Home
/
Documentation
/
Invicti Enterprise On-Demand Release Notes
Invicti Product Release Notes
Invicti Enterprise On-Demand
Invicti Enterprise On-Premises
Invicti Standard
Invicti Application Security Platform
Release Notes

Invicti Enterprise On-Demand

RSS FEED
26-Aug-2021
COPY LINK

FEATURES

  • Introduced the tagging feature for websites, website groups, and scans: While this feature has been available for Issues since March, it is now available for scans, websites, and websites groups as well.

25 October 2022
COPY LINK

Improvements

  • Added information message to the AWS Discovery Connection that the results may take some time to appear on the discovered websites page.
  • Added a name validation for adding a new member’s name and editing a member’s name.
  • Added an option to export the PCI DSS scan report even if the scan fails.
  • Improved the global dashboard performance.

Fixes

  • Fixed the issue that showed the wrong country flags for country phone codes.
  • Fixed the product name in lowercase for those customers using Turkish Windows OS.
24-Mar-2021
COPY LINK

This update includes changes to Internal Agents.

FEATURE

  • Introduced tagging support for Issues.

IMPROVEMENT

  • Added options to specify Is Confirmed and Severity values while failing Jenkins builds.
  • [INTERNAL AGENT] Added auto-update support for Linux agents.
  • [INTERNAL AGENT] Added support for TLS 1.3 protocol.
  • [INTERNAL AGENT] Updated Debian docker image to version 10.8.

FIXES

  • Fixed the “Internal Server Error While Exporting Scan” error while exporting scans from Invicti Standard.
  • Fixed missing classification editors on report policy editor for recently added classification types.
  • [INTERNAL AGENT] Fixed an issue that causes the scan to stuck while trying to capture the website thumbnail image.
24-Feb-2022
COPY LINK

This update includes changes to internal scan agents. The internal scan agent's current version is 2.0.2.137.

NEW FEATURES

FIXES

  • Fixed an issue that prevents the Sitemap from populating correctly after a scan.
  • Fixed an issue that prevents the DeleteById field in the database from being updated.
24 February 2023
COPY LINK

Fixes

  • Fixed the bug that threw an error when the Require SAML assertions to be encrypted checkbox is not selected on the Single Sign-on page.
24 April 2023
COPY LINK

This update includes changes to the internal agents. The internal scan agent's current version is 23.4.0. The internal authentication verifier agent's current version is 23.4.0

New security checks

  • Added new patterns for GrapQL attack usage.
  • Added new attack pattern to CommandInjection.xml.
  • Implemented Bootstrap Libraries Detection.
  • Added Out-of-Date vulnerability for mod_ssl.
  • Added a report template and vulnerability type for Spring Framework Identified.
  • Added JavaMelody Interface Detected Signature.
  • Added the support for Nested objects for GraphQL attacks.

Improvements

  • Updated Invicti Enterprise with the new brand logo.
  • Added the discovery source option to filters on the discovered websites page.
  • Added the AWS badge to the Discovery Service to identify the assets identified via the AWS connection.
  • Improved the Linux agents to work in the FIPS-enabled environment.
  • Updated the IAST Bridge to improve the communication between the bridge and the scanner agent.
  • Added a null check for HAR files imported.
  • Improved the agent and web application communication to end it after three attempts if the internal agent has wrong information.
  • Updated IAST NuGet PHP package.
  • Updated StaticDetection.xml & StaticResourceFinder.xml.
  • Changed WAF Identification Signature for F5 Big IP.
  • Added external schema import to solve a WSDL file importing another WSDL file.
  • Added service worker request support for authentication, login simulation, and crawling.

Fixes

  • Fixed the issue with a folder name with blanks to prevent the Unquoted Service Path vulnerability.
  • Fixed the AWS connection issue to let customers add internal EC2 instances.
  • Fixed an issue that caused high memory usage while collecting form values.
  • Fixed the issue that caused the change in the date and time format during the Postman file importing.
  • Fixed the next scheduled scan execution time information on the user interface.
  • Fixed the issue that displayed "vulnerability not found" on the user interface although the vulnerability is identified.
  • Fixed the control issue that threw an “internal server error” when exporting a scan from Invicti Standard to the Enterprise.
  • Fixed the "Catastrophic Backtracking" in Whoops Debugging detection.
23 May 2023
COPY LINK

Improvements

  • Added an account ID control when querying the website with the root URL.
  • Improved the website importing when the CSV file has more than 1000 entries.
  • Added an information message for adding an AWS connection that appears when there is no running instance.
  • Improved the health check of websites discovered via the AWS connection.
  • Changed the Jira webhook settings, making the Exclude Body checkbox selection mandatory.
  • Fixed the importing website issue that threw an error when a user tries to add the website deleted from Invicti previously.
  • [Early Access] Improved the scan data by moving some information like attack and knowledge base data to the storage.
  • Improved the AWS discovery that can find private IPs in addition to the public IPs when the Include Unreachable Discovered Websites checkbox is selected.

Fixes

  • Fixed the issue in which a team’s name is deleted during the editing process.
  • Fixed the validation issue for the Kafta integration.
  • Fixed the password update issue for the authentication verifier process that failed to obtain the new password.
22-November-2022
COPY LINK

Improvements

  • [Early Access] Improved the AWS connection to scan only the top 10 most popular web framework ports from the AWS Security Group.
  • Improved the website dashboard performance.
  • Improved the discovered website page to customize columns based on your needs.
  • Added the attack option for Cross-site Request Forgery (CSRF).
  • Added the required tooltip for the Value field of the Kafka integration.

Fixes

  • Fixed the bug in sending issues to Mattermost.
  • Fixed the Slack integration issue that failed to send notifications.
  • Fixed the inconsistent discovered website result by handling null values.
  • Fixed a bug that prevented the PCI scan from running ever again if any previous PCI scan failed to start.
22-Mar-2022
COPY LINK

This update includes changes to internal scan and authentication verifier agents. The internal scan agent's current version is 2.0.2.139. The internal authentication verifier agent's current version is 2.0.2.139.

IMPROVEMENT

  • Added support for on-premises versions of CyberArk and HashiCorp Vault.
  • Updated the Splunk plug-in to prevent exporting unnecessary HTML information to the Splunk ticket.
  • Added 'Is Encoded' option to OAuth2 parameters.
  • Adding the Connection Timeout option to the scan policy.
  • Improved the Knowledge Base tab in the technical report section for the accessibility.
  • Added the Browser Settings to scan policy.
  • [Internal scan agent] Added report policy migration process while relaunching scan session to prevent launch scan issue.

FIXES

  • Fixed a bug with displaying cookie names in scan policy.
  • Fixed a Globally Unique Identifier bug that assigned zero to a custom vulnerability when identified.
  • Fixed a bug that prevents from editing an internal website.
22-Dec-2020
COPY LINK

IMPROVEMENTS

  • Improved the Basic, Digest, NTLM/Kerberos, Negotiate Authentication entry user interface.
  • Improved the performance of Technologies pages

FIXES

  • Removed the “SSO Email” field requirement for new member invitations on accounts where SSO is not enforced
  • Fixed a typo on the Bugzilla integration configuration page
  • Fixed the misleading error messages received when /websitegroups/update API endpoint is called with a missing or invalid “Id” values
  • Fixed a UTF8 encoding issue
22 February 2023
COPY LINK

This update includes changes to the internal agents. The internal scan agent's current version is 23.2.0. The internal authentication verifier agent's current version is 23.2.0

New features

  • Added the Maximum 404 Signatures field to scan policies.
  • Added an option to exclude issues' history from reports.

New security checks

  • Added the JSON Web Tokens detected check.
  • Added JWT Token Forgery through Kid by using static files.

Improvements

  • Improved the JSON Web Tokens' vulnerability logic.
  • Updated JWT Token Forgery check condition.
  • Extended excluded header names with new headers.
  • Improved the JWT Token Finder Regex in the JWT engine.
  • Updated embedded Chromium browser.
  • Added the permission check to download reports.
  • Added a parameter (ImportedLinks) for imported links to the /scanprofiles/new API endpoint.
  • Improved the global dashboard performance.
  • Added records limit to avoid Out-of-Memory exceptions on reports.
  • Added the link scope check for the user-controllable cookie vulnerability.
  • Improved the default browser settings to be reflected in the business logic recorder (BLR).

Fixes

  • Fixed an issue that caused unhandled exceptions when there is no service endpoint definition in the WSDL file.
  • Fixed accessibility issue in the scan optimizer pop-up.
  • Fixed special character problems in Crawled and Scanned URLs reports.
  • Fixed "file in use error" while archiving scan logs.
  • Fixed the OAuth 2.0 authentication problem caused by the failure to get code information and certification validation in out-of-scope links.
  • Fixed missing cookies for the JSON Web Tokens attack requests.
  • Fixed the text parser extension issue that caused agents stuck.
  • Fixed the vulnerability family issue that caused the Hawk not to detect issues.
21-Sep-2021
COPY LINK

IMPROVEMENTS

  • Improved the search for scan profiles on the Recent Scans page. Added the Scan Profile Default option to the column filters on the Recent Scans page to speed up the search for the default scan profiles.
  • Improved the error messages and code returned from the updating issue API endpoint.
  • Added unique IDs on the HTTP 500 Error page.
  • Updated a Docker agent library to run more security checks.

FIXES

  • Fixed a bug that prevents a website from being deleted if that website has tags.
  • Fixed a bug that non-register users receive the Out-of-Date technology notification although these users have no website responsibility.
  • Fixed a bug that shows a two-factor authentication page to some users with SSO login after their information is updated on the Team Member page.
  • Fixed typo in the All Issues' page filter drop-down.
  • Fixed a bug returning the 500 Error when an issue is updated.
  • Fixed a bug that led to duplicated records in a member's role.
  • Fixed a bug that ignored a member's time zone setting while generating a vulnerability list in XML format.
  • Fixed a bug that causes the private scan policies to appear in the Scan Policy drop-down at the New Scheduled Group Scan page.
  • Fixed a bug that did not convert the remaining time for the Next Execution Time of a scheduled scan properly.