Invicti Enterprise On-Demand 06 Sep 2023 v23.9.0

New features

  • Now you can enter multiple IP addresses and IP ranges into the IP Address Restrictions setting. Previously, only single-entry IP addresses were permitted. 
  • Added TLS certificate authentication as an option when integrating with HashiCorp Vault. Previously, we only supported token authentications. 
  • The default compression format for log files is now .tar instead of 7zip


  • Disabled caching from the boolean-based MongoDB security engine to avoid possible false positives
  • Improved the content-type exemption for non-HTML content types in the CSP engine
  • Improved the typehead.js check to increase stability 
  • Removed the X-XSS-Protection header check because it is deprecated by modern browsers
  • Added functionalities to prevent bot detection and fixed an issue that was causing cookie loss after authentication
  • Improved the remediation part for the JetBrains .idea detected vulnerability


  • Fixed a bug that was stopping the certificate authentication process from working correctly for Authverifiers
  • Fixed a boolean-based MongoDB Injection that was causing false positives in scan reports
  • Fixed the incorrect display of vulnerabilities when importing scan results from Invicti Standard to Invicti Enterprise
  • Fixed a bug that was preventing the editing of internal website URLs
  • Fixed the character validity issue so that user names with Danish characters can now be edited in the UI
  • Fixed a bug that was allowing access to the UI via the back button after the user had signed out
  • Fixed the Discovery Main Domains Filter Expression that was not working properly for some domains
  • Fixed an issue that was causing tags to be duplicated when a website was imported using a CSV file
  • Fixed the update agent command that was not working correctly
  • Fixed the internal Linux v23.7 AV agent that wasn’t sending header configurations
  • Encrypted the proxy password used in the scan policy file
  • Fixed a scan coverage issue
  • Fixed the external SOAP web service import problem
  • Fixed a custom script issue so that now passwords written to the logs are encrypted
  • Fixed an issue where vulnerabilities could not be generated as CloudFlare WAF rules via API
  • Fixed a problem that was causing default values to be filled incorrectly, resulting in false negatives