Invicti Enterprise On-Demand 13 Oct 2022
This update includes changes to the internal agents. The internal scan agent’s current version is 2.0.2.154. The internal authentication verifier agent’s current version is 2.0.2.154.
NEW FEATURES
- Added auto-GraphQL simulated attack after endpoint is detected.
NEW SECURITY CHECKS
- Added MongoDB Time-based (Blind) Injection.
- Added SQLite Boolean SQL Injection.
- Added MongoDB Error-based Injection.
IMPROVEMENTS
- Improved the Trend Matrix Report exporting to include the severity information as well.
- Improved the HashiCorp integration to authenticate with user tokens, too.
- Updated Vulnerability Detection Logic in the JWT engine.
- Improved the GraphQL scanning to include the separated comment lines in GraphQL files.
- Improved the Authentication Verifier Agent to work with self-signed SSL.
- Improved the Azure Pipeline Extension to generate a scan report on the release pipeline.
- Updated Liferay Portal signature & added a mapping for version conversion.
FIXES
- Fixed a bug that corrupts the header authentication credentials after updating the scheduled scan.
- Fixed the status information showing different data on the Discovered Webpages page.
- Fixed the Docker Agent build fail because of the compiler package.
- Fixed the Total Elapsed and Average Time values displaying 00:00:00 on the Scan Performance tab of the Technical Report.
- Fixed the time values displaying 00:00:00 on the Crawling Performance node of the Technical Report.
- Fixed the Authentication Verifier Agent’s time zone bug.
- Fixed an issue that results in false positive Cross-site Scripting (DOM-based).
- Fixed the bug that duplicates the login page when users try to revalidate the login form.
- Fixed the Single Sign-on – encryption certification issue.
- Fixed the web security issue for the origin header problem.
- Fixed the sitemap bug that caused missing information when imported.
- Fixed the bug that threw an error, as HTTP Requester deletes the whole body part of the request which contains the login credentials.
- Fixed highlighting CSP Directives in different header issues.
- Fixed duplicate bearer tokens for some requests.
- Fixed an issue that resulted in false positive Cross-site Scripting (DOM-based).
- Fixed the bug that shows the previous version of VDB.
- Fixed parseable false attack patterns place.