Invicti Product Release Notes
Invicti Enterprise On-Demand
This update includes changes to Internal Agents. The internal agent’s current version is 2.0.2.125.
IMPROVEMENTS
- Added a new security check to identify version disclosure and out-of-date versions of Atlassian Confluence (CVE-2021-26084).
FIXES
- Fixed a bug that caused the target URL's HTTP headers to be missing when the target was added with imported links.
- Fixed an issue that caused proofs to be generated for SQL Injection and Cross-site Scripting even when proof generation was disabled.
- Fixed an issue that prevented a cookie's SameSite attribute from being updated, which caused the "same-site cookie is not implemented" vulnerability to be reported.
- Fixed a JSON Web Token (JWT) validation check that caused too many invalid token errors when Bearer Authentication Tokens were used in form authentication.
- Fixed an issue where host and path parameters in a Postman collection were not imported when they were a string instead of an array.
- Fixed a bug that resulted in a 401 response when the scanner sent HTTP headers in lowercase.
- Fixed a cookie-handling bug on the logout detection page during form authentication verification.
- [INTERNAL AGENTS] Fixed a bug where slow response times from the web application to the agent caused inconsistent Blind SQL Injection vulnerability reports.
IMPROVEMENTS
- Added email and SMS filters to Notifications.
- Added an option to fail GitLab build for only confirmed vulnerabilities.
FIXES
- Fixed an issue where incorrect scan profiles and policies were used while performing group scans.
- Fixed an issue where the State field of an issue was converted to a numeric value when the state of a revived issue was set to another state through the API.
- Fixed an issue where an incorrect Affected Version value is reported for an out-of-date vulnerability.
- Fixed an issue where editing a scheduled scan displays incorrect scan policy, report policy, and agent data.
- Fixed an issue where the custom vulnerability profile data of a report policy was not retrieved correctly when called from the vulnerability/template API endpoint.
- Fixed the missing LastLoginDate field by adding it back to member API call responses.
IMPROVEMENTS
- Added support for provisioning users without requiring an invitation when the user will log in using SSO.
- Added support for setting external email recipients for notifications for all the event types.
- Added the SANS Top 25 Report as an export option.
- Updated PCI Compliance Report to match the new style of the reports.
- Added Scan Profile name to Detailed Scan Report and several other compliance reports.
FIXES
- Fixed an issue where the scan files fail to archive to S3 storage and pile up on the agent machine.
- Fixed an issue where an Internal Server Error occurs while trying to start or schedule a new scan.
This update includes changes to Internal Agents.
FEATURE
- Added the Custom Security Checks via Scripting feature, which allows extending vulnerability detection capabilities. (Needs to be enabled on a per-account basis.)
IMPROVEMENT
- [INTERNAL AGENT] Improved agents to reduce the number of IOPS performed.
IMPROVEMENTS
- Added an option to fail the build for the Azure Pipelines Integration.
- Added the Description field for Websites and Website Groups.
FIXES
- Fixed an issue where some paused scans got stuck and could not be resumed.
- Fixed an issue where the incremental scan failed for a scan with a form authentication configuration.
- Fixed an internal agent issue where the agent was not able to start as a service.
- Removed the redundant Domain field requirement from the Proxy settings of a Scan Policy.
This update includes changes to Internal Agents.
FEATURES
- Added DefectDojo Integration.
- Added support for editing built-in sections of custom report policies.
- Added Pre-Request Script feature which helps to configure HMAC Authentication on the New Scan page.
- Added DISA STIG, NIST SP 800-53, and ASVS 4.0 Compliance Reports.
- Added a new State filter on the Issues page.
IMPROVEMENTS
- Added an option to fail Azure build for only confirmed vulnerabilities.
- Improved the statusCode and errorMessage returned from members/deleteinvitation API endpoint on cases when the invitation is missing.
- Changed roles/update API endpoint response status code from 201 to 200 to better comply with REST best practices.
- Added “Override Version Vulnerability Severities” option to Scan Policy > Attacking settings.
- Improved the error message displayed when a Website Group cannot be deleted due to it being referenced by a notification.
- Extended the range of digits that can be entered for HOTP and TOTP configuration.
- Improved global dashboard performance.
- Changed the error message for members/update API endpoint for password POST requests.
- Added a control in the UserRoleWebsiteGroupMapping API endpoint to prevent null object reference exceptions.
REMOVAL
- Removed X-Scanner request header from the default scan policies to prevent web application firewalls from blocking scans.
FIXES
- Fixed an error preventing NIST, DISA STIG, and ASVS classifications from appearing in the Issue details.
- Fixed an unhandled error that occurs while deleting scans.
- Fixed an issue where the check state is reset when the search keyword is modified on the Report Policy Editor security checklist.
- Fixed scheduled website group scans that do not use primary scan policies.
- Fixed an issue where multiple Common Weakness Enumeration values were being sent to Kenna Integration.
- Fixed the incorrect API documentation of roles/listpermissions endpoint.
- Fixed an issue where form authentication may fail because of credentials being modified when the scan profile is updated.
- Fixed missing state field on the member API endpoint.
- Fixed the 500 Internal Server Error message for a query string to a non-existent page.
- [INTERNAL AGENT] Fixed an issue where a scan policy name containing invalid filename characters was causing scans to fail.
- [INTERNAL AGENT] Fixed several scan failure issues caused by an error that occurred while trying to open the vulnerability database.
- [INTERNAL AGENT] Fixed agent attempting to use proxy even after settings are changed.
- [INTERNAL AGENT] Fixed an unhandled error thrown while archiving the scan data.
- [INTERNAL AGENT] Added NoProxy option to internal agents.
This update includes changes to Internal Agents. The internal agent’s current version is 2.0.2.134.
NEW FEATURES
- Added OWASP Top Ten 2021 report and classification.
IMPROVEMENTS
- Improved the Authentication Verifier Agent. The new version offers better performance for single-page applications, consumes fewer resources, and comes with an auto-update feature.
FIXES
- Added workspace information for Bitbucket integration.
- Fixed a bug that threw a communication error when sending an issue to Kenna.
- Added Tags property to the Kenna integration.
This update includes changes to the internal agents. The internal scan agent’s current version is 23.5.0. The internal authentication verifier agent’s current version is 23.5.0.
New security checks
- Added a new security check for LDAP injection for IAST.
- Added a new security check for MongoDB injection.
- Added a new security check for Server-side Template Injection for IAST.
- Added a new security check for XPath injection for IAST.
- Implemented a security check for Sensitive Data Exposure.
Improvements
- Updated the Java sensor to improve its stability.
- Added the Response Receiver information event to remove waiting time for requests.
- Improved the discovery service for email, website, and main website matching.
- Improved the Not Contains filter for tags.
- Added the EC2 Instance ID column to the default columns on the Discovered Websites page.
- Updated API documentation for outdated ApiFileModel JSON example.
- Added an information message to the report policy page in case the custom report policy cannot be found.
- Improved the agent assignment process to prevent performance issues.
- Changed the Launch Scan button to the New Scan button on the dashboard.
- The Scan data files and Agent files (for Scanner/Verifier upgrades) are retrieved from AWS S3.
Fixes
- Fixed an issue that caused a bad CSRF token when confirming Cross-site Scripting.
- Fixed an issue where the login form was filled out on the logout page during login verification.
- Fixed an issue where the order of API parameters changed while importing the JSON file.
- Fixed the vulnerability signature types for Cloudflare and Cdnjs.
- Fixed the custom script information on the 3-Legged Authorization in the scan summary.
- Fixed the issue that prevented empty website groups from being deleted.
- Fixed the issue that resulted in the scanning of the target URL instead of the GraphQL endpoint.
- Fixed an issue where tokens were detected even though the Detect Bearer Authorization Token function was disabled.
- Fixed the case-sensitive parameter name that caused issues when migrating the database.
- Fixed the ServiceNow integration issue that failed to export the issue information.
- Fixed an issue that allowed a user with permission to add/edit a website group to view all websites in the account.
- Fixed a permission issue where a user could add and edit discovery connections via an API endpoint without having that permission.
- Fixed an issue where the Knowledge Base report showed the old Invicti logo.
- Fixed issues encountered during scan deletion and canceling to improve performance.