Home
/
Documentation
/
Invicti Enterprise On-Demand Release Notes
Invicti Product Release Notes
Invicti Enterprise On-Demand
Invicti Enterprise On-Premises
Invicti Standard
Invicti Application Security Platform
Release Notes

Invicti Enterprise On-Demand

RSS FEED
18-Aug-2022
COPY LINK

This update includes changes to the internal agents. The internal scan agent's current version is 2.0.2.150. The internal authentication verifier agent's current version is 2.0.2.150.

IMPROVEMENTS

  • Improved the Jira integration.
  • Improved the notification rule scope.
  • Added an option to block navigation on SPAs pages.
  • Removed the target URL health check that lets the scan continue despite getting error messages such as 403.
  • Added the information message when users want to delete the preferred agent configured to a scan.
  • Improved the scan profile to edit Basic, Digest, NTLM/Kerberos, and Negotiate Authentication while starting a new scan.
  • Updated the text on the GraphQL Instropection pop-up.
  • Updated the Basic Authentication message for the internal authentication verifier agent.

FIXES

  • Fixed a bug that caused the scan session failure when the scan is paused and resumed.
  • Fixed a bug that causes server error when expired integration is cloned.
  • Fixed an issue where the Due Days for FreshService integration is displayed as required despite being optional.
  • Fixed an issue that prevented the Authentication Verifier Server from communicating with the web application when the IP Restriction is enabled.
  • Fixed a bug that disabled the Send To button on the All Issues page when users select edit but navigate back to the page.
  • Fixed a bug where DefectDojo automatic issue import is not working.
  • Fixed timeout issues during website DNS checking.
  • Fixed an issue where a JavaScript Setting option blocks inputs for the single-page applications to be reported in the Web Pages with Inputs node.
  • Fixed the improper path parsing when a postman collection file is imported.
  • Fixed a bug that caused the browse section to continue appearing on the Links/API definition page after the import process is canceled.
  • Fixed the null return upon the "GET /scans/list-scheduled" API call.
17-Nov-2021
COPY LINK

The internal agent’s current version is 2.0.2.128.

IMPROVEMENTS

  • Added a behavior that the system sets the default policies of a website group to a website for the Scheduled Group Scans and Group Scans. The system sets the default policies only if users select the default policies on the General Settings page and then assign these policies to a website group on the policies page.
  • Added an information message for updating the agent's status.

FIXES

  • Fixed an issue that set the wrong default scan and report for the Scheduled Group Scan and Group Scan if there is a scan profile.
  • Fixed an issue that prevented a user from editing the default scan policy.
  • Fixed an issue that removes the client certificate from the Form Authentication page if the related scan profile is updated.
  • Fixed an issue that occured when the same vulnerability was sent to Jira's endpoint more than once.
  • Fixed a mismatching type issue on /scanprofiles/list API response model.
17-Mar-2021
COPY LINK

This update includes changes to Internal Agents.

IMPROVEMENT

  • Improved the load times of the global dashboard page.
  • [INTERNAL AGENT] Added a port configuration option for the agent helper service.

FIXES

  • Fixed an issue on /teammembers/new API endpoint where minimum password length requirement is enforced incorrectly for admin users.
  • Fixed a UI glitch where the Fixed Issues widget on the global dashboard page is clipped.
  • Fixed a user enumeration issue that exists for users where SSO is enforced.
  • Fixed an issue where updates to Custom Cookies input on Scan Profiles do not persist.
  • Fixed an issue where the Next button on Welcome Wizard is not enabled even if you select Website Groups as indicated.
  • Fixed the incorrect input label names on the HashiCorp Vault settings dialog.
  • [INTERNAL AGENT] Fixed an issue where stuck scans do not honor the Maximum Scan Duration setting.
  • [INTERNAL AGENT] Fixed an issue where an agent was creating temp files on C: drive even though it is installed in D: drive.
17 January 2023
COPY LINK

This update includes changes to the internal agents. The internal scan agent's current version is 2.0.2.159. The internal authentication verifier agent's current version is 2.0.2.159.

New features

  • Added the ability to run a scanner agent for the OpenShift environment.
  • Added a scan control center to suspend all scans, and pause and resume all scans when needed.
  • Added control for login and logout during vulnerability retest.

Improvements

  • Improved the Invicti web application performance.
  • Improved the ServiceNow Incident Management integration.
  • Improved the detection of whether the Jira instance is on the cloud or on-premises.
  • Improved the Jira integration to add the Affected Versions as an option.
  • [Early Release] Change the Second Level Domain option on the Discovery Service to disabled by default.
  • Change the icon of the vulnerability list for website groups on the Reporting page.
  • Added the keep connection alive message between Invicti Shark (IAST) and the web application scanner to keep the connection alive.
  • Improved the vulnerability report in which any credit card information is masked.
  • Added the Authentication Verifier Service’s IP address to the setting to prevent it from being affected by the IP Restrictions.
  • Improved the agent’s configuration file to specify a folder where the agent’s scan data is to be saved.
  • Improved the API endpoint to create team members and update their information.
  • Added the last revived date parameter to the All Issues API endpoint.
  • Improved the maximum scan duration detection.
  • Updated the TeamCity plugin that requires the Server URL and Domain URL to be the same.
  • Added the GUID control before getting the integration id to prevent any issue in the flow.
  • Improved the scanning of Burp files that are without XML extensions.
  • Increased the time-out for the cloud PDF converter to prevent timeout-related errors.

Fixes

  • Fixed case sensitivity when checking HTTP headers for JWT.
  • Fixed missing CSP 3 Directive.
  • Removed the redundant semicolon on the scan pages.
  • Fixed an issue that prevented the new website group from appearing on the Manage Groups page immediately.
  • Fixed a bug that prevents the scanner from attacking to login and logout pages.
  • Fixed the policies loading issue on the General Settings page.
  • Fixed the user interface issue to reflect the agent information on the Installed Framework accurately.
  • Fixed the inconsistent risk level on the generated reports.
  • Fixed the IPv6 registered website resolution issue thrown before scanning.
  • Fixed the bug of excluding addressed issues in reports generated via Azure Pipeline Extension.
  • Fixed the synchronization issue for the Discovery Service.
  • Fixed the bug that throws a null reference exception at the authentication.
  • Fixed a bug that prevents the scanner from attacking to login and logout pages.
  • Fixed an issue that overrode TLS settings available in the scan policy when the Ignore SSL Certificate Errors is set to True in the Appsetting.json file.
  • Fixed the bug in which OAuth2 settings were not transferred properly from the web application to the agent.
  • Fixed the bug that threw an error when exporting a report.
  • Fixed null reference error during SCIM User creation.
16-Aug-2022
COPY LINK

The internal scan agent's current version is 2.0.2.149. The internal authentication verifier agent's current version is 2.0.2.149.

FIXES

  • Fixed a bug that showed an internal error when cloud agents cannot access internal webpages.
16 March 2023
COPY LINK

This update includes changes to the internal agents. The internal scan agent's current version is 23.3.0. The internal authentication verifier agent's current version is 23.3.0

New security checks

  • Added package.json Configuration File attack pattern.
  • Added new File Upload Injection pattern.
  • Added SSRF (Equinix) vulnerability.
  • Added Swagger user interface Out-of-Date vulnerability.
  • Added a file upload injection pattern.
  • Added StackPath CDN Identified vulnerability.
  • Added Insecure Usage of Version 1 GUID vulnerability.
  • Added JBoss Web Console JMX Invoker check.
  • Added Windows Server check.
  • Added Windows CE check.
  • Added Cloudflare Identified, Cloudflare Bot Management, Cloudflare Browser Insights, and cdnjs checks.
  • Added Varnish Version Disclosure vulnerability check.
  • Added Stack Trace Disclosure (Apache Shiro) vulnerability check.
  • Added Java Servlet Ouf-of-Date vulnerability check.
  • Added AEM Detected vulnerability check.
  • Added CDN Detected(JsDelivr) vulnerability check.

Improvements

Improvements in scans

  • Improved the bulk update of those issues with the Fixed(Can’t Retest) status.
  • Added a column on the Issues page to show users whether an issue is retestable.
  • Improved the scan compression algorithm to lower the size of the scan data.
  • Added a tooltip to show the full scan report name when it is too long.
  • Added a progress indication while exporting a PCI scan report.
  • Added an option to delete the stuck agents' commands.
  • Fixed the business logic recorder issue while using the Basic, NTLM/Kerberos Configurations.
  • Improved the internal agents on Windows to prevent possible Unquoted Service Path issues.

Improvements in API

  • Improved the descriptions for /api/1.0/issues/report endpoint and the integration parameter on the Allissues endpoint.

Improvements in security checks

  • Improved WS_FTP Log vulnerability test pattern.
  • Improved X-XSS-Protection Header Issue vulnerability template.
  • Improved MySQL Database Error Message attack pattern.
  • Improved XML External Entity Injection vulnerability test pattern.
  • Improved Forced Browsing List.
  • Added CWE classification for Insecure HTTP Usage.
  • Added GraphQL Attack Usage to existing test patterns by default.

Fixes

  • Fixed the update issue in the Proof node in the Knowledge Base panel.
  • Fixed the scan profile issue when exported from Invicti Standard to Invicti Enterprise.
  • Fixed the API token reset issue for team members.
  • Fixed the API documentation’s website that failed to show descriptions.
  • Fixed the business logic recorder issue where the session is dropped because of a cookie.
  • Fixed the default email address that appeared on the login page during the custom script window.
  • Fixed the Out-of-Memory issue caused by the Text Parser when adding any extension to the parser.
  • Fixed the Client Secret in raw text appearing in the scan report for OAuth2.
  • Fixed the Hawk validation issue.
  • Fixed the scan flow with different logic for incremental scans that are launched via CI/CD integrations and the user interface.
  • Fixed the custom vulnerability deletion problem on the custom report policy.
  • Fixed the vulnerability database issue that occurred because of a URL redirect problem.
  • Fixed the internal server error on the Audit logs' list endpoint.
  • Fixed the issue of email notifications when a new scan is launched.
  • Fixed the typo on the OAuth2 settings page.
  • Fixed the issue updating timeout issue.
  • Fixed the PCI scan icon issue that disappeared during the scan.
15-Sep-2022
COPY LINK

This update includes changes to the internal agents. The internal scan agent's current version is 2.0.2.152. The internal authentication verifier agent's current version is 2.0.2.152.

NEW FEATURES

  • Added the Amazon Web Service to the Discovery, so Invicti can discover your web assets on AWS.

IMPROVEMENTS

  • Added the report option to the Jenkins integration.
  • Updated embedded Chromium browser.
  • Added notification to warn users if they are creating a vulnerability profile that exists on the report policy.
  • Added content and return type to the scans/report and scans/downloadscanfile API endpoint.

FIXES

  • Fixed the Jenkins plug-in integration so that it can work after the Log4j update.
  • Fixed the maximum scan duration bug when set in the user interface and API endpoint.
  • Fixed the tooltip color on the scan status page.
  • Fixed the Nuget package version issue.
15-Jun-2022
COPY LINK

This update includes changes to the internal scan agent. The internal scan agent's current version is 2.0.2.143.

NEW FEATURES

IMPROVEMENTS

  • Updated embedded Chromium browser.
  • Added a discovered date column for websites detected by the Discovery Service.
  • Updated out-of-date Lodash library.
  • Added a timeout for website import. The default value for timeout is 400 ms.
  • Improved the tooltip for security checks on the scan policy page to properly reflect the security policy selections.
  • Updated the SCIM integration for provisioning on Azure Active Directory’s marketplace.
  • Added the ability to bulk edit issues.

FIXES

  • Fixed a bug that prevents members with user-defined roles from being deleted.
  • Fixed a bug that prevents the information displayed when users select Jira on the user mapping.
  • Fixed a bug that does not request to verify website ownership when the website's agent mode is changed from internal to Cloud.
  • [Internal agent] Fixed a bug that causes showing an outdated vulnerability database version of an agent on the user interface.
  • Fixed a bug that shows different information between Invicti Standard and Invicti Enterprise on the Known Issues of the Out-of-Date Node when the software composition analysis is run.
  • Fixed a null reference type issue while creating JsonSerialized Kafka issues.
  • [Internal agent] Fixed a bug that does not show the website thumbnail when the scan is completed.
  • Fixed an issue that causes custom vulnerabilities not to be added to the Vulnerability Lookup table.
  • Changed filter for Groupable Custom vulnerabilities when creating vulnerability model.
  • Fixed a bug that prevents a scan profile from being updated when users add a client certificate.
  • Fixed a bug that threw an error when users tried to delete a scan policy.
  • Fix a bug that prevents exporting a vulnerability list report in CSV or XML when Netsparker Shark (IAST) is enabled.
  • Fixed a bug that prevents the loading of form authentication pages when OTP is selected.
  • Fixed a bug while excluding cookies during the scan.
  • Fixed a bug that prevents websites from being deleted.
  • Fixed the Jazz Team Server multiple category issue.
  • Fixed a bug that occurs when a detailed scan report does not report the CVSS scores for custom vulnerabilities.
  • Fixed a bug that prevents editing the FreshService integration.
  • Fixed the link that throws an error on the SCIM API documentation page.
  • [Internal agent] Fixed a bug that throws an exception when the agent is started in debug mode on IDE.
  • Fixed a bug that prevents a notification from being sent to users when users filter the state.
  • Removed the space at the CVSS Scores that caused incorrect values to show up.
15-Dec-2021
COPY LINK

The internal agent’s current version is 2.0.2.131.

NEW SECURITY CHECKS

14-October-2022
COPY LINK

This update includes changes to the internal agents. The internal scan agent's current version is 2.0.2.155. The internal authentication verifier agent's current version is 2.0.2.155.

FIXES

  • Fixed the comma issue that appeared when the scan is launched with the Header Authentication.
  • Fixed the internal agent issue in which the scan is stuck after the scan is canceled.
14-Feb-2022
COPY LINK

This update includes changes to internal scan agents. The internal scan agent's current version is 2.0.2.136.

IMPROVEMENTS

  • Improved to comply with WCAG 2.1 - Level AA.
  • Implemented new Log4j attack patterns.
  • Improved the U2F Security Key standard to the Web Authentication API.
  • [INTERNAL AGENTS] Improved the internal agent to take a screenshot to make sure that the first page loads properly.

FIXES

  • Fixed an issue where the '>' symbol displayed on the Manage Agents page.
  • Fixed an issue that reports incorrect results during checking the redirect URL for Open Redirect vulnerability.
  • Fixed the /scans/report/{id} API endpoint that returned empty HTML report.
  • Fixed an issue that the Discovery Service keeps working for the disabled accounts and websites.
  • Fixed an issue that duplicates the number of RegEx parameters when the page is refreshed.
  • [INTERNAL AGENTS] Fixed NHS exception errors in the Docker agent.
13-October-2022
COPY LINK

This update includes changes to the internal agents. The internal scan agent's current version is 2.0.2.154. The internal authentication verifier agent's current version is 2.0.2.154.

NEW FEATURES

NEW SECURITY CHECKS

  • Added MongoDB Time-based (Blind) Injection.
  • Added SQLite Boolean SQL Injection.
  • Added MongoDB Error-based Injection.

IMPROVEMENTS

  • Improved the Trend Matrix Report exporting to include the severity information as well.
  • Improved the HashiCorp integration to authenticate with user tokens, too.
  • Updated Vulnerability Detection Logic in the JWT engine.
  • Improved the GraphQL scanning to include the separated comment lines in GraphQL files.
  • Improved the Authentication Verifier Agent to work with self-signed SSL.
  • Improved the Azure Pipeline Extension to generate a scan report on the release pipeline.
  • Updated Liferay Portal signature & added a mapping for version conversion.

FIXES

  • Fixed a bug that corrupts the header authentication credentials after updating the scheduled scan.
  • Fixed the status information showing different data on the Discovered Webpages page.
  • Fixed the Docker Agent build fail because of the compiler package.
  • Fixed the Total Elapsed and Average Time values displaying 00:00:00 on the Scan Performance tab of the Technical Report.
  • Fixed the time values displaying 00:00:00 on the Crawling Performance node of the Technical Report.
  • Fixed the Authentication Verifier Agent’s time zone bug.
  • Fixed an issue that results in false positive Cross-site Scripting (DOM-based).
  • Fixed the bug that duplicates the login page when users try to revalidate the login form.
  • Fixed the Single Sign-on - encryption certification issue.
  • Fixed the web security issue for the origin header problem.
  • Fixed the sitemap bug that caused missing information when imported.
  • Fixed the bug that threw an error, as HTTP Requester deletes the whole body part of the request which contains the login credentials.
  • Fixed highlighting CSP Directives in different header issues.
  • Fixed duplicate bearer tokens for some requests.
  • Fixed an issue that resulted in false positive Cross-site Scripting (DOM-based).
  • Fixed the bug that shows the previous version of VDB.
  • Fixed parseable false attack patterns place.