Invicti Enterprise On-Demand

This update includes changes to the internal agents. The internal scan agent’s current version is 23.12.0. The internal authentication verifier agent’s current version is 23.12.0.

New features

• Added CVSS 4.0 categorization of vulnerabilities
• Added support for PCI DSS 4.0

Improvements

• Added descriptions to the agent warning messages on the Scan Summary page
• Updated messaging around the functionality of the Team Administrator role
• Improved the request body rating algorithm
• Improved the Postman collection parsing algorithm
• Resolved an issue with adding a client certificate to set up a scan
• Improved the vulnerability calculator for Boolean MongoDB

Fixes

• Fixed an issue with the agent auto-updater
• Added a missing control for SSO users while editing members
• Fixed a bug in the communication between Invicti and ServiceNow
• Fixed a bug that was preventing administrators from creating new notifications or editing built-in notifications
• Fixed an issue that was causing verifiers to not use scan policy proxy settings
• Fixed an auth verifier client certificate authentication path error
• Fixed the Invicti crawler that wasn't getting JS endpoints correctly

New security checks

• Google ProtocolBuffers: CVE-2022-1941

Fixes

• Fixed a bug that was preventing customers from adding back previously deleted targets
• Increased character length for the Jira and Snow integration URL validation regex to ensure it accommodates Top-Level Domains (TLDs)
• Paused scheduled scans that were resuming automatically will now remain paused until manually resumed
• Removed the previous limit on the number of supported second-level domains in the Discovery feature
• Fixed an error that was occurring when updating an issue from Fixed (confirmed) to Accepted Risk status
• Fixed discrepancies in the numbers displayed on the Dashboard

This update includes changes to the internal agents. The internal scan agent’s current version is 23.11.0. The internal authentication verifier agent’s current version is 23.11.0.

New features

• Added the ability to pull a PCI Report from the CloneSystem itself by using API endpoints
• Added the option for customers to define a namespace for their HashiCorp integration
• Enhanced reporting capabilities with more attributes available in .csv exports and the option to do a .csv export in more places in the UI
• Added an option under New Scan Policy > Ignored Parameters to allow customers to set 'Cookie' as a type of ignored parameter

New security checks

• Added new checks for the WordPress Login with Phone Number Plugin: CVE-2023-23492
• Added new checks for the WordPress JupiterX Core Plugin: CVE-2023-38389, CVE-2023-38388

Improvements

• Added support for custom authentication tokens without token type
• Improved LFI attack patterns for better accuracy
• Fixed some vulnerabilities in the Docker image
• Stricter sensitive data rules
• Improved bot detection bypass scenarios

Fixes

• Fixed a sensitive data issue when uploading a pre-request script
• Fixed a bug that was preventing scheduling group scans using API
• Fixed custom header values in scan profiles so that they are masked
• Docker Cloud Stack check has been updated to reduce noise
• SSL/TLS classification updated from CWE-311 to CWE-319

New features

• Added a setting for administrators to enable internal agents to get VDB updates from the WebApp to avoid routing and proxy issues
• Added the option for administrators to hide sensitive data (passwords, tokens, session IDs, etc) from the UI
• Added functionality to the Dashboard so that you can drill down to view more information when clicking on the Severities and Securities Overview section

Fixes

• Fixed a bug in scheduling group scans with API
• Removed 401 to 500 status code conversion for internal agent requests
• Changed the IP range limitation for excluded IPs in Discovery Settings to fix the Invalid IP address error
• Fixed an issue with scheduled scans not following the scan time window
• Fixed the problem with scan failed logs not appearing in activity logs
• Fixed the broken verify login and logout function in scan profiles
• Updated the vulnerability severity ranking so that issues are correctly sent to integrated issue tracking systems
• Changed the Active Issue count on the dashboard so that it is consistent with the number when you click on it
• Fixed an issue with accessing a scan profile

New features

• Added an option under General > Settings to require a password for edit access to custom scripts
• Added an option under General > Settings to set a session timeout limit for all users

Fixes

• Fixed an issue related to having multiple integrations with the same project but with different issue types
• Fixed an issue in the 'Basic, Digest, NTLM/Kerberos, Negotiate Authentication' settings for scans
• Fixed the Jira Server integration issue that was causing only some Jira users to display when configuring Jira Field Mappings
• Fixed a bug that was causing URL rewrite rules to not be included in the Export Knowledge Base report
• Fixed a problem with the internal agent not sending a heartbeat to the web app when in archiving state
• Fixed an issue with Jira-related integration information being removed from the issue history when a previous scan is deleted
• Fixed an internal agent issue that was causing an exception when registering a vulnerability
• Fixed an issue that was causing the Knowledgebase, Crawled URLs, and Scanned URLs to fail when there is no content
• Fixed the missing mapping for Proxy Bypass On Local that was not saving when a scan policy was saved
• Fixed a bug that was duplicating roles when a Team Administrator modified another Team Administrator direct role assignment
• Fixed a bug that was preventing the import of WSDL files
• Fixed version information reported in Web App Fingerprint Vulnerabilities

This update includes changes to Internal Agents. The internal agent’s current version is 2.0.2.123.

FEATURES

• Introduced a login banner warning. The banner displays security and legal notices to users accessing the system.
• Added pre-scan validations so that Invicti can automatically choose TLS protocol.

IMPROVEMENTS

• Added the tag filtering to the Recent Scans page.
• Added the tag limitation. Users cannot add more than 20 tags.
• Added the date range filter to the global dashboard. Thanks to this improvement, users can filter scan data according to the selected time range.
• Added website and website groups information to Jira integration. When users send an issue to Jira via Invicti Enterprise, website and website groups information, if any, appears in that ticket.
• Added a check for the Trend Matrix Report to ignore null records in the database.
• Improved the method to query known vulnerabilities in Invicti Enterprise.
• Changed SCIM response status code from 400 to 409 when the same email address is submitted twice.
• Added a 400 Error message in the SCIM response status code when a user tries to change its email to a username.
• Updated the error message when deleting the website during a PCI scan.
• Added the severity level icons to the websites listed on the Websites' page.

FIXES

• Fixed the retest retry limit if the base scan is not loaded.
• Fixed an email notification error sent to guest users which showed "Failed - Unable to load scan session" error in the scheduled scans although the scan was successful.
• Fixed a NullReferenceException thrown while checking target URL in the New Scan page.
• Fixed password autocomplete issue in the form authentication saved in a scan profile.
• Fixed an error that prevents the URL Rewrite rule from being updated in the saved scan profile.
• Fixed an error that prevents scan tags from being shown while creating a scheduling scan.
• [INTERNAL AGENT] Fixed the Ignore SSL Certificate issue that prevents internal agents from being auto-updated.
• [INTERNAL AGENT] Improved the performance of security check on cases when multiple checks are running concurrently.

This update includes changes to Internal Agents. The internal agent’s current version is 2.0.2.127.

NEW FEATURES

• Added Node.js sensor for Invicti Shark (IAST).

NEW SECURITY CHECKS

• Added signature matching to Web app fingerprint checker.
• Added patterns for Base64 encoded DOM Cross-site Scripting.
• Added phpMyAdmin Version Disclosure security check.
• Added Atlassian Confluence Version disclosure and Out-of-date security checks.
• Added exclusion feature to JavaScript Library detection.
• Added PHP Version Detection via phpinfo() call.
• Added the Shopify Identified security check.

IMPROVEMENTS

• Added the Bridge URL and Shark token support for Invicti Shark (IAST).
• Added the "not contains" filter to exclude specific titles, such as Out-of-Date.
• Added the notification on the Reporting page when the time start predates the time end.
• Added setting to configure Session Cookie Names.
• Updated CWE classification category orders for Out-of-date templates.
• Improved Cross-site Scripting attack pattern.
• Added support for exploiting local storage and session storage in the DOM XSS security checks.
• Added highlighting support for custom scripts.
• Added Web Application Firewall to the site profile.
• Changed the default ignored parameter comparison to case insensitive.
• Added 'Is Encoded' option to OAuth2 parameters.
• Added JWT Token pre-request script template.
• Added the CSP Not Implemented that will be reported as confirmed.
• Added the Subresource integrity not implemented that will be reported as confirmed.
• Marked weak TLS ciphers.

FIXES

• Fixed the issue that Content-Type header missing was reported when there was no content in the response.
• Fixed the issue that false positive JSON Web Token (JWT) was reported in a not found response.
• Fixed the issue possible and confirmed vulnerabilities reported in the same URL.
• Fixed the issue proof that was generated even when the proof generation option was disabled in the scan policy.
• Fixed FP Waf Identified.
• Fixed the issue vulnerability count in root node is not updated when a vulnerability is removed and Blind XSS was prioritized over the Reflected Cross-site Scripting.
• Fixed the issue source code disclosure is reported in binary responses.
• Fixed the issue JWT JKU vulnerabilities are not reported in Invicti Enterprise because of Null Reference Exception.
• Fixed the issue fingerprint checker crashes when an applications file could not be found.
• Fixed the issue object-src missing was reported when default-src is provided in CSP security checks.
• Fixed the issue that some cipher suites are not reported as weak.
• Fixed the issue classification links were not rendered correctly when there are multiple values.
• Fixed the issue proof prefix was added when there were no more characters to be found.

IMPROVEMENTS

• Added Scan Profile Name column to Recent Scans page.
• Added Website URL as a filter field to Scheduled Scans page.
• Removed encrypted authentication credentials from API responses.

FIXES

• Fixed an issue where the scans launched from CI/CD without a Scan Profile were creating redundant Scan Groups on the Website dashboard.
• Fixed an issue where pressing the TAB key was not committing the entered email address on email input fields.
• Fixed an issue where some settings are not saved when you save a cloned Scan Policy for the first time.
• Fixed an issue where the View Scan Reports and Manage Issues (Restricted) options under Scan Permission are not saved while creating new members.
• Fixed an issue where the modified Scan Profile settings are not saved when another profile is selected from the dropdown.

This update includes changes to the internal agents. The internal scan agent's current version is 2.0.2.148. The internal authentication verifier agent's current version is 2.0.2.148.

IMPROVEMENTS

• Improved the web app to store the agent file’s version to prevent unnecessary updates. 
• Improved the internal agent not to start without updating itself when there is an update. 
• Improved the internal agent not to display the “Update Agent” button when the agent has the latest version. 

FIXES

• Fixed the bug that prevents the internal agent from being auto-updated.

This update includes changes to the internal agents. The internal scan agent's current version is 2.0.2.156. The internal authentication verifier agent's current version is 2.0.2.156.

New security check

• Added the Text4Shell (CVE-2022-42889) check.

Improvements

• Updated the docker scanner agent.
• Added an active scan check before deleting a scan profile related to that active scan.
• Improved the importing link to parse the complex example value for RAML.

Fixes

• Fixed the issue in which the authentication verifier agent is not listed after the time zone is changed.
• Improved the authentication verifier configuration file to support using the plus (+) for space encoding.
• Improved the log for the knowledge base report.
• Fixed the mistaken information on the retestable vulnerabilities.
• Fixed the fix calculation bug in the Issues API endpoint that occurred when scan(s) are deleted.
• Fixed the issue that deleted the customization folder in the agent’s folder after the update.
• Fixed the bug that displayed different method icons on the technical report page.

This update includes changes to internal scan and authentication verifier agents. The internal scan agent's current version is 2.0.2.138. The internal authentication verifier agent's current version is 2.0.2.138.

IMPROVEMENT

• Netsparker Enterprise now Invicti Enterprise.
• Updated the Bamboo plug-in to the version 1.8.
• Added the OWASP API Top Ten 2019 scan policy.
• Added a check to prevent from entering special characters to the optimized scan policy.
• Added the DeleteById field when a website is deleted.
• Added validation of the URLs entered by a user in the ImportedLink section while saving the database.
• Improved the SCIM error message when a user filters users/groups with mistaken syntax.

FIXES

• Fixed null exception error while mapping imported links in API.
• Fixed a bug that causes the Issues page to be crashed when the state filter is selected.
• Fixed a bug in which the new scan page is stuck although a new scan has been launched.
• Fixed a bug that causes an error when you want to delete a scheduled scan that has a website with tags which were included into a scan profile.
• Fixed a bug that generates a blank scan report when a vulnerability has a null name value.
• Fix a bug that does not show imported links in scheduled scans.
• [Internal Authentication Verifier Agent] Fixed OAuth2 verification that fails due to the OTP settings model being null.
• [Internal Scan Agent ] Fixed a bug that prevents the WSDL files from being imported.

FIXES

• Fixed an issue where some Client Certificates might not work properly for authentication
• Fixed an issue where scans might get stuck in the Pausing state