Release Notes

Invicti Enterprise On-Premises

RSS FEED

22-Jun-2020

COPY LINK

NEW FEATURES

Added Mattermost integration
Upgraded the Invicti scanning engine to version 5.8.1.27665
Added API support for the Discovery service

NEW SECURITY CHECKS

Added a new vulnerability for Same Site Cookies that are set to None and not marked as secure

IMPROVEMENTS

Added support for Admin users to log in with Invicti Enterprise credentials when SSO is enforced
Added extra information about issues to the Jira Integration
Added control for Target Url field to disable Scan Settings if it's empty
Added Timezone information to Scan Time Window section in the New Scan window
The Invicti API icon has been changed on the Integrations window
Added Manage Issues (Restricted) to the Permission Matrix
Added a Website Groups filter to the New Team Member window
Added a notification for Login Failed situation during scans
Added a Website Group filter to the Recent Technologies window

FIXES

Fixed the More information link in the New Website window
Fixed a bug where email notifications about Technologies were not being sent as expected
Fixed an issue where date filters were not working as expected
Fixed a bug in the website authentication process in the GitLab integration
Fixed an issue where the Internal Agent automatic update process was hanging
Fixed an issue in scans that are exported from Invicti Standard into Invicti Enterprise
Fixed an issue where Mark as Read was not working in Application Notifications
Fixed a bug where Imported Links and files were not returned for ongoing scans on the '/scans/list-scheduled' API endpoint
Fixed a bug that occurred when adding an internal website in the '/websites/new' API endpoint
Fixed an issue where Excluded Path was not saved in the Scan Profile save action
Fixed an issue where Preferred Agent was not saved in the Scan Profile save action
Fixed an issue where issue counts were duplicated in the Annual issue chart

28-Apr-2020

COPY LINK

NEW FEATURES

Added support for U2F (Universal 2nd Factor Authentication)
Added support for disabling API Access for a Team Member
Added issue synchronization support for Azure DevOps
Added a new Form Validation Errors node to the Knowledge Base panel, and to scan reports
Added CVSS 3.1 support, to help with vulnerability scores
Added a new Query Parameters checkbox to the Parameter-Based Navigation section of the Crawling tab in the Scan Policy Editor
Added support for sending scan reports as email attachments on scan completed notification
Upgraded the Invicti scanning engine to version 5.7.2.27798

IMPROVEMENTS

Improved Integration categories and New Integration pages to provide a better user experience
Added support for Windows Authentication (Integrated Security) for database connections (On-Premises only)
Updated the Terms of Service page
Added Technical Contact information to the 'websites/list' API endpoint
Added start-end date filters to the '/scans/listbystate' and '/auditlogs/export' API endpoints
Added an 'excludeAddressedIssues' filter to the '/scans/report/' API endpoint
Added a Failure Reason option to the Reason filter for failed scans
Added additional help text to the Issues' Detail window for groupable issues
Added support for Admin users to manage their Team Member's Report Policies
Added Profile ID information to the response of the '/scans/detail' API endpoint

NEW SECURITY CHECKS

Added a Login Page Identifier security check
Added a Content Delivery Networks (CDN) security check
Added a Reverse Proxies security check

BUG FIXES

Fixed a bug where issue counts were not returned for ongoing scans on the '/scans/detail' API endpoint
Fixed an issue where validation errors were shown for custom cookies
Fixed an issue where Technologies were not reported if a scan was completed in a short time
Fixed a browser compatibility issue that occurred while testing OAuth2 credentials
Fixed a bug where the Scan Time Window settings were not applied in Scheduled Incremental scans
Fixed an issue where pre-request scripts were not being sent to the scanner as expected
Fixed an issue where preferred Agent Group was not populated in the New Scan window
Fixed a bug where JavaScript settings were not set as expected for optimized Scan Policies

25-Feb-2020

COPY LINK

NEW FEATURES

Added a new Sitemap section to scan reports which shows crawled URLs and identified issues
Added a new in-app notification section called What's New which informs for important announcements
Added out of the box issue tracking integration for Freshservice, YouTrack, and Splunk
Added facility to send New Scan notifications using the Microsoft Teams integration
Added Pre-Request Script feature which helps to configure HMAC Authentication on New Scan page (On-Premises only)
Added new API endpoints for managing technologies
Upgraded the Invicti scanning engine to version 5.6.3.27318

IMPROVEMENTS

Redesigned Scan Summary section on Scan Report page
Improved scan queue scheduling process which prevents multiple scans with same settings to be queued
Improved Out-of-Date technologies email template for mobile clients
Improved rendering for large fields on the scan report template
Improved help text for Enable/Disable Agent actions on Manage Agents page
Security Check Groups are now arranged into sub-groups in the New Scan Policy
Set current user as the default technical contact on New Website page

NEW SECURITY CHECKS

Added version disclosure and out-of-date checks for Telerik Web UI
Added detection and out-of-date checks for Java and GlassFish

BUG FIXES

Fixed a bug where filtering is not working as expected on the Report Policies page
Fixed an error that was thrown during generating the Mod Security WAF Rules Report
Fixed an issue where testing basic authentication credentials were not working as expected

17-Jan-2020

COPY LINK

NEW FEATURES

Added out of the box issue tracking integration for Kenna
Added OTP support to the Form Authentication tab in the New Scan window
Added filtering support to the New Notification window, which means you can filter the issues that will be sent for a Scan Completed event
Upgraded the Invicti scanning engine to version 5.5.4.26863

IMPROVEMENTS

Added a new setting, Max Uploaded File Size, to the General Settings window (On-Premises only)
Improved the UI design of the Scan Summary section on the Report window
A Time Zone option has been added to the Scan Time Window tab
Improved the Azure DevOps integration to support email addresses for the Assigned To setting
Improved the Scan Completed event template's SMS notification text
Added an About page to display VDB and app versions, available by clicking your name (On-Premises only)
Added the ability to filter using Website Group names for various API endpoints
A detailed error message is now displayed if an imported file is invalid
Improved GitHub integration to support the GitHub Enterprise edition

BUG FIXES

Fixed an issue where Imported Links were not being saved when the Target URL was empty
Fixed an issue where all proofs were not displayed for Stored Cross-Site Scripting vulnerabilities
Fixed a bug where the 'Do not stop scan when maximum logout is exceeded' setting was not working as expected

2-Dec-2019

COPY LINK

NEW FEATURES

Introduced Technologies feature which finds and lists the technologies used in web applications and reports on problems
Added out of the box issue tracking integration for PagerDuty, Clubhouse, Trello, Asana, Webhook, Microsoft Teams, and CircleCI
Added new API endpoints for managing Team Members and listing Activity Logs
Added a new Scan Profiles page in the Scans menu
Added a new Comments box to the New Scan window, accessible while launching scans
Added facility to send New Scan notifications using the Slack integration
Upgraded the Invicti scanning engine to version 5.5.1.26518

NEW SECURITY CHECKS

Added a new Security Check – HTTP Parameter Pollution (HPP)
Added a new Security Check – BREACH Attack Detection
Added Out-of-Date checks for Ext JS
Added Oracle Cloud and Packet Cloud SSRF attack patterns
Added a Web Cache Deception engine to the list of Security Checks
Added a new XXE pattern for detecting the Axway SecureTransport 5.x XXE vulnerability
Added new attack patterns for DOM based XSS
Added new attack patterns for Remote Code Execution in Ruby
Added new attack patterns for Out-of-Band Remote Code Execution in Ruby
Added new attack patterns for Remote Code Execution in Python
Added new attack patterns for an Open Redirect security check
Added an email validation bypass payload for XSS
Added a header injection XSS pattern
Added a security check to determine whether an HTTP website has been implemented with SSL/TLS
Added a security check for File Content Disclosure in Ruby on Rails by exploiting an Accept header
Added mutation XSS patterns
Fixed the SSRF confirmation problem
Added Apple’s App-Site Association file detection
Added exploitation support for File Content Disclosure in Ruby On Rails, CVE-2019-5418
Added new LFI attack patterns for the access.log file
Added support for exploiting JSONP endpoints with the format parameter in Ruby On Rails
Added support for detecting Python Remote Code Execution
Added RFC compatible SSRF IPv6 patterns
Improved the Apache Struts (CVE-2013-2251) attack pattern
Added PHP Injection Fixed One Time Referrer attack
Updated the attack value of the PHP Injection Fixed One Time Attack pattern to use short notation instead of the print function
Improved the Regex pattern of the WebLogic Version Disclosure pattern
Added a PoC pattern for Apache Struts (CVE-2013-2251)
Added Out-of-Date checks for the Slick JavaScript library
Added Out-of-Date checks for the ScrollReveal JavaScript library
Added Out-of-Date checks for the MathJax JavaScript library
Added Out-of-Date checks for the Rickshaw JavaScript library
Added Out-of-Date checks for the Highcharts JavaScript library
Added Out-of-Date checks for the Snap.svg JavaScript library
Added Out-of-Date checks for the Flickity JavaScript library
Added Out-of-Date checks for the D3.js JavaScript library
Added Out-of-Date checks for the Google Charts JavaScript library
Added Out-of-Date checks for the Hiawatha and Cherokee server
Added Out-of-Date checks for the Oracle WebLogic server
Added Out-of-Date check for IIS
Added Version Disclosure detection for the Hiawatha Server
Added Version Disclosure detection for the Cherokee Server
Added Source Code Disclosure checks for Java Servlets
Added Source Code Disclosure checks for Java Server Pages
Added New Source Code Disclosure patterns for Java
Added detection for .htaccess file Identified
Added detection for Opensearch.xml files
Added detection for SQLite error messages
Added detection for security.txt files
Added detection for swagger.json files
Added detection for Open Search files

IMPROVEMENTS

Added the ability to create custom fields for ServiceNow integration
Added auto-detection of the Time zone during the sign up process
Improved Jira integration to support raw values for complex custom field types
Added a new format option to the Date and Time Format dropdown in the Change Account Settings window
Improved the text in Email Notifications
Improved the Category field's option names in the New ServiceNow Integration window
Improved the Issue template for Azure DevOps integrations
Added capability to add User Mapping for hosted Jira systems
Added more details to the CSV report which can be generated from the Activity Logs window
Added ongoing scan information for the target agent in the Manage Agents window
Added the capability to disable the Maximum Scan Duration field in the New Scan window (On-Premises only)

BUG FIXES

Fixed an inaccurate warning message that was displayed when canceling a scan
Fixed an issue where the Technical Contact was not set as expected in the Edit Website window
Fixed an issue where a website could not be added if the target URL contained a hyphen character
Fixed an issue where the configured Scan Profile was not used in Azure DevOps integrations
Fixed various browser compatibility issues with Safari
Fixed a bug where validation was not working as expected for the Hawk settings in the Scan Policy window

13-Sep-2019

COPY LINK

NEW FEATURES

Added support for using internal agents along with AWS cloud integration (On-Premises only)
Added out of the box Issue tracking integration for Redmine, Bugzilla and Kafka
Added support for bulk operations on the Recent Scans page. It's now easier to cancel, pause, or delete multiple scans at the same time.
Added new API endpoints for managing agents
Added an option to change the Technical Contact for each website in a group in the Edit Website Group page
Added support for exporting data on Activity Logs and Manage Team pages
Added the ability to convert a completed scan into a Scheduled Scan
Upgraded the Invicti scanning engine to v5.3-hf7(5.3.0.24998)

NEW SECURITY CHECKS

Added a new security engine named Malware Analyzer which detects any web malware injected into websites (Scanner Agent's operation system should be Windows Server 2016 or above)

IMPROVEMENTS

Improved support for scenarios where OAuth2 is used in conjunction with Basic Authentication
Improved the status text displayed for delayed scans
Set the account owner's Data and Time Format as the default for new team members
Added Scan Owner information to various scan reports and API endpoints
Improved the response message for the /scans/delete API endpoint
Added all issue content to the /issues/allissues API endpoint
Added a Mark all as Read option for notifications that are shown inside the application on the Application Notifications page
Added Technical Contact information to files exported from the Websites page
Added Vulnerability Severity Level for the selected issue in the Technical Report
Upgraded Bootstrap, jQuery and Knockout.js dependencies to the latest versions
Added Create Invitation (team member invitations) into the Activity Log
Improved the API docs by adding sample values for request and response messages
Added support for filtering by Target URL to the /scans/listbywebsite API endpoint
Added a Clone option to the Scheduled Scans page

BUG FIXES

Fixed a bug where agents were sometimes hanging after failed API requests
Fixed an issue where the Technical Contact was not displayed for non-Admin users on the New Website page
Fixed an issue where an incorrect error message was shown during the configuration of a Scheduled Scan
Fixed a problem on the JIRA webhook where the JSON could not be serialized as expected
Fixed an issue where a Scan Policy could not be used on a scanner agent if it had a long name
Fixed a bug where the Authentication Verifier was sometimes hanging if an internal exception was thrown (On-Premises only)
Fixed the default value for the Agent Data Path setting (On-Premises only)
Fixed a bug where two-way Jira integration was not working as expected in retest scenarios
Fixed an issue where a cancelled PCI scan could not be deleted
Fixed an issue where a web application could not connect to a newly-created SQL Server database immediately (On-Premises only)
Fixed a bug where scans launched via JIRA integration were sometimes not starting with the configured Scan Policy
Fixed an issue where the temporary Scan Policy file was not deleted on scan completion on the scanner Agent

Known Issues

Automatic updates may fail for the On-Premises scan agents with an error message in the agent's log: 'Agent couldn't find AgentAutoUpdater.exe'. To resolve this issue, first upgrade the Invicti Enterprise Web Application and copy the '[Web App Installation Folder]App_DataAgentsAgentAutoUpdater.exe' file to the folder where the target Agent is installed. If you need further help, submit a ticket through our Help Center.

14-Jun-2019

COPY LINK

IMPROVEMENTS

Added scan owner information to scan results and reports
Improved Internet Explorer support on several pages
Added a new option for disabling the Long running scan notification to General Settings (On-Premises only)
No longer reporting Missing X-Frame-Options header in redirect responses
No longer reporting Missing X-XSS protection on redirect responses
No longer reporting CSP Not Implemented for redirect responses
No longer reporting Referrer Policy Not Implemented for redirect responses

BUG FIXES

Fixed an issue where the Target Website could not be deleted
Fixed an issue where the Preferred Agent in Scan Profile could not be changed
Added several fixes for OAuth2 Authentication
Fixed a bug where Invicti might mistakenly report some cookies as Not Secure
Fixed an issue where connection problems on the Target Website were causing high CPU usage

14-May-2019

COPY LINK

NEW FEATURES

Added auto update support for scanner agents
Improved the Manage Agents page to support filtering and allow the running of commands
Added notifications section to top bar. It displays application specific notifications such as updates and background jobs
Added new API endpoints for managing issues
Added a Do not differentiate HTTP and HTTPS protocols option to the Scan Scope tab's settings
Added OAuth2 Authentication support
Added a new Best Practice severity level for vulnerabilities that are recommended practices but not critical
Added an option to report only confirmed issues while generating reports
Added an option to exclude addressed issues while generating reports
Added F5 WAF rule generation
Added RESTful API Modeling Language (RAML) link import support
Added the ability to exclude certain URLs from URL Rewrite Detection
Added support for importing links from WordPress REST API files
Added a Scan Policy for OWASP Top 10 vulnerabilities
Added a Scan Policy for PCI vulnerabilities

NEW SECURITY CHECKS

Added new XSS pattern that injects the attack payload into the HREF attribute
Added support for exploiting Drupal Remote Code Execution (CVE-2019-6340)
Added a Unicode Transformation (Best-Fit Mapping) security check
Added detection for possible Header Injections
Added out-of-date detection for Oracle Database Server
Added out-of-date detection for Mithril
Added out-of-date detection for ef.js
Added out-of-date detection for Match.js
Added out-of-date detection for List.js
Added out-of-date detection for RequireJS
Added out-of-date detection for Riot.js
Added out-of-date detection for Inferno
Added out-of-date detection for Marionette.js
Added out-of-date detection for GSAP
Added a config.json check to the Resource Finder
Added detection support for TS Web access
Added detection support for .travis.yml

IMPROVEMENTS

Improved the Import Links section on the Imported Links tab on the New Scan page. Now imported links can be viewed immediately after the target file is uploaded.
Added CreatedAt and UpdatedAt fields to WebsiteGroup API endpoints
Improved the responsive design for several pages
Changed some wording for vulnerability details to use same wording as Invicti Standard
All clicked external links now open in a new window
The Target website URL cannot also be added as an Additional Website on the New Scan page
New logo has been added to the top bar
Improved Resource Finder step on the Scan Policy Optimization Wizard
Jira issues are now assigned to the person who started the scan
Improved the queue performance for scans running on cloud scanner agents
Improved the layout for reports where no vulnerabilities are detected
Added a new Manage Issues (Restricted) permission, which disallows marking issues as Accepted Risk or False Positive
Added Reporter (account id type) to the JIRA integration page
Updated SSRF ipv6 pattern names
Improved Scan performance by allocating computer resources better
Added XXE, File Upload, SSL, RFI, ELI, XSS via RFI vulnerabilities into vulnerability families
Added a description that explains why only 10 pages are reported on the Slowest Pages node in the Knowledge Base
Updated Code Evaluation (PHP) attack patterns
Improved DOM Simulation performance and fixed several issues
Improved React JavaScript framework support on Form Authentication
HTML Select elements without event listeners are simulated in DOM Simulation
The File Upload engine searches newly discovered file names in the upload response and in the upload folders
Improved operating system detection by the Site Profile node in the Knowledge Base
Added support for attacking the name of POST parameters
Improved the External References for several vulnerabilities
Added ISO 27001 information to the Executive Summary Report
CSP vulnerabilities will no longer display a 'certainty' value if they are already marked as Confirmed
Fixed an issue in DOM Simulation where the change of select elements was not being properly dispatched to the underlying JavaScript framework
Added support for exploiting XSS in text and XML content types
Out of Date SQL vulnerabilities are reported as Confirmed
Added a Cookie Whitepaper reference to cookie vulnerability templates
Added External References to ExpressJS, CakePHP and Possible Stored XSS templates
Improve grammar in Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability details
More commands are executed in the Code Evaluation exploitation to generate proofs
References to 'Manuscript' have been replaced with 'FogBugz'
Improved RFI confirmation for URL Rewrite parameters
Improved signatures of Nginx Version Disclosure patterns
Optimized the attack speed of XSS and LFI engines
Added extra information to Out-of-date vulnerability templates to explain the vulnerability reason
Cookie checks will analyze session cookie names to detect platform-specific default session names
Stored XSS and Insecure Frame Default Report Policy vulnerability descriptions have been improved
Added a Jira Account ID field for Jira Send To Action to assign issues to a user, since the JIRA Api does not accept the username

BUG FIXES

Notifications tab appears empty when the Target URL is not selected on the New Scan page
Removed client side console logs from several pages
Fix the issue where the Preferred agent was not being set as expected for the selected scan profile on the New Scan page
Fixed an issue where the Discovery Settings page was not working properly for low resolution views
Fixed an issue where the Authentication Verifier was not capturing authentication settings
Fixed a bug where the default Scan Completed notification was overwriting the custom JIRA notification
Fixed a bug where PDF reports were not generated on the tryout console on the API docs page
Removed the Contains filter option for numeric fields
Fixed an issue where scans configured with a Scantime Window were blocking other scans
Removed the redundant ReportType parameter and added a ReportFormat parameter to the CustomReport API endpoint
Fixed a bug where ordering Issues using the Last Seen column was throwing an exception on the Issues page
Fixed a validation issue in the Header Authorization settings in the New Scan page
Fixed an issue where DOM simulation might conflict with some JavaScript frameworks
Fixed the garbled configuration sample in the Remedy section of the HSTS Policy Not Enabled vulnerability
Fixed an issue where an extra ampersand was appended to the query string while generating the URL of a Swagger imported link
Fixed an XmlException that was thrown while trying to parse a sitemap.xml response that is not found
Fixed a GZip decoding issue that occured while decoding a compressed sitemap.xml
Fixed a stuck scan issue on websites using the React JavaScript framework
Fixed a Postman file importing issue where the response was not base64 encoded
Fixed a NullReferenceException thrown while checking mutations on DOM
Fixed the incorrect URLs that were added during the DOM simulation for forms without action attributes
Fixed the issue where the SameSite cookie vulnerability was reported for cookies that were missing Lax or Strict attributes
Fixed an issue where JavaScript file parsing was taking longer than expected on some occasions
Fixed the issue where the incorrect severity was reported for the Cookie not Marked as Secure vulnerability of a non-session cookie
Fixed HTTP 400 errors raised by the ServiceNow Send To integration
Fixed an issue in the CSP engine where the 'strict-dynamic' directive was reported as an unsupported hash
Fixed incorrect nonce detected without matching script block vulnerability
Fixed a DOM simulation issue where the passed element to call the setTimeout function was being ignored
Fixed an issue that caused FP Insecure Reflected Content to be reported
Fixed the issue where brute-force attacks were carried out regardless of the Authentication Type
Fixed the issue where the LFI vulnerability confirmation patterns did not match the response returned from a Linux server
Fixed the value of double encoded null byte in LFI and XSS attack patterns
Fixed an issue in the Swagger importer where the parameter declared on the path level was not recognized
Fixed an issue in the LFI engine where the confirmation payload was appended to the attack payload
Fixed the value of the double encoded null byte in the Header Injection pattern
Fixed the encoding of the % sign in the base64 payload in XSS attacks
Fixed the attack payload in the PHP Injection Fixed One Time Attack pattern
Fixed the encoding issue in the SQL Injection confirmation attack
Fixed an issue where the cookies that were set in the JavaScript context during Form Authentication were not properly captured
Fixed an issue where the Max Simulated Elements option was causing the simulation to hang
Fixed an uncaught TypeError that was caused by Max Option Elements checks and causing the simulation to hang
Fixed an issue where an incorrect Subresource Integrity (SRI) Hash Invalid vulnerability was reported because of a hash miscalculation

20-Feb-2019

COPY LINK

BUG FIXES

Fixed an issue with setting up a new Team Member when SSO was enforced.
Fixed an issue which was occurring during re-installing previously terminated agent.

5-Feb-2019

COPY LINK

NEW FEATURES

Added support for merging accounts (On-Premises only). This will move all resources (Users, Websites, etc.) into the selected master account and delete all other accounts.

IMPROVEMENTS

Account Owner or users with Administrator permission can now delete other Team Members' policies.
Updated some third-party libraries to the latest version.
Added OWASP 2017 classification data to the Executive Summary report.
SSO Enforcement has been disabled for users with Administrator permission (On-Premises only).

BUG FIXES

Fixed an issue where a JavaScript setting was not set as expected on the New Scan Policy page.
Fixed an issue that was thrown when deleting an account.
Fixed a bug where it was not possible to configure country code top-level domain (co.uk, com.tr, etc.) on the Discovery Settings page.

17-Jan-2019

COPY LINK

NEW FEATURES

Added issue synchronization support for Jira and Manuscript issue trackers
Added notification support for Fixed, Revived, False Positive and Accepted Risk Issues to Slack integration
Upgraded the Invicti scanning engine to v5.2-hf2 (5.2.0.22027)
Added a new Vulnerability Families feature, where similar types of vulnerabilities are no longer reported separately
Added out of the box Issue tracking integration for GitLab, Bitbucket, Unfuddle, Zapier, and Azure DevOps
Added support for Swagger 3/OpenAPI link import
Added support for importing links in the IOdocs file format
Added Retest support for several Cookie vulnerabilities
Added a new Knowledge Base item for Not Found pages
Added ISO 27001 vulnerability classifications and report template
Added custom field support for Issue tracking integrations
Added Azure DevOps Continuous Integration system integration
Added PowerShell support to the Gitlab Continuous Integration system integration. The Gitlab page now has Integration Script Generator information for Gitlab PowerShell scripts.
Added Pipeline Script Generation support to Jenkins Continuous Integration system informtion. The Jenkins page now has Integration Script Generation information for Jenkins Pipeline scripts.

NEW SECURITY CHECKS

Added a new pattern for CherryPy Version Disclosure
Added an LFI attack pattern for WEB-INF/web.xml
Added Ruby Error Disclosure detection
Added WP Engine Configuration File detection
Added CherryPy Stack Trace Disclosure detection
Added Intro.js Out-of-date Version detection
Added Axios Out-of-date Version detection
Added Fingerprintjs2 Out-of-date Version detection
Added XRegExp Out-of-date Version detection
Added DataTables Out-of-date Version detection
Added Lazy.js Out-of-date Version detection
Added FancyBox Out-of-date Version detection
Added Underscore.js Out-of-date Version detection
Added Lightbox Out-of-date Version detection
Added JBoss application server Out-of-date Version detection
Added SweetAlert2 Out-of-date Version detection
Added Lodash Out-of-date Version detection
Added Bluebird Out-of-date Version detection
Added Polymer Out-of-date Version detection

IMPROVEMENTS

Added Content Security Policy (CSP) to the Invicti Enterprise web application
Changed enum values to display in alphabetical order in the Value column in the Filter popup
Added an Audit Log for Rate Limited requests
Highlighted selected option for JavaScript section on the New Scan Policy page
Highlighted relevant tabs for validation errors on the New Scan Policy page
Improved the Report Policy page to make it more responsive and added a scroll bar
Improved help text for Application and Service Discovery pages
Added a Check/Uncheck by Severity filtering option on the Report Policy page
Added PHP extension attack for Nginx vulnerability to the File Upload engine
Added File Upload patterns for the Nginx Parsing vulnerability
Added settings to the File Upload engine for configuring upload folders
Added errorlog.axd detection support
Improved elmah.axd detection
The severity of the Cookie Not Marked as Secure vulnerability was lowered for non-session cookies
Improved SSTI PHP Smarty attack detection
Improved the Swagger link importer to handle additional properties with integer and string value types
Improved the Expect-CT engine by only reporting a vulnerability once for each host
Improved RSA key confirmation by handling OpenPGP format
Increased the HSTS Not Enabled vulnerability severity from Information to Low
Improved HTTP 407 Proxy Authentication error handling
Added classifications to the HSTS Not Enabled vulnerability
Excluded unpopular JavaScript Library Out of Date checks from the default policy to improve performance
Improved CSP security checks by analyzing empty responses, as CSP can be declared on headers instead of meta tags
Generalized the RegEx Pattern of the trace.axd detected vulnerability to match all languages
Improved JSON format detection
Replaced Unicode replacement characters with question marks in responses
Added a Scan Policy option to attack cookies
Improved element click DOM simulation for various element types
SRI Not Implemented will no longer be reported for localhost URLs
Improved ASP.NET error message detection
Added descriptions to PCI categories in the PCI Compliance Report
Improved Boolean SQL Injection detection
Improved the Blind Command Injection attack patterns
Improved the representation of Report Template compilation errors
Misconfigured X-Frame-Options Header is now reported separately
Improved Source Code Disclosure checks to prevent the reporting of JavaScript template pages
Status Code, Status Description and Content Length information have been added to the Slowest Pages node in the Knowledge Base
Improved WADL document parsing by ignoring DTDs
Improved Open Redirect DOM based confirmation performance
Long identified source code is shortened in Possible Source Code Disclosure vulnerabilities
Cookie vulnerabilities report where the cookie is set from
Improved Swagger Document Format detection
The file upload engine now detects new links in the response after the file is uploaded

BUG FIXES

Fixed the issue where Authentication did not work when retesting
Fixed the issue where the Swagger importer generated an invalid JSON request body
Fixed the ArgumentException thrown while performing Heartbleed security checks
Fixed the issue where the wrong version was identified for Drupal
Fixed a disallowed HTTP method issue where some methods were still being allowed
Fixed a typo in the CSP Not Implemented vulnerability details
Fixed a Form Authentication issue that occured on some React-based websites
Fixed signature detection for links found via the crawler
Fixed an issue in the CSP engine where it reported an incorrect vulnerability
Fixed a URL encoding issue in DOM simulation that was causing some vulnerabilities to be missed
Fixed the issue where the text parser incorrectly parsed extensions in the onclick event
Fixed duplicate parsing source field values reported for IFrame vulnerabilities
Fixed an issue where Apache MultiViews could not be detected in the target server
Fixed the incorrect Cookie Expire Date set during Form Authentication
Fixed the incorrect Source Code Disclosure report caused by SSTI attacks
Fixed a Content-Type parsing issue in Form Authentication
Fixed the issue where cookies received via Form Authentication were not being analyzed for vulnerabilities
Fixed the incorrect Source Code Disclosure reported when an XSS via RFI vulnerability was found
Fixed a bug in cookie handling code during Form Authentication
Fixed the incorrect severity reported for the Cookie not Marked as Secure vulnerability on some scans
Fixed an ArgumentOutOfRangeException thrown on some long scans

26-Nov-2018

COPY LINK

NEW FEATURES

Added Application/Service Discovery feature
Added out of the box integration for GitLab CI
Added custom recurrence options to Scheduled Scans to support advanced scheduling scenarios
Added support for downloading internal scanner agents on Manage Agents page (On-Demand only)
Added raw text option to Import Websites page

IMPROVEMENTS

Improved colors for the app menu to follow WCAG guidelines
New scheduled scans are not added to the queue if a delayed one already exists
Improved validatation for SSO configuration pages
Updated EULA and TOS pages
Added support for deleting agents on the Manage Agents page
Readjusted API rate limits
Added a Data Protection Policy page
Account admins can now disable other team members' 2FA settings
Improved the wording on several pages
Improved JIRA integration to prevent reopening the same issue twice in JIRA
Added support for running concurrent scans on a single Enterprise computing instance (ondemand only)
Attack Pattern' renamed as 'Payload' in the Send To integration templates
Added tooltip for Scan and Report Policies options on the New Scan page

BUG FIXES

Fixed the problem where Severity Trends displayed global severity numbers even if a Scan Group was selected on the Website Dashboard page
Fixed an issue where the Manage Websites page, where the Last Scanned column was displaying the last scan's initiation time
Fixed a bug where the severity order was wrong for the Retest Summary section on the Scan Report page

19-Sep-2018

COPY LINK

NEW FEATURES

Added support to save and re-use filters on the list pages (Recents Scans, Websites, Issues etc)
Added out of the box integration for Slack and ServiceNow
Introduced Report Policy Editor which allows to customize Scan Report results
Added Russian FSTEC BDU Vulnerability Database numbers to version vulnerabilities

NEW SECURITY CHECKS

Added Out of Band Server Side Template Injection security checks
Added signature detection check for Caddy web server
Added signature detection check for aah Go server
Added signature detection check for JBoss application server
Added CakePHP framework detection
Added CakePHP version disclosure detection
Added CakePHP out-of-date version detection
Added CakePHP Stack Trace Disclosure
Added CakePHP default page detection
Added Out of Date checks for CKEditor 5

IMPROVEMENTS

Configured scanner agent's service options to recover automatically if it stops
Improved display order of vulnerabilities in several reports
Improved the wording in OWASP and Trend Matrix reports
Updated the licensing model
Allowed team members to manage their IP restrictions (previously only account administrators were allowed)
Scheduled Scans will not be queued if a delayed one already exists in scan queue
Improved Agent List page to display unavailable agents
Improved the wording in Website and Global Dashboard pages
Improved '/websites/get' API endpoint to allow filtering by URL
Improved validation messages for SSO settings
Improved styling of Permission Matrix on New Team Member page
Fixed error where Scheduled Scans were disabled by the system on license expiry (they're now available again on license renewal)
Updated .NET Framework version requirement to 4.7.2
All authentication vulnerabilities (Basic, NTLM, Digest, etc. authorization required) are merged into a single vulnerability
Added Label field for JIRA Send To actions
Added Tags field for Manuscript (FogBugz) Send To actions
Improved SQL Injection proof data by stripping HTML tags
Improved CSRF token detection in cookie values

BUG FIXES

Fixed wrong PDF scaling issue which causes fonts to be rendered very small for Report templates
Fixed pagination problem on Scheduled Scans and Website Group pages
Fixed a bug where screenshots are displayed for Scans run by Internal Agents
Fixed the incorrect Content-Type header sent during Form Authentication requests
Fixed the WAF rule generated for TRACE/TRACK HTTP methods which were blocking the other HTTP methods too
Fixed the URL encoding issue for vulnerabilities that are send to Manuscript (formerly FogBugz)
Fixed the error where the ExpectCT header was reported as an interesting header
Fixed the Content-Type header parsing when there was an extra semicolon character at the end of the value
Fixed the incorrect response displayed for Server Side Request Forgery (SSRF) vulnerabilities when the request was redirected to another page
Fixed an incorrect external reference for the ViewState is not Encrypted vulnerability
Fixed an incorrect possible LFI vulnerability when the response was redirected
Fixed an incorrect Open Redirect vulnerability reported when a regular link was followed during DOM parsing
Fixed broken case sensitivity check for crawled links
Fixed FormatException that occurred while parsing cookies
Fixed a JsonReaderException that occured while trying to parse a Swagger document
Fixed parsing URLs with encoded chars
Fixed hanging Open Redirect checks caused by binary responses
Fixed the issue where a Swagger YAML file cannot be imported
Fixed the cookie jar which does not ignore the duplicated cookie based on first cookie's HttpOnly flag
Fixed the Weak Signature Algorithm that is not reported for a self-signed root certificate

25-Jul-2018

COPY LINK

IMPROVEMENT

Updated terms of services document

BUG FIXES

Fixed a bug where XML reports can not be exported
Fixed a bug where Jenkins integration was not working as expected
Fixed an issue where "Check for Updates" was not displaying correct result for team member users
Fixed a bug where sorting was not working on Scheduled Scans page

23-Jul-2018

COPY LINK

NEW FEATURE

Added SSO (Single Sign-On) support for Netparker Enterprise On-Demand

IMPROVEMENTS

Improved text shown after deleting a website
Improved text shown on Authentication Verifier Settings page
Improved help text for Recaptcha setting shown on Service Settings page
Removed 2FA disable button for users who do not have required access permission (previously displayed as disabled)
Improved timer behaviour of validation code shown on SMS Settings page
Improved order of vulnerabilities in several reports
Response content will not be rendered if it's higher than 10MB, instead response data can be downloaded from scan results page
Refactored and improved performance of reports which can be exported from Scan Results page
Added market place links for Jenkins, TeamCity and Bamboo plugins shown on Integrations page
Improved validation messages for JIRA integration
Improved samples for new website API documentation
Changed wording on General Settings page
Simplified endpoint format for Authentication Verifier settings

BUG FIXES

Fixed a bug where if previous scan failed with domain resolution error, subsequent scans failed unexpectedly with the same error
Fixed a bug where imported Swagger file was not parsed during scanning
Fixed a bug where multiple SAML configurations might be configured with same configuration identifier
Fixed an issue where Agent could not be disabled on Manage Agents page
Fixed an issue where Jenkins icon was not displaying properly on IE
Fixed a bug where sorting was not working for Next Execution Time on Scheduled Scans page
Fixed a bug where product update links were not displaying correctly
Fixed a bug where configured Scan Policies' user agent was not used in Authentication Verifier
Fixed documentation links for SSO providers
Fixed API authorization error thrown on notification endpoints for Team Members
Fixed an issue where custom reports were not displayed on Scan Results page
Fixed an issue where Knowledge Base data was not saved properly

2-Jul-2018

COPY LINK

BUG FIXES

Fixed a database connectivity issue which was occurring when pool size was not sufficient (onpremises only)
Fixed an issue where installation wizard was shown when database connectivity was lost (onpremises only)
Fixed an issue in agent endpoint where scan file names were not set as expected (onpremises only)

7-Jun-2018

COPY LINK

IMPROVEMENTS

Improved audit logs' contents.

BUG FIXES

Fixed an issue in "/scans/new" API endpoint.
Fixed an issue where SMTP settings was not persisted as expected.
Fixed an issue in IP restriction settings.
Fixed an issue where vulnerabilities' request/response details were not displayed properly.

29-May-2018

COPY LINK

NEW FEATURES

Added SSO (Single Sign-On) support (onpremises only)
Added an option to "Scan Policy > HTTP Request" settings to capture HTTP Requests
Added installation wizard for onpremises installation (onpremises only)
New plugin for integration with Bamboo
Added code highlighting support for vulnerability request and response
Added "Scans per Website Group" report type to Reporting page
Added an option to general settings to configure retention period for raw scan files (onpremises only)
Invicti Desktop integration: ability to import and export scans between the scanners.
Added Server-Side Template Injection (SSTI) vulnerability checks.
Added the OWASP 2017 Top Ten classifications report template.

NEW SECURITY CHECKS

Expect-CT security checks.
Added various new web applications in the application version database.
Added out of date checks for Hammer.JS., Phaser., Chart.js., Ramda., reveal.js., Fabric.js., Semantic UI., Leaflet., Foundation., three.js., PDF.js., Polymer.

IMPROVEMENTS

Added elapsed time information for ongoing scans
Added an option to scan reports page for hiding addressed issues
Improved Agents page to display configured agents' versions (onpremises only)
Added CVSS score to JSON vulnerabilities report
Improved user profile to display trial expiration date
Improved response status messages on the API documentation
Added Invicti Enterprise issue link to created tickets for supported issue tracking systems (JIRA, TFS, GitHub and FogBugz)
Improved help text for schedule scan's license errors
Allowed team members to manage their own notification settings
Added "Copy to Clipboard" functionality for API settings
Improved Incremental Scan page to configure maximum scan duration
Added an icon for scans launched by continuous integration systems
Added "LookupId" unique identifier for vulnerabilities to "/scans/report" API endpoint
Added "FirstSeenDate" and "LastSeenDate" fields for vulnerabilities to "/scans/report" API endpoint
Added "CreatedAt" and "UpdatedAt" fields for "/websites/list" API endpoint
Added "/vulnerability/list" API endpoint to list vulnerability templates
Improved logs for client certificate validation errors
Crawler can now parse multiple sitemaps in a robots.txt file.
Added support for parsing swagger documents in yaml format.
Added support for parsing relative meta refresh URLs.
Improved parsing of websites using React framework.
Content-Security-Policy-Report-Only header is not reported as an interesting header.
Variations are retested before starting an incremental scan.
Improved JavaScript content check performance while detecting out of date versions.
Renamed FogBugz send to action to its new name Manuscript.
GitHub Send to action now works with organization accounts and private repositories.
Added support for handling HTTP 307 redirects.
DS_STORE files are discovered and parsed.
Added WAF (Mod Security) rule generation support for out of band vulnerabilities.
Improved MySQL double encoded string attacks.
New Extensions scan policy settings to specify which extensions should be crawled and attacked.
Added "Disallowed HTTP Methods" settings to scope options on the new scan page.

BUG FIXES

Fixed an issue where empty value was not accepted for Excluded URLs
Fixed an issue where invitation was not deleted after an account deleted
Fixed font size for highlighted fields on vulnerability details
Fixed an issue where validation was not working as expected for Invicti Hawk settings
Fixed an issue where VDB update date was not persisted as expected
Fixed some possible vulnerabilities missing [Possible] indicator in title.
Fixed highlighting problem for "Password Transmitted over HTTP" vulnerability.
Fixed the incorrect Possible LFI caused by the persisted OOB RCE pattern on the page response.
Fixed incorrect "[Possible] WS_FTP Log File Detected" vulnerability.
Fixed Hawk validation error by not following redirects.
Fixed the issue where a vulnerability is not reported when the cookie contains a CSRF token.
Fixed the issue where static detection vulnerabilities are treated as fixed after a retest even though they are not.
Fixed the issue where CSRF token in the cookie is not reported when token is in the form action.
Fixed the issue on GitHub send to action where the test passed but vulnerability issue cannot be created.
Fixed the SSL check hang on HTTP only hosts.
Fixed LFI engine by not analyzing source code disclosure on binary responses.
Fixed a validation issue for some Swagger documents.
Fixed the issue where CSP keywords are not reported when used without single quotes.
Fixed mailto: and javascript: links which were incorrectly reported as mixed content.
Fixed incorrect source code disclosures reported in binary responses.
Fixed incorrect UNC Server And Share Disclosure vulnerability reports.
Fixed out of date version reporting behavior when no ordinal is found in version database.
Fixed Lighttpd version disclosure detection signatures.
Fixed a Swagger parsing issue.

18-Apr-2018

COPY LINK

BUG FIXES

Fixed a bug where crawling is not working as expected.
Fixed a security vulnerability in form authentication verification.

6-Mar-2018

COPY LINK

NEW FEATURES

New plugin for integration with TeamCity
New plugin for integration with Jenkins
Added IP Address Restrictions

IMPROVEMENTS

Improved XML and date samples displayed in API documentation.
Improved input validation in the reporting page.
Improved on-premises installation document for customers using load balancer.
Renamed FogBugz integration to Manuscript.
Improved validation of custom cookies.
New scans launched outside scan window will be automatically queued
Increased character limit for website name.
Added more details to scanner agent's startup log.
Improved installation error message of internal scanner agent.
Improved vulnerability request/response data page performance.
Improved the navigation of issues and scans.
Improved validation of custom 404 settings in the Scan Policy.
Added a "Copy to Clipboard" button for cURL samples in API documentation.
Improved API documentation to show request details.
Changed date/time format from 24-hour clock to 12-hour clock.

BUG FIXES

Fixed HTTP response data that was not displayed correctly for stored XSS vulnerability.
Fixed the Github integration which ws not working due to TLS 1.2 connectivity problem.
Fixed an issue where loading icon does not rendering correctly in IE11.
Fixed a font size problem in the PCI DSS reports.
Fixed the info messages that were not fitting in the screen on small resolutions.
Fixed an issue in which scan profiles could be created with same name.
Fixed a bug with website verification emails which were not being sent.
Fixed a bug with vulnerability counts in HIPAA and PCI DSS compliance reports.

31-Jan-2018

COPY LINK

NEW FEATURES

Added agent grouping support which allows to launch scans in specified agent group. This feature is only available for on-premises standard agents.
New API endpoints for getting website and website group details.

IMPROVEMENTS

Changed Netpsparker Enterprise application's loading icon.
Added an icon to indicate external links.

BUG FIXES

Fixed an issue where scans are not launched on on-premises AWS scanner agents.
Fixed an issue where realtime scan results are not displayed correctly in IE11.
Fixed an issue where proofs are not displayed correctly on vulnerability details section.

14-Dec-2017

COPY LINK

NEW FEATURES

Realtime scan results
Added out of the box integration support for: FogBugz, Github and TFS issue tracking systems.
Grouping of notifications so a single email or SMS alert is sent with a list of all alerts rather than multiple individual alerts.
New API endpoint for launching group scans.
Scheduling for incremental scans both from the web UI and API.
New API endpoint for generating custom scan reports.
New scan policy setting to define Web (Session and Local) Storage.
New Header Authentication settings to manually add request headers with authentication information.
Added support to import links from CSV files.
Added support for parsing of gzipped sitemaps.

NEW SECURITY CHECKS

Check for reflected Code Evaluation in Apache Struts 2 (CVE-2017-12611).
Check for Remote Code Execution in Apache Struts (CVE-2017-5638).

IMPROVEMENTS

Scan Time Window setting is now available to new group scans page.
Improved scan stability and performance.
Improved default Form Values settings.
Updated external references for several vulnerabilities.
Updated default User-Agent HTTP request header string.
Changed API endpoints to return 201-Created response status code for new resources.
Added several UI improvements for WCAG guidelines compliance.
Improved the email template that reports issues.
Added "Attack Parameters" information to Scanned URLs report.
Renamed the "Important" vulnerability severity to "High".
Added Form Authentication performance data to Scan Performance knowledge base node.
Improved Active Mixed Content vulnerability description.
Improved DOM simulation for events attached to document object.
Added parsing of "Alternates", "Content-Location" and "Refresh" response headers.
Improved CSP engine performance by checking CSP Nonce value per directory.
Changed sqlmap payloads to start with sqlmap.py, including the .py extension.
Added --batch argument to sqlmap payloads.
Removed Markdown Injection XSS attack payloads.
Added ALL parameter type option to the Ignored Parameters settings.
Added gtm.js (Google Tag Manager JS library) to the default excluded scope patterns.
Updated the Accept HTTP header value for default scan policy.
Added CSS exclusion selector supports frames and iframes.
Added embedded space parsing for JavaScript code in HTML attribute values.
Added parsing source information to Scanned URLs List and Crawled URLs List (JSON) reports.
Email disclosure will not be reported for email addresses used in form authentication credentials.
Added focus and blur event simulation for form authentication set value API calls.
Added more information about HTML forms and input for vulnerabilities found in HTML forms.
Added a JavaScript option to specify JavaScript cookies to persist across authentication and DOM simulation.
Added Parameter Value column to the Vulnerabilities List report in CSV format.
Added match by HTML element id for form values.
Added "Ignore document events" to JavaScript settings to ignore triggering events attached to document object.
Improved Windows Short Filename vulnerability details Remedy section.
URL Rewrite parameters are now represented as asterisks in sqlmap payloads.

BUG FIXES

Fixed an issue where AutoSave filename is missing during resuming a scan.
Fixed an issue where "Test" button of authentication settings does not work as expected.
Fixed an issue where model binding does not work as expected for scan profile API endpoints.
Fixed CSRF vulnerability reporting on change password forms.
Fixed case sensitivity checks while matching ignored parameters, now it matches case sensitive.
Fixed the incorrect disabled external references section in WordPress Setup Configuration File template.
Fixed various source code disclosure issues.
Fixed an escaping issue with CSS exclusion selectors.
Fixed the issue where the basic authentication credentials were not being sent on logout detection phase.
Fixed a random DOM simulation exception occurs when site creates popup windows.
Fixed a RemotingException occurs on Form Authentication Verifier.
Fixed a possible NullReferenceException on Form Authentication.
Fixed the broken form authentication custom script when the last line of the script is a single line comment.
Fixed huge parameter value deserialization memory usage.
Fixed the wrong URLs added with only extension values.
Fixed a NullReferenceException which may be thrown while importing a swagger file.
Fixed form authentication not triggered on retest.
Fixed StackOverflowException in swagger parser thrown while parsing objects containing circular references.
Fixed a swagger file parsing issue where target URL should be used when host field is missing.
Fixed swagger importer by ignoring any metadata properties.
Fixed a NullReferenceException occurs during DOM simulation.
Fixed the incorrect URLs parsed on attack responses.
Fixed the redundant duplicate HTTP requests issued by Web App Fingerprinter.
Fixed ignore parameter issue for parameters containing special characters.
Fixed a NullReferenceException that occurs for select elements missing option elements on multipart requests.
Fixed missing vulnerabilities requiring late confirmation for incremental scans.
Fixed a NullReferenceException may occur on iframe security checks.

26-Sep-2017

COPY LINK

NEW SECURITY CHECK

Added "Out of Band Code Evaluation (Apache Struts 2)" security check (CVE-2017-9805).

19-Sep-2017

COPY LINK

NEW FEATURES

Added scan policy settings for CSRF security checks.
Added ability to use custom HTTP headers during scan.
Added attacking optimization option for recurring parameters on different pages.
Added a new knowledgebase item called Site Profile that lists information about target web site such as the web server operating system, database server, JavaScript libraries used etc.
Redesigned the Basic, NTLM, Digest and Kerberos authentication settings which now supports multiple credentials for different URL paths.

NEW SECURITY CHECKS

Added Referrer Policy security checks.
Added markdown injection XSS patterns.
Added HostIP and IPv6 patterns to MySQL and SSH SSRF security checks.
Added Database Name Disclosure security checks for MS SQL and MySQL.
Added Out of Date security checks for several JavaScript libraries.
Added Remote Code Evaluation (Node.js) security checks.
Added SSRF detection with server-status.
Added user controllable cookie detection.
Added Context-Aware XSS detection by generating XSS payloads based on the reflected context without breaking it.
Added Default Page checks for IIS 7.0, 7.5, 8.5 and 10.0.
Added IIS 10.0 Version Disclosure checks.
Added WordPress Setup Configuration File checks.

IMPROVEMENTS

Improved design of the group scan email template.
Improved accessibility of several pages to follow WCAG guidelines.
Optimized compression time while archiving the raw scan files.
Added support for allowing users to launch scheduled scans manually.
Disabled scheduled scans if the license is expired.
Updated the links to several external references.
Improved JavaScript and CSS resource parsing.
Added DOM simulation options to scan policy optimizer wizard.
Improved Mixed Content vulnerability reporting by separating them according to resource types.
Improved boolean SQL injection detection for redirect responses.
Improved WSDL parsing for files that contain optional extensions.
Improved .sql file detection signature.
Added extra confirmation for weak credentials detection.
Added scan policy option to allow XHR requests during DOM simulation.
Added form value for password input types to default scan policy.
Increased the maximum response size limit for JavaScript resources.
Improved the send to JIRA error message.
Added maximum number of option elements per select element to simulate scan policy setting.
Added filter 'colon' events scan policy option to filter events that contain colon character in its name during DOM simulation.
Improved error based SQLi exploitation by generating prefix/suffix dynamically.
Improved command injection vulnerability detection by prepending original parameter value to attack payload.
Improved LFI vulnerability detection by detecting HTML and URL encoded PHP source codes.
Improved LFI attack patterns.
Improved DOM XSS attack patterns.
Improved DOM/JavaScript simulation.
Improved the performance of email address disclosure detection.
Improved the performance of database connection string disclosure detection.
Improved the performance of JavaScript library detection.
Improved the performance of RoR database configuration detection.
Improved Blind Command Injection detection on Linux systems.
Improved resource finder to find more hidden resources.
Improved support for simulating customized select elements.
Improved NTLM, Digest and Kerberos authentication support.
Improved DOM simulation stability and performance.
Improved the default parameter name list for Parameter Based Navigation.
Added NTLM and Digest authentication support to the generated sqlmap and cURL commands.
Improved boolean and blind SQL injection checks for MySQL databases.
Improved blind SQL injection checks for PostgreSQL databases.
Improved reflected and stored XSS detection.
HSTS checks now reports missing preload directives.
Updated Korean translation.
Improved JSON response parsing.
Improved DOM based XSS payloads by prepending a URL to referer to make it practically work on web browsers.
Improved email disclosure checks by checking host names against to public suffix list.

BUG FIXES

Fixed a NullReferenceException which may have been thrown while editing settings of an user.
Fixed an issue where email notifications are not sent for unconfirmed phone numbers.
Fixed an issue which may have been thrown while deleting an account.
Fixed an issue where error based SQLi confirmation is done based on the first seen database signature when multiple signatures appear in source code.
Fixed the duplicate import link issue.
Fixed an issue where XSS is missed when injected payload is not executed due to a syntax error.
Fixed crawling of URLs on pages where base element points to some other URL.
Fixes an issue where blacklisted Invicti attacks prevent further source code disclosures in HTML response.
Fixed an issue where mixed content vulnerabilities are missing because DOM simulation is skipped due to missing JavaScript in HTML source.
Fixed issues where empty POST parameter is imported and headers added as disabled for Postman files.
Fixed an issue where signature fails to match MS SQL username in error messages.
Fixed an issue where vulnerability is missed because of that not appending arbitrary value to extra querystring parameter name.
Fixed the error caused by null bytes in attack patterns while sending vulnerabilities to JIRA.
Fixed an incorrect "Password Transmitted over HTTP" issue for relative URLs on pages redirected to HTTPS addresses.
Fixed the NullReferenceException thrown while importing certain HAR (HTTP Archive) files.
Fixed incorrect "Interesting Header" report for Content-Security-Policy header.
Fixed directory listing is not reported issues on some IIS versions.
Fixed the issue where comments in CSS files are not parsed.
Fixed the incorrect URL found in CSS comments.
Fixed incorrect CSRF vulnerability reports by taking hidden token input into account.
Fixed an IndexOutOfRangeException caused by CSP checks.
Fixed the signature pattern which fails to match "Programming Error Message (PHP)" in multiple lines.
Fixed markdown XSS attack patterns causing incorrect findings.
Fixed incorrect "Interesting Header" reports for some headers.
Fixed the incorrect http protocol displayed for SSL vulnerabilities.
Fixed an issue where DOM simulation is performed for checking XSS once per XPath.
Fixed the maximum crawled URL limit exceeded issue.
Fixed duplicate resource finder requests.
Fixed the WADL import issue where the operation fails for responses with no status codes.
Fixed incorrect HttpOnly reports of XSRF-TOKEN cookies, due to its nature these cookies must be accessed from JS code.
Fixed the incorrect missing object-src report on CSP checks.
Fixed an issue where default crawled value is double-encoded instead of single.
Fixed the missing content for Site Profile section of Knowledge Base report.

21-Jul-2017

COPY LINK

NEW FEATURES

Added support for integrating Invicti Enterprise with JIRA issue tracking system.
(BETA) Added support for scanning internal websites in Invicti Enterprise
Added proxy support for on-premises scanner agents.

IMPROVEMENTS

Decreased scan results' registration time by optimazing database queries.
Added several improvements for running Invicti Enterprise on-premises on AWS.
Added more information (such as Total Requests and Average Speed) to the detailed scan report.
Improved code samples used in API documentation.
Improved help text and messages.
Added delete button to website edit page.
Improved scanner agent's startup script to ensure agent is started properly.
Improved sign-in/logout flow to make user sessions more secure.
Reviewed and fixed duplicate IDs in HTML elements.
Improved design of the email templates.
Updated AWS SDK to the latest version.
Added Korean support to scan report API endpoint.
Added support for setting preferred agent name via API.
Added status information to preferred agent section on the new scan page.

FIXES

Fixed an issue with the archiving of raw scan files.
Fixed the total website count which was incorrect on manage website groups page.
Fixed the user's date format that was not used while selecting dates on account settings page.
Fixed the account settings page which was not displayed properly in high-DPI screens.
Fixed a bug where issue counts were not displayed correctly on website dashboard page.
"JavaScript - Elements To Skip" setting was is now set properly in new scan policy page.
Expired license error is now returned properly in API endpoints.
Fixed issues with the order of the websites in the "Websites That Have Shortest Fix Time" widget.
Fixed an error which was being thrown when adding a website via API in Invicti Enterprise on-premises.
Fixed CVE links in scan report page.
Fixed a bug in website verification API endpoint.
Fixed a NRE which was being thrown during exporting CSV reports.
Fixed a bug where CSV comma separator is not remembered on Export to CSV pages.
Fixed an error which was being thrown during deleting a scan profile.
Fixed a bug in website verification API endpoint.