Invicti Enterprise On-Premises 29 May 2018

NEW FEATURES

  • Added SSO (Single Sign-On) support (onpremises only)
  • Added an option to “Scan Policy > HTTP Request” settings to capture HTTP Requests
  • Added installation wizard for onpremises installation (onpremises only)
  • New plugin for integration with Bamboo
  • Added code highlighting support for vulnerability request and response
  • Added “Scans per Website Group” report type to Reporting page
  • Added an option to general settings to configure retention period for raw scan files (onpremises only)
  • Invicti Desktop integration: ability to import and export scans between the scanners.
  • Added Server-Side Template Injection (SSTI) vulnerability checks.
  • Added the OWASP 2017 Top Ten classifications report template.

NEW SECURITY CHECKS

  • Expect-CT security checks.
  • Added various new web applications in the application version database.
  • Added out of date checks for Hammer.JS., Phaser., Chart.js., Ramda., reveal.js., Fabric.js., Semantic UI., Leaflet., Foundation., three.js., PDF.js., Polymer.

IMPROVEMENTS

  • Added elapsed time information for ongoing scans
  • Added an option to scan reports page for hiding addressed issues
  • Improved Agents page to display configured agents’ versions (onpremises only)
  • Added CVSS score to JSON vulnerabilities report
  • Improved user profile to display trial expiration date
  • Improved response status messages on the API documentation
  • Added Invicti Enterprise issue link to created tickets for supported issue tracking systems (JIRA, TFS, GitHub and FogBugz)
  • Improved help text for schedule scan’s license errors
  • Allowed team members to manage their own notification settings
  • Added “Copy to Clipboard” functionality for API settings
  • Improved Incremental Scan page to configure maximum scan duration
  • Added an icon for scans launched by continuous integration systems
  • Added “LookupId” unique identifier for vulnerabilities to “/scans/report” API endpoint
  • Added “FirstSeenDate” and “LastSeenDate” fields for vulnerabilities to “/scans/report” API endpoint
  • Added “CreatedAt” and “UpdatedAt” fields for “/websites/list” API endpoint
  • Added “/vulnerability/list” API endpoint to list vulnerability templates
  • Improved logs for client certificate validation errors
  • Crawler can now parse multiple sitemaps in a robots.txt file.
  • Added support for parsing swagger documents in yaml format.
  • Added support for parsing relative meta refresh URLs.
  • Improved parsing of websites using React framework.
  • Content-Security-Policy-Report-Only header is not reported as an interesting header.
  • Variations are retested before starting an incremental scan.
  • Improved JavaScript content check performance while detecting out of date versions.
  • Renamed FogBugz send to action to its new name Manuscript.
  • GitHub Send to action now works with organization accounts and private repositories.
  • Added support for handling HTTP 307 redirects.
  • DS_STORE files are discovered and parsed.
  • Added WAF (Mod Security) rule generation support for out of band vulnerabilities.
  • Improved MySQL double encoded string attacks.
  • New Extensions scan policy settings to specify which extensions should be crawled and attacked.
  • Added “Disallowed HTTP Methods” settings to scope options on the new scan page.

BUG FIXES

  • Fixed an issue where empty value was not accepted for Excluded URLs
  • Fixed an issue where invitation was not deleted after an account deleted
  • Fixed font size for highlighted fields on vulnerability details
  • Fixed an issue where validation was not working as expected for Invicti Hawk settings
  • Fixed an issue where VDB update date was not persisted as expected
  • Fixed some possible vulnerabilities missing [Possible] indicator in title.
  • Fixed highlighting problem for “Password Transmitted over HTTP” vulnerability.
  • Fixed the incorrect Possible LFI caused by the persisted OOB RCE pattern on the page response.
  • Fixed incorrect “[Possible] WS_FTP Log File Detected” vulnerability.
  • Fixed Hawk validation error by not following redirects.
  • Fixed the issue where a vulnerability is not reported when the cookie contains a CSRF token.
  • Fixed the issue where static detection vulnerabilities are treated as fixed after a retest even though they are not.
  • Fixed the issue where CSRF token in the cookie is not reported when token is in the form action.
  • Fixed the issue on GitHub send to action where the test passed but vulnerability issue cannot be created.
  • Fixed the SSL check hang on HTTP only hosts.
  • Fixed LFI engine by not analyzing source code disclosure on binary responses.
  • Fixed a validation issue for some Swagger documents.
  • Fixed the issue where CSP keywords are not reported when used without single quotes.
  • Fixed mailto: and javascript: links which were incorrectly reported as mixed content.
  • Fixed incorrect source code disclosures reported in binary responses.
  • Fixed incorrect UNC Server And Share Disclosure vulnerability reports.
  • Fixed out of date version reporting behavior when no ordinal is found in version database.
  • Fixed Lighttpd version disclosure detection signatures.
  • Fixed a Swagger parsing issue.