Invicti Product Release Notes
Release Notes
Invicti Enterprise On-Premises
FEATURES
- Policy Settings Permission Change: Managing Policy Settings now requires the "Start New Scan" permission
- Added Two Factor Authentication Support - Account admins can enforce 2FA to team members
- Added weekly intervals support to trend report in the website dashboards
- Added support for displaying pending tasks on the website dashboard
- Mobile-friendly UI with a lot of design improvements
IMPROVEMENTS
- Added weekly interval support to dashboard trend
- Added pending vulnerability tasks to website dashboard
- "Your account" page split into four pages
- Team member disable support
- Improved scan data cleanup to remove raw scan files
- Improved email sending process to ensure emails are sent for correct actions
- Added status change logs for vulnerability tasks
- Added an email button to Team Invitation page
- Users can resend invitations with this button
- Improved error messages when email fails to send
FIXES
- Fixed Browser Compatibility Warning shown in Chrome on iPhone
- Fixed an error which occurs while deleting a scan policy
- Fixed target URL link on scan report page
NEW FEATURES
- Added auto update support for scanner agents
- Improved the Manage Agents page to support filtering and allow the running of commands
- Added notifications section to top bar. It displays application specific notifications such as updates and background jobs
- Added new API endpoints for managing issues
- Added a Do not differentiate HTTP and HTTPS protocols option to the Scan Scope tab's settings
- Added OAuth2 Authentication support
- Added a new Best Practice severity level for vulnerabilities that are recommended practices but not critical
- Added an option to report only confirmed issues while generating reports
- Added an option to exclude addressed issues while generating reports
- Added F5 WAF rule generation
- Added RESTful API Modeling Language (RAML) link import support
- Added the ability to exclude certain URLs from URL Rewrite Detection
- Added support for importing links from WordPress REST API files
- Added a Scan Policy for OWASP Top 10 vulnerabilities
- Added a Scan Policy for PCI vulnerabilities
NEW SECURITY CHECKS
- Added new XSS pattern that injects the attack payload into the HREF attribute
- Added support for exploiting Drupal Remote Code Execution (CVE-2019-6340)
- Added a Unicode Transformation (Best-Fit Mapping) security check
- Added detection for possible Header Injections
- Added out-of-date detection for Oracle Database Server
- Added out-of-date detection for Mithril
- Added out-of-date detection for ef.js
- Added out-of-date detection for Match.js
- Added out-of-date detection for List.js
- Added out-of-date detection for RequireJS
- Added out-of-date detection for Riot.js
- Added out-of-date detection for Inferno
- Added out-of-date detection for Marionette.js
- Added out-of-date detection for GSAP
- Added a config.json check to the Resource Finder
- Added detection support for TS Web access
- Added detection support for .travis.yml
IMPROVEMENTS
- Improved the Import Links section on the Imported Links tab on the New Scan page. Now imported links can be viewed immediately after the target file is uploaded.
- Added CreatedAt and UpdatedAt fields to WebsiteGroup API endpoints
- Improved the responsive design for several pages
- Changed some wording for vulnerability details to use the same wording as Invicti Standard
- All clicked external links now open in a new window
- The Target website URL can no longer also be added as an Additional Website on the New Scan page
- New logo has been added to the top bar
- Improved Resource Finder step on the Scan Policy Optimization Wizard
- Jira issues are now assigned to the person who started the scan
- Improved the queue performance for scans running on cloud scanner agents
- Improved the layout for reports where no vulnerabilities are detected
- Added a new Manage Issues (Restricted) permission, which disallows marking issues as Accepted Risk or False Positive
- Added Reporter (account id type) to the JIRA integration page
- Updated SSRF IPv6 pattern names
- Improved Scan performance by allocating computer resources better
- Added XXE, File Upload, SSL, RFI, ELI, XSS via RFI vulnerabilities into vulnerability families
- Added a description that explains why only 10 pages are reported on the Slowest Pages node in the Knowledge Base
- Updated Code Evaluation (PHP) attack patterns
- Improved DOM Simulation performance and fixed several issues
- Improved React JavaScript framework support on Form Authentication
- HTML Select elements without event listeners are now simulated in DOM Simulation
- The File Upload engine searches newly discovered file names in the upload response and in the upload folders
- Improved operating system detection by the Site Profile node in the Knowledge Base
- Added support for attacking the name of POST parameters
- Improved the External References for several vulnerabilities
- Added ISO 27001 information to the Executive Summary Report
- CSP vulnerabilities will no longer display a 'certainty' value if they are already marked as Confirmed
- Fixed an issue in DOM Simulation where the change of select elements was not being properly dispatched to the underlying JavaScript framework
- Added support for exploiting XSS in text and XML content types
- Out of Date SQL vulnerabilities are now reported as Confirmed
- Added a Cookie Whitepaper reference to cookie vulnerability templates
- Added External References to ExpressJS, CakePHP and Possible Stored XSS templates
- Improved grammar in Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability details
- More commands are now executed during Code Evaluation exploitation to generate proofs
- References to 'Manuscript' have been replaced with 'FogBugz'
- Improved RFI confirmation for URL Rewrite parameters
- Improved signatures of Nginx Version Disclosure patterns
- Optimized the attack speed of XSS and LFI engines
- Added extra information to Out-of-date vulnerability templates to explain the vulnerability reason
- Cookie checks now analyze session cookie names to detect platform-specific default session names
- Stored XSS and Insecure Frame Default Report Policy vulnerability descriptions have been improved
- Added a Jira Account ID field for Jira Send To Action to assign issues to a user, since the JIRA Api does not accept the username
BUG FIXES
- Fixed an issue where the Notifications tab appeared empty when the Target URL was not selected on the New Scan page
- Removed client side console logs from several pages
- Fixed the issue where the Preferred Agent was not being set as expected for the selected scan profile on the New Scan page
- Fixed an issue where the Discovery Settings page was not working properly for low resolution views
- Fixed an issue where the Authentication Verifier was not capturing authentication settings
- Fixed a bug where the default Scan Completed notification was overwriting the custom JIRA notification
- Fixed a bug where PDF reports were not generated on the tryout console on the API docs page
- Removed the Contains filter option for numeric fields
- Fixed an issue where scans configured with a Scantime Window were blocking other scans
- Removed the redundant ReportType parameter and added a ReportFormat parameter to the CustomReport API endpoint
- Fixed a bug where ordering Issues using the Last Seen column was throwing an exception on the Issues page
- Fixed a validation issue in the Header Authorization settings in the New Scan page
- Fixed an issue where DOM simulation might conflict with some JavaScript frameworks
- Fixed the garbled configuration sample in the Remedy section of the HSTS Policy Not Enabled vulnerability
- Fixed an issue where an extra ampersand was appended to the query string while generating the URL of a Swagger imported link
- Fixed an XmlException that was thrown while trying to parse a sitemap.xml response that is not found
- Fixed a GZip decoding issue that occurred while decoding a compressed sitemap.xml
- Fixed a stuck scan issue on websites using the React JavaScript framework
- Fixed a Postman file importing issue where the response was not base64 encoded
- Fixed a NullReferenceException thrown while checking mutations on DOM
- Fixed the incorrect URLs that were added during the DOM simulation for forms without action attributes
- Fixed the issue where the SameSite cookie vulnerability was reported for cookies that were missing Lax or Strict attributes
- Fixed an issue where JavaScript file parsing was taking longer than expected on some occasions
- Fixed the issue where the incorrect severity was reported for the Cookie not Marked as Secure vulnerability of a non-session cookie
- Fixed HTTP 400 errors raised by the ServiceNow Send To integration
- Fixed an issue in the CSP engine where the 'strict-dynamic' directive was reported as an unsupported hash
- Fixed an incorrectly reported "nonce detected without matching script block" vulnerability
- Fixed a DOM simulation issue where the passed element to call the setTimeout function was being ignored
- Fixed an issue that caused false-positive Insecure Reflected Content reports
- Fixed the issue where brute-force attacks were carried out regardless of the Authentication Type
- Fixed the issue where the LFI vulnerability confirmation patterns did not match the response returned from a Linux server
- Fixed the value of double encoded null byte in LFI and XSS attack patterns
- Fixed an issue in the Swagger importer where the parameter declared on the path level was not recognized
- Fixed an issue in the LFI engine where the confirmation payload was appended to the attack payload
- Fixed the value of the double encoded null byte in the Header Injection pattern
- Fixed the encoding of the % sign in the base64 payload in XSS attacks
- Fixed the attack payload in the PHP Injection Fixed One Time Attack pattern
- Fixed the encoding issue in the SQL Injection confirmation attack
- Fixed an issue where the cookies that were set in the JavaScript context during Form Authentication were not properly captured
- Fixed an issue where the Max Simulated Elements option was causing the simulation to hang
- Fixed an uncaught TypeError that was caused by Max Option Elements checks and causing the simulation to hang
- Fixed an issue where an incorrect Subresource Integrity (SRI) Hash Invalid vulnerability was reported because of a hash miscalculation
IMPROVEMENTS
- Added scan owner information to scan results and reports
- Improved Internet Explorer support on several pages
- Added a new option for disabling the Long running scan notification to General Settings (On-Premises only)
- No longer reporting Missing X-Frame-Options header in redirect responses
- No longer reporting Missing X-XSS protection on redirect responses
- No longer reporting CSP Not Implemented for redirect responses
- No longer reporting Referrer Policy Not Implemented for redirect responses
BUG FIXES
- Fixed an issue where the Target Website could not be deleted
- Fixed an issue where the Preferred Agent in Scan Profile could not be changed
- Added several fixes for OAuth2 Authentication
- Fixed a bug where Invicti might mistakenly report some cookies as Not Secure
- Fixed an issue where connection problems on the Target Website were causing high CPU usage
NEW FEATURES
- Real-time scan results
- Added out of the box integration support for FogBugz, GitHub and TFS issue tracking systems.
- Grouping of notifications so a single email or SMS alert is sent with a list of all alerts rather than multiple individual alerts.
- New API endpoint for launching group scans.
- Scheduling for incremental scans both from the web UI and API.
- New API endpoint for generating custom scan reports.
- New scan policy setting to define Web (Session and Local) Storage.
- New Header Authentication settings to manually add request headers with authentication information.
- Added support to import links from CSV files.
- Added support for parsing of gzipped sitemaps.
NEW SECURITY CHECKS
- Check for reflected Code Evaluation in Apache Struts 2 (CVE-2017-12611).
- Check for Remote Code Execution in Apache Struts (CVE-2017-5638).
IMPROVEMENTS
- The Scan Time Window setting is now available on the new Group Scans page.
- Improved scan stability and performance.
- Improved default Form Values settings.
- Updated external references for several vulnerabilities.
- Updated default User-Agent HTTP request header string.
- Changed API endpoints to return 201-Created response status code for new resources.
- Added several UI improvements for WCAG guidelines compliance.
- Improved the email template that reports issues.
- Added "Attack Parameters" information to Scanned URLs report.
- Renamed the "Important" vulnerability severity to "High".
- Added Form Authentication performance data to Scan Performance knowledge base node.
- Improved Active Mixed Content vulnerability description.
- Improved DOM simulation for events attached to document object.
- Added parsing of "Alternates", "Content-Location" and "Refresh" response headers.
- Improved CSP engine performance by checking CSP Nonce value per directory.
- Changed sqlmap payloads to start with sqlmap.py, including the .py extension.
- Added --batch argument to sqlmap payloads.
- Removed Markdown Injection XSS attack payloads.
- Added ALL parameter type option to the Ignored Parameters settings.
- Added gtm.js (Google Tag Manager JS library) to the default excluded scope patterns.
- Updated the Accept HTTP header value for default scan policy.
- CSS exclusion selectors now support frames and iframes.
- Added embedded space parsing for JavaScript code in HTML attribute values.
- Added parsing source information to Scanned URLs List and Crawled URLs List (JSON) reports.
- Email disclosure is no longer reported for email addresses used in form authentication credentials.
- Added focus and blur event simulation for form authentication set value API calls.
- Added more information about HTML forms and input for vulnerabilities found in HTML forms.
- Added a JavaScript option to specify JavaScript cookies to persist across authentication and DOM simulation.
- Added Parameter Value column to the Vulnerabilities List report in CSV format.
- Added match by HTML element id for form values.
- Added "Ignore document events" to JavaScript settings to ignore triggering events attached to document object.
- Improved Windows Short Filename vulnerability details Remedy section.
- URL Rewrite parameters are now represented as asterisks in sqlmap payloads.
BUG FIXES
- Fixed an issue where the AutoSave filename was missing when resuming a scan.
- Fixed an issue where the "Test" button of the authentication settings did not work as expected.
- Fixed an issue where model binding did not work as expected for scan profile API endpoints.
- Fixed CSRF vulnerability reporting on change password forms.
- Fixed case sensitivity checks while matching ignored parameters; matching is now case-sensitive.
- Fixed the incorrect disabled external references section in WordPress Setup Configuration File template.
- Fixed various source code disclosure issues.
- Fixed an escaping issue with CSS exclusion selectors.
- Fixed the issue where the basic authentication credentials were not being sent on logout detection phase.
- Fixed a random DOM simulation exception that occurred when the site created popup windows.
- Fixed a RemotingException that occurred on the Form Authentication Verifier.
- Fixed a possible NullReferenceException on Form Authentication.
- Fixed the broken form authentication custom script when the last line of the script is a single line comment.
- Fixed excessive memory usage when deserializing huge parameter values.
- Fixed incorrect URLs that were added with only extension values.
- Fixed a NullReferenceException which may be thrown while importing a Swagger file.
- Fixed form authentication not triggered on retest.
- Fixed a StackOverflowException in the Swagger parser thrown while parsing objects containing circular references.
- Fixed a Swagger file parsing issue so that the target URL is used when the host field is missing.
- Fixed the Swagger importer by ignoring any metadata properties.
- Fixed a NullReferenceException that occurred during DOM simulation.
- Fixed the incorrect URLs parsed on attack responses.
- Fixed the redundant duplicate HTTP requests issued by Web App Fingerprinter.
- Fixed an Ignored Parameters issue for parameters containing special characters.
- Fixed a NullReferenceException that occurs for select elements missing option elements on multipart requests.
- Fixed missing vulnerabilities requiring late confirmation for incremental scans.
- Fixed a NullReferenceException that may occur on iframe security checks.
NEW FEATURES
- Added support for using internal agents along with AWS cloud integration (On-Premises only)
- Added out of the box Issue tracking integration for Redmine, Bugzilla and Kafka
- Added support for bulk operations on the Recent Scans page. It's now easier to cancel, pause, or delete multiple scans at the same time.
- Added new API endpoints for managing agents
- Added an option to change the Technical Contact for each website in a group in the Edit Website Group page
- Added support for exporting data on Activity Logs and Manage Team pages
- Added the ability to convert a completed scan into a Scheduled Scan
- Upgraded the Invicti scanning engine to v5.3-hf7 (5.3.0.24998)
NEW SECURITY CHECKS
- Added a new security engine named Malware Analyzer which detects any web malware injected into websites (the Scanner Agent's operating system should be Windows Server 2016 or above)
IMPROVEMENTS
- Improved support for scenarios where OAuth2 is used in conjunction with Basic Authentication
- Improved the status text displayed for delayed scans
- Set the account owner's Date and Time Format as the default for new team members
- Added Scan Owner information to various scan reports and API endpoints
- Improved the response message for the /scans/delete API endpoint
- Added all issue content to the /issues/allissues API endpoint
- Added a Mark all as Read option for notifications that are shown inside the application on the Application Notifications page
- Added Technical Contact information to files exported from the Websites page
- Added Vulnerability Severity Level for the selected issue in the Technical Report
- Upgraded Bootstrap, jQuery and Knockout.js dependencies to the latest versions
- Added Create Invitation (team member invitations) into the Activity Log
- Improved the API docs by adding sample values for request and response messages
- Added support for filtering by Target URL to the /scans/listbywebsite API endpoint
- Added a Clone option to the Scheduled Scans page
BUG FIXES
- Fixed a bug where agents were sometimes hanging after failed API requests
- Fixed an issue where the Technical Contact was not displayed for non-Admin users on the New Website page
- Fixed an issue where an incorrect error message was shown during the configuration of a Scheduled Scan
- Fixed a problem on the JIRA webhook where the JSON could not be serialized as expected
- Fixed an issue where a Scan Policy could not be used on a scanner agent if it had a long name
- Fixed a bug where the Authentication Verifier was sometimes hanging if an internal exception was thrown (On-Premises only)
- Fixed the default value for the Agent Data Path setting (On-Premises only)
- Fixed a bug where two-way Jira integration was not working as expected in retest scenarios
- Fixed an issue where a cancelled PCI scan could not be deleted
- Fixed an issue where a web application could not connect to a newly-created SQL Server database immediately (On-Premises only)
- Fixed a bug where scans launched via JIRA integration were sometimes not starting with the configured Scan Policy
- Fixed an issue where the temporary Scan Policy file was not deleted on scan completion on the scanner Agent
Known Issues
- Automatic updates may fail for the On-Premises scan agents with an error message in the agent's log: 'Agent couldn't find AgentAutoUpdater.exe'. To resolve this issue, first upgrade the Invicti Enterprise Web Application and copy the '[Web App Installation Folder]\App_Data\Agents\AgentAutoUpdater.exe' file to the folder where the target Agent is installed. If you need further help, submit a ticket through our Help Center.
NEW FEATURES
- Added IdP initiated SAML
- Upgraded the Invicti scanning engine to version 5.8.2.27669
- Added Pivotal Tracker integration
- Added support for SAML Assertion Encryption while configuring SSO
NEW SECURITY CHECKS
- Added an F5 Big IP LFI (CVE-2020-5902) attack pattern
- Added out of date checks for Apache Traffic Server
- Added version disclosure for Undertow Server
- Added out of date checks for Undertow Server
- Added version disclosure for Jenkins
- Added out of date checks for Jenkins
- Added signature detection for Kestrel
- Added detection for Tableau Server
- Added detection for Bomgar Remote Support Software
- Added version disclosure for Apache Traffic Server
IMPROVEMENTS
- A new Reset Agent Token button has been added to the Configure New Agent window
- The Status field has been removed from the "api/1.0/discovery/ignorebyfilter" endpoint
- Special characters (()[]#&%! " ') are now allowed in the Scan Policy name field
- Windows and Linux Agent download buttons have been added to the Configure New Agent window
- A Null check has been added for the ImporterType in the Update Scan Profile endpoint
FIXES
- Fixed the Server Error that occurred during the deletion of multiple websites
- Fixed a bug where an optimized Scan Policy did not clone properly
New Features
- Added the functionality to pause and resume scans.
- Added support for automatic crawling and scanning of Parameter-Based Navigation websites.
- Added a new option in the Scan Policy to allow users to add new extensions for the crawler to text-parse.
- Added support to allow users to select a scanning agent for a scan in an on-premises installation.
New Security Checks
- Added Missing X-XSS-Protection Header vulnerability check.
- Added Video.js JavaScript library detection.
- Added Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability check.
Improvements
- Added the Smart DFS feature to the DOM Parser, which uses a similarity heuristic for DOM elements to avoid scanning the same or similar parameters multiple times.
- Improved "Not Found Analyzer" to better handle binary responses and long strings.
- Added a link to the proof URL for XSS vulnerabilities.
- Added link generation to Text Parser for all select element options.
- Improved DOM parser to skip redirect responses.
- Improved the DOM parser to use the input value for auto-suggest simulation when input is not in a form.
- Added support for modifying asynchronous JavaScript executions in order to increase DOM Parser coverage.
- Improved relative link parsing on JavaScript files.
- Improved the coverage of file upload security checks.
- Improved the coverage of XSS security checks.
- Improved the UI of the Scan Policy Optimization Wizard.
- Updated the API authentication method for backward compatibility.
Bug Fixes
- Fixed an issue where LFI attack patterns were being reported as internal path disclosure.
- Fixed the incorrect raw response representing SSL connections.
- Fixed an issue where forms containing ignored parameters were not reported as a CSRF vulnerability.
- Fixed a case where dynamically generated HTML option elements' change events were not being triggered.
- Fixed cross-domain document access errors on DOM parser and XSS scanner.
- Fixed an issue where a JSON request's method was incorrectly recognized as POST rather than GET.
- Fixed a retest issue where a vulnerability fix was reported by mistake.
- Fixed form values target setting to use Name as the default value when a Target is not selected.
- Fixed a file extension parsing issue related to the File Extension List knowledge base item.
- Fixed a hang issue that occurred while performing JavaScript library security checks.
- Fixed a custom form authentication API issue where the "ns" namespace was conflicting with a global variable on the target website; the auth API has been moved to the "netsparker" namespace, preserving "ns" for backward compatibility.
- Fixed a DOM Parser and XSS scanner bug that incorrectly followed redirects.
- Fixed a Form Values issue: empty form values no longer set default values for parameters.
- Fixed an issue during which the setting of the Connection request header failed.
NEW FEATURES
- Added Invicti Shark that enables Interactive Application Security Testing (IAST)
- Added the ability to execute Custom Scripts for Security Checks
- Added the ability to edit wordlist entries in the Forced Browsing
- Added the integration with CyberArk Enterprise Password Vault
- Added the Scan Profile column to the Recent Scans window
IMPROVEMENTS
- Improved the visual elements of the dashboard
- Improved the performance of the Technology Dashboard
- Added the ability to create new SSO users via API
- Added the ability to get a team member's last login timestamp via API
- Added the Website URL filter to the Scheduled Scans page
- Improved the performance of the Sitemap
- Updated the Name Id Policy value for SAML as the email
- Added the ability to delete the Website Groups with ID API Endpoint
- Added the Next Execution Time tooltip to the scheduled scan
- Added the Scan Profile Name information to the Scan Task Groups in the Website Dashboard
- Added the ability to save the Privileged Access Management integrations without testing
- Fixed "scan failed" errors
- Added the title fields for Vulnerability List items
- The delete button is disabled for system notifications on the Notifications page
- Added the ability to assign scans to internal agents via scheduling
- Removed all (encrypted and cleartext) authentication credentials from API responses
- Minor revision changes now also trigger agent auto-updates
- The downloaded agent log file is now named agentlogs.zip
- Improved the stabilization of the agent state transitions
FIXES
- Added Script Engine Type to the Authentication Verifier
- Fixed a bug when requesting agent logs
- Fixed handling authentication tokens while executing the form authentication
- Fixed the issue where the wrong vulnerability database version was displayed in the agent info
- Fixed a null error in the scan session
- Fixed the bug in the scan policy optimizer wizard tree
- Fixed the issue where users could not create a custom script for three-legged OAuth2 Authentication
- Notification events now require the appropriate permission
- Added links to the affected Scan Profiles, Scans, and Scheduled Scans when deleting a scan policy
- Fixed an XSS issue in the Jira and Pivotal Tracker integrations
- Fixed NullReferenceException while exporting scans from Invicti Standard to Invicti Enterprise
- Fixed an issue where a scan was not matched to an agent in the selected agent group
- Fixed the scan policy cloning bug
- Fixed an issue where the View Scan Reports and Manage Issues (Restricted) options under the Scan Permission were not saved while creating new members
- Fixed a text problem in the Technologies Dashboard information
- Fixed an issue where users could not save an empty Excluded URL field
- Fixed an issue where the scan policy and report policy drop-downs appeared blank while editing a scheduled group scan
- Fixed a bug that occurred while deleting a scan profile
- Fixed the form authentication fields encryption
- Fixed a loading problem with the default scan profile selection
- Fixed the Pre-Request Script Error on Scheduling Scan
- Fixed Exclude Addressed Issues on the Export Report
- Fixed a style problem on the Usage Report page