Invicti Enterprise On-Premises 17 Jan 2023 v23-1-0

New features

  • Added a scan control center to suspend, pause, and resume all scans when needed.
  • Added a feature to generate a report for vulnerabilities identified across a website group.
  • Added an API parameter to choose among agent groups to launch an incremental scan. [API-only]
  • Added an option to determine how long Invicti stores scan data.
  • Added an automatic GraphQL test that runs after a GraphQL endpoint is detected.

New Security Checks

Improvements

  • Improved the Jira integration.
  • Improved the ServiceNow Incident Management.
  • Added the report option to the Jenkins integration.
  • Improved the notification rule scope.
  • Updated embedded Chromium browser.
  • Updated the docker scanner agent.
  • Added an option to block navigation on SPA pages.
  • Added an option to export the PCI DSS scan report even if it fails the scan.
  • Improved the scan report page’s performance.
  • Upgraded the TeamCity plugin.
  • Added an option to include the IAM Role to the Cloud Provider settings.
  • Improved the SSO to inform users about the expired SAML certificate.
  • Removed the target URL health check, which lets the scan continue despite error responses such as 403.
  • Added URL validation check for the authentication verifier settings.
  • Added an information message shown when users delete the preferred agent configured for a scan.
  • Improved the scan profile to edit Basic, Digest, NTLM/Kerberos, and Negotiate Authentication while starting a new scan.
  • Updated the text on the GraphQL Introspection pop-up.
  • Updated the Basic Authentication message for the internal authentication verifier agent.
  • Improved the scan profile feature so that any updates to a scan profile are reflected in scheduled scans, incremental scans, and retests.
  • Added information for stuck agents where the scan failed because of the agent’s deletion.
  • Improved the Activity Log page to list any changes on the general settings.
  • Improved the user agent setting to allow custom user agents.
  • Improved Basic, Digest, NTLM/Kerberos, and Negotiate Authentication to inform users on the test credentials page whether authentication is required.
  • Improved the required information for the Kafka integration.
  • Improved the raw scan file expired information message.
  • Added a notification to warn users if they are creating a vulnerability profile that already exists in the report policy.
  • Added content and return type to the scans/report and scans/downloadscanfile API endpoints.
  • Added .gql to the supported file types for link import.
  • Improved the Trend Matrix Report exporting to include the severity information as well.
  • Improved the HashiCorp integration to authenticate with user tokens, too.
  • Added a name validation for adding a new member’s name and editing a member’s name.
  • Improved the global dashboard performance.
  • Added an active scan check before deleting a scan profile related to that active scan.
  • Improved the importing link to parse the complex example value for RAML.
  • Added support for browser flags.
  • Improved the website dashboard performance.
  • Added the attack option for Cross-site Request Forgery (CSRF).
  • Added the required tooltip for the Value field of the Kafka integration.
  • Added an explanation for the failed requests error.
  • Added name variable support for Passive and Singular Custom Security Checks.
  • Added an auto responder for images to avoid the onerror issue.

Fixes

  • Fixed the Business Logic Recorder issue that prevented the recorder from playing recorded steps during a scan.
  • Fixed an issue where the internal agent update got stuck in the updating process.
  • Fixed the deserialization problem when importing the scan session.
  • Fixed the CSP analyzer Regex enumeration problem.
  • Fixed an issue where a stateless link remained uncrawled while waiting for the resource finder.
  • Fixed the issue with updating Linux agents from versions older than 2.0.2.155.
  • Fixed the SQL timeout issue when the reporting date page is too large.
  • Fixed the retest issue.
  • Fixed the Shark validation issue that threw exceptions while validating.
  • Fixed the issue of adding emails with special characters to the Notification.
  • Fixed a bug that caused scan session failure when a scan was paused and resumed.
  • Fixed a bug that caused a server error when an expired integration was cloned.
  • Fixed an issue where the Due Days field for the FreshService integration was displayed as required despite being optional.
  • Fixed an issue that prevented the Authentication Verifier Server from communicating with the web application when the IP Restriction is enabled.
  • Fixed a bug that disabled the Send To button on the All Issues page when users select edit but navigate back to the page.
  • Fixed a bug where DefectDojo automatic issue import was not working.
  • Fixed timeout issues during website DNS checking.
  • Fixed an issue where a JavaScript Setting option blocks inputs for the single-page applications to be reported in the Web Pages with Inputs node.
  • Fixed improper path parsing when a Postman collection file is imported.
  • Fixed a bug that caused the browse section to continue appearing on the Links/API definition page after the import process is canceled.
  • Fixed the null return upon the “GET /scans/list-scheduled” API call.
  • Fixed the late formation folder size issue.
  • Fixed a bug that did not show the status change drop-down on the scan report page when zoomed in.
  • Updated the Unfuddle integration, where optional fields had “required” text.
  • Improved the IP Restriction Infrastructure.
  • Fixed failed scans where the Target URL is an IPv6 address starting with ::1.
  • Fixed the null reference problem issue while using the 3-legged flow type for OAuth2.
  • Fixed the Chrome version number on the custom script editor while using an internal authentication agent.
  • Fixed the GraphQL retest bug that showed a different request count.
  • Fixed the single sign-on issue that prevented users from using SSO.
  • Fixed the Jenkins plug-in integration so that it can work after the Log4j update.
  • Fixed the maximum scan duration bug when set in the user interface and API endpoint.
  • Fixed the tooltip color on the scan status page.
  • Fixed the ServiceNow API endpoint issue.
  • Fixed the Nuget package version issue.
  • Fixed the required attribute for the category on the ServiceNow Incident Management integration.
  • Fixed the website’s exporting to CSV issue when sorted by description.
  • Improved scan status handling so that running scans are set to Failed if their Scanner Agent is Not Available or Terminated.
  • Fixed the deleted vulnerability issue while creating a scan report.
  • Improved the site map and vulnerability synchronization.
  • Fixed the Exclude Authentication Pages option on the scan scope when configuring an authentication profile.
  • Fixed a bug that corrupts the header authentication credentials after updating the scheduled scan.
  • Fixed the status information showing different data on the Discovered Webpages page.
  • Fixed the Docker Agent build fail because of the compiler package.
  • Fixed the Total Elapsed and Average Time values displaying 00:00:00 on the Scan Performance tab of the Technical Report.
  • Fixed the time values displaying 00:00:00 on the Crawling Performance node of the Technical Report.
  • Improved the GraphQL scanning to include the separated comment lines in GraphQL files.
  • Fixed the Authentication Verifier Agent’s time zone bug.
  • Fixed an issue that resulted in false positive Cross-site Scripting (DOM-based).
  • Fixed the bug that duplicates the login page when users try to revalidate the login form.
  • Improved the Authentication Verifier Agent to work with self-signed SSL.
  • Fixed the bug on the user interface of ServiceNow Incident Management integration that caused issues with the On Hold status.
  • Fixed the bug on the user interface of ServiceNow Incident Management integration that caused issues with the Closed status.
  • Improved the Azure Pipeline Extension to generate a scan report on the release pipeline.
  • Fixed the Single Sign-On encryption certificate issue.
  • Fixed the web security issue related to the Origin header.
  • Fixed the sitemap bug that caused missing information when imported.
  • Fixed a bug that threw an error because HTTP Requester deleted the whole request body containing the login credentials.
  • Fixed the highlighting of CSP directives in issues involving different headers.
  • Fixed duplicate bearer tokens for some requests.
  • Updated Liferay Portal signature & added a mapping for version conversion.
  • Fixed an issue that resulted in false positive Cross-site Scripting (DOM-based).
  • Fixed the bug that shows the previous version of VDB.
  • Updated Vulnerability Detection Logic in the JWT engine.
  • Fixed parseable false attack patterns place.
  • Fixed the comma issue that appeared when the scan is launched with the Header Authentication.
  • Fixed the internal agent issue in which the scan was stuck after the scan was canceled.
  • Fixed the issue that showed the wrong country flags for country phone codes.
  • Fixed the product name in lowercase for those customers using Turkish Windows OS.
  • Fixed the issue in which the authentication verifier agent was not listed after the time zone was changed.
  • Improved the authentication verifier configuration file to support using the plus (+) for space encoding.
  • Improved the log for the knowledge base report.
  • Fixed the mistaken information on the retestable vulnerabilities.
  • Fixed the fix calculation bug in the Issues API endpoint that occurred when scans were deleted.
  • Fixed the issue that deleted the customization folder in the agent’s folder after the update.
  • Fixed the bug that displayed different method icons on the technical report page.
  • Fixed the bug in sending issues to Mattermost.
  • Fixed the Slack integration issue that failed to send notifications.
  • Fixed the inconsistent discovered website result by handling null values.
  • Fixed a bug that prevented the PCI scan from running ever again if any previous PCI scan failed to start.
  • Fixed the Business Logic Recorder issue that prevented login when there is a custom script for form authentication.
  • Improved the creation of websites via the Discovery Service to include the port numbers and the URL.
  • Fixed a bug that displayed vulnerabilities without their id on the website and global dashboard page.
  • Fixed WSDL parse issue for non-defined object types.
  • Fixed the null reference exception on HTTP Requester.
  • Fixed the attribute issue that prevented the Discovery Service from running the discovery properly.
  • Fixed the agent stuck issue when the target link scan timeout is detected.
  • Fixed an issue that overwrote TLS settings available in the scan policy when the Ignore SSL Certificate Errors is set to True in the Appsetting.json file.