Release Notes

Invicti Standard

19-Jul-2017

IMPROVEMENTS

  • Enhanced and fixed several DOM simulations.
  • Removed redundant SSL logs caused by HSTS security checks.
  • Improved localization capabilities of Report Policy Editor.
14-Jun-2017

NEW FEATURES

  • Manual Crawling (Proxy Mode) now supports protocols like TLS 1.1 and 1.2.
  • Added scan policy settings for CSRF security checks.
  • Added ability to use custom HTTP headers during scan.
  • Added element exclusion support using CSS query selectors for DOM/JavaScript simulation.
  • Added /generatereport CLI argument for report generation from scan session files.
  • Added hex editor view for requests on request builder.
  • Added attacking optimization option for recurring parameters on different pages.
  • Added a new knowledgebase item called Site Profile that lists information about the target web site, such as the web server operating system, database server, JavaScript libraries used, etc.

NEW SECURITY CHECKS

  • Added Referrer Policy security checks.
  • Added markdown injection XSS patterns.
  • Added HostIP and IPv6 patterns to MySQL and SSH SSRF security checks.
  • Added Database Name Disclosure security checks for MS SQL and MySQL.
  • Added Out of Date security checks for several JavaScript libraries.
  • Added Remote Code Evaluation (Node.js) security checks.
  • Added SSRF detection with server-status.
  • Added user controllable cookie detection.
  • Added Context-Aware XSS detection by generating XSS payloads based on the reflected context without breaking it.

IMPROVEMENTS

  • Updated the links to several external references.
  • Added cancellation of ongoing attack activities when excluded from site map.
  • Improved JavaScript and CSS resource parsing.
  • Added exploitation for XXE vulnerabilities.
  • Added DOM simulation options to scan policy optimizer wizard.
  • Improved Mixed Content vulnerability reporting by separating them according to resource types.
  • Improved the CSS query selector generation on form authentication custom script dialog.
  • Improved boolean SQL injection detection for redirect responses.
  • Improved WSDL parsing for files that contain optional extensions.
  • Added current scan profile, scan policy and report policy names to status bar.
  • Improved .sql file detection signature.
  • Improved the highlighting of patterns on HTTP responses.
  • Added extra confirmation for weak credentials detection.
  • Added POST parameters to crawling activities on scan activity list.
  • Added scan policy option to allow XHR requests during DOM simulation.
  • Added response statistics to request builder.
  • Added form value for password input types to default scan policy.
  • Added status column to the request history in request builder.
  • Increased the maximum response size limit for JavaScript resources.
  • Improved the send to JIRA error message.
  • Added maximum number of option elements per select element to simulate scan policy setting.
  • Added a 'filter colon events' scan policy option that filters out events whose names contain a colon character during DOM simulation.
  • Improved error based SQLi exploitation by generating prefix/suffix dynamically.
  • Improved command injection vulnerability detection by prepending original parameter value to attack payload.
  • Improved LFI vulnerability detection by detecting HTML and URL encoded PHP source codes.

FIXES

  • Fixed the incorrect imported link count when search panel is active on the grid view.
  • Fixed the "Open in Browser" context menu action broken for root nodes on site map.
  • Fixed the undefined password value issue on form authentication custom script dialog.
  • Fixed an issue where error based SQLi confirmation is done based on the first seen database signature when multiple signatures appear in source code.
  • Fixed the duplicate import link issue.
  • Fixed request builder issues on parsing query string and encoding.
  • Fixed a request builder issue where an error dialog was shown while switching tabs even though the raw request was empty.
  • Fixed an issue where XSS is missed when injected payload is not executed due to a syntax error.
  • Fixed the broken custom cookie issue where the custom cookie is not sent for imported scan files.
  • Fixed crawling of URLs on pages where base element points to some other URL.
  • Fixed some missing vulnerabilities on site map.
  • Fixed the slow performing certificate load operation on start new scan dialog.
  • Fixed the incorrect vulnerability severity counts on bar chart and status bar.
  • Fixed an issue where blacklisted Invicti attacks prevented further source code disclosures in the HTML response.
  • Fixed the splash screen which stays open when Invicti is started from command line.
  • Fixed the focus stealing issue when HTML response contains the autofocus attribute.
  • Fixed an issue where mixed content vulnerabilities are missing because DOM simulation is skipped due to missing JavaScript in HTML source.
  • Fixed missing response on request builder when the request is loaded from history list.
  • Fixed issues where an empty POST parameter was imported and headers were added as disabled for Postman files.
  • Fixed an issue where signature fails to match MS SQL username in error messages.
  • Fixed an issue where a vulnerability was missed because no arbitrary value was appended to the extra query string parameter name.
6-Apr-2017

New Security Check

  • Added new vulnerability checks for Apache Struts framework vulnerabilities.

Improvements

  • Added JSON format option for "Crawled URL(s) List", "Scanned URL(s) List" and "Vulnerabilities List" report templates.
  • Improved Blind SQL Injection detection for MySQL databases.

Fixes

  • Fixed the incorrect weak signature algorithms reported for root certificates.
  • Fixed the broken editing capabilities on report policy editor.
  • Fixed the empty activity list issue during scans.
  • Fixed the missing custom cookie issue on imported scans.
16-Mar-2017

New Security Checks

  • New security check that detects insecure targets in Content Security Policy.
  • Added checks for exposure of trace.axd in ASP.NET applications.
  • New security check for Time Based Server-Side Request Forgery.
  • Added Markdown Injection attack pattern to XSS engine.
  • Added a Code Evaluation check for Apache Struts framework.

Improvements

  • Improved Boolean SQL Injection detection.
  • Updated the Local File Inclusion vulnerability classifications.
  • Improved Trace/Track security checks.
  • Improved coverage of XSS engine in redirects.
  • Added policy optimization support for SSRF security checks.
  • Added exploit generation support for "Cross-site Scripting via Remote File Inclusion" vulnerability.
  • Added a specialized parser for JavaScript responses to reduce the discovery of incorrect links.
  • Improved form authentication logout detection by ignoring the responses of some attacks to prevent incorrect logout detections.
  • Added type ahead search box for Security Check Groups on Scan Policy Editor.
  • Added "Send to Request Builder" context menu item for activities on scan activity pane.
  • Added input validation for placeholder patterns on Custom URL rewrite grid.
  • Added scheduling support for Incremental Scan feature.
  • Added the number of crawled links next to scanned host names on sitemap tree.
  • Improved code generation for form authentication custom scripts.
  • Improved proxy options UI. Now proxy address inputs can be pasted along with user credentials and port.
  • Added VDB support to Blind & Boolean SQLi post exploitation.
  • Added an info message to the Browser View tab stating that this view is a limited preview.
  • Added file parameter type support to Request Builder.
  • Added support for multiple report exporting to Scheduled Scans.
  • Added the number of vulnerability severities of current scan to status bar.
  • Added Copy URL and Copy as cURL context menu items to Imported Links grid.
  • Added pause scan button to interactive login dialog.
  • Improved sqlmap command generation by adding database server type parameter.
  • Start New Scan dialog is made resizable.
  • Added Search feature to Imported Links.
  • Added Cancel button for Request Builder.
  • Added support for checking Open Redirection vulnerability on Refresh response header.
  • Added the XPath information of the element that causes the DOM XSS vulnerability.
  • Added "Sub Path Max Dynamic Signatures" setting for Heuristic URL Rewrite detection.
  • Added database specific queries for the selected SQLi vulnerability on exploitation panel.
  • Added a JavaScript scan policy option that restricts the events attached to "document" by name to a fixed set (mousedown, keyup, etc.), reducing the number of events triggered during simulation.
  • Added a JavaScript scan policy option to exclude HTML elements such as logout buttons from event simulation by CSS selectors.
  • Added the ability to find vulnerabilities whose sink is window.name in DOM XSS security checks.
  • Improved coverage of the Local File Inclusion engine so that a vulnerability can be found in a full URL attack.

Bug Fixes

  • Fixed several issues related to DOM parsing and simulation.
  • Fixed a NullReferenceException thrown by HTTP Methods checks.
  • Fixed a StackOverflowException caused by JSON responses with too many nested elements.
  • Fixed PoC generation during post exploitation for time based SQLi checks.
  • Fixed incorrect bearer token log message on verify dialog even when bearer token detection is disabled.
  • Fixed a NullReferenceException while confirming a Boolean SQLi vulnerability.
  • Fixed several issues related to the splash screen to make sure it is hidden when the application is loaded.
  • Fixed a NullReferenceException thrown by logout detection while trying to close the application.
  • Fixed an issue where scan is paused when an additional host is unreachable.
  • Fixed an issue where the new link nodes added under an excluded branch on sitemap tree were not excluded.
  • Fixed the misleading message shown when a manual crawling scan is started; the Form Authentication feature no longer requires installing a certificate on your computer.
  • Fixed IndexOutOfRangeException thrown while trying to open Scan Policy Editor dialog if the UI language is set to Korean.
  • Fixed keyboard tab order on Form Authentication settings.
  • Fixed an issue where the injection HTTP response displayed an empty string because the deserialized file did not contain the HTML response of the attack.
  • Fixed typos in CSP vulnerability templates.
  • Fixed the broken impacts table on Executive Summary Report PDF when the table spans 2 pages.
  • Fixed several issues related to report policy naming when the name is invalid or too long.
  • Fixed generated blank pages on PDF reports.
  • Fixed OperationCanceledException thrown during extra confirmation.
  • Fixed UI glitches on form authentication Custom Script dialog caused when splitters are resized.
  • Fixed several Request Builder issues.
  • Fixed the Test Credentials button on basic authentication settings, which did not send the Authorization request header if the Do Not Expect Challenge check box was checked.
  • Fixed an issue where ignored email addresses were still reported in the knowledge base.
  • Fixed a bug where double encoded attacks are not exploitable in browser when proof URL is clicked.
  • Fixed an issue where source code disclosure is reported in JS and CSS files.
  • Fixed an SQL exploitation issue where executing a SQL query that expects an integer result failed for PostgreSQL databases.
  • Fixed a Text Parser issue where single quote characters were being captured as part of links.
  • Fixed the incorrect path disclosure caused by the Shellshock attack.
  • Fixed a TargetInvocationException thrown when a new license is trying to be loaded using Help > Load New License menu item.
  • Fixed missing SSRF proofs under Proofs knowledge base.
  • Fixed an ArgumentException thrown by DOM XSS checks when the web site is crawled using manual crawling mode.
  • Fixed incorrect encoded parameter names for multipart/form-data forms.
  • Fixed the incorrect auto update notification even when you have a more up-to-date version of the application.
  • Fixed the large right margin on Knowledge Base Report (PDF) summary page.
  • Fixed the splash screen that is shown in front of the trial popup message.
  • Fixed the performance issues of recrawling related to DOM XSS checks on web sites with lots of links.
  • Fixed the incorrect CR LF encoding issues on proof URLs.
  • Fixed a retest issue where all parameters of the link were being retested whereas only the vulnerable parameter must be retested.
  • Fixed the visual glitch that occurs on the Imported Links section upon importing new links.
  • Fixed DOM Parser clearInterval JavaScript function simulation.
  • Fixed an issue where stored XSS vulnerability is reported in an XHR response rather than in the page itself which makes XHR request.
  • Fixed an issue where Boolean SQLi vulnerability is missed due to crawled parameter value.
  • Fixed an issue where reflected XSS vulnerability is missed because the reflected payload is HTML encoded in an attribute.
  • Fixed an issue where Text Parser does not handle the same referenced JavaScript in different files.
16-Feb-2017

FIXES

  • Fixed a Web App Fingerprinter issue causing degraded performance.
14-Feb-2017

FIXES

  • Fixed a form authentication issue where the URL in Location response header is followed even if status code is not a redirection status code.
8-Feb-2017

FIXES

  • Fixed an issue on the Custom Form Authentication script editor where an extra header was sent, causing some pages not to load.
  • Fixed a form authentication issue where cookies with the same names were not updated.
  • Fixed an issue where a vulnerability was not reported due to an XML Content-Type for which exploitation might not be possible.
  • Fixed a compatibility issue that occurs while trying to load an old scan session file.
8-Feb-2017

FIX

  • Fixed clipped Scan Policy Editor dialog issue on high DPI display settings.
27-Jan-2017

Fixes

  • Fixed an InvalidOperationException which occurs on some specific setups.
  • Fixed several scan activity list issues and enhanced performance.
20-Jan-2017

IMPROVEMENTS

  • Added CVSS information to more vulnerabilities.
  • Updated vulnerability database.

FIXES

  • Fixed a crash which occurs when too many elements are nested in the HTTP response.
  • Fixed a text parsing issue where absolute URLs were converted to invalid relative URLs.
  • Fixed incorrect protocol detection for protocol-relative URLs.
12-Jan-2017

New Features

  • Included support for the Invicti Hawk infrastructure for detection of SSRF and OOB vulnerabilities.
  • Added support for importing Postman files.
  • Added "Copy as cURL" context menu item to sitemap.
  • Added "Copy sqlmap Payload" context menu item for SQL Injection vulnerabilities.
  • Added HTTP request rate limiting options to Scan Policy.
  • Added "Ignored Email Addresses" section for Scan Policy.
  • Added accept and reject options for untrusted SSL certificates.
  • Added an option to disable automatic detection of 404 error pages.

New Security Checks

  • New security checks for Server Side Request Forgery (SSRF) vulnerability.
  • New security checks for out-of-band vulnerabilities such as OOB SQL Injection, OOB XXE, Blind XSS, OOB RCE, OOB RFI etc.
  • Added "Missing object-src in CSP Declaration" vulnerability detection.
  • Added "Apache Multiple Choices" vulnerability detection.
  • Added "Stored DOM based XSS" vulnerability detection.

Improvements

  • Improved the message displayed when trying to open an invalid session file.
  • Added /nopdf command line switch to prevent generating PDF reports while performing automated scans.
  • Added AttackPattern.GetAllEngines() and AttackPattern.GetAllPatterns() methods to reporting API to get the list of engine and pattern IDs.
  • Added "Test Credentials" support for Basic, NTLM/Kerberos authentication configuration screen.
  • Added progress dialog for importing links.
  • Improved the performance of several link importers.
  • Added global proxy options under Tools > Options to configure an application wide proxy.
  • Added "Bearer Token" support for form authentication.
  • Added confirmation for Frame Injection vulnerabilities.
  • Added http: and https: checks for CSP vulnerability detection.
  • Improved link importers where redundant CONNECT requests are now excluded.
  • Optimized attacker performance for links containing single parameter.
  • Added SSL protocol selection for scan policies.
  • Added context menu items to the Report Policy Editor to select multiple vulnerabilities by severity.
  • Optimized crawling parser by skipping DOM simulation on pages with static content.
  • Improved coverage of CORS security check with extra attacks.
  • Removed GWT attacks from file upload security checks.
  • Improved DOM simulation performance.
  • Improved CSS parsing which now follows CSS import directives.
  • Improved coverage of open redirect security checks by adding/updating attack patterns.
  • Improved logout detection by skipping JavaScript responses.
  • Added support for "HTTP 410 Gone" and "HTTP 451 Unavailable For Legal Reasons" response status codes.

Bug Fixes

  • Fixed an issue where a multiple cookies issue was reported when it should not have been.
  • Fixed a JSON parsing issue with text parser.
  • Fixed a request builder issue where the credentials on URL were not preserved.
  • Fixed a request builder issue where the port number change is not reflected to raw request tab.
  • Fixed a NullReferenceException which may have been thrown while closing the splash screen.
  • Fixed a NullReferenceException which may have been thrown while updating activities on scan summary dashboard.
  • Fixed clipped texts on several windows while using higher DPI settings.
  • Fixed a request builder issue where the port on pasted URL is not parsed.
  • Fixed a request builder issue where Cookie request header is not sent.
  • Fixed a request builder issue where Cache-Control request header value was being duplicated.
  • Fixed an HTTP response reading issue where the response could not be read when only BOM bytes are sent on first read attempt.
  • Fixed the list on LFI exploitation panel where the same files were being duplicated.
  • Fixed an issue in report policy editor that causes CVSS editing controls to disappear.
  • Fixed a NullReferenceException on scan policy editor dialog thrown while clicking select inverse context menu on some security check groups.
  • Fixed an issue where a false-positive file upload vulnerability might be reported.
  • Fixed several DOM simulation issues on pages that have many iframe elements.
  • Fixed a NullReferenceException while performing an internal MD5 encoding operation.
  • Fixed an issue where the vulnerabilities found in a scan lingered into the next scan started.
  • Fixed an encoding issue on a proof URL of an XSS vulnerability.
  • Fixed a hang that occurs when too many email addresses are found in the response.
  • Fixed an issue where "Shell Script Identified" vulnerability is not found when retested.
  • Fixed a scan profile load issue that occurs when a link with a binary body is imported.
  • Fixed the table layout on the comparison report, where columns were too wide when the URLs were too long.
  • Fixed the duplicate request issue on "AJAX / XML HTTP Requests" knowledge base report.
  • Fixed URL parsing on pages where URLs contained whitespace characters such as carriage returns and line feeds.
  • Fixed an ArgumentOutOfRangeException thrown while trying to match the redirected URL to configured logout detection pattern.
11-Nov-2016

FIXES

  • Fixed a hang that occurs on some configurations.
2-Nov-2016

FIXES

  • Fixed an issue that occurs during the attacking phase where all threads cannot be utilized.
  • Fixed handling of blob: protocol on DOM simulation.
1-Nov-2016

New Technical Check

  • Added "Cookie Header Contains Multiple Cookies" check.

Improvements

  • Improved the Content Security Policy (CSP) and "Misconfigured Access-Control-Allow-Origin Header" vulnerability templates.
  • Improved CSP vulnerability detection by only reporting vulnerabilities on HTML resources.
  • Team Foundation Server Send To action now populates severity and repro steps fields.
  • Improved report generation dialog by remembering the last used settings separately for each report type.
  • Added "Copy as cURL" context menu item to site map.
  • Added support for HTTP POST method while using Open in Browser site map context menu option.
  • Added support for attacking to User-Agent and Referer request headers.
  • Improved scan session export dialog by suggesting default file names.
  • Improved the coverage of the boolean SQL injection vulnerability engine.
  • Improved GitHub send to configuration by checking the existence of the specified repository.

Fixes

  • Fixed various encoding issues on request builder.
  • Fixed the splash screen issue where it opens on wrong monitor on multi monitor setups.
  • Fixed External CSS, Script and Frame knowledge base items which do not consider the port while performing checks.
  • Fixed the missing method values on vulnerability summary table of reports.
  • Fixed the missing dashboard statistics when a scan session is imported.
  • Fixed the site map Copy URL issue for some nodes which were missing URL information.
  • Fixed a hang that may occur when Windows gets locked, goes to sleep or hibernates.
  • Fixed an issue with auto save where scan is not saved during the extra confirmation phase.
  • Fixed an issue in open redirect detection where incorrect URLs may also be reported.
  • Fixed the zero progress bar issue on loaded scan files.
  • Fixed various CSP vulnerability highlight issues.
  • Fixed an issue related with form authentication which prevents logout detection during attacking phase.
  • Fixed an issue related with temp file generation.
  • Fixed a Local File Inclusion vulnerability detection issue when attacked with a FullUrl payload.
  • Fixed an extra tab on Scanned URLs List (CSV) report template.
  • Fixed the size of scan policy editor dialog on screens with high DPI.
  • Fixed the incorrect severity icon on site map when a vulnerability is selected.
  • Fixed an incorrect retest result that occurs when the target web site is not reachable.
  • Fixed a CSP vulnerability issue for deprecated CSP header name on meta tags.
  • Fixed the remaining registry keys after uninstall.
21-Oct-2016

IMPROVEMENTS

  • Improved vulnerability templates.
  • Added support for sending vulnerabilities to JIRA when JIRA is homed at a path instead of the root.
  • Added support for detecting requests made to blob-schemed URIs during DOM simulation.

FIXES

  • Fixed missing external references on some vulnerability templates.
12-Oct-2016

FIXES

  • Fixed the issue where HTTPS protocol is enforced while using JIRA Send To action.
  • Fixed an issue where print dialogs could be displayed during scans.
  • Fixed a form authentication issue where the last form authentication sequence requests were prematurely cancelled.
7-Oct-2016

FIXES

  • Fixed an issue where some scan files from older versions cannot be opened with the latest version.
  • Fixed an issue with TFS Send To action when the project name contains spaces.
5-Oct-2016

FIXES

  • Fixed an issue which prevents resource files (report templates, etc.) updates.
3-Oct-2016

NEW FEATURES

  • Added the ability to configure the scanner to scan websites which are linked from the target website.
  • Added the Common Vulnerability Scoring System (CVSS) in vulnerability reports.
  • Added the ability to play sounds when certain program events occur (e.g. scan finished, vulnerability found).
  • Added OWASP Proactive Guide to classification list.

NEW SECURITY CHECKS

  • Added security checks for Content Security Policy (CSP) web security standard.
  • Added DOM based open redirection security check.

IMPROVEMENTS

  • Improved XSS security checks coverage.
  • Improved the Report Policy Editor.
  • Improved the default filename of generated exploits.
  • Renamed "Permanent XSS" vulnerability to "Stored XSS".
  • Authentication credentials are now stored encrypted in profile files.
  • Increased the number of vulnerabilities for which the scanner highlights the text related to the vulnerability in the HTTP response viewer.
  • Added an option to follow redirects for the HTTP Request Builder.
  • Added auto completion support to Scan Policy > Headers grid for well-known request headers.
  • Added the version information of Invicti to the reports.
  • Added type ahead search functionality for Scan Policy > Security Checks.
  • Added HTTP methods to AJAX / XML HTTP Requests knowledgebase section.
  • Added editing support for imported links.
  • Optimized the performance of SOAP web service parsing by skipping the WSDLs that are already parsed.
  • Added Scan Policy > Crawling options to enable/disable parsing of SOAP and REST web services.
  • Added JavaScript dialog support for form authentication verification dialog.
  • Improved HTTP request logging by splitting log files once a certain number of requests have been logged.
  • Improved DOM simulation by simulating "contextmenu" events.
  • Added "Attacked Parameters" column to "Scanned URLs List" report.
  • Improved Manual Crawl (Proxy Mode) feature to work as passive and not re-issue the requests made during manual crawl phase.
  • Increased the default values for "Maximum Page Visit" and "Max. Number of Parameters to Attack on a Single Page" settings.
  • Improved XML parsing during crawling by parsing empty XML elements as parameters too.
  • Added the ability to attack parameter names.
  • Added a note to vulnerability detail for non-exploitable frame injection.
  • Added .jhtml and .jsp attacks to file upload engine.
  • Improved CORS security checks.
  • Improved Open Redirect engine to detect CNAME injection such as example.com.r87.com.
  • Added tooltips for long texts shown on activity dashboard.
  • Added current DOM XSS attack information to activity pane.
  • Improved XSS confirmation for vulnerabilities found inside noscript tags.
  • Added a new method (Vulnerability.GetTemplateSections) for reporting API to be able to get vulnerability template section content separately.
  • Added an attack pattern to the command injection engine to bypass whitespace filtering using $IFS environment variable.
  • Added /resumescan parameter to command line options to resume the loaded scan.

FIXES

  • Fixed an issue where incorrect PHP source code disclosures are reported for some binary responses.
  • Fixed the position of clipped auto update notification.
  • Fixed the broken External Reference link on Remote Code Evaluation (PHP) vulnerability.
  • Fixed a file upload input DOM parsing issue which prevents some file upload attacks.
  • Fixed an issue where switching between builder and raw tabs causes POST parameter to be removed on Request Builder.
  • Fixed the duplicate log printed for same WSDLs.
  • Fixed a NullReferenceException thrown when the Request Builder fails to make a request with the current SecurityProtocol setting.
  • Fixed the blurred message dialog icons on high DPI screens.
  • Fixed various navigation issues of Previous and Next buttons on HTTP Response viewer.
  • Fixed the missing GET parameter request builder issue that occurs when a full querystring/URL attack request is sent.
  • Fixed a form authentication issue that occurs on web sites that open popups during the form authentication sequence.
  • Fixed a DOM simulation issue that occurs when there is a form element with the name "action" on the target web page.
  • Fixed the duplicate cookie issue that occurs while using the Manual Crawling (Proxy Mode) scanning feature.
  • Fixed duplicate "Email Address Disclosure" reporting issue.
  • Fixed a NullReferenceException that occurs during CORS security checks.
  • Fixed an issue where current OS UI language was not being selected automatically upon first start.
  • Fixed a CSRF exploit generation issue where the generated file is empty.
  • Fixed an issue where injection/identification responses are unable to display for file upload vulnerability.
  • Fixed an issue where XSS vulnerability is missed when multiple redirects occur.
  • Fixed a text parsing issue where relative URLs were not supported as base href values.
  • Fixed an issue where Missing X-Frame-Options Header vulnerability is reported even though ALLOW-FROM is included in the header.
  • Fixed an XSS attacking issue where duplicate attacks are made for same payload.
  • Fixed a Header Injection attack issue where first line of the HTTP request gets corrupted on full URL attacks.
  • Fixed an issue where post exploitation does not work sometimes.
  • Fixed a form authentication issue where any slash character in credentials cannot be used.
26-Jul-2016

FIXES

  • Fixed an issue in which Invicti crashes when using the Korean interface and trying to start a scan or load a scan file.
13-Jul-2016

FIXES

  • Fixed a NullReferenceException thrown during late confirmation.
  • Fixed an incorrect crawling activity reported on scan summary dashboard UI while performing a passive analysis of an attack response.
  • Fixed a Request Builder issue where response is incorrectly reported as binary.
  • Fixed a Request Builder issue where "Enable Raw Request Body" option is initially selected when a GET request is dropped on the builder.
30-Jun-2016

NEW FEATURES

  • Added the HTTP Request Builder penetration testing tool.
  • Added a button on start new scan dialog to open target URL on default web browser.
  • Added a new activity type group called "Passive Analysis" which shows the analysis activity of attack responses.

IMPROVEMENTS

  • Improved the "HTML Base Tag Hijacking" vulnerability template.
  • Improved the long-term memory usage of DOM simulation and cross-site scripting (XSS) scanning.
  • DOM simulation smart filtering now prunes unnecessary DOM branches.
  • Improved the detection of "Redirect Body Too Large" vulnerability.

FIXES

  • Fixed an issue in which the editing of a report policy can cause some external references to be removed unintentionally.
  • Fixed an issue in which multiple tabs on the web browser could be opened while trying to open a vulnerability URL.
  • Fixed a comparison report issue in which charts were not being generated according to selected report policy.
  • Fixed a NullReferenceException that can be thrown by the Subresource integrity security checks.
  • Fixed a report policy editor bug where clicking check all/none affects the vulnerability types that are not currently displayed.
  • Fixed an issue where the vulnerability types disabled on current report policy were affecting the number of vulnerability count on "Issues" panel title.
22-Jun-2016

IMPROVEMENTS

  • Improved the automatic form authentication script to click "button" HTML elements if no suitable button is found.

FIXES

  • Fixed the clipped dialog buttons on "Report Policy Editor".
  • Fixed incompatibility issues of the "Report Policy Editor" on some Windows 8/8.1 systems with Internet Explorer 10.
  • Fixed a Report Policy issue where a vulnerability hidden from a scan was still not displayed when a report was generated using the Default Report Policy.
  • Fixed scope-related bugs in SRI checks.
16-Jun-2016

NEW FEATURES

  • Added scanning of RESTful web services.
  • Added Report Policies to customize scan results and reports.
  • Added "Heuristic Rule Detection" support when using custom URL rewrite rules.
  • Added an option to disable logout detection for form authentication.
  • Added ASP.NET Web Application project import support.

NEW SECURITY CHECKS

  • Added SameSite cookie attribute check.
  • Added Reverse Tabnabbing check.
  • Added Subresource Integrity (SRI) Not Implemented check.
  • Added Subresource Integrity (SRI) Hash Invalid check.
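The four checks listed above are all passive: they inspect a page and its response headers rather than sending attack payloads. The following is an added example, not Invicti's code, that implements simplified versions of them in Python: it parses a constructed HTML page (hypothetical hosts cdn.example and partner.example), recomputes SRI digests over constructed resource bodies served by a stub fetch function, flags `target="_blank"` links lacking `rel="noopener"`/`noreferrer`, and flags Set-Cookie headers without a SameSite attribute. For simplicity only absolute http(s) subresource references are considered, and any unparseable integrity value is reported as an invalid hash.

```python
import base64
import hashlib
import re
from html.parser import HTMLParser
from typing import Callable, Dict, List, Tuple

Finding = Tuple[str, str]  # (check name, affected cookie name or URL)

# Constructed sample subresources standing in for fetched cross-origin files
# (hypothetical hosts; nothing is fetched from the network).
SAMPLE_RESOURCES: Dict[str, bytes] = {
    "https://cdn.example/ok.js": b"console.log('ok');\n",
    "https://cdn.example/tampered.js": b"console.log('tampered');\n",
    "https://cdn.example/nosri.css": b"body{margin:0}\n",
}


def fetch_sample(url: str) -> bytes:
    """Stand-in for an HTTP fetch: serves the constructed resources above."""
    return SAMPLE_RESOURCES[url]


def sri_digest(body: bytes, algo: str) -> str:
    """Base64 digest in the form used by the integrity attribute (sha256/384/512-...)."""
    return base64.b64encode(hashlib.new(algo, body).digest()).decode("ascii")


OK_DIGEST = sri_digest(SAMPLE_RESOURCES["https://cdn.example/ok.js"], "sha384")
STALE_DIGEST = sri_digest(b"console.log('original');\n", "sha384")  # digest of an older file version

# Constructed sample page: one valid SRI, one stale digest, one stylesheet without SRI,
# and three target="_blank" anchors with differing rel attributes.
SAMPLE_HTML = f"""<html><head>
<script src="https://cdn.example/ok.js" integrity="sha384-{OK_DIGEST}" crossorigin="anonymous"></script>
<script src="https://cdn.example/tampered.js" integrity="sha384-{STALE_DIGEST}" crossorigin="anonymous"></script>
<link rel="stylesheet" href="https://cdn.example/nosri.css">
</head><body>
<a href="https://partner.example/" target="_blank">no rel at all</a>
<a href="https://partner.example/docs" target="_blank" rel="noopener noreferrer">protected</a>
<a href="https://partner.example/help" target="_blank" rel="nofollow">rel present but no noopener</a>
</body></html>"""

# Constructed Set-Cookie headers as a server might send them.
SAMPLE_SET_COOKIE = [
    "session=8f2a; Path=/; Secure; HttpOnly",
    "prefs=dark; Path=/; SameSite=Lax",
    "csrf=tok; SameSite=None; Secure",
]


class _Collector(HTMLParser):
    """Collects external scripts/stylesheets and anchors from a response body."""

    def __init__(self) -> None:
        super().__init__()
        self.subresources: List[Tuple[str, str]] = []  # (url, integrity attribute)
        self.anchors: List[Tuple[str, str, str]] = []  # (href, target, rel)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # Only absolute http(s) references are considered, so fetch() needs no base URL.
        if tag == "script" and a.get("src", "").startswith(("http://", "https://")):
            self.subresources.append((a["src"], a.get("integrity", "")))
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower().split() \
                and a.get("href", "").startswith(("http://", "https://")):
            self.subresources.append((a["href"], a.get("integrity", "")))
        elif tag == "a" and a.get("href"):
            self.anchors.append((a["href"], a.get("target", "").lower(), a.get("rel", "").lower()))


_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}
_TOKEN = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/]+=*)$")


def check_sri(html: str, fetch: Callable[[str], bytes]) -> List[Finding]:
    """SRI Not Implemented: external script/stylesheet without an integrity attribute.
    SRI Hash Invalid: integrity present but no digest matches the fetched body."""
    collector = _Collector()
    collector.feed(html)
    findings: List[Finding] = []
    for url, integrity in collector.subresources:
        tokens = [m.groups() for m in map(_TOKEN.match, integrity.split()) if m]
        if not integrity.strip():
            findings.append(("Subresource Integrity (SRI) Not Implemented", url))
        elif not tokens:
            findings.append(("Subresource Integrity (SRI) Hash Invalid", url))  # unparseable value
        else:
            # Browsers honour only the strongest algorithm listed; any digest of
            # that algorithm may match (several are allowed, e.g. during a rollout).
            strongest = max(_STRENGTH[algo] for algo, _ in tokens)
            body = fetch(url)
            if not any(sri_digest(body, algo) == digest
                       for algo, digest in tokens if _STRENGTH[algo] == strongest):
                findings.append(("Subresource Integrity (SRI) Hash Invalid", url))
    return findings


def check_reverse_tabnabbing(html: str) -> List[Finding]:
    """target="_blank" links whose rel contains neither noopener nor noreferrer."""
    collector = _Collector()
    collector.feed(html)
    return [("Reverse Tabnabbing", href)
            for href, target, rel in collector.anchors
            if target == "_blank" and not ({"noopener", "noreferrer"} & set(rel.split()))]


def check_samesite(set_cookie_headers: List[str]) -> List[Finding]:
    """Set-Cookie headers that carry no SameSite attribute at all."""
    findings: List[Finding] = []
    for header in set_cookie_headers:
        name_value, *attributes = [part.strip() for part in header.split(";")]
        attr_names = {attr.split("=", 1)[0].lower() for attr in attributes}
        if "samesite" not in attr_names:
            findings.append(("SameSite Cookie Attribute Not Set", name_value.split("=", 1)[0]))
    return findings
```

Running `check_sri(SAMPLE_HTML, fetch_sample)` reports tampered.js as "Hash Invalid" (its digest belongs to an older file version) and nosri.css as "Not Implemented", while ok.js passes; the SRI check needs the resource body, which is why it takes a fetch callback, whereas the other two checks work on the page and headers alone.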

IMPROVEMENTS

  • Various memory usage improvements to handle large web sites.
  • Improved vulnerability templates by adding product information when a third-party web application (WordPress, Drupal, Joomla, etc.) is discovered.
  • Improved DOM simulation by supporting HTTP responses that are transformed into HTML web pages using XSLT.
  • Improved coverage of the LFI engine.
  • Added name completion for the profile "Save As" dialog.
  • Added missing localized text for the Korean translation.

FIXES

  • Fixed an issue where form authentication remembered cookies from the previous scan when the same Invicti instance was used for a new scan.
  • Fixed the incorrect progress bar shown while performing a controlled scan.
  • Fixed an issue where the enabled status of DOM Based XSS security checks was not being logged.
  • Fixed an issue where the "Cross-site Scripting via Remote File Inclusion" vulnerability was not being confirmed.
  • Fixed a JIRA Send To action issue where the port number of the JIRA service was ignored.
  • Fixed a synchronization issue in the JavaScript Scan Policy section where UI elements were left enabled even though the "Analyze JavaScript / AJAX" option was not checked.
  • Fixed a NullReferenceException thrown when a scan was paused and resumed during form authentication.
  • Fixed an incorrect form value issue that occurred when the #DEFAULT# form value was removed.
  • Fixed the broken layout of input controls on the basic authentication dialog shown during form authentication.
  • Fixed an error reporting issue that occurred when log file collection and/or compression failed.
  • Fixed an HTTP Archive Importer issue where the POST method was parsed as GET when postData was empty.
  • Fixed an ObjectDisposedException thrown on the form authentication verification dialog.
  • Fixed a bug where a GWT parameter containing a Base64 encoded value could not be detected.
  • Fixed a time span parsing bug in Knowledge Base report templates.
  • Fixed an issue where some vulnerabilities were treated as fixed while retesting.
  • Fixed an issue where the XSS proof URL was missing the alert function call.
  • Fixed a typo in the "Base Tag Hijacking" vulnerability template.
  • Fixed the broken "Generate Debug Info" function of the JavaScript simulation feature.
11-May-2016

IMPROVEMENTS

  • Added PCI DSS 3.2 vulnerability ratings.
  • Updated the PCI Compliance report template with the details of PCI DSS version 3.2.