Home
/
Documentation
/
Invicti Enterprise On-Premises Release Notes
Invicti Product Release Notes
Invicti Enterprise On-Demand
Invicti Enterprise On-Premises
Invicti Standard
Invicti Application Security Platform
Release Notes

Invicti Enterprise On-Premises

RSS FEED
6-Jan-2021
COPY LINK

NEW FEATURES

  • Added the Stop the Scan if the Build fails option in GitLab CI/CD
  • Added the Fail the Build if one of the selected scan severity is detected option in GitLab CI/CD
  • Upgraded the Invicti scanning engine to version 5.9.1.27722.

NEW SECURITY CHECKS

  • Added Oracle WebLogic Server Remote Code Execution (CVE-2020-14882)
  • Added Oracle WebLogic Server Authentication Bypass (CVE-2020-14883)

IMPROVEMENTS

  • Added the Scan Group selection combo box to Trend Matrix Report
  • Added WASC Threat Classification Report
  • Added the Export Unconfirmed option in the report generation screen
  • Added the info box to Custom Scripts window for the Form Authentication
  • Added URL Rewrite Rules while a file is being imported
  • Added Uniqueness Controls on the new integration wizard
  • Added validations of new integration wizard
  • Added Swagger JSON link API document's index
  • Added the Exclude Authentication Pages checkbox when the Form Authentication option is enabled
  • Improved the Discovery Page’s performance
  • Improved the performance of generating reports that contain a large number of vulnerabilities
  • Improved the custom script’s performance
  • Improved the website preview image resolution on the Verify Login & Logout screen
  • Refactored the Report Policy Migrator
  • Disabled auto-complete in the login page inputs.
  • Changed the data protection policy link
  • Changed the issue email template's website URL
  • Admin users can now set the maximum number of websites a member can add
  • Excluded usage tracker list can now be added from the new scan page

FIXES

  • Fixed a bug when scheduled scan with an imported file is edited by a different user
  • Fixed a bug in the Custom Cookie process
  • Fixed imported file bug on scan profile saving
  • Added minimum agent selection control for Agent Group
  • Fixed Agents Scanning tooltip
  • Fixed the auto-scaling problem that occurred while using Cloud Provider in Invicti Enterprise On-Premises
  • Fixed the First Seen Date parameter in the Kenna integration
  • Fixed Burp XML file import problem. Users can import Burp XML file
  • Fixed report validation export problem. Users will not get an empty file
  • Fixed the error related to exporting for customers who have many websites.
  • The websites belonging to the filtered website group have been provided to be exported.
  • Users can now add a new URL Rewrite Rule without losing the existing ones

5-May-2016
COPY LINK

NEW SECURITY CHECKS

5-Feb-2019
COPY LINK

NEW FEATURES

  • Added support for merging accounts (On-Premises only). This will move all resources (Users, Websites, etc.) into the selected master account and delete all other accounts.

IMPROVEMENTS

  • Account Owner or users with Administrator permission can now delete other Team Members' policies.
  • Updated some third-party libraries to the latest version.
  • Added OWASP 2017 classification data to the Executive Summary report.
  • SSO Enforcement has been disabled for users with Administrator permission (On-Premises only).

BUG FIXES

  • Fixed an issue where a JavaScript setting was not set as expected on the New Scan Policy page.
  • Fixed an issue that was thrown when deleting an account.
  • Fixed a bug where it was not possible to configure country code top-level domain (co.uk, com.tr, etc.) on the Discovery Settings page.
4-May-2016
COPY LINK

New Features

NEW SECURITY CHECKS

  • Detection of SQLite Database files.
  • Detection of Microsoft Outlook Personal Folders File (.pst) files.
  • Detection of DS_Store files.
  • Detection of SVN files, supporting the latest version of SVN.

IMPROVEMENTS

  • Improved LFI "Long attack - boot.ini" attack.
  • Added Internet Explorer 10, 11 and Microsoft Edge browser user agent values.
  • Improved the performance of the scan session auto saves.
  • Improved link importing to better handle relative URLs.
  • Improved the "MIME Types" knowledge base list by ordering items alphabetically.
  • Added "Extract static resources" option to JavaScript scan policy settings.
  • Improved coverage of XML External Entity engine.

FIXES

  • Fixed an attacking issue that occurs when retesting a vulnerability in an incremental scan.
  • Fixed a link parsing issue in the text parser where links were incorrectly split.
  • Fixed a form authentication "Override Target URL with authenticated page" issue which caused a wrong URL to be identified as the "Target URL".
  • Fixed a highlighting issue where the URL for "Insecure Frame (External)" vulnerability is partially highlighted.
  • Fixed an incorrect "Source Code Disclosure" vulnerability report when the response contained an ASP.NET event validation code sample.
  • Fixed a broken link in XSS vulnerability templates.
4-Jul-2016
COPY LINK

NEW FEATURES

NEW SECURITY CHECKS

  • Added Samesite cookie attribute check.
  • Added Reverse Tabnabbing check.
  • Added Subresource Integrity (SRI) Not Implemented check.
  • Added Subresource Integrity (SRI) Hash Invalid check.

IMPROVEMENTS

  • Various memory usage improvements to better handle large websites.
  • Improved vulnerability templates by adding product information when a 3rd party web application (WordPress, Drupal, Joomla, etc.) is discovered.
  • Improved DOM simulation by supporting HTTP responses that is translated to HTML web pages using XSLT.
  • Improved coverage of Local File Inclusion security check engine.
  • Improved the automatic form authentication script to click the "button" HTML elements if no suitable button is found.
  • Improved the "HTML Base Tag Hijacking" vulnerability template.
  • Improved the long-term memory usage of the DOM simulation and cross-site scripting (XSS) scanning.
  • DOM simulation smart filtering now prunes unnecessary DOM branches.
  • Improved the detection of "Redirect Body Too Large" vulnerability.

BUG FIXES

  • Fixed the "Cross-site Scripting via Remote File Inclusion" vulnerability, which was not being confirmed automatically.
  • Fixed the incorrect form value issue when the #DEFAULT# form value is removed.
  • Fixed an HTTP Archive Importer issue during which the POST method was parsed as GET when postData is empty.
  • Fixed a bug in which a GWT parameter that contained a Base64 encoded value was not detected.
  • Fixed a time span parsing bug in Knowledge base report templates.
  • Fixed an issue in which some vulnerabilities are treated as fixed while retesting.
  • Fixed an issue in which XSS proof URL was missing alert function call.
  • Fixed the broken "Generate Debug Info" function of JavaScript simulation feature.
  • Fixed a NullReferenceException that can be thrown by the Subresource integrity security checks.
  • Fixed cURL login sample in API documentation.
31-Jan-2018
COPY LINK

NEW FEATURES

  • Added agent grouping support which allows to launch scans in specified agent group. This feature is only available for on-premises standard agents.
  • New API endpoints for getting website and website group details.

IMPROVEMENTS

  • Changed Netpsparker Enterprise application's loading icon.
  • Added an icon to indicate external links.

BUG FIXES

  • Fixed an issue where scans are not launched on on-premises AWS scanner agents.
  • Fixed an issue where realtime scan results are not displayed correctly in IE11.
  • Fixed an issue where proofs are not displayed correctly on vulnerability details section.
3-Nov-2016
COPY LINK

New Technical Check

  • Added "Cookie Header Contains Multiple Cookies" check

Improvements

  • Improved the Content Security Policy (CSP) and "Misconfigured Access-Control-Allow-Origin Header" vulnerability templates.
  • Improved CSP vulnerability detection by only reporting vulnerabilities on HTML resources.
  • Improved the coverage of the boolean SQL injection vulnerability engine.

Fixes

  • Fixed an issue which was preventing the deletion of multiple websites.
  • Fixed the External CSS, Script and Frame Knowledge Base items which were not considering the port during checks.
  • Fixed an issue in the Open Redirect detection where incorrect URLs may also be reported.
  • Fixed an issue related to the form authentication which prevents logout detection during attacking phase.
  • Fixed an Local File Inclusion (LFI) vulnerability detection issue when attacked with a FullUrl payload.
  • Fixed an incorrect retest result which occurs when the target website is not reachable.
  • Fixed a CSP vulnerability issue for deprecated CSP header name on meta tags.
29-Nov-2016
COPY LINK

New Feature

Improvements

  • Description in Scan Status have been improved to give a better overview.
  • Added a new crawling option Find and Follow New Links. Previously it was hidden and always enabled.
  • Improved the names of the exported reports by adding the report type as prefix in filename.

Bug Fixes

  • Fixed an issue where the target website screenshot was not being captured.
  • Fixed the CSS styles in some knowledge base items in the scan report page.
  • Fixed an issue where the Upload client certificate button was not working.
29-May-2018
COPY LINK

NEW FEATURES

  • Added SSO (Single Sign-On) support (onpremises only)
  • Added an option to "Scan Policy > HTTP Request" settings to capture HTTP Requests
  • Added installation wizard for onpremises installation (onpremises only)
  • New plugin for integration with Bamboo
  • Added code highlighting support for vulnerability request and response
  • Added "Scans per Website Group" report type to Reporting page
  • Added an option to general settings to configure retention period for raw scan files (onpremises only)
  • Invicti Desktop integration: ability to import and export scans between the scanners.
  • Added Server-Side Template Injection (SSTI) vulnerability checks.
  • Added the OWASP 2017 Top Ten classifications report template.

NEW SECURITY CHECKS

  • Expect-CT security checks.
  • Added various new web applications in the application version database.
  • Added out of date checks for Hammer.JS., Phaser., Chart.js., Ramda., reveal.js., Fabric.js., Semantic UI., Leaflet., Foundation., three.js., PDF.js., Polymer.

IMPROVEMENTS

  • Added elapsed time information for ongoing scans
  • Added an option to scan reports page for hiding addressed issues
  • Improved Agents page to display configured agents' versions (onpremises only)
  • Added CVSS score to JSON vulnerabilities report
  • Improved user profile to display trial expiration date
  • Improved response status messages on the API documentation
  • Added Invicti Enterprise issue link to created tickets for supported issue tracking systems (JIRA, TFS, GitHub and FogBugz)
  • Improved help text for schedule scan's license errors
  • Allowed team members to manage their own notification settings
  • Added "Copy to Clipboard" functionality for API settings
  • Improved Incremental Scan page to configure maximum scan duration
  • Added an icon for scans launched by continuous integration systems
  • Added "LookupId" unique identifier for vulnerabilities to "/scans/report" API endpoint
  • Added "FirstSeenDate" and "LastSeenDate" fields for vulnerabilities to "/scans/report" API endpoint
  • Added "CreatedAt" and "UpdatedAt" fields for "/websites/list" API endpoint
  • Added "/vulnerability/list" API endpoint to list vulnerability templates
  • Improved logs for client certificate validation errors
  • Crawler can now parse multiple sitemaps in a robots.txt file.
  • Added support for parsing swagger documents in yaml format.
  • Added support for parsing relative meta refresh URLs.
  • Improved parsing of websites using React framework.
  • Content-Security-Policy-Report-Only header is not reported as an interesting header.
  • Variations are retested before starting an incremental scan.
  • Improved JavaScript content check performance while detecting out of date versions.
  • Renamed FogBugz send to action to its new name Manuscript.
  • GitHub Send to action now works with organization accounts and private repositories.
  • Added support for handling HTTP 307 redirects.
  • DS_STORE files are discovered and parsed.
  • Added WAF (Mod Security) rule generation support for out of band vulnerabilities.
  • Improved MySQL double encoded string attacks.
  • New Extensions scan policy settings to specify which extensions should be crawled and attacked.
  • Added "Disallowed HTTP Methods" settings to scope options on the new scan page.

BUG FIXES

  • Fixed an issue where empty value was not accepted for Excluded URLs
  • Fixed an issue where invitation was not deleted after an account deleted
  • Fixed font size for highlighted fields on vulnerability details
  • Fixed an issue where validation was not working as expected for Invicti Hawk settings
  • Fixed an issue where VDB update date was not persisted as expected
  • Fixed some possible vulnerabilities missing [Possible] indicator in title.
  • Fixed highlighting problem for "Password Transmitted over HTTP" vulnerability.
  • Fixed the incorrect Possible LFI caused by the persisted OOB RCE pattern on the page response.
  • Fixed incorrect "[Possible] WS_FTP Log File Detected" vulnerability.
  • Fixed Hawk validation error by not following redirects.
  • Fixed the issue where a vulnerability is not reported when the cookie contains a CSRF token.
  • Fixed the issue where static detection vulnerabilities are treated as fixed after a retest even though they are not.
  • Fixed the issue where CSRF token in the cookie is not reported when token is in the form action.
  • Fixed the issue on GitHub send to action where the test passed but vulnerability issue cannot be created.
  • Fixed the SSL check hang on HTTP only hosts.
  • Fixed LFI engine by not analyzing source code disclosure on binary responses.
  • Fixed a validation issue for some Swagger documents.
  • Fixed the issue where CSP keywords are not reported when used without single quotes.
  • Fixed mailto: and javascript: links which were incorrectly reported as mixed content.
  • Fixed incorrect source code disclosures reported in binary responses.
  • Fixed incorrect UNC Server And Share Disclosure vulnerability reports.
  • Fixed out of date version reporting behavior when no ordinal is found in version database.
  • Fixed Lighttpd version disclosure detection signatures.
  • Fixed a Swagger parsing issue.
29-Jan-2016
COPY LINK

New Features

  • Added "Fixed Vulnerabilities" chart to website and global dashboard
  • Added vulnerability list to website dashboard

Improvements

  • Improved support for Single Page Applications (SPA) and dynamic web applications by rewriting the DOM parser
  • Improved DOM Parser and DOM XSS performance
  • Added trend report support for all scan groups
  • Improved cookie validation on the new scan page
  • Removed web application fingerprint step from the Scan Policy Optimizer wizard
  • Added tooltips for URL rewrite settings on the new scan page
  • Added automatic exploitation for Boolean and Blind SQL Injection vulnerabilities
  • Added proof of concept for the blind SQLi vulnerabilities
  • Added "Proofs" knowledge base nodes
  • Improved "Remember Me" functionality on the login page
  • Removed out of scope links from URL rewrite report
  • Added HTTP response status code 308 to list of redirect status codes
  • Added Crawling and Scan Performance knowledge base nodes
  • Eliminated web application fingerprinter's meta tag requests by re-using crawled link response
  • Improved performance of the email disclosure detection pattern significantly
  • Added .svg to default set of ignored extensions on the policy settings

Bug Fixes

  • Fixed documentation of conditionally required fields in API
  • Fixed editing issues on collective editor of vulnerability tasks
  • Disabled website verification for on-premises installations
  • Fixed a bug which could occur while taking a screenshot during the scan
  • Fixed a bug that occurs when a proof of concept is empty
  • Fixed a FileNotFoundException occurs while caching DOM requests
  • Fixed the explanation text for Entered Path and Below scope
  • Fixed the SSL/TLS fall back code to cover more HTTPS web sites
  • Fixed an out of date JavaScript library version issue where identified version was bigger than Invicti’s latest version
  • Fixed the slow performance issue which occurs when "Automatically Detect Settings" proxy setting is enabled
  • Fixed an out of date JavaScript library version issue where version value cannot be captured
  • Fixed a not found detection issue where redirect analysis fails on redirect cases
28-Oct-2020
COPY LINK

IMPROVEMENTS

  • Added a 'Generate optimized CSS code path' feature to the Authentication Verifier
  • Improved the Minimum Security Level area on the Reporting page
  • HIPAA will be displayed instead of OWASP in the scan summary
  • Added scan folder path change option for internal agents

FIXES

  • Fixed the issue where the IP addresses of websites listed on the Discovered Website page were ignored
  • Fixed the issue where SAML files failed to download on MAC devices
  • Fixed the problem that occurred during verification of the form authentication API endpoint where it returned the same result after the first request
  • Fixed the problem that occurred while configuring email notifications
  • Fixed the problem that occurred while canceling stalled scans
  • Fixed the connection problem that occurred while using a proxy in internal agents
  • Fixed the autoscale problem in internal agents
28-Apr-2020
COPY LINK

NEW FEATURES

  • Added support for U2F (Universal 2nd Factor Authentication)
  • Added support for disabling API Access for a Team Member
  • Added issue synchronization support for Azure DevOps
  • Added a new Form Validation Errors node to the Knowledge Base panel, and to scan reports
  • Added CVSS 3.1 support, to help with vulnerability scores
  • Added a new Query Parameters checkbox to the Parameter-Based Navigation section of the Crawling tab in the Scan Policy Editor
  • Added support for sending scan reports as email attachments on scan completed notification
  • Upgraded the Invicti scanning engine to version 5.7.2.27798

IMPROVEMENTS

  • Improved Integration categories and New Integration pages to provide a better user experience
  • Added support for Windows Authentication (Integrated Security) for database connections (On-Premises only)
  • Updated the Terms of Service page
  • Added Technical Contact information to the 'websites/list' API endpoint
  • Added start-end date filters to the '/scans/listbystate' and '/auditlogs/export' API endpoints
  • Added an 'excludeAddressedIssues' filter to the '/scans/report/' API endpoint
  • Added a Failure Reason option to the Reason filter for failed scans
  • Added additional help text to the Issues' Detail window for groupable issues
  • Added support for Admin users to manage their Team Member's Report Policies
  • Added Profile ID information to the response of the '/scans/detail' API endpoint

NEW SECURITY CHECKS

  • Added a Login Page Identifier security check
  • Added a Content Delivery Networks (CDN) security check
  • Added a Reverse Proxies security check

BUG FIXES

  • Fixed a bug where issue counts were not returned for ongoing scans on the '/scans/detail' API endpoint
  • Fixed an issue where validation errors were shown for custom cookies
  • Fixed an issue where Technologies were not reported if a scan was completed in a short time
  • Fixed a browser compatibility issue that occurred while testing OAuth2 credentials
  • Fixed a bug where the Scan Time Window settings were not applied in Scheduled Incremental scans
  • Fixed an issue where pre-request scripts were not being sent to the scanner as expected
  • Fixed an issue where preferred Agent Group was not populated in the New Scan window
  • Fixed a bug where JavaScript settings were not set as expected for optimized Scan Policies