Invicti Product Release Notes
17 Jan 2023
v23.1.0
New features
- Added a scan control center to suspend all scans, and pause and resume all scans when needed.
- Added a feature to generate a report for vulnerabilities identified across a website group.
- Added an API parameter to choose among agent groups to launch an incremental scan. [API-only]
- Added an option to determine how long Invicti stores scan data.
- Added auto-GraphQL test after endpoint is detected.
New Security Checks
- Added MongoDB Time-based (Blind) Injection.
- Added SQLite Boolean SQL Injection.
- Added MongoDB Error-based Injection.
- Added the Text4Shell (CVE-2022-42889) check.
Improvements
- Improved the Jira integration.
- Improved the ServiceNow Incident Management.
- Added the report option to the Jenkins integration.
- Improved the notification rule scope.
- Updated embedded Chromium browser.
- Updated the docker scanner agent.
- Added an option to block navigation on SPAs pages.
- Added an option to export the PCI DSS scan report even if it fails the scan.
- Improved the scan report page’s performance.
- Upgraded the TeamCity plugin.
- Added an option to include the IAM Role to the Cloud Provider settings.
- Improved the SSO to inform users about the expired SAML certificate.
- Removed the target URL health check that lets the scan continue despite getting error messages such as 403.
- Added URL validation check for the authentication verifier settings.
- Added the information message when users want to delete the preferred agent configured to a scan.
- Improved the scan profile to edit Basic, Digest, NTLM/Kerberos, and Negotiate Authentication while starting a new scan.
- Updated the text on the GraphQL Instropection pop-up.
- Updated the Basic Authentication message for the internal authentication verifier agent.
- Improved the scan profile feature, so any updates on a scan profile are to be reflected on the scheduled scans, incremental scans, and retests.
- Added information for stuck agents where the scan failed because of the agent’s deletion.
- Improved the Activity Log page to list any changes on the general settings.
- Improved the user agent to add custom user agents.
- Improved the Basic, Digest, NTLM/Kerberos, Negotiate Authentication to inform users on the test credentials page whether this authentication is required or not.
- Improved the required information for the Kafka integration.
- Improved the raw scan file expired information message.
- Added notification to warn users if they are creating a vulnerability profile that exists on the report policy.
- Added content and return type to the scans/report and scans/downloadscanfile API endpoint.
- Added the .gql to the supported file types for the import link.
- Improved the Trend Matrix Report exporting to include the severity information as well.
- Improved the HashiCorp integration to authenticate with user tokens, too.
- Added a name validation for adding a new member’s name and editing a member’s name.
- Improved the global dashboard performance.
- Added an active scan check before deleting a scan profile related to that active scan.
- Improved the importing link to parse the complex example value for RAML.
- Added the support for browser flag.
- Improved the website dashboard performance.
- Added the attack option for Cross-site Request Forgery (CSRF).
- Added the required tooltip for the Value field of the Kafka integration.
- Added an explanation for the failed requests error.
- Added name variable support for Passive and Singular Custom Security Checks.
- Added auto responder for images to escape the onerror issue.
Fixes
- Fixed the business logic recorder issue that prevented the recorder to play recorded steps during a scan.
- Fixed the internal agent update issue that is stuck in the updating process.
- Fixed the deserialization problem when importing the scan session.
- Fixed the CSP analyzer Regex enumeration problem.
- Fixed the stateless link uncrawled that is waiting for the resource finder.
- Fixed the issue with updating Linux agents from versions older than 2.0.2.155.
- Fixed the SQL timeout issue when the reporting date page is too large.
- Fixed the retest issue.
- Fixed the Shark validation issue that threw exceptions while validating.
- Fixed the issue of adding emails with special characters to the Notification.
- Fixed a bug that caused the scan session failure when the scan is paused and resumed.
- Fixed a bug that causes server error when expired integration is cloned.
- Fixed an issue where the Due Days for FreshService integration is displayed as required despite being optional.
- Fixed an issue that prevented the Authentication Verifier Server from communicating with the web application when the IP Restriction is enabled.
- Fixed a bug that disabled the Send To button on the All Issues page when users select edit but navigate back to the page.
- Fixed a bug where DefectDojo automatic issue import is not working.
- Fixed timeout issues during website DNS checking.
- Fixed an issue where a JavaScript Setting option blocks inputs for the single-page applications to be reported in the Web Pages with Inputs node.
- Fixed the improper path parsing when a postman collection file is imported.
- Fixed a bug that caused the browse section to continue appearing on the Links/API definition page after the import process is canceled.
- Fixed the null return upon the "GET /scans/list-scheduled" API call.
- Fixed the late formation folder size issue.
- Fixed a bug that does not show the status change drop-down on the scan report page when zoomed in.
- Updated the Unfuddle Integration where optional fields have "required" text.
- Improved the IP Restriction Infrastructure.
- Fixed failed scans where the Target URL is IPv6 and starting with ::1
- Fixed the null reference problem issue while using the 3-legged flow type for OAuth2.
- Fixed the Chrome version number on the custom script editor while using an internal authentication agent.
- Fixed the GraphQL retest bug that showed a different request count.
- Fixed the single sign-on issue that prevented users from using SSO.
- Fixed the Jenkins plug-in integration so that it can work after the Log4j update.
- Fixed the maximum scan duration bug when set in the user interface and API endpoint.
- Fixed the tooltip color on the scan status page.
- Fixed the ServiceNow API endpoint issue.
- Fixed the Nuget package version issue.
- Fixed the required attribute for the category on the ServiceNow Incident Management integration.
- Fixed the website's exporting to CSV issue when sorted by description.
- Improved the scan status that running scans will be set as Failed if their Scanner Agent is Not Available or Terminated.
- Fixed the deleted vulnerability issue while creating a scan report.
- Improved the site map and vulnerability synchronization.
- Fixed the Exclude Authentication Pages option on the scan scope when configuring an authentication profile.
- Fixed a bug that corrupts the header authentication credentials after updating the scheduled scan.
- Fixed the status information showing different data on the Discovered Webpages page.
- Fixed the Docker Agent build fail because of the compiler package.
- Fixed the Total Elapsed and Average Time values displaying 00:00:00 on the Scan Performance tab of the Technical Report.
- Fixed the time values displaying 00:00:00 on the Crawling Performance node of the Technical Report.
- Improved the GraphQL scanning to include the separated comment lines in GraphQL files.
- Fixed the Authentication Verifier Agent’s time zone bug.
- Fixed an issue that results in false positive Cross-site Scripting (DOM-based).
- Fixed the bug that duplicates the login page when users try to revalidate the login form.
- Improved the Authentication Verifier Agent to work with self-signed SSL.
- Fixed the bug on the user interface of ServiceNow Incident Management integration that caused issues with the On Hold status.
- Fixed the bug on the user interface of ServiceNow Incident Management integration that caused issues with the Closed status.
- Improved the Azure Pipeline Extension to generate a scan report on the release pipeline.
- Fixed the Single Sign-on - encryption certification issue.
- Fixed the web security issue for the origin header problem.
- Fixed the sitemap bug that caused missing information when imported.
- Fixed the bug that threw an error, as HTTP Requester deletes the whole body part of the request which contains the login credentials.
- Fixed highlighting CSP Directives in different header issues.
- Fixed duplicate bearer tokens for some requests.
- Updated Liferay Portal signature & added a mapping for version conversion.
- Fixed an issue that resulted in false positive Cross-site Scripting (DOM-based).
- Fixed the bug that shows the previous version of VDB.
- Updated Vulnerability Detection Logic in the JWT engine.
- Fixed parseable false attack patterns place.
- Fixed the comma issue that appeared when the scan is launched with the Header Authentication.
- Fixed the internal agent issue in which the scan is stuck after the scan is canceled.
- Fixed the issue that showed the wrong country flags for country phone codes.
- Fixed the product name in lowercase for those customers using Turkish Windows OS.
- Fixed the issue in which the authentication verifier agent is not listed after the time zone is changed.
- Improved the authentication verifier configuration file to support using the plus (+) for space encoding.
- Improved the log for the knowledge base report.
- Fixed the mistaken information on the retestable vulnerabilities.
- Fixed the fix calculation bug in the Issues API endpoint that occurred when scan(s) are deleted.
- Fixed the issue that deleted the customization folder in the agent’s folder after the update.
- Fixed the bug that displayed different method icons on the technical report page.
- Fixed the bug in sending issues to Mattermost.
- Fixed the Slack integration issue that failed to send notifications.
- Fixed the inconsistent discovered website result by handling null values.
- Fixed a bug that prevented the PCI scan from running ever again if any previous PCI scan failed to start.
- Fixed the Business Logic Recorder issue that prevents login when there is a custom script for the form authentication.
- Improved the creation of websites via the Discovery Service to include the port numbers and the URL.
- Fixed a bug that displayed vulnerabilities without their id on the website and global dashboard page.
- Fixed WSDL parse issue for non-defined object types.
- Fixed the null reference exception on HTTP Requester.
- Fixed the internal agent update issue that is stuck in the updating process.
- Fixed the attribute issue that prevented the Discovery Service from running the discovery properly.
- Fixed the agent stuck issue when the target link scan timeout is detected.
- Fixed an issue that overwrote TLS settings available in the scan policy when the Ignore SSL Certificate Errors is set to True in the Appsetting.json file.