Invicti Standard

Improvements

• Enhanced technology version identification from URI
• Improved reporting of multiple technology detections on the same file

Resolved issues

• Implemented a fallback mechanism to mitigate Chrome-related issues
• Updated OpenSSL from version 3.3.1 to 3.3.2
• Implemented a fix for an import issue caused by gRPC backward compatibility failure

Improvements

• Improved importing GraphQL queries
• Added the option to select US2 in the Enterprise Integration section, enabling IS connectivity for US2 instance customers
  

Resolved issues

• Resolved issue preventing the use of the Chromium Extension in Scanner and Verifier Agent
• Fixed the issue which was causing exports from Invicti Standard to Acunetix 360 to fail
  

New features

• Added single-tab crawling for websites that do not allow multiple-tab browsing (Read more)
• Upgraded the Shortcut integration API endpoint to v3

Improvements

• Improved payload for Log4j detection
• Added a feature to automatically override some headers in MFA cases
  

Resolved issues

• Resolved scan authentication issues for multiple pages
• Resolved issues related to screenshots and login processes
• Fixed security check for popper.js detection
• Added control for URLs that should not be included in the scope
  

New security checks

• Added detection of cookieconsent2 as a technology in the Vulnerability Database (VDB)

Improvements

• Added the ability to replace placeholders in browser for Authorization Headers
• Improved report template of JWT Signature is not verified vulnerability
  

Resolved issues

• Fixed tar file import error by addressing the invalid HAR file syntax, which was causing the web app to disclose the local path of the OnDemand web app machine in the error message
• Fixed duplicated links issue while proto file import
  

Improvements

• Redirected support email addresses to the http://support.invicti.com/ link
• Updated Chromium from version 121 to version 131 for enhanced performance and compatibility
• Enhanced detection accuracy for Weak Ciphers Enabled by analyzing false positives

Resolved issues

• Resolved the “Internal Server Error” encountered on the Invicti scans/report API endpoint after enabling the “Prevent any sensitive information showing within the product” setting
• Resolved the issue where the Agent Verifier was encountering errors when using certificates in a Linux environment
• Resolved a coverage issue where the login page reappeared during scans

Improvements

• Added new paths to forced browsing
• Updated the vulnerability template for the Internal Server Error vulnerability
• Improved Insecure HTTP Usage detection

New Security Checks

• Added detection of Google Tag Manager as a technology in the Vulnerability Database (VDB)

Improvements

• Invicti Standard Agent upgraded to .NET 8 for improved performance and compatibility
• Improved analysis and remediation capabilities for [Possible] Server-Side Template Injection vulnerabilities

Fixes

• Fixed a missing proxy implementation for ICBD and Puppeteer
• Fixed an issue where Retest-type scans did not identify the same vulnerabilities detected during full scans
• Fixed high CPU usage in some agents caused by Chromium
• Fixed an issue where the Misconfigured Access-Control-Allow-Origin Header vulnerability was not detected
• Improved detection of the [Possible] Password Transmitted over Query String vulnerability.
  

Improvements

• Multiple .proto files can now be used for scanning gRPC API Web Services

Fixes

• Fixed an issue where uploading a .proto file caused a “No links found in the file” error
• Fixed missing request/response details for some out-of-band vulnerabilities

New Security Checks

• Added detection for multiple JavaScript libraries
• Added detection for Masa CMS (CVE-2022-47002 and CVE-2021-42183)

Fixes

• Fixed a bug that was disabling the skip scan phase option

New Security Checks

• Updated detection for ActiveMQ – Remote Code Execution (CVE-2023-46604) and TorchServe Management API SSRF (CVE-2023-43654)

Improvements

• Added ‘save as new’ and ‘overwrite’ options when importing scans
• Reporting improvements for the “Unknown Option Used In Referrer-Policy” vulnerability
• Added the ability to export/import scan profiles and scan policies between different instances of Invicti Standard

Fixes

• Various fixes for the verifiers
• Out-of-date version for Boolean Based MongoDB Injection is now reported correctly

New Security Checks

• Added XWiki version disclosure vulnerability and attack patterns.

Fixes

• Fixed the false negative issue related to Polyfill.io.
• Fixed an issue related to creating a custom script for a web application using the OIDC method with a login pop-up.

New Security Checks

• Adjusted the severity of SSLv3 and TLS 1.0 vulnerabilities to reflect their security risks
• Added support for CSP frame-ancestors
• Added detection for CVE-2024-6297, affecting several WordPress plugins

Improvements

• Pre-request script now works in DOM as well

Fixes

• Resolved an issue with a pre-request script that was affecting crawling functionality