Invicti Enterprise On-Premises Release Notes
v23.2.0

Improvements

  • Improved the Technologies page to show detailed version information for the technologies identified.
  • Improved the target website deletion process to prevent any errors because of instantaneous action.
  • Improved the scan compression algorithm.
  • Added a new API endpoint (api/1.0/issues/summary) for better issue reporting.
  • Added /api/1.0/scans/validate-imported-links-file to retrieve errors in the imported links.
  • Added the last revived date parameter to the All Issues API endpoint.
  • Improved the API endpoint to create team members and update their information.
  • Improved the maximum scan duration to stop only those scans with the Scanning status.
  • Added a token matching rule when it is required to get the token from a website other than the target URL.
  • Added the Secure attribute for cookies.
  • Added interval for Update Agents' list on the installation wizard.
  • Added the GUID control before getting the integration id to prevent any issue in the flow.
  • Updated the scan control center to drop the difference between the unsuccessful resuming and pausing status.
  • Improved the detection of whether the Jira instance is on the cloud or on-premises.
  • Improved the ServiceNow Incident Management integration.
  • Added active scan check when deleting an authentication profile.
  • Improved the Invicti web application performance.
  • Improved the website deletion process to block access to the associated file of the deleted website.
  • Improved the Jira integration to add the Affected Versions as an option.
  • Updated the TeamCity plugin that requires the Server URL and Domain URL to be the same.
  • Improved the vulnerability report in which any credit card information is masked.
  • Added the Authentication Verifier Service’s IP address to the setting to prevent it from being affected by the IP Restrictions.
  • Improved the agent’s configuration file to specify a folder where the agent’s scan data is to be saved.
  • Fixed case sensitivity when checking HTTP headers for JSON Web Tokens.
  • Fixed missing CSP 3 Directive.
  • Changed the Second Level Domain option on the Discovery Service to disabled by default.
  • Improved the scanning of Burp files that are without XML extensions.

Fixes

  • Fixed the scanner agent issue where the Linux agents failed because of TLS as a result of breaking changes in .NET 5.
  • Fixed the configuration issue in a Docker scanner agent.
  • Fixed the Hawk validation issue.
  • Fixed the issue in the IAST installer that threw an error message despite successful installation.
  • Fixed the basic authentication issue that threw an error although the credentials are correct in the scan profile.
  • Fixed the business logic recorder issue that prevented the recorder from playing recorded steps during a scan.
  • Fixed the inconsistent number of vulnerability counts by severity information on the scan report page.
  • Fixed the vulnerability serialization issue that caused the out-of-memory error.
  • Fixed the scan scope issue that did not load the scan scope correctly on the first try.
  • Fixed the scan profile issue that failed to register the database selected on the scan optimization page.
  • Fixed the corrupted scan data ZIP file downloaded via an API endpoint.
  • Fixed the silent installation issue in which the installation path cannot be located.
  • Fixed the business logic recorder issue where the session is dropped because of a cookie.
  • Fixed the sitemap issue that failed to show the site map after the scan.
  • Fixed the null reference exception thrown in the new installation.
  • Fixed the issue that failed to render the API document’s index page.
  • Fixed the bug that threw an error when exporting a report.
  • Fixed a bug that prevented the scanner from attacking login and logout pages.
  • Fixed the synchronization issue for the Discovery Service.
  • Fixed a header encoding issue that caused false positive CSP reporting.
  • Fixed an issue that caused unhandled exceptions when there is no service endpoint definition in the WSDL file.
  • Fixed null reference error during the SCIM User creation.
  • Fixed the user interface issue to reflect the agent information on the Installed Framework accurately.
  • Fixed the Hawk URL issue that is changed after the scan policy update via an API endpoint.
  • Fixed the bug that threw a null reference exception at authentication.
  • Fixed the inconsistent risk level on the generated reports.
  • Fixed the IPv6 registered website resolution issue thrown before scanning.
  • Improved the maximum scan duration detection.
  • Fixed the scheduled scans not being exported issue from Invicti Standard to Invicti Enterprise.
  • Fixed the bug in which OAuth2 settings were not transferred properly from the web application to the agent.
  • Increased the time out for the cloud PDF converter to prevent timeout-related errors.

Removed

  • Removed the PCI DSS scan option on the New Scan page.
v23.12.1 - 19 December 2023

Fixes

  • Fixed errors that were occurring with custom report policies
  • Fixed "The given key was not present in the dictionary" error that was occurring in Issues, Reports, and Scans
v23.12.0 - 8 December 2023

New features

  • Added the ability to pull a PCI Report from the CloneSystem itself by using API endpoints
  • Added the option for customers to define a namespace for their HashiCorp integration
  • Enhanced reporting capabilities with more attributes available in .csv exports and the option to do a .csv export in more places in the UI
  • Added an option under New Scan Policy > Ignored Parameters to allow customers to set 'Cookie' as a type of ignored parameter
  • Added a setting for administrators to enable internal agents to get VDB updates from the WebApp to avoid routing and proxy issues
  • Added the option for administrators to hide sensitive data (passwords, tokens, session IDs, etc.) from the UI
  • Added functionality to the Dashboard so that you can drill down to view more information when clicking on the Severities and Securities Overview section
  • Added an option under General > Settings to require a password for edit access to custom scripts
  • Added an option under General > Settings to set a session timeout limit for all users
  • We now support AWS IAM Roles as an authentication method

New security checks

  • Added new checks for the WordPress Login with Phone Number Plugin: CVE-2023-23492
  • Added new checks for the WordPress JupiterX Core Plugin: CVE-2023-38389, CVE-2023-38388

Improvements

  • Added support for custom authentication tokens without token type
  • Improved LFI attack patterns for better accuracy
  • Fixed some vulnerabilities in the Docker image
  • Stricter sensitive data rules
  • Improved bot detection bypass scenarios
  • Added a warning message when selecting or assigning the Team Administrator role

Fixes

  • Fixed a sensitive data issue when uploading a pre-request script
  • Fixed a bug that was preventing scheduling group scans using API
  • Fixed custom header values in scan profiles so that they are masked
  • Docker Cloud Stack check has been updated to reduce noise
  • SSL/TLS classification updated from CWE-311 to CWE-319
  • Fixed a bug in scheduling group scans with API
  • Removed 401 to 500 status code conversion for internal agent requests
  • Changed the IP range limitation for excluded IPs in Discovery Settings to fix the Invalid IP address error
  • Fixed an issue with scheduled scans not following the scan time window
  • Fixed the problem with scan failed logs not appearing in activity logs
  • Fixed the broken verify login and logout function in scan profiles
  • Updated the vulnerability severity ranking so that issues are correctly sent to integrated issue tracking systems
  • Changed the Active Issue count on the dashboard so that it is consistent with the number when you click on it
  • Fixed an issue with accessing a scan profile
  • Fixed an issue related to having multiple integrations with the same project but with different issue types
  • Fixed an issue in the 'Basic, Digest, NTLM/Kerberos, Negotiate Authentication' settings for scans
  • Fixed the Jira Server integration issue that was causing only some Jira users to display when configuring Jira Field Mappings
  • Fixed a bug that was causing URL rewrite rules to not be included in the Export Knowledge Base report
  • Fixed a problem with the internal agent not sending a heartbeat to the web app when in archiving state
  • Fixed an issue with Jira-related integration information being removed from the issue history when a previous scan is deleted
  • Fixed an internal agent issue that was causing an exception when registering a vulnerability
  • Fixed an issue that was causing the Knowledgebase, Crawled URLs, and Scanned URLs to fail when there is no content
  • Fixed the missing mapping for Proxy Bypass On Local that was not saving when a scan policy was saved
  • Fixed a bug that was duplicating roles when a Team Administrator modified another Team Administrator direct role assignment
  • Fixed a bug that was preventing the import of WSDL files to Invicti Enterprise
  • Fixed version information reported in Web App Fingerprint Vulnerabilities
v23.10.0 - 26 October 2023

New features

  • Added a new Team Administrator role that gives you the flexibility to designate an administrator for oversight across specific web applications, and assign certain roles and website groups to specific Teams or Team Members
  • Added an option under General > Settings to set a session timeout limit for all users
  • Added new options to the dashboard for selecting date ranges, including creating custom time periods
  • Added a notification to the scan results page to show the VDB update version and Invicti Hawk connectivity status for the agent used in the scan
  • Added a sensitive data (password, session cookie, token, etc.) encoder

New security checks

  • Added JQuery placeholder detection methods
  • Added a new security check for the Missing X-Content-Type-Options vulnerability

Improvements

  • Improved the JS Delivery CDN disclosure check to increase stability
  • Improved the remediation part for the Weak Ciphers Enabled vulnerability
  • Reduced the certainty value to 90 for the Robot Attack Detected vulnerability
  • Improved the detection method for CSP
  • Improved the detection method for the Dockerignore File Detected vulnerability
  • Improved the detection method for the Docker Cloud Stack File Detected vulnerability

Fixes

  • Fixed an issue with imported links in the API
  • Fixed a bug in the scan URL rewrite rules
  • Fixed a bug that was preventing retest scans from starting correctly when the vulnerability states were changed from 'Reviewed' to 'Fixed (Unconfirmed)'
  • Fixed a bug with disabling the scheduled scans list
  • Fixed an issue with viewing the Account Edit page
  • Added the missing CVE to the issue details for the "Out-of-date Version (jQuery Validation)" vulnerability
  • Fixed some bugs that were affecting BLR
  • Encrypted proxy password details when used in the Agent
  • Fixed a custom proxy bypass list issue
  • Fixed a unique analyzer bug for the WSDL importer
  • Improved our XSS capabilities
  • Fixed an NTLM login issue
  • Fixed an issue that was causing the license file to become empty after upgrading the product
  • Fixed several bugs that were impacting some agent proxy settings, synchronization of the vulnerabilities database, and saving scan policies when the proxy bypass feature is used
  • Other miscellaneous bug fixes
v23.1.0

New features

  • Added a scan control center to suspend all scans, and pause and resume all scans when needed.
  • Added a feature to generate a report for vulnerabilities identified across a website group.
  • Added an API parameter to choose among agent groups to launch an incremental scan. [API-only]
  • Added an option to determine how long Invicti stores scan data.
  • Added auto-GraphQL test after endpoint is detected.

New Security Checks

  • Added MongoDB Time-based (Blind) Injection.
  • Added SQLite Boolean SQL Injection.
  • Added MongoDB Error-based Injection.
  • Added the Text4Shell (CVE-2022-42889) check.

Improvements

  • Improved the Jira integration.
  • Improved the ServiceNow Incident Management.
  • Added the report option to the Jenkins integration.
  • Improved the notification rule scope.
  • Updated embedded Chromium browser.
  • Updated the docker scanner agent.
  • Added an option to block navigation on SPA pages.
  • Added an option to export the PCI DSS scan report even if it fails the scan.
  • Improved the scan report page’s performance.
  • Upgraded the TeamCity plugin.
  • Added an option to include the IAM Role to the Cloud Provider settings.
  • Improved the SSO to inform users about the expired SAML certificate.
  • Removed the target URL health check that lets the scan continue despite getting error messages such as 403.
  • Added URL validation check for the authentication verifier settings.
  • Added the information message when users want to delete the preferred agent configured to a scan.
  • Improved the scan profile to edit Basic, Digest, NTLM/Kerberos, and Negotiate Authentication while starting a new scan.
  • Updated the text on the GraphQL Introspection pop-up.
  • Updated the Basic Authentication message for the internal authentication verifier agent.
  • Improved the scan profile feature, so any updates on a scan profile are to be reflected on the scheduled scans, incremental scans, and retests.
  • Added information for stuck agents where the scan failed because of the agent’s deletion.
  • Improved the Activity Log page to list any changes on the general settings.
  • Improved the user agent to add custom user agents.
  • Improved the Basic, Digest, NTLM/Kerberos, Negotiate Authentication to inform users on the test credentials page whether this authentication is required or not.
  • Improved the required information for the Kafka integration.
  • Improved the raw scan file expired information message.
  • Added notification to warn users if they are creating a vulnerability profile that exists on the report policy.
  • Added content and return type to the scans/report and scans/downloadscanfile API endpoint.
  • Added the .gql to the supported file types for the import link.
  • Improved the Trend Matrix Report exporting to include the severity information as well.
  • Improved the HashiCorp integration to authenticate with user tokens, too.
  • Added a name validation for adding a new member’s name and editing a member’s name.
  • Improved the global dashboard performance.
  • Added an active scan check before deleting a scan profile related to that active scan.
  • Improved the importing link to parse the complex example value for RAML.
  • Added the support for browser flag.
  • Improved the website dashboard performance.
  • Added the attack option for Cross-site Request Forgery (CSRF).
  • Added the required tooltip for the Value field of the Kafka integration.
  • Added an explanation for the failed requests error.
  • Added name variable support for Passive and Singular Custom Security Checks.
  • Added auto responder for images to escape the onerror issue.

Fixes

  • Fixed the business logic recorder issue that prevented the recorder from playing recorded steps during a scan.
  • Fixed the internal agent update issue that is stuck in the updating process.
  • Fixed the deserialization problem when importing the scan session.
  • Fixed the CSP analyzer Regex enumeration problem.
  • Fixed uncrawled stateless links that were left waiting for the resource finder.
  • Fixed the issue with updating Linux agents from versions older than 2.0.2.155.
  • Fixed the SQL timeout issue when the reporting date page is too large.
  • Fixed the retest issue.
  • Fixed the Shark validation issue that threw exceptions while validating.
  • Fixed the issue of adding emails with special characters to the Notification.
  • Fixed a bug that caused the scan session failure when the scan is paused and resumed.
  • Fixed a bug that caused a server error when an expired integration was cloned.
  • Fixed an issue where the Due Days for FreshService integration is displayed as required despite being optional.
  • Fixed an issue that prevented the Authentication Verifier Server from communicating with the web application when the IP Restriction is enabled.
  • Fixed a bug that disabled the Send To button on the All Issues page when users select edit but navigate back to the page.
  • Fixed a bug where DefectDojo automatic issue import is not working.
  • Fixed timeout issues during website DNS checking.
  • Fixed an issue where a JavaScript Setting option blocks inputs for the single-page applications to be reported in the Web Pages with Inputs node.
  • Fixed the improper path parsing when a postman collection file is imported.
  • Fixed a bug that caused the browse section to continue appearing on the Links/API definition page after the import process is canceled.
  • Fixed the null return upon the "GET /scans/list-scheduled" API call.
  • Fixed the late formation folder size issue.
  • Fixed a bug that does not show the status change drop-down on the scan report page when zoomed in.
  • Updated the Unfuddle Integration where optional fields have "required" text.
  • Improved the IP Restriction Infrastructure.
  • Fixed failed scans where the Target URL is IPv6 and starts with ::1.
  • Fixed the null reference problem issue while using the 3-legged flow type for OAuth2.
  • Fixed the Chrome version number on the custom script editor while using an internal authentication agent.
  • Fixed the GraphQL retest bug that showed a different request count.
  • Fixed the single sign-on issue that prevented users from using SSO.
  • Fixed the Jenkins plug-in integration so that it can work after the Log4j update.
  • Fixed the maximum scan duration bug when set in the user interface and API endpoint.
  • Fixed the tooltip color on the scan status page.
  • Fixed the ServiceNow API endpoint issue.
  • Fixed the Nuget package version issue.
  • Fixed the required attribute for the category on the ServiceNow Incident Management integration.
  • Fixed the website's exporting to CSV issue when sorted by description.
  • Improved the scan status that running scans will be set as Failed if their Scanner Agent is Not Available or Terminated.
  • Fixed the deleted vulnerability issue while creating a scan report.
  • Improved the site map and vulnerability synchronization.
  • Fixed the Exclude Authentication Pages option on the scan scope when configuring an authentication profile.
  • Fixed a bug that corrupts the header authentication credentials after updating the scheduled scan.
  • Fixed the status information showing different data on the Discovered Webpages page.
  • Fixed the Docker Agent build fail because of the compiler package.
  • Fixed the Total Elapsed and Average Time values displaying 00:00:00 on the Scan Performance tab of the Technical Report.
  • Fixed the time values displaying 00:00:00 on the Crawling Performance node of the Technical Report.
  • Improved the GraphQL scanning to include the separated comment lines in GraphQL files.
  • Fixed the Authentication Verifier Agent’s time zone bug.
  • Fixed an issue that resulted in false positive Cross-site Scripting (DOM-based).
  • Fixed the bug that duplicates the login page when users try to revalidate the login form.
  • Improved the Authentication Verifier Agent to work with self-signed SSL.
  • Fixed the bug on the user interface of ServiceNow Incident Management integration that caused issues with the On Hold status.
  • Fixed the bug on the user interface of ServiceNow Incident Management integration that caused issues with the Closed status.
  • Improved the Azure Pipeline Extension to generate a scan report on the release pipeline.
  • Fixed the Single Sign-on - encryption certification issue.
  • Fixed the web security issue for the origin header problem.
  • Fixed the sitemap bug that caused missing information when imported.
  • Fixed the bug that threw an error, as HTTP Requester deletes the whole body part of the request which contains the login credentials.
  • Fixed highlighting CSP Directives in different header issues.
  • Fixed duplicate bearer tokens for some requests.
  • Updated Liferay Portal signature & added a mapping for version conversion.
  • Fixed the bug that shows the previous version of VDB.
  • Updated Vulnerability Detection Logic in the JWT engine.
  • Fixed parseable false attack patterns place.
  • Fixed the comma issue that appeared when the scan is launched with the Header Authentication.
  • Fixed the internal agent issue in which the scan is stuck after the scan is canceled.
  • Fixed the issue that showed the wrong country flags for country phone codes.
  • Fixed the product name in lowercase for those customers using Turkish Windows OS.
  • Fixed the issue in which the authentication verifier agent is not listed after the time zone is changed.
  • Improved the authentication verifier configuration file to support using the plus (+) for space encoding.
  • Improved the log for the knowledge base report.
  • Fixed the mistaken information on the retestable vulnerabilities.
  • Fixed the fix calculation bug in the Issues API endpoint that occurred when scan(s) are deleted.
  • Fixed the issue that deleted the customization folder in the agent’s folder after the update.
  • Fixed the bug that displayed different method icons on the technical report page.
  • Fixed the bug in sending issues to Mattermost.
  • Fixed the Slack integration issue that failed to send notifications.
  • Fixed the inconsistent discovered website result by handling null values.
  • Fixed a bug that prevented the PCI scan from running ever again if any previous PCI scan failed to start.
  • Fixed the Business Logic Recorder issue that prevented login when there is a custom script for the form authentication.
  • Improved the creation of websites via the Discovery Service to include the port numbers and the URL.
  • Fixed a bug that displayed vulnerabilities without their id on the website and global dashboard page.
  • Fixed WSDL parse issue for non-defined object types.
  • Fixed the null reference exception on HTTP Requester.
  • Fixed the attribute issue that prevented the Discovery Service from running the discovery properly.
  • Fixed the agent stuck issue when the target link scan timeout is detected.
  • Fixed an issue that overwrote TLS settings available in the scan policy when the Ignore SSL Certificate Errors is set to True in the Appsetting.json file.
v2.4.2

Fixes

  • Fixed the Out of version range issue for the scanner agents.
v2.4.1

Improvements

  • Improved the notification rule scope.

Fixes

  • Fixed the user agent version on the request tab of the scan policy.
  • Improved the scan status that running scans will be set as Failed if their Scanner Agent is Not Available or Terminated.
v2.1 19-Aug-2021

NEW FEATURES

  • Added support for creating Teams and Roles.
  • Added SCIM 2.0 API support for improved SSO integration which supports user and group synchronization with popular Identity Providers.
  • Added IBM ALM (Jazz Team Server).

IMPROVEMENTS

  • Improved access control by introducing new, more granular permissions.
  • Improved role assignment for website groups while inviting new members.
  • Improved the performance of issues/allissues API endpoint.
  • Added alternate email address field (if available) to the account/me API endpoint.
  • Added the Account Owner role instead of the Application Administrator role.
  • Added email and SMS filter to the notification.
  • Added an option to fail GitLab CI/CD build for only confirmed vulnerabilities.
  • Added Organization field to GitHub issue tracking integration.
  • Added an option to fail Azure Pipelines build for only confirmed vulnerabilities.
  • Prettified the outputs printed by Azure Pipelines, GitLab, and UrbanCode deploy CI/CD integrations.
  • Added support for committing changes on the tag editors with the TAB key.
  • Updated YouTrack issue tracker integration to use the new API.
  • Improved Splunk integration by sending the issue updates without requiring a new scan.
  • Improved the performance of the Technology Dashboard.
  • Improved the performance of the scans/report endpoint.
  • Updated the look and feel of emails sent.
  • Added Known Issues information to issues while sending to Kenna.
  • Improved the performance of PCI scan reports.
  • Added links to CVE IDs on reports.
  • Issue notes are added to reports which are exported.
  • Added an option to trigger user-defined notifications even for cases in which a user who configured the notification did not launch the scan.
  • Improved the statusCode and errorMessage returned from members/deleteinvitation API endpoint on cases when the invitation is missing.
  • Changed roles/update API endpoint response status code from 201 to 200 to better comply with REST best practices.
  • Added “Override Version Vulnerability Severities” option to Scan Policy > Attacking settings.
  • Improved the error message displayed when a Website Group cannot be deleted due to it being referenced by a notification.
  • Extended the range of digits that can be entered for HOTP and TOTP configuration.
  • Improved data validation for email addresses.
  • Added the Web Storage Exclusion to Ignored Parameters in the Scan Policy.

Deprecated APIs

  • The following APIs have been deprecated:

  • /api/1.0/teammembers/new: renamed to /api/1.0/members/newinvitation.
  • /api/1.0/teammembers/list: renamed to /api/1.0/members/list. The request model has not changed, but the UserListApiResult response model has been replaced with MemberApiModelListApiResult.
  • /api/1.0/teammembers/get: renamed to /api/1.0/members/get. The request model has not changed, but the UserApiModel response model has been replaced with MemberApiModel.
  • /api/1.0/teammembers/getbyemail: renamed to /api/1.0/members/getbyemail. The request model has not changed, but the UserApiModel response model has been replaced with MemberApiModel.
  • /api/1.0/teammembers/update: renamed to /api/1.0/members/update. The request model has changed slightly; the response model is different.
  • /api/1.0/teammembers/delete: renamed to /api/1.0/members/delete. Only the endpoint is changed; request and response are the same.
  • /api/1.0/teammembers/gettimezones: renamed to /api/1.0/members/gettimezones. Only the endpoint is changed; request and response are the same.
  • /api/1.0/teammembers/getapitoken: renamed to /api/1.0/members/getapitoken. Only the endpoint is changed; request and response are the same.

FIXES

  • Fixed an unhandled error that occurs while deleting scans.
  • Fixed an issue where the check state is reset when the search keyword is modified on the Report Policy Editor security checklist.
  • Fixed an issue where multiple Common Weakness Enumeration values were being sent to Kenna Integration.
  • Fixed the incorrect API documentation of roles/listpermissions endpoint.
  • Fixed an issue where form authentication may fail because of credentials being modified when the scan profile is updated.
  • Fixed missing state field on the member API endpoint.
  • Fixed the incorrect email displayed on the audit log when a failed login attempt is logged.
  • Fixed a bug where a team with the same name tried to be provisioned when SCIM integration is used with SSO providers.
  • Fixed the team member APIs by adding the missing CreatedAt field.
  • Fixed an issue where some users with the default View Reports rule cannot see the global dashboard page.
  • Fixed a memory leak that happened while generating PDF reports.
  • Fixed a bug preventing sending PDF and HTML reports via notifications.
  • Fixed a NullReferenceException thrown while calling the scans/new API endpoint.
  • Fixed an error that occurred when a website with tagged issues is deleted.
  • Fixed a page loading issue on the authentication verifier.
  • Fixed the clipped user interface elements on the New User Mapping page when the page widths get narrow.
  • Fixed an issue where the Exclude Authentication Page checkbox does not get updated.
  • Fixed the overlapping logo on reports.
  • Fixed an issue where incremental scans started from CI/CD integrations are using the default profile if there are no scans performed to that website previously.
  • Fixed the Not Found error displayed while testing notifications for Azure Boards integration.
  • Fixed the empty PCI report issue.
  • Fixed random HTTP 500 error thrown from scans/report API endpoint.
  • Fixed missing agent groups when queried using agentgroups/list API endpoint.
  • Fixed an issue where old VDB results are displayed on the known issues tab.
  • Fixed a NullReferenceException.
  • Fixed connection timeout issues.
  • Fixed an issue where an exception was thrown if the agent Helper Service is set to use a different port on Linux machines.
  • Fixed an issue where the issues of a custom security check are incorrectly listed under a different vulnerability on reports.
  • Fixed a scan stuck issue.
  • Fixed scans failing on some systems while scanning TLS 1.3 websites.
  • Fixed an issue where incorrect scan profiles and policies were used while performing group scans.
  • Fixed an issue where the State field of an issue is converted to a numeric value when the state of a revived issue is set to some other state through API.
  • Fixed an issue where an incorrect Affected Version value is reported for an out-of-date vulnerability.
  • Fixed an issue where editing a scheduled scan displays incorrect scan policy, report policy, and agent data.
  • Fixed an issue where a custom vulnerability profile data of a report policy is not retrieved correctly when called from vulnerability/template API endpoint.
  • Fixed the missing LastLoginDate field by adding it back to member API call responses.
  • Fixed pipeline script in Jenkins where two installed scripts do not work together.
  • Fixed notification grouping for persons that are outside of the organization.
  • Fixed integration links under the Continuous Integration System in the New Integration page.
  • Fixed the Linux Auto Updater Version Checking.
  • Fixed SSO login conditions.
  • Fixed a bug that prevents editing report policies.
  • Fixed a bug where the SSO email field appeared although the Alternate Email was not selected.
  • Fixed a bug that prevents some users from tagging issues.

Update to the new version

If you want to update the latest version of Netsparker Enterprise On-Premises, see Updating Netsparker Enterprise On-Premises.

v2.0.2 25-Jun-2021

NEW FEATURES

  • Added GitHub Actions CI/CD integration.
  • Added the Authentication Profiles feature, which lets you define shared authentication settings once and reuse them across many scans instead of configuring Form Authentication separately for every website that uses the same login procedure.
  • Added UrbanCode Deploy integration.
  • Added Azure Pipeline Extensions.
  • Added the ability to tag issues.
  • Added a new Scope option for Scan Groups of Websites when configuring notifications, so that notifications can be scoped to the web applications/APIs under a website.
  • Added a State filter to notifications so that issue states such as Fixed, Revived, and New can be used as filtering options.
  • Added the ability to choose a scan profile when scheduling a scan through the API.
  • Added support for the TLS 1.3 protocol.

IMPROVEMENTS

  • Removed the scan report selection from notification events that do not produce any reports.
  • Added account-based option to display authentication credentials on API responses.
  • Improved time zone calculations to handle new time zones.
  • Improved configuration validation error messages for Privileged Access Management integrations.
  • Added an option to specify a scan profile while scheduling scans through API.
  • Added support for Form Authentication Custom Scripts for cases when a Privileged Access Management integration is used.
  • Added support for 11-digit phone numbers when inviting a new member.
  • Added a field to specify the user’s Single Sign-On email address when creating a new team member using the API.
  • Improved configuration options for Jenkins.
  • Added the option to fail a Jenkins build only for confirmed vulnerabilities.
  • The login process now redirects Single Sign-On users to their providers.
  • Added NIST, DISA STIG, and ASVS classifications to Report Policy.
  • Added support for importing links from multiple RAML files from a ZIP file (include directive support).
  • Improved Azure AD Single Sign-On in-app help text.
  • Removed the Current Password field for admin users (logged in with Single Sign-On) while editing a member.
  • Added the “Maximum URL Rewrite Signature” Scan Policy Crawling option.
  • Improved role assignment for website groups when inviting new members.
  • Added IgnoreSslCertificateErrors option to Docker agent.
  • Improved GitLab CI/CD script failure conditions.

FIXES

  • Added a title to the API field on the Edit Team Member page.
  • Fixed an issue that occurred when updating a scan profile.
  • Fixed an issue where Imported Links were set to null when using the Update Scan Profiles API.
  • Fixed a validation problem.
  • Fixed some Sitemap bugs.
  • Fixed an error caused by a connection problem with the authentication verification hub during scheduled scans.
  • Fixed a problem where a scan with a profile could not be deleted.
  • Fixed the Forgot Password issue for Single Sign-On users.
  • Fixed an issue where the Launch button does not get enabled on the New Scan page after you enable the IAST scanning and download the sensor files.
  • Fixed an issue where a notification that is sent to an external email address was not displayed on the audit logs.
  • Fixed an issue where starting a PCI scan via using API could not start the scan.
  • Fixed an issue where a new notification created via API does not add the specified integration(s) to the new notification.
  • Fixed an issue where a team member was not created in API if the auto-generated password is enabled.
  • Fixed an issue where the custom value of FormAuthPageLoadTimeout was being overridden by its default value.
  • Fixed validation error messages on the Email Settings page.
  • Fixed some of the Swagger API validation errors reported for the REST API.
  • Fixed an agent scan stuck issue while archiving.
  • Fixed a retest problem where some issues could not be retested.
  • Fixed an agent auto-update issue.
  • Fixed an issue with the GitLab integration script where builds were not failing when they were supposed to fail.
  • Fixed an issue where the “Add Attachment Report” section was missing while adding a new notification.
  • Fixed a mismatching type issue on the /scanprofiles/list API response model.
  • Fixed an issue where a failed scan sends an excessive amount of email notifications.
  • Fixed an issue where the Exclude Authentication Page configuration resets when another scan is performed.
  • Fixed agent auto-update issues.
  • Fixed an unhandled ArgumentNullException which causes some authenticated scans to fail.
  • Fixed an error that occurs while trying to mark an issue as false positive.
  • Fixed an internal server error that happens while using the /api/1.0/scanprofiles/update API endpoint for some profiles.
  • Fixed an issue where a deleted issue tracker integration was still keeping the old issue IDs referenced.
  • Fixed an issue where the helper NHS service is unexpectedly terminated on environments with multiple agents running.
7-Jun-2018

IMPROVEMENTS

  • Improved audit logs' contents.

BUG FIXES

  • Fixed an issue in "/scans/new" API endpoint.
  • Fixed an issue where SMTP settings were not persisted as expected.
  • Fixed an issue in IP restriction settings.
  • Fixed an issue where vulnerabilities' request/response details were not displayed properly.
7-Apr-2017

New Features

  • A wizard to help first-time users add a new website and set up a web security scan.
  • Late confirmation of vulnerabilities (vulnerabilities can be confirmed with Invicti Hawk after the scan has finished).

New Security Checks

  • New security check that detects insecure targets in Content Security Policy.
  • Added checks for exposure of trace.axd in ASP.NET applications.
  • New security check for Time Based Server-Side Request Forgery.
  • Added Markdown Injection attack pattern to XSS engine.
  • Added a Code Evaluation check for Apache Struts framework.
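
To make the "insecure targets in Content Security Policy" check concrete, here is an added example (not Invicti's detection code; the exact conditions the product reports are not stated on this page) that parses a CSP header and flags source expressions which let an attacker load or run arbitrary script. It reads the script-src and object-src lists, falling back to default-src the way a browser does, and applies the practitioner's caveat that 'unsafe-inline' is ignored by CSP Level 2+ browsers once a nonce or hash source is present. SAMPLE_HEADER is constructed for the example.

```python
"""Illustrative check for insecure source expressions in a Content-Security-Policy.

Added example; it is not Invicti's detection code. It inspects the directives
that govern executable content and reports entries that make them effectively
open. SAMPLE_HEADER below is constructed for the example.
"""

# Directives whose source list governs executable content; a weak entry here
# undermines the XSS protection CSP is supposed to provide.
EXECUTABLE_DIRECTIVES = ("script-src", "object-src")

# Source expressions that, on their own, make a directive effectively open.
OPEN_SOURCES = {"*", "http:", "https:", "data:", "blob:", "filesystem:"}

# Constructed sample: a mixed policy with one weak and one cleartext script source.
SAMPLE_HEADER = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https://cdn.example.com http://legacy.example.com; "
    "object-src 'none'"
)


def parse_csp(header):
    """Split a policy into {directive: [source expressions]}.

    Directives are ';'-separated and tokens whitespace-separated; per the CSP
    spec only the first occurrence of a repeated directive is honoured.
    """
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def effective_sources(policy, directive):
    """Return the source list a browser would apply to `directive`."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])  # no default-src either: unrestricted


def insecure_targets(header):
    """Return (directive, source, reason) tuples for each insecure entry."""
    policy = parse_csp(header)
    findings = []
    for directive in EXECUTABLE_DIRECTIVES:
        if directive not in policy and "default-src" not in policy:
            findings.append((directive, "(absent)", "no directive and no default-src: unrestricted"))
            continue
        sources = effective_sources(policy, directive)
        # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash
        # source is present, so it is only worth reporting without one.
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
        )
        for src in sources:
            if src == "'unsafe-inline'" and not has_nonce_or_hash:
                findings.append((directive, src, "inline script and event handlers allowed"))
            elif src == "'unsafe-eval'":
                findings.append((directive, src, "eval()/Function() allowed"))
            elif src in OPEN_SOURCES:
                findings.append((directive, src, "any origin of that scheme allowed"))
            elif src.startswith("http://"):
                findings.append((directive, src, "cleartext origin can be tampered with in transit"))
    return findings


if __name__ == "__main__":
    for directive, source, reason in insecure_targets(SAMPLE_HEADER):
        print(f"{directive}: {source} -> {reason}")
```

Running it against SAMPLE_HEADER reports the 'unsafe-inline' entry and the http://legacy.example.com origin in script-src; object-src 'none' is clean. A policy that omits both script-src and default-src is reported as unrestricted, which is the case a scanner most often finds in the wild.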

Improvements

  • Improved Boolean SQL Injection detection.
  • Updated the Local File Inclusion vulnerability classifications.
  • Improved Trace/Track security checks.
  • Improved coverage of XSS engine in redirects.
  • Added policy optimization support for SSRF security checks.
  • Added exploit generation support for "Cross-site Scripting via Remote File Inclusion" vulnerability.
  • Added a specialized parser to parse JavaScript responses better to reduce discovering incorrect links.
  • Improved form authentication logout detection by ignoring the responses of some attacks to prevent incorrect logout detections.
  • Added VDB support to Blind & Boolean SQLi post exploitation.
  • Added support for checking Open Redirection vulnerability on Refresh response header.
  • Added the XPath information of the element that causes the DOM XSS vulnerability.
  • Added "Sub Path Max Dynamic Signatures" setting for Heuristic URL Rewrite detection.
  • Added a JavaScript scan policy option to reduce triggered event count during the simulation.
  • Added a JavaScript scan policy option to exclude HTML elements such as logout buttons from event simulation by CSS selectors.
  • Added checks for vulnerabilities which sink into window.name capability for DOM XSS security checks.
  • Improved the coverage of the Local File Inclusion engine so the vulnerability can be found in a full URL attack.
  • Changed severity numbers' style on scan result pages.
  • Added support for editing scan time window settings for running scans.
  • Highlighted special fields of vulnerability notes on the scan report page.
  • Settings of completed scans are automatically applied to new scans when a user launches a new scan from the recent scans page or scan report page.
  • Improved notifications email templates.
  • Improved help text by adding netsparker.com article links to relevant sections.
  • Improved input validation for request rate limit settings on the scan policy page.
  • Added support for remembering previously entered filters on list pages.
  • Allowed users to select the CSV separator when exporting scan reports.
  • Added support to allow users to re-verify logout settings on the form authentication verification dialog.
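
The Refresh-header open redirection item above is worth illustrating, since most redirect checks only look at Location. The following is an added example, not Invicti's own check: it parses the Refresh header in the forms browsers accept, decides whether the target leaves the scanned origin, and reports when a canary URL injected into a request comes back as the navigation target. The headers, the target host app.example.com and the canary URL https://canary.example/ are all constructed for the example.

```python
"""Illustrative check for open redirection via the Refresh response header.

Added example; this is not Invicti's own check. A "Refresh: 0; url=..." header
makes the browser navigate exactly like a Location header, so a parameter value
reflected into it is an open-redirect sink. TARGET_HOST, CANARY_URL and the
header sets below are constructed assumptions for the example.
"""
import re
from urllib.parse import urlsplit

TARGET_HOST = "app.example.com"          # assumed scan target
CANARY_URL = "https://canary.example/"   # constructed attacker-controlled URL

# Refresh syntax as browsers accept it: "N", "N; url=X", "N;URL='X'", "N, url=X".
_REFRESH = re.compile(
    r"^\s*(\d+)\s*(?:[;,]\s*url\s*=\s*['\"]?([^'\"]*)['\"]?)?\s*$", re.IGNORECASE
)


def parse_refresh(value):
    """Return (delay_seconds, url) for a Refresh header value, or None if malformed."""
    m = _REFRESH.match(value)
    if not m:
        return None
    return int(m.group(1)), (m.group(2) or "").strip()


def is_external(url, target_host):
    """True when navigating to `url` leaves the target origin.

    Protocol-relative URLs (//evil.example) count as external, and non-HTTP
    schemes such as javascript: are treated as external because they are at
    least as dangerous as a redirect.
    """
    parts = urlsplit(url)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return True
    host = (parts.hostname or "").lower()
    return bool(host) and host != target_host.lower()


def refresh_open_redirect(headers, canary_url=CANARY_URL, target_host=TARGET_HOST):
    """Given the response headers to a request that injected `canary_url`,
    return True when a Refresh header would send the browser to the canary host."""
    canary_host = (urlsplit(canary_url).hostname or "").lower()
    for name, value in headers:
        if name.lower() != "refresh":
            continue
        parsed = parse_refresh(value)
        if parsed is None:
            continue
        _, url = parsed
        target = (urlsplit(url).hostname or "").lower()
        if is_external(url, target_host) and target == canary_host:
            return True
    return False


# Constructed responses to a request that sent ?next=<CANARY_URL>.
VULNERABLE = [("Content-Type", "text/html"), ("Refresh", "0; url=https://canary.example/")]
QUOTED = [("Refresh", "0;URL='https://canary.example/'")]
SAFE = [("Refresh", "0; url=/login?next=https%3A%2F%2Fcanary.example%2F")]

if __name__ == "__main__":
    for label, hdrs in (("vulnerable", VULNERABLE), ("quoted", QUOTED), ("safe", SAFE)):
        print(label, refresh_open_redirect(hdrs))
```

The SAFE case shows why the check compares hosts rather than searching for the canary string: the canary survives as a query parameter of a same-origin path, which is not a redirect. Userinfo tricks such as https://app.example.com@evil.example/ are handled because urlsplit reports the real host.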

Bug Fixes

  • Fixed several issues related to DOM parsing and simulation.
  • Fixed a NullReferenceException thrown by HTTP Methods checks.
  • Fixed a StackOverflowException caused by JSON responses with too many nested elements.
  • Fixed Proof of Concept generation during post exploitation for time based SQLi checks.
  • Fixed a NullReferenceException while confirming a Boolean SQLi vulnerability.
  • Fixed an issue where scan is paused when an additional host is unreachable.
  • Fixed typos in CSP vulnerability templates.
  • Fixed an issue where ignored emails are still reported as knowledge base issue.
  • Fixed an issue where source code disclosure is reported in JS and CSS files.
  • Fixed a SQL exploitation issue where executing a query that expected an integer result failed on PostgreSQL databases.
  • Fixed a Text Parser issue where single quote characters were being captured as part of links.
  • Fixed the incorrect path disclosure caused by the Shellshock attack.
  • Fixed missing SSRF proofs under Proofs knowledge base.
  • Fixed incorrect encoded parameter names for multipart/form-data forms.
  • Fixed a recrawling performance issue in DOM XSS checks on websites with many links.
  • Fixed the incorrect CR LF encoding issues on proof URLs.
  • Fixed DOM Parser clearInterval JavaScript function simulation.
  • Fixed an issue where a stored XSS vulnerability was reported in the XHR response rather than in the page that makes the XHR request.
  • Fixed an issue where Boolean SQL Injection vulnerability is missed due to crawled parameter value.
  • Fixed an issue where reflected XSS vulnerability is missed because the reflected payload is HTML encoded in an attribute.
  • Fixed an issue where Text Parser does not handle the same referenced JavaScript in different files.
  • Fixed an issue where timezone is not being set correctly when a validation error occurs on the signup page.
  • Fixed a filtering issue on the Manage Team page.
6-Mar-2018

NEW FEATURES

  • New plugin for integration with TeamCity.
  • New plugin for integration with Jenkins.
  • Added IP Address Restrictions.

IMPROVEMENTS

  • Improved XML and date samples displayed in API documentation.
  • Improved input validation in the reporting page.
  • Improved on-premises installation document for customers using load balancer.
  • Renamed FogBugz integration to Manuscript.
  • Improved validation of custom cookies.
  • New scans launched outside the scan window are automatically queued.
  • Increased character limit for website name.
  • Added more details to scanner agent's startup log.
  • Improved installation error message of internal scanner agent.
  • Improved vulnerability request/response data page performance.
  • Improved the navigation of issues and scans.
  • Improved validation of custom 404 settings in the Scan Policy.
  • Added a "Copy to Clipboard" button for cURL samples in API documentation.
  • Improved API documentation to show request details.
  • Changed date/time format from 24-hour clock to 12-hour clock.

BUG FIXES

  • Fixed HTTP response data that was not displayed correctly for stored XSS vulnerability.
  • Fixed the GitHub integration, which was not working due to a TLS 1.2 connectivity problem.
  • Fixed an issue where the loading icon did not render correctly in IE11.
  • Fixed a font size problem in the PCI DSS reports.
  • Fixed the info messages that were not fitting on the screen at small resolutions.
  • Fixed an issue in which scan profiles could be created with the same name.
  • Fixed a bug with website verification emails which were not being sent.
  • Fixed a bug with vulnerability counts in HIPAA and PCI DSS compliance reports.