Invicti Enterprise On-Demand 09 Nov 2021
This update includes changes to Internal Agents. The internal agent’s current version is 18.104.22.168.
- Added Node.js sensor for Invicti Shark (IAST).
NEW SECURITY CHECKS
- Added signature matching to Web app fingerprint checker.
- Added patterns for Base64 encoded DOM Cross-site Scripting.
- Added phpMyAdmin Version Disclosure security check.
- Added Atlassian Confluence Version disclosure and Out-of-date security checks.
- Added PHP Version Detection via phpinfo() call.
- Added the Shopify Identified security check.
- Added the Bridge URL and Shark token support for Invicti Shark (IAST).
- Added the “not contains” filter to exclude specific titles, such as Out-of-Date.
- Added the notification on the Reporting page when the time start predates the time end.
- Added setting to configure Session Cookie Names.
- Updated CWE classification category orders for Out-of-date templates.
- Improved Cross-site Scripting attack pattern.
- Added support for exploiting local storage and session storage in the DOM XSS security checks.
- Added highlighting support for custom scripts.
- Added Web Application Firewall to the site profile.
- Changed the default ignored parameter comparison to case insensitive.
- Added ‘Is Encoded’ option to OAuth2 parameters.
- Added JWT Token pre-request script template.
- Added the CSP Not Implemented that will be reported as confirmed.
- Added the Subresource integrity not implemented that will be reported as confirmed.
- Marked weak TLS ciphers.
- Fixed the issue that Content-Type header missing was reported when there was no content in the response.
- Fixed the issue that false positive JSON Web Token (JWT) was reported in a not found response.
- Fixed the issue possible and confirmed vulnerabilities reported in the same URL.
- Fixed the issue proof that was generated even when the proof generation option was disabled in the scan policy.
- Fixed FP Waf Identified.
- Fixed the issue vulnerability count in root node is not updated when a vulnerability is removed and Blind XSS was prioritized over the Reflected Cross-site Scripting.
- Fixed the issue source code disclosure is reported in binary responses.
- Fixed the issue JWT JKU vulnerabilities are not reported in Invicti Enterprise because of Null Reference Exception.
- Fixed the issue fingerprint checker crashes when an applications file could not be found.
- Fixed the issue object-src missing was reported when default-src is provided in CSP security checks.
- Fixed the issue that some cipher suites are not reported as weak.
- Fixed the issue classification links were not rendered correctly when there are multiple values.
- Fixed the issue proof prefix was added when there were no more characters to be found.