigure local/session web storage data for a website.
  • Added a new send to action to send e-mails.
  • Added HTTP Header Authentication settings to add request HTTP Headers with authentication information.
  • Added CSV file link importer.
  • Added parsing of form values from a specified URL.
  • Added custom root certificate support for manual crawling.
  • Added gzipped sitemap parsing support.
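Two crawler items in these notes share the same plumbing: multiple Sitemap: directives in one robots.txt (the 11-May-2018 release) and sitemap bodies that arrive gzip-compressed (this release). This added example, not the Invicti crawler's code, walks robots.txt to sitemap index to sitemaps, collecting every Sitemap: line rather than the first and detecting gzip from the magic bytes rather than the file extension. The robots.txt, XML bodies and fetch function are constructed for the example.

```python
"""Sitemap discovery (added example, not the Invicti crawler's code).

Sample robots.txt and sitemap XML are constructed.
"""
import gzip
import xml.etree.ElementTree as ET
from typing import Callable, List, Tuple
from urllib.parse import urljoin


def extract_sitemaps(robots_txt: str, robots_url: str) -> List[str]:
    """Return every Sitemap: URL in robots.txt, in order, without duplicates."""
    found: List[str] = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "sitemap":
            continue  # field names are case-insensitive
        url = urljoin(robots_url, value.strip())  # spec says absolute; tolerate relative
        if url and url not in found:
            found.append(url)
    return found


def parse_sitemap(body: bytes) -> Tuple[str, List[str]]:
    """Return ('index' | 'urlset', [loc, ...]) from a sitemap or sitemap index body.

    Gzip is detected from the magic bytes, so a body served without a
    Content-Encoding header or without a .gz suffix is still handled.
    """
    if body[:2] == b"\x1f\x8b":
        body = gzip.decompress(body)
    # Sitemaps are attacker-controlled input; in production parse them with
    # defusedxml rather than the stdlib parser used here for self-containment.
    root = ET.fromstring(body)
    kind = root.tag.rsplit("}", 1)[-1]  # drop the namespace prefix
    if kind not in ("sitemapindex", "urlset"):
        raise ValueError(f"not a sitemap document: {root.tag}")
    locs = [el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "loc" and el.text]
    return ("index" if kind == "sitemapindex" else "urlset"), locs


def discover_urls(robots_txt: str, robots_url: str,
                  fetch: Callable[[str], bytes]) -> List[str]:
    """Walk robots.txt -> sitemap index -> sitemaps and collect page URLs.

    fetch(url) -> bytes is supplied by the caller (constructed below).
    """
    queue = extract_sitemaps(robots_txt, robots_url)
    seen, pages = set(), []
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue  # guards against index files that reference each other
        seen.add(url)
        kind, locs = parse_sitemap(fetch(url))
        if kind == "index":
            queue.extend(locs)
        else:
            pages.extend(loc for loc in locs if loc not in pages)
    return pages


# Constructed sample site: two Sitemap: lines (one repeated), an index, a gzipped sitemap.
SITEMAP_NS = "http://www.sitemaps.org/schemas/sitemap/0.9"
SAMPLE_ROBOTS = """User-agent: *
Disallow: /admin/
Sitemap: https://example.test/sitemap-index.xml
sitemap: https://example.test/sitemap-news.xml.gz   # gzipped
Sitemap: https://example.test/sitemap-index.xml
"""
SAMPLE_BODIES = {
    "https://example.test/sitemap-index.xml": (
        f'<?xml version="1.0" encoding="UTF-8"?><sitemapindex xmlns="{SITEMAP_NS}">'
        "<sitemap><loc>https://example.test/sitemap-pages.xml</loc></sitemap></sitemapindex>"
    ).encode(),
    "https://example.test/sitemap-pages.xml": (
        f'<urlset xmlns="{SITEMAP_NS}"><url><loc>https://example.test/</loc></url>'
        "<url><loc>https://example.test/login</loc></url></urlset>"
    ).encode(),
    "https://example.test/sitemap-news.xml.gz": gzip.compress(
        f'<urlset xmlns="{SITEMAP_NS}"><url><loc>https://example.test/news/1</loc></url></urlset>'.encode()
    ),
}


def fake_fetch(url: str) -> bytes:
    """Constructed stand-in for an HTTP GET of the sample site."""
    return SAMPLE_BODIES[url]
```

For a pentester, sitemaps are a cheap source of in-scope URLs that the crawler would otherwise have to guess; the `seen` set matters because a sitemap index can be made to reference itself.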

NEW SECURITY CHECKS

  • Added reflected "Code Evaluation (Apache Struts 2)" security check (CVE-2017-12611).
  • Added "Remote Code Execution in Apache Struts" security check (CVE-2017-5638).

IMPROVEMENTS

  • Renamed "Important" severity name to "High".
  • Updated external references for several vulnerabilities.
  • Improved default Form Values settings.
  • Improved scan stability and performance.
  • Added Form Authentication performance data to Scan Performance knowledgebase node.
  • Added "Run only when user is logged on" option to the scan scheduling.
  • Added a warning before the scan starts if there are out of scope links in imported links.
  • Improved Active Mixed Content vulnerability description.
  • Improved DOM simulation for events attached to document object.
  • Added "Alternates", "Content-Location" and "Refresh" response header parsing.
  • Removed "Disable IE ESC" requirement on Windows server operating systems.
  • Improved Content Security Policy (CSP) engine performance by checking CSP Nonce value per directory.
  • Changed sqlmap payloads to start with sqlmap.py, including the .py extension.
  • Added --batch argument to sqlmap payloads.
  • Removed Markdown Injection XSS attack payloads.
  • Filtered out irrelevant certificates generated by Invicti from client certificate selection dropdown on Client Certificate Authentication settings.
  • Added highlighting for detected out of date JavaScript libraries.
  • Added ALL parameter type option to the Ignored Parameters settings.
  • Added gtm.js (Google Tag Manager JS library) to the default excluded scope patterns.
  • Added an option to export only PDF reports without HTML.
  • Added -nohtml argument to CLI to create only pdf reports.
  • Updated the Accept header value for default scan policy.
  • CSS exclusion selectors now support frames and iframes.
  • Added embedded space parsing for JavaScript code in HTML attribute values.
  • Added scan start time information to the dashboard.
  • Skip Phase button is disabled if the phase cannot be skipped.
  • Added validation messages for invalid entries on start new scan dialog sections.
  • Added parsing source information to Scanned URLs List and Crawled URLs List (JSON) reports.
  • Added highlight support for password transmitted over HTTP vulnerabilities.
  • Email disclosure will not be reported for email address used in form authentication credentials.
  • Added focus and blur event simulation for form authentication set value API calls.
  • Uninstaller now checks for any running instances.
  • Internal proxy now serves the certificate used through HTTP echo page.
  • Added spell checker for Report Policy Editor.
  • Added an error page if any internal proxy exception occurs.
  • Added more information about the HTML form and input for vulnerabilities found on HTML forms.
  • Added a JavaScript option to specify JavaScript cookies to persist across authentication and DOM simulation.
  • Extensions on the URLs are handled by the custom URL rewrite rule wizard.
  • Added Parameter Value column to Vulnerabilities List CSV report.
  • Added match by HTML element id for form values.
  • Added "Ignore document events" to JavaScript settings to ignore triggering events attached to document object.
  • Improved Windows Short Filename vulnerability details Remedy section.
  • Improved scan policy security check filtering by supporting short names of security checks.
  • Improved Burp file import dialog by removing the file extension filter.
  • Improved table column widths on several reports.
  • Updated default User-Agent HTTP request header string.
  • URL Rewrite parameters are now represented as asterisks in sqlmap payloads.

FIXES

  • Fixed the InvalidOperationException on application exit.
  • Fixed CSRF vulnerability reporting on change password forms.
  • Fixed Email Disclosure highlight issue where only the first email address is highlighted when there are multiple email addresses on the page.
  • Fixed case sensitivity checks while matching ignored parameters; matching is now case sensitive.
  • Fixed the incorrect progress bar value displayed when a scan is imported.
  • Fixed the incorrect disabled external references section in WordPress Setup Configuration File template.
  • Fixed up/down movement issue on Form Values when multiple rows are selected.
  • Fixed various source code disclosure issues.
  • Fixed an escaping issue with CSS exclusion selectors.
  • Fixed the issue where the basic authentication credentials are not being sent on logout detection phase.
  • Fixed a NullReferenceException when an invalid raw request is entered in request builder.
  • Fixed HTTP Request Builder where it did not set the request method to POST if the selected method was PUT.
  • Fixed the issue where the response URL is displayed in the vulnerability details.
  • Fixed the issue where some links were not excluded from scan from sitemap.
  • Fixed an enabled security check group in which all security checks were disabled.
  • Fixed a random DOM simulation exception that occurred when the site created popup windows.
  • Fixed a RemotingException that occurred on Form Authentication Verifier.
  • Fixed a possible NullReferenceException on Form Authentication.
  • Fixed the message dialog windows displayed by the 3rd party component on Form Authentication Verification.
  • Fixed the broken form authentication custom script when the last line of the script is a single line comment.
  • Fixed certificate search in the store by subject name, which returned matches without exact subject names.
  • Fixed ESC key handling on message dialogs.
  • Fixed huge parameter value deserialization memory usage.
  • Fixed an issue with Load New License that occurred when the source and destination license files were the same.
  • Fixed the issue where the parsing source is set to Unspecified for links found by resource finder in reports.
  • Fixed the incorrect sitemap representation of excluded nodes when a scan is imported.
  • Fixed the wrong URLs added with only extension values.
  • Fixed the logout detection portion of form authentication verification where it was not using the configured proxy.
  • Fixed the message overflow issue in the out of scope link warning dialog.
  • Fixed a NullReferenceException which may be thrown while importing a swagger file.
  • Fixed the incorrect Skip Current Phase button state when the scan phase is changed.
  • Fixed the internal proxy throwing an exception when certain browsers do not send the full URL with the initial request.
  • Fixed an issue in which the form authentication is not being triggered on retest.
  • Fixed StackOverflowException in swagger parser thrown while parsing objects containing circular references.
  • Fixed a swagger file parsing issue where target URL should be used when host field is missing.
  • Fixed swagger importer by ignoring any metadata properties.
  • Fixed the empty request/response displayed for some sitemap nodes with 404 response.
  • Fixed the autocomplete issue in the Content-Type header in Request builder.
  • Fixed a NullReferenceException that occurred during DOM simulation.
  • Fixed the incorrect URLs parsed on attack responses.
  • Fixed the redundant duplicate HTTP requests issued by Web App Fingerprinter.
  • Fixed show/hide issue for Dashboard and Sitemap panels.
  • Fixed the issue where Retest All button disappears after a Retest.
  • Fixed the issue where the dollar sign in imported URL is encoded after scan.
  • Fixed the empty request/response header issue for links discovered during attacking.
  • Fixed ignore parameter issue for parameters containing special characters.
  • Fixed a NullReferenceException that occurs for select elements missing option elements on multipart requests.
  • Fixed missing vulnerabilities requiring late confirmation for incremental scans.
  • Fixed a NullReferenceException that could occur on iframe security checks.
  • Fixed the exception that occurs while adding duplicate POST parameters with the same name in Request builder.
21-Nov-2017

NEW SECURITY CHECK

  • Added more Command Injection and Blind Command Injection patterns for Windows systems.
11-Oct-2017

IMPROVEMENT

  • Updated vulnerability database to latest version.
9-Oct-2017

FIX

  • Fixed the incorrect percentage encoding on Detailed Scan Report template.
6-Oct-2017

NEW SECURITY CHECK

  • Added "Out of Band Code Evaluation (Apache Struts 2)" security check (CVE-2017-12611).

IMPROVEMENTS

  • Improved the stability of DOM and JavaScript simulation.
  • Improved report templates.
22-Sep-2017

NEW SECURITY CHECK

  • Added "Out of Band Code Evaluation (Apache Struts 2)" security check (CVE-2017-9805).
18-Sep-2017

FIX

  • Fixed an out of memory issue.
13-Sep-2017

IMPROVEMENTS

  • Improved the form authentication element click API by providing the mouse coordinates.

FIXES

  • Fixed an object leak causing performance issues during scans.
  • Fixed a backup file check where scan policy selections were not honoured.
  • Fixed the broken Basic, NTLM/Kerberos "Test Credentials" button.
  • Fixed the unencrypted credentials saved with profile files.
  • Fixed the JavaScript parsing issue by checking the mime type of the script tags.
  • Fixed the broken email disclosure detection which was not able to match multiple emails.
  • Fixed the incorrect links parsed from JavaScript source map files.
24-Aug-2017

NEW FEATURES

  • New Basic, NTLM, Digest and Kerberos authentication settings to support multiple credentials for different URL paths.

NEW SECURITY CHECKS

  • Checks for default pages of IIS 10.0, 8.5, 7.5, 7.0 web servers.
  • Checks for WordPress Setup Configuration File.
  • Remote Code Execution checks for Node.js on Windows.

IMPROVEMENTS

  • Improved Local File Inclusion (LFI) attack patterns.
  • Improved DOM XSS attack patterns.
  • Improved Blind Command Injection detection on Linux systems.
  • Added response compression and length information to HTTP Request Builder.
  • Times are now displayed in 24-hour format on scan reports.
  • Improved DOM/JavaScript simulation.
  • Improved the performance of email address disclosure detection.
  • Improved the performance of database connection string disclosure detection.
  • Improved the performance of JavaScript library detection.
  • Improved the performance of RoR database configuration detection.
  • Improved "Enter Links" dialog by adding format selection for all the supported import formats.
  • Added parameter type information to nodes on "Issues" panel.
  • Improved scan import performance significantly.
  • Added context menu item for sitemap root node to open the scan folder.
  • Improved resource finder to find more hidden resources.
  • Time zone information added to reports.
  • Improved support for simulating customized select elements.
  • Improved NTLM, Digest and Kerberos authentication support.
  • Improved DOM simulation stability and performance.
  • Added the list of URLs that do not match the rewrite rules to the URL Rewrite knowledge base.
  • Added the number of links that match a URL Rewrite rule to the URL Rewrite knowledge base.
  • Added the out-of-scope links count to the knowledge base.
  • Improved the default parameter name list for Parameter Based Navigation.
  • Added NTLM and Digest authentication support to the generated sqlmap and cURL commands.
  • Improved boolean and blind SQL injection checks for MySQL databases.
  • Improved blind SQL injection checks for PostgreSQL databases.
  • Added excluded URLs list to the detailed scan report.
  • Improved reflected and stored XSS detection.
  • HSTS checks now report a missing preload directive.
  • Updated Korean translation.
  • Added XML report types for Crawled URLs List and Scanned URLs List reports.
  • Added toolbar to open and copy URLs for Browser View tab.
  • Improved JSON response parsing.
  • Improved DOM based XSS payloads by prepending a URL to the referer so that they work in practice on web browsers.
  • Improved email disclosure checks by checking host names against the public suffix list.

FIXES

  • Fixed the error caused by null bytes in attack patterns while sending vulnerabilities to JIRA.
  • Fixed an incorrect "Password Transmitted over HTTP" issue for relative URLs on pages redirected to HTTPS addresses.
  • Fixed the NullReferenceException thrown while importing certain HAR (HTTP Archive) files.
  • Fixed the missing activities while performing a controlled scan.
  • Fixed the missing DOM parsing activity when "Override Target URL with authenticated page" option is selected.
  • Fixed the incorrect total security check count while performing controlled scans on activity list.
  • Fixed incorrect "Interesting Header" report for Content-Security-Policy header.
  • Fixed the redundant extra headers added to requests while using request builder.
  • Fixed the disabled "Start Proxy" button when Invicti is opened after an application crash.
  • Fixed the issue where directory listing was not reported on some IIS versions.
  • Fixed page break issues on reports.
  • Fixed the issue where comments in CSS files are not parsed.
  • Fixed the incorrect URL found in CSS comments.
  • Fixed incorrect CSRF vulnerability reports by taking hidden token input into account.
  • Fixed an IndexOutOfRangeException caused by CSP checks.
  • Fixed the signature pattern which failed to match "Programming Error Message (PHP)" when the message spans multiple lines.
  • Fixed markdown XSS attack patterns causing incorrect findings.
  • Fixed the double quote encoding issue on generated sqlmap commands.
  • Fixed incorrect "Interesting Header" reports for some headers.
  • Fixed the incorrect http protocol displayed for SSL vulnerabilities.
  • Fixed the duplicate delete confirmation message while deleting the scan and report policies using a keyboard shortcut.
  • Fixed an issue where DOM simulation is performed for checking XSS once per XPath.
  • Fixed the incorrect progress report during controlled scans.
  • Fixed the encoding issue on reported DOM XSS stack traces.
  • Fixed the highlighting issue of multiple custom data reported on vulnerabilities.
  • Fixed the incorrect rows deleted issue when multiple rows are selected on imported links section.
  • Fixed the incorrect behaviour of move up/down controls on custom URL rewrite section.
  • Fixed the maximum crawled URL limit exceeded issue.
  • Fixed duplicate resource finder requests.
  • Fixed CSS escaping in CSS selector generation.
  • Fixed the failing error report when the unexpected exception title is too long.
  • Fixed the WADL import issue where the operation fails for responses with no status codes.
  • Fixed incorrect HttpOnly reports for XSRF-TOKEN cookies; by design, these cookies must be readable from JavaScript code.
  • Fixed incorrect cURL and sqlmap commands when basic authentication is used.
  • Fixed the incorrect missing object-src report on CSP checks.
  • Fixed an issue where the default crawled value was double-encoded instead of single-encoded.
  • Fixed the problem where unique links were added twice while importing Postman files.
  • Fixed the "Property set method not found" error that occurs while using the FogBugz "Send To" action.
  • Fixed the missing content for Site Profile section of Knowledge Base report.
  • Fixed "The selected task no longer exists." error when trying to run a scheduled scan on some Windows machines.