Invicti Product Release Notes
24 Apr 2023
v23.4.0
New security checks
- Added package.json Configuration File attack pattern.
- Added new File Upload Injection pattern.
- Added SSRF (Equinix) vulnerability.
- Added Swagger user interface Out-of-Date vulnerability.
- Added a file upload injection pattern.
- Added StackPath CDN Identified vulnerability.
- Added Insecure Usage of Version 1 GUID vulnerability.
- Added JBoss Web Console JMX Invoker check.
- Added Windows Server check.
- Added Windows CE check.
- Added Cloudflare Identified, Cloudflare Bot Management, Cloudflare Browser Insights, and cdnjs checks.
- Added Varnish Version Disclosure vulnerability check.
- Added Stack Trace Disclosure (Apache Shiro) vulnerability check.
- Added Java Servlet Out-of-Date vulnerability check.
- Added AEM Detected vulnerability check.
- Added CDN Detected (jsDelivr) vulnerability check.
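The Insecure Usage of Version 1 GUID check above flags identifiers that encode their creation time and the generating host. As an added illustration (not Invicti's own check logic), the following Python scans a constructed response body for RFC 4122 GUIDs and decodes what a version-1 GUID discloses. The sample body and the GUID regex are assumptions; the version-1 value used is the well-known RFC 4122 DNS namespace UUID.

```python
import re
import uuid
from datetime import datetime, timedelta, timezone

# Ticks (100 ns) between the UUID epoch (1582-10-15) and the Unix epoch (RFC 4122, section 4.1.4).
UUID_EPOCH_OFFSET_TICKS = 0x01B21DD213814000

# Hyphenated textual GUIDs as they usually appear in URLs, cookies and JSON bodies (assumed format).
GUID_RE = re.compile(
    r"\b[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b"
)


def decode_v1(u: uuid.UUID) -> dict:
    """Return what a version-1 GUID discloses: creation time, clock sequence and node (MAC)."""
    if u.variant != uuid.RFC_4122 or u.version != 1:
        raise ValueError("not an RFC 4122 version-1 UUID")
    # u.time is the 60-bit timestamp in 100 ns ticks since the UUID epoch.
    unix_ticks = u.time - UUID_EPOCH_OFFSET_TICKS
    created = datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=unix_ticks // 10)
    node = u.node
    mac = ":".join(f"{(node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    # RFC 4122 section 4.5: a randomly chosen node sets the multicast bit (bit 40);
    # when it is clear, the node is the hardware address of the generating machine.
    return {
        "created_utc": created,
        "clock_seq": u.clock_seq,
        "node": mac,
        "node_is_mac": not ((node >> 40) & 1),
    }


def find_v1_guids(text: str) -> list:
    """Scan a response body and report every version-1 GUID with its decoded fields."""
    findings = []
    for match in GUID_RE.finditer(text):
        u = uuid.UUID(match.group(0))
        if u.variant == uuid.RFC_4122 and u.version == 1:
            info = decode_v1(u)
            info["guid"] = str(u)
            findings.append(info)
    return findings


# Constructed sample: a password-reset response carrying one version-1 token (the RFC 4122
# DNS namespace UUID, a real v1 value) and one version-4 token that encodes nothing.
SAMPLE_BODY = (
    '{"reset_url": "https://app.example/reset?token=6ba7b810-9dad-11d1-80b4-00c04fd430c8",'
    ' "request_id": "123e4567-e89b-42d3-a456-426614174000"}'
)

if __name__ == "__main__":
    for finding in find_v1_guids(SAMPLE_BODY):
        print(finding)
```

Run on the sample, the scan reports the reset token only: it was generated on 1998-02-04 at 22:13 UTC on a host with MAC 00:c0:4f:d4:30:c8 and clock sequence 180. A token built this way is guessable from a timestamp window, a fixed node value and a 14-bit clock sequence, which is why the check matters when the GUID is used as a session identifier, reset token or other secret; version-4 GUIDs from a CSPRNG, or purpose-built random tokens, are the fix.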
Improvements
- Updated Invicti Enterprise with the new brand logo.
- Added external schema import to solve a WSDL file importing another WSDL file.
- Added the Hawk URL configuration to the silent installation document.
- Improved the Authentication Verifier settings in the silent installation document so the verifier can optionally be skipped.
- Improved the On-Premises installation package to run as 64-bit if the platform supports 64-bit.
- Improved the settings page for admins to change the Hawk URL.
- Improved the bulk update of issues with the Fixed (Can't Retest) status.
- Added a column on the Issues page to show users whether an issue is retestable.
- Improved the scan compression algorithm to lower the size of the scan data.
- Added a tooltip to show the full scan report name when it is too long.
- Added a progress indication while exporting a PCI scan report.
- Added an option to delete the stuck agents' commands.
- Fixed the business logic recorder issue while using the Basic, NTLM/Kerberos Configurations.
- Improved the descriptions for the /api/1.0/issues/report endpoint and the integration parameter on the AllIssues endpoint.
- Improved WS_FTP Log vulnerability test pattern.
- Improved X-XSS-Protection Header Issue vulnerability template.
- Improved MySQL Database Error Message attack pattern.
- Improved XML External Entity Injection vulnerability test pattern.
- Improved Forced Browsing List.
- Added CWE classification for Insecure HTTP Usage.
- Added GraphQL Attack Usage to existing test patterns by default.
- Added an option to ignore events that can break the JavaScript simulation script.
- Added version number information to internal agents on the Configure New Agent page.
- Added an option to set a timeout after which a stuck agent is marked Unavailable.
- Improved Invicti Enterprise to clear all login files upon signing out of the application.
- Created a queue to store scan results and register results asynchronously.
- Added the vulnerability database to the installation package.
Fixes
- Fixed an out-of-memory condition in CDPSession.
- Fixed the issue with the DefectDojo report submission.
- Fixed the Client Secret in raw text appearing in the scan report for OAuth2.
- Fixed the time zone issue for the authentication verifier agent.
- Fixed the IAST Bridge installation issue that ended prematurely.
- Fixed the issue that displayed "vulnerability not found" on the user interface although the vulnerability was identified.
- Fixed the scan duration limit issue that crashed the application.
- Fixed the handling of installation folder names containing spaces to prevent an Unquoted Service Path vulnerability.
- Fixed the check that threw an "internal server error" when exporting a scan from Invicti Standard to Invicti Enterprise.
- Fixed the update issue in the Proof node in the Knowledge Base panel.
- Fixed the scan profile issue when exported from Invicti Standard to Invicti Enterprise.
- Fixed the API token reset issue for team members.
- Fixed the API documentation’s website that failed to show descriptions.
- Fixed the business logic recorder issue where the session is dropped because of a cookie.
- Fixed the default email address that appeared on the login page during the custom script window.
- Fixed the Out-of-Memory issue caused by the Text Parser when adding any extension to the parser.
- Fixed the Hawk validation issue.
- Fixed the scan flow with different logic for incremental scans that are launched via CI/CD integrations and the user interface.
- Fixed the custom vulnerability deletion problem on the custom report policy.
- Fixed the vulnerability database issue that occurred because of a URL redirect problem.
- Fixed the internal server error on the Audit logs' list endpoint.
- Fixed the issue with email notifications when a new scan is launched.
- Fixed the typo on the OAuth2 settings page.
- Fixed the timeout issue when updating issues.
- Fixed updating and sorting on the issues API endpoint.
- Fixed the Azure Boards integration tagging issue where a tag appeared on the Azure board although no tag was entered on the Invicti side.
- Improved the web app and agent communication.
- Updated the docker agent package for the 64-bit process.
- Fixed the bug that threw an object reference error while trying to end the scans that exceeded the max scan duration.
- Fixed the Classless Inter-Domain Routing (CIDR) transformation issue for the discovery service.
- Fixed the discovery service crawling issue.
- Fixed issues that caused erroneous reports.