Invicti Enterprise On-Premises 12 Oct 2022 v2.4

NEW FEATURES

  • Added the Business Logic Recorder feature in Invicti Enterprise, so you can scan web applications without extensive manual work or additional non-automated tools.
  • Added support for Azure Key Vault.
  • Added GraphQL Libraries detection support.
  • Added built-in DVWA policies to scan policies.
  • Added the feature to tag discovered websites.
  • Added Invicti Shark (IAST) to the Knowledge Base.

IMPROVEMENTS

  • Improved the Authentication Verifier to work with .NET 6.0.
  • [Breaking Change] Added support for on-premises versions of CyberArk, HashiCorp Vault, and Azure Key Vault. This requires an authentication verifier agent.
  • Improved the Late-Confirmation Storage Mechanism to lower disk usage.
  • Improved the rate limit for the All Issues API endpoint.
  • Improved the Cloud Provider setting to enable the Linux ID Image.
  • Added an API endpoint that reports how many websites each user has scanned.
  • Added raw scan file expired status to the Scan Failure Reasons.
  • Added the IsEnabled API endpoint for the OAuth2 setting.
  • Updated the icons on the Trend Matrix page.
  • Added logs to scheduled scans to identify the license issue when the scan couldn’t be launched.
  • Improved the internal agent to check whether OAuth2 is enabled or not.
  • Improved the agent’s language setting to prevent non-English texts from appearing on the scan results.
  • Improved the Activity Log to include information on vulnerability profile changes.
  • Improved the Scan Profiles API endpoint to include information on the imported URLs.
  • Added integration failed status for the Secrets and Encryption Management services.
  • Updated the scan agent update workflow. When there is a new update and users have more than one scan agent, the new version will be downloaded only once. Other scan agents will rely on this new package to update themselves.
  • Added a drop-down to choose how many results are displayed per page.
  • Added a new explanation for the api/1.0/scans/unschedule endpoint to clear any ambiguity.
  • Added a filter that controls the number of issues displayed on the global dashboard.
  • Improved the IP filtering on the discovered websites’ page.
  • Updated the Splunk plug-in to prevent exporting unnecessary HTML information to the Splunk ticket.
  • Added ‘Is Encoded’ option to OAuth2 parameters.
  • Added the Connection Timeout option to the scan policy.
  • Improved the Knowledge Base tab in the technical report section for accessibility.
  • Added the Browser Settings to scan policy.
  • Added a report policy migration step when relaunching a scan session, to prevent scan launch failures.
  • Added a discovered date column for websites detected by the Discovery Service.
  • Updated Invicti Hawk’s redirection during certificate validation.
  • Added a timeout for website import; the default timeout is 400 ms.
  • Improved the tooltip for security checks on the scan policy page to properly reflect the security policy selections.
  • Updated the SCIM integration for provisioning on Azure Active Directory’s marketplace.
  • Added the ability to bulk edit issues.
  • Added the scan policy header to the OAuth2 requests.
  • Improved JWT confirmation to avoid false positives.
  • Added a new IAST vulnerability: Overly Long Session Timeout.
  • Added new config vulnerabilities for the IAST Node.js sensor.
  • Added new config vulnerabilities for the IAST Java sensor.
  • Added support for detecting SQL Injections on HSQLDB.
  • Added support for detecting XSS through file upload.
  • Updated DISA STIG Classifications.
  • Updated Java and Node.js IAST sensors.
  • Improved the Content Security Policy Engine.
  • Updated the XSS via File Upload vulnerability template.
  • Added Extract Resource default property to DOM simulation.
  • Added an option to discard certificate validation errors for SSL/TLS connections on the Enterprise Integration window. Note that this disables server certificate verification for that integration, which removes its protection against man-in-the-middle attacks, so use it only for trusted endpoints.
  • Added the agent mode to the authentication request.
  • Added a default behavior to scan the login page.
  • Added a default behavior to disable TLS 1.3.

FIXES

  • Fixed an issue where the advanced installer enabled Windows authentication.
  • Fixed a bug with displaying cookie names in the scan policy.
  • Fixed a bug that assigned a zero (empty) Globally Unique Identifier to a custom vulnerability when it was identified.
  • Fixed a bug that prevented editing an internal website.
  • Fixed a bug that caused a broken website-scan relationship as a result of an inconsistent update.
  • Fixed inconsistent vulnerability listings in XML and CSV reports.
  • Fixed a bug that left issue statuses unchanged after bulk editing.
  • Fixed a bug on the user interface that showed incorrect scan status.
  • Fixed an issue with global servers in imported Swagger files.
  • Fixed a bug that added duplicate users to a team when they were added via SCIM.
  • Fixed the Azure Boards integration webhook issue caused by the status codes.
  • Fixed a bug that prevented members with user-defined roles from being deleted.
  • Fixed a bug that prevented information from being displayed when users selected Jira in the user mapping.
  • Fixed a bug that prevented notifications from being sent to users when they filtered by state.
  • Fixed a bug that skipped the website ownership verification request when a website’s agent mode was changed from internal to Cloud.
  • Fixed a bug that showed an outdated vulnerability database version for an agent in the user interface.
  • Fixed a bug where Invicti Standard and Invicti Enterprise showed different information in the Known Issues of the Out-of-Date node when software composition analysis was run.
  • Fixed a bug that did not show the website thumbnail when the scan completed.
  • Fixed an issue that causes custom vulnerabilities not to be added to the Vulnerability Lookup table.
  • Changed the filter for groupable custom vulnerabilities when creating the vulnerability model.
  • Fixed a bug that prevented a scan profile from being updated when users added a client certificate.
  • Fixed a bug that threw an error when users tried to delete a scan policy.
  • Fixed a bug that prevented exporting a vulnerability list report in CSV or XML when Invicti Shark (IAST) was enabled.
  • Fixed a bug while excluding cookies during the scan.
  • Fixed a bug that prevented websites from being deleted.
  • Fixed the Jazz Team Server multiple category issue.
  • Fixed a bug where detailed scan reports omitted CVSS scores for custom vulnerabilities.
  • Fixed a bug that prevented editing the FreshService integration.
  • Fixed a broken link that threw an error on the SCIM API documentation page.
  • Fixed a bug that threw an exception when the agent was started in debug mode in an IDE.
  • Removed a stray space in CVSS scores that caused incorrect values to be shown.
  • Fixed the parsing problem encountered when Burp and Postman files are imported via the Links/API Definition page.
  • Improved the scan agent to continue scanning when it receives HTTP error responses such as 403 Forbidden, 401 Unauthorized, and 407 Proxy Authentication Required from websites that support TLS 1.3.
  • Fixed a bug that caused scan failures if the scan profile name included the “/” character.
  • Fixed a bug in which special characters broke the Out of Scope node.
  • Fixed a bug that caused saved OAuth2 settings in a scan profile to disappear after they were enabled and then disabled.
  • Fixed a bug that threw errors for technology links on the summary page.
  • Fixed an issue where the IP Address Restriction was not enforced on API access.
  • Fixed an issue that showed the same vulnerabilities more than once in the scan summary reports.
  • Fixed a bug that showed soft-deleted scan policies when their URL was entered directly.
  • Fixed a bug that prevented notifications from appearing in the user interface when the data size limit was exceeded.
  • Fixed a DLL mismatch problem with imported links for Postman and GraphQL.
  • Fixed a bug that showed an empty list of possible GraphQL endpoints in the Security Checks list.
  • Fixed a bug that returned 500 Internal Server Error on the “GET issues/addressedissues” API call.
  • Fixed a bug that returned 500 Internal Server Error on the “GET /issues/todo” API call.
  • Fixed an issue where passive vulnerabilities were reported at out-of-scope links.
  • Fixed an issue where the OK button disappears during interactive login.
  • Fixed an issue that adds interactive login buttons to iframes.
  • Fixed a null reference exception at the LFI exploit panel.
  • Fixed a bug with HTTP Basic authorization over HTTP.
  • Fixed a bug in reporting the SQL Injection vulnerability family.
  • Fixed a bug where a custom script threw a null reference exception when it was added to a paused scan.
  • Fixed a bug that deleted the authentication password when a new scan was started with a copied profile.
  • Fixed a bug that caused the Sitemap to disappear during scanning with IAST.
  • Fixed a bug that caused missing tables and values when a report policy was exported as an SQL file.
  • Fixed an issue that left a security check’s attack process incomplete when an error occurred while attacking a parameter with an attack pattern.
  • Fixed a bug where the Log4j vulnerability profile was not migrated during report policy migration.
  • Fixed a bug that prevented WSDL files from being imported.
  • Fixed a false “SSL/TLS not implemented” report when scanning a site that supports only TLS 1.3.
  • Fixed a bug that threw an error for NTLM authentication when custom username and password credentials were provided and a system proxy was configured in appsetting.json.
  • Fixed an issue where Chromium instances were not terminated after the maximum scan duration was exceeded.
  • Fixed an issue that automatically enabled “Exclude Authentication Pages” after form authentication was enabled.
  • Fixed a null reference exception in the link pool.
  • Fixed a bug that spawned many Chromium instances when a new scan was started.

REMOVED

  • Removed the agent platform selection option for the internal agents from the user interface.
  • Removed the Ignore these extensions field from the scan policies page.