Invicti Enterprise On-Premises

New features

• Added the option to set a Custom HTTP Authorization Header under Scan policy > HTTP > Request
• Adjusted agent download parameters to allow installation of internal scanner agents using the Docker client via the Invicti registry service
• Changed the compression tool and default compression format for log files from 7zip to Tar
• Added functionality to enable entering of multiple IP addresses and IP ranges into the IP Address Restrictions setting. Previously, only single-entry IP addresses were permitted.
• Added TLS certificate authentication as an option when integrating with HashiCorp Vault. Previously, we only supported token authentications.

New security checks

• Added new patterns to detect XSS

Improvements

• Improved notification delivery with integration services
• [Closed Beta] Protected visibility of passwords within custom scripts 
• Improved detection and reporting of File Inclusion vulnerabilities 
• Improved detection and reporting of Sensitive Data Exposure vulnerabilities
• Improved detection and reporting of Dockerfiles
• Disabled caching from the boolean-based MongoDB security engine to avoid possible false positives
• Improved the content-type exemption for non-HTML content types in the CSP engine
• Improved the typehead.js check to increase stability
• Removed the X-XSS-Protection header check because it is deprecated by modern browsers
• Added functionalities to prevent bot detection and fixed an issue that was causing cookie loss after authentication
• Improved the remediation part for the JetBrains .idea detected vulnerability
• Added information to the UI about the functionality of the 'Edit My Team's Role' permission
• Added bypass list functionality for scan policies

Fixes

• Fixed a bug in the date filter that was causing incorrect information to display on the dashboard
• Fixed the external SOAP web service import problem
• Fixed a problem that was causing default values to be filled incorrectly, resulting in false negatives
• Fixed Vulnerabilities visible from the UI but not via API in certain failed scan situations
• Fixed inconsistent scan states in rare deleted scan scenarios
• Fixed missing Next Execution Time for certain scheduled scans
• Fixed an issue that prevented saving scheduled scans in some scenarios
• Fixed inconsistencies in the Resource Finder with certain hidden files and backup files
• Improved updating of groups in Azure Provisioning scenarios
• Fixed a problem with converting scan data while the CloudProvider Settings page is open
• Fixed a database update exception when a large number of scans are launched simultaneously
• Fixed the incorrect reporting of outdated technology versions
• Fixed a bug that was preventing reports from being saved
• Fixed a bug that can cause too much browser user data to be left in the temp folder
• Fixed a bug that was stopping the certificate authentication process from working correctly for Authverifiers
• Fixed a boolean-based MongoDB Injection that was causing false positives in scan reports
• Fixed the incorrect display of vulnerabilities when importing scan results from Invicti Standard to Invicti Enterprise
• Fixed a bug that was preventing the editing of internal website URLs
• Fixed a character validity issue so that user names with Danish characters can now be edited in the UI
• Fixed a bug that was allowing access to the UI via the back button after the user had signed out
• Fixed the Discovery Main Domains Filter Expression that was not working properly for some domains
• Fixed an issue that was causing tags to be duplicated when a website was imported using a CSV file
• Fixed the update agent command that was not working correctly
• Fixed the internal Linux v23.7 AV agent that wasn’t sending header configurations
• Encrypted the proxy password used in the scan policy file
• Fixed a scan coverage issue
• Fixed a custom script issue so that now passwords written to the logs are encrypted
• Fixed an issue where vulnerabilities could not be generated as CloudFlare WAF rules via API

NEW SECURITY CHECK

• Added "Out of Band Code Evaluation (Apache Struts 2)" security check (CVE-2017-9805).

NEW FEATURES

• Added Application/Service Discovery feature
• Added out of the box integration for GitLab CI
• Added custom recurrence options to Scheduled Scans to support advanced scheduling scenarios
• Added support for downloading internal scanner agents on Manage Agents page (On-Demand only)
• Added raw text option to Import Websites page

IMPROVEMENTS

• Improved colors for the app menu to follow WCAG guidelines
• New scheduled scans are not added to the queue if a delayed one already exists
• Improved validatation for SSO configuration pages
• Updated EULA and TOS pages
• Added support for deleting agents on the Manage Agents page
• Readjusted API rate limits
• Added a Data Protection Policy page
• Account admins can now disable other team members' 2FA settings
• Improved the wording on several pages
• Improved JIRA integration to prevent reopening the same issue twice in JIRA
• Added support for running concurrent scans on a single Enterprise computing instance (ondemand only)
• Attack Pattern' renamed as 'Payload' in the Send To integration templates
• Added tooltip for Scan and Report Policies options on the New Scan page

BUG FIXES

• Fixed the problem where Severity Trends displayed global severity numbers even if a Scan Group was selected on the Website Dashboard page
• Fixed an issue where the Manage Websites page, where the Last Scanned column was displaying the last scan's initiation time
• Fixed a bug where the severity order was wrong for the Retest Summary section on the Scan Report page

NEW FEATURES

• Added resetting token support for agents

FIXES

• Fixed an issue where Authentication Verification was failing to verify in the Scan Profile

New Features

• Authentication & session verification for form based authentication.
• Credentials test for Basic and NTLM/Kerberos authentication mechanisms.
• Support for the Invicti Hawk infrastructure, used for detecting SSRF and out-of-band vulnerabilities.
• Added HTTP request rate limiting options to Scan Policy.
• Added "Ignored Email Addresses" section in Scan Policy.
• Added accept and reject options for untrusted SSL certificates.
• Added an option to disable automatic detection of 404 error pages.
• Support for importation of Postman files.

New Security Checks

• New security checks for Server Side Request Forgery (SSRF) vulnerability
• New security checks for out-of-band vulnerabilities such as OOB SQL Injection, OOB XXE, Blind XSS, OOB RCE, OOB RFI etc.
• New security check for Stored DOM based XSS
• Added "Missing object-src in CSP Declaration" vulnerability detection.
• Added "Apache Multiple Choices" vulnerability detection.

Improvements

• Improved the performance of several link importers.
• Added "Bearer Token" support for form authentication.
• Added confirmation for Frame Injection vulnerabilities.
• Added http: and https: checks for CSP vulnerability detection.
• Improved link importers - redundant CONNECT requests are now excluded.
• Optimized attacker performance for links containing single parameter.
• Optimized crawling parser by skipping DOM simulation on pages with static content.
• Improved coverage of CORS security check with extra attacks.
• Removed GWT attacks from file upload security checks.
• Improved DOM simulation performance.
• Improved CSS parsing which now follows CSS import directives.
• Improved coverage of open redirect security checks by adding/updating attacks patterns.
• Improved logout detection by skipping JavaScript responses.
• Added support for "HTTP 410 Gone" and "HTTP 451 Unavailable For Legal Reasons" response status codes.
• Added CVSS information to more vulnerabilities.
• Updated vulnerability database.
• Added URL Rewrite mode to Detailed Scan Report.
• Added support for configuring websites on manage groups page.
• Improved the UI & UX of several pages.

Bug Fixes

• Fixed an issue where a “multiple cookies issue” should not be reported.
• Fixed a JSON parsing issue with text parser.
• Fixed an HTTP response issue where the response could not be read because only BOM bytes are sent on first read attempt.
• Fixed an issue where a false positive file upload vulnerability might be reported.
• Fixed several DOM simulation issues on pages that have many iframe elements.
• Fixed a NullReferenceException while performing an internal MD5 encoding operation.
• Fixed an encoding issue on a proof URL of an XSS vulnerability.
• Fixed an issue where "Shell Script Identified" vulnerability is not found when retested.
• Fixed URL parsing on pages where the URLs were containing whitespace characters like carriage return and line feeds.
• Fixed a text parsing issue where absolute URLs were converted to invalid relative URLs.
• Fixed incorrect protocol detection for protocol-relative URLs.
• Fixed an issue which occurs during importing websites with unix line endings.
• Fixed a retest issue which occurs if vulnerable URL contains a dash character.
• Fixed an issue where SSL details were not shown properly on knowledge base report.

IMPROVEMENT

• Updated terms of services document

BUG FIXES

• Fixed a bug where XML reports can not be exported
• Fixed a bug where Jenkins integration was not working as expected
• Fixed an issue where "Check for Updates" was not displaying correct result for team member users
• Fixed a bug where sorting was not working on Scheduled Scans page

NEW FEATURES

• Added a new Sitemap section to scan reports which shows crawled URLs and identified issues
• Added a new in-app notification section called What's New which informs for important announcements
• Added out of the box issue tracking integration for Freshservice, YouTrack, and Splunk
• Added facility to send New Scan notifications using the Microsoft Teams integration
• Added Pre-Request Script feature which helps to configure HMAC Authentication on New Scan page (On-Premises only)
• Added new API endpoints for managing technologies
• Upgraded the Invicti scanning engine to version 5.6.3.27318

IMPROVEMENTS

• Redesigned Scan Summary section on Scan Report page
• Improved scan queue scheduling process which prevents multiple scans with same settings to be queued
• Improved Out-of-Date technologies email template for mobile clients
• Improved rendering for large fields on the scan report template
• Improved help text for Enable/Disable Agent actions on Manage Agents page
• Security Check Groups are now arranged into sub-groups in the New Scan Policy
• Set current user as the default technical contact on New Website page

NEW SECURITY CHECKS

• Added version disclosure and out-of-date checks for Telerik Web UI
• Added detection and out-of-date checks for Java and GlassFish

BUG FIXES

• Fixed a bug where filtering is not working as expected on the Report Policies page
• Fixed an error that was thrown during generating the Mod Security WAF Rules Report
• Fixed an issue where testing basic authentication credentials were not working as expected

Improvements

• Increased severity of the Insecure Transportation Security Protocol Supported (SSLv2) vulnerability to Important
• Added support for adding several more request HTTP headers including the "Host" header

NEW FEATURE

• Added SSO (Single Sign-On) support for Netparker Enterprise On-Demand

IMPROVEMENTS

• Improved text shown after deleting a website
• Improved text shown on Authentication Verifier Settings page
• Improved help text for Recaptcha setting shown on Service Settings page
• Removed 2FA disable button for users who do not have required access permission (previously displayed as disabled)
• Improved timer behaviour of validation code shown on SMS Settings page
• Improved order of vulnerabilities in several reports
• Response content will not be rendered if it's higher than 10MB, instead response data can be downloaded from scan results page
• Refactored and improved performance of reports which can be exported from Scan Results page
• Added market place links for Jenkins, TeamCity and Bamboo plugins shown on Integrations page
• Improved validation messages for JIRA integration
• Improved samples for new website API documentation
• Changed wording on General Settings page
• Simplified endpoint format for Authentication Verifier settings

BUG FIXES

• Fixed a bug where if previous scan failed with domain resolution error, subsequent scans failed unexpectedly with the same error
• Fixed a bug where imported Swagger file was not parsed during scanning
• Fixed a bug where multiple SAML configurations might be configured with same configuration identifier
• Fixed an issue where Agent could not be disabled on Manage Agents page
• Fixed an issue where Jenkins icon was not displaying properly on IE
• Fixed a bug where sorting was not working for Next Execution Time on Scheduled Scans page
• Fixed a bug where product update links were not displaying correctly
• Fixed a bug where configured Scan Policies' user agent was not used in Authentication Verifier
• Fixed documentation links for SSO providers
• Fixed API authorization error thrown on notification endpoints for Team Members
• Fixed an issue where custom reports were not displayed on Scan Results page
• Fixed an issue where Knowledge Base data was not saved properly

New Features

• Completely revamped the Invicti Enterprise vulnerability tracking system.

Improvements

• Improved the users' permissions as explained in Understanding and configuring Invicti Enterprise users permissions.
• Added several tooltips in the UI.

Bug Fixes

• Fixed wrong websites threat levels (they were just representing the last scan's threat level).
• Fixed the security overview chart which was showing only the last scan's threat level for each website.

NEW FEATURES

• Added Mattermost integration
• Upgraded the Invicti scanning engine to version 5.8.1.27665
• Added API support for the Discovery service

NEW SECURITY CHECKS

• Added a new vulnerability for Same Site Cookies that are set to None and not marked as secure

IMPROVEMENTS

• Added support for Admin users to log in with Invicti Enterprise credentials when SSO is enforced
• Added extra information about issues to the Jira Integration
• Added control for Target Url field to disable Scan Settings if it's empty
• Added Timezone information to Scan Time Window section in the New Scan window
• The Invicti API icon has been changed on the Integrations window
• Added Manage Issues (Restricted) to the Permission Matrix
• Added a Website Groups filter to the New Team Member window
• Added a notification for Login Failed situation during scans
• Added a Website Group filter to the Recent Technologies window

FIXES

• Fixed the More information link in the New Website window
• Fixed a bug where email notifications about Technologies were not being sent as expected
• Fixed an issue where date filters were not working as expected
• Fixed a bug in the website authentication process in the GitLab integration
• Fixed an issue where the Internal Agent automatic update process was hanging
• Fixed an issue in scans that are exported from Invicti Standard into Invicti Enterprise
• Fixed an issue where Mark as Read was not working in Application Notifications
• Fixed a bug where Imported Links and files were not returned for ongoing scans on the '/scans/list-scheduled' API endpoint
• Fixed a bug that occurred when adding an internal website in the '/websites/new' API endpoint
• Fixed an issue where Excluded Path was not saved in the Scan Profile save action
• Fixed an issue where Preferred Agent was not saved in the Scan Profile save action
• Fixed an issue where issue counts were duplicated in the Annual issue chart

NEW FEATURES

• Added support for integrating Invicti Enterprise with JIRA issue tracking system.
• (BETA) Added support for scanning internal websites in Invicti Enterprise
• Added proxy support for on-premises scanner agents.

IMPROVEMENTS

• Decreased scan results' registration time by optimazing database queries.
• Added several improvements for running Invicti Enterprise on-premises on AWS.
• Added more information (such as Total Requests and Average Speed) to the detailed scan report.
• Improved code samples used in API documentation.
• Improved help text and messages.
• Added delete button to website edit page.
• Improved scanner agent's startup script to ensure agent is started properly.
• Improved sign-in/logout flow to make user sessions more secure.
• Reviewed and fixed duplicate IDs in HTML elements.
• Improved design of the email templates.
• Updated AWS SDK to the latest version.
• Added Korean support to scan report API endpoint.
• Added support for setting preferred agent name via API.
• Added status information to preferred agent section on the new scan page.

FIXES

• Fixed an issue with the archiving of raw scan files.
• Fixed the total website count which was incorrect on manage website groups page.
• Fixed the user's date format that was not used while selecting dates on account settings page.
• Fixed the account settings page which was not displayed properly in high-DPI screens.
• Fixed a bug where issue counts were not displayed correctly on website dashboard page.
• "JavaScript - Elements To Skip" setting was is now set properly in new scan policy page.
• Expired license error is now returned properly in API endpoints.
• Fixed issues with the order of the websites in the "Websites That Have Shortest Fix Time" widget.
• Fixed an error which was being thrown when adding a website via API in Invicti Enterprise on-premises.
• Fixed CVE links in scan report page.
• Fixed a bug in website verification API endpoint.
• Fixed a NRE which was being thrown during exporting CSV reports.
• Fixed a bug where CSV comma separator is not remembered on Export to CSV pages.
• Fixed an error which was being thrown during deleting a scan profile.
• Fixed a bug in website verification API endpoint.