Changelogs

Invicti Enterprise On-Premises

RSS Feed

14 Jun 2019

IMPROVEMENTS Added scan owner information to scan results and reports Improved Internet Explorer support on several pages Added a new option for disabling the Long running scan notification to General Settings (On-Premises only) No longer reporting Missing X-Frame-Options header in redirect responses No longer reporting Missing X-XSS protection on redirect responses No longer reporting CSP …

IMPROVEMENTS

  • Added scan owner information to scan results and reports
  • Improved Internet Explorer support on several pages
  • Added a new option for disabling the Long running scan notification to General Settings (On-Premises only)
  • No longer reporting Missing X-Frame-Options header in redirect responses
  • No longer reporting Missing X-XSS protection on redirect responses
  • No longer reporting CSP Not Implemented for redirect responses
  • No longer reporting Referrer Policy Not Implemented for redirect responses

BUG FIXES

  • Fixed an issue where the Target Website could not be deleted
  • Fixed an issue where the Preferred Agent in Scan Profile could not be changed
  • Added several fixes for OAuth2 Authentication
  • Fixed a bug where Invicti might mistakenly report some cookies as Not Secure
  • Fixed an issue where connection problems on the Target Website were causing high CPU usage

14 May 2019

NEW FEATURES Added auto update support for scanner agents Improved the Manage Agents page to support filtering and allow the running of commands Added notifications section to top bar. It displays application specific notifications such as updates and background jobs Added new API endpoints for managing issues Added a Do not differentiate HTTP and HTTPS …

NEW FEATURES

  • Added auto update support for scanner agents
  • Improved the Manage Agents page to support filtering and allow the running of commands
  • Added notifications section to top bar. It displays application specific notifications such as updates and background jobs
  • Added new API endpoints for managing issues
  • Added a Do not differentiate HTTP and HTTPS protocols option to the Scan Scope tab’s settings
  • Added OAuth2 Authentication support
  • Added a new Best Practice severity level for vulnerabilities that are recommended practices but not critical
  • Added an option to report only confirmed issues while generating reports
  • Added an option to exclude addressed issues while generating reports
  • Added F5 WAF rule generation
  • Added RESTful API Modeling Language (RAML) link import support
  • Added the ability to exclude certain URLs from URL Rewrite Detection
  • Added support for importing links from WordPress REST API files
  • Added a Scan Policy for OWASP Top 10 vulnerabilities
  • Added a Scan Policy for PCI vulnerabilities

NEW SECURITY CHECKS

  • Added new XSS pattern that injects the attack payload into the HREF attribute
  • Added support for exploiting Drupal Remote Code Execution (CVE-2019-6340)
  • Added a Unicode Transformation (Best-Fit Mapping) security check
  • Added detection for possible Header Injections
  • Added out-of-date detection for Oracle Database Server
  • Added out-of-date detection for Mithril
  • Added out-of-date detection for ef.js
  • Added out-of-date detection for Match.js
  • Added out-of-date detection for List.js
  • Added out-of-date detection for RequireJS
  • Added out-of-date detection for Riot.js
  • Added out-of-date detection for Inferno
  • Added out-of-date detection for Marionette.js
  • Added out-of-date detection for GSAP
  • Added a config.json check to the Resource Finder
  • Added detection support for TS Web access
  • Added detection support for .travis.yml

IMPROVEMENTS

  • Improved the Import Links section on the Imported Links tab on the New Scan page. Now imported links can be viewed immediately after the target file is uploaded.
  • Added CreatedAt and UpdatedAt fields to WebsiteGroup API endpoints
  • Improved the responsive design for several pages
  • Changed some wording for vulnerability details to use same wording as Invicti Standard
  • All clicked external links now open in a new window
  • The Target website URL cannot also be added as an Additional Website on the New Scan page
  • New logo has been added to the top bar
  • Improved Resource Finder step on the Scan Policy Optimization Wizard
  • Jira issues are now assigned to the person who started the scan
  • Improved the queue performance for scans running on cloud scanner agents
  • Improved the layout for reports where no vulnerabilities are detected
  • Added a new Manage Issues (Restricted) permission, which disallows marking issues as Accepted Risk or False Positive
  • Added Reporter (account id type) to the JIRA integration page
  • Updated SSRF ipv6 pattern names
  • Improved Scan performance by allocating computer resources better
  • Added XXE, File Upload, SSL, RFI, ELI, XSS via RFI vulnerabilities into vulnerability families
  • Added a description that explains why only 10 pages are reported on the Slowest Pages node in the Knowledge Base
  • Updated Code Evaluation (PHP) attack patterns
  • Improved DOM Simulation performance and fixed several issues
  • Improved React JavaScript framework support on Form Authentication
  • HTML Select elements without event listeners are simulated in DOM Simulation
  • The File Upload engine searches newly discovered file names in the upload response and in the upload folders
  • Improved operating system detection by the Site Profile node in the Knowledge Base
  • Added support for attacking the name of POST parameters
  • Improved the External References for several vulnerabilities
  • Added ISO 27001 information to the Executive Summary Report
  • CSP vulnerabilities will no longer display a ‘certainty’ value if they are already marked as Confirmed
  • Fixed an issue in DOM Simulation where the change of select elements was not being properly dispatched to the underlying JavaScript framework
  • Added support for exploiting XSS in text and XML content types
  • Out of Date SQL vulnerabilities are reported as Confirmed
  • Added a Cookie Whitepaper reference to cookie vulnerability templates
  • Added External References to ExpressJS, CakePHP and Possible Stored XSS templates
  • Improve grammar in Insecure Transportation Security Protocol Supported (TLS 1.0) vulnerability details
  • More commands are executed in the Code Evaluation exploitation to generate proofs
  • References to ‘Manuscript’ have been replaced with ‘FogBugz’
  • Improved RFI confirmation for URL Rewrite parameters
  • Improved signatures of Nginx Version Disclosure patterns
  • Optimized the attack speed of XSS and LFI engines
  • Added extra information to Out-of-date vulnerability templates to explain the vulnerability reason
  • Cookie checks will analyze session cookie names to detect platform-specific default session names
  • Stored XSS and Insecure Frame Default Report Policy vulnerability descriptions have been improved
  • Added a Jira Account ID field for Jira Send To Action to assign issues to a user, since the JIRA Api does not accept the username

BUG FIXES

  • Notifications tab appears empty when the Target URL is not selected on the New Scan page
  • Removed client side console logs from several pages
  • Fix the issue where the Preferred agent was not being set as expected for the selected scan profile on the New Scan page
  • Fixed an issue where the Discovery Settings page was not working properly for low resolution views
  • Fixed an issue where the Authentication Verifier was not capturing authentication settings
  • Fixed a bug where the default Scan Completed notification was overwriting the custom JIRA notification
  • Fixed a bug where PDF reports were not generated on the tryout console on the API docs page
  • Removed the Contains filter option for numeric fields
  • Fixed an issue where scans configured with a Scantime Window were blocking other scans
  • Removed the redundant ReportType parameter and added a ReportFormat parameter to the CustomReport API endpoint
  • Fixed a bug where ordering Issues using the Last Seen column was throwing an exception on the Issues page
  • Fixed a validation issue in the Header Authorization settings in the New Scan page
  • Fixed an issue where DOM simulation might conflict with some JavaScript frameworks
  • Fixed the garbled configuration sample in the Remedy section of the HSTS Policy Not Enabled vulnerability
  • Fixed an issue where an extra ampersand was appended to the query string while generating the URL of a Swagger imported link
  • Fixed an XmlException that was thrown while trying to parse a sitemap.xml response that is not found
  • Fixed a GZip decoding issue that occured while decoding a compressed sitemap.xml
  • Fixed a stuck scan issue on websites using the React JavaScript framework
  • Fixed a Postman file importing issue where the response was not base64 encoded
  • Fixed a NullReferenceException thrown while checking mutations on DOM
  • Fixed the incorrect URLs that were added during the DOM simulation for forms without action attributes
  • Fixed the issue where the SameSite cookie vulnerability was reported for cookies that were missing Lax or Strict attributes
  • Fixed an issue where JavaScript file parsing was taking longer than expected on some occasions
  • Fixed the issue where the incorrect severity was reported for the Cookie not Marked as Secure vulnerability of a non-session cookie
  • Fixed HTTP 400 errors raised by the ServiceNow Send To integration
  • Fixed an issue in the CSP engine where the ‘strict-dynamic’ directive was reported as an unsupported hash
  • Fixed incorrect nonce detected without matching script block vulnerability
  • Fixed a DOM simulation issue where the passed element to call the setTimeout function was being ignored
  • Fixed an issue that caused FP Insecure Reflected Content to be reported
  • Fixed the issue where brute-force attacks were carried out regardless of the Authentication Type
  • Fixed the issue where the LFI vulnerability confirmation patterns did not match the response returned from a Linux server
  • Fixed the value of double encoded null byte in LFI and XSS attack patterns
  • Fixed an issue in the Swagger importer where the parameter declared on the path level was not recognized
  • Fixed an issue in the LFI engine where the confirmation payload was appended to the attack payload
  • Fixed the value of the double encoded null byte in the Header Injection pattern
  • Fixed the encoding of the % sign in the base64 payload in XSS attacks
  • Fixed the attack payload in the PHP Injection Fixed One Time Attack pattern
  • Fixed the encoding issue in the SQL Injection confirmation attack
  • Fixed an issue where the cookies that were set in the JavaScript context during Form Authentication were not properly captured
  • Fixed an issue where the Max Simulated Elements option was causing the simulation to hang
  • Fixed an uncaught TypeError that was caused by Max Option Elements checks and causing the simulation to hang
  • Fixed an issue where an incorrect Subresource Integrity (SRI) Hash Invalid vulnerability was reported because of a hash miscalculation

20 Feb 2019

BUG FIXES Fixed an issue with setting up a new Team Member when SSO was enforced. Fixed an issue which was occurring during re-installing previously terminated agent.

BUG FIXES

  • Fixed an issue with setting up a new Team Member when SSO was enforced.
  • Fixed an issue which was occurring during re-installing previously terminated agent.

05 Feb 2019

NEW FEATURES Added support for merging accounts (On-Premises only). This will move all resources (Users, Websites, etc.) into the selected master account and delete all other accounts. IMPROVEMENTS Account Owner or users with Administrator permission can now delete other Team Members’ policies. Updated some third-party libraries to the latest version. Added OWASP 2017 classification data …

NEW FEATURES

  • Added support for merging accounts (On-Premises only). This will move all resources (Users, Websites, etc.) into the selected master account and delete all other accounts.

IMPROVEMENTS

  • Account Owner or users with Administrator permission can now delete other Team Members’ policies.
  • Updated some third-party libraries to the latest version.
  • Added OWASP 2017 classification data to the Executive Summary report.
  • SSO Enforcement has been disabled for users with Administrator permission (On-Premises only).

BUG FIXES

  • Fixed an issue where a JavaScript setting was not set as expected on the New Scan Policy page.
  • Fixed an issue that was thrown when deleting an account.
  • Fixed a bug where it was not possible to configure country code top-level domain (co.uk, com.tr, etc.) on the Discovery Settings page.

17 Jan 2019

NEW FEATURES Added issue synchronization support for Jira and Manuscript issue trackers Added notification support for Fixed, Revived, False Positive and Accepted Risk Issues to Slack integration Upgraded the Invicti scanning engine to v5.2-hf2 (5.2.0.22027) Added a new Vulnerability Families feature, where similar types of vulnerabilities are no longer reported separately Added out of the …

NEW FEATURES

NEW SECURITY CHECKS

  • Added a new pattern for CherryPy Version Disclosure
  • Added an LFI attack pattern for WEB-INF/web.xml
  • Added Ruby Error Disclosure detection
  • Added WP Engine Configuration File detection
  • Added CherryPy Stack Trace Disclosure detection
  • Added Intro.js Out-of-date Version detection
  • Added Axios Out-of-date Version detection
  • Added Fingerprintjs2 Out-of-date Version detection
  • Added XRegExp Out-of-date Version detection
  • Added DataTables Out-of-date Version detection
  • Added Lazy.js Out-of-date Version detection
  • Added FancyBox Out-of-date Version detection
  • Added Underscore.js Out-of-date Version detection
  • Added Lightbox Out-of-date Version detection
  • Added JBoss application server Out-of-date Version detection
  • Added SweetAlert2 Out-of-date Version detection
  • Added Lodash Out-of-date Version detection
  • Added Bluebird Out-of-date Version detection
  • Added Polymer Out-of-date Version detection

IMPROVEMENTS

  • Added Content Security Policy (CSP) to the Invicti Enterprise web application
  • Changed enum values to display in alphabetical order in the Value column in the Filter popup
  • Added an Audit Log for Rate Limited requests
  • Highlighted selected option for JavaScript section on the New Scan Policy page
  • Highlighted relevant tabs for validation errors on the New Scan Policy page
  • Improved the Report Policy page to make it more responsive and added a scroll bar
  • Improved help text for Application and Service Discovery pages
  • Added a Check/Uncheck by Severity filtering option on the Report Policy page
  • Added PHP extension attack for Nginx vulnerability to the File Upload engine
  • Added File Upload patterns for the Nginx Parsing vulnerability
  • Added settings to the File Upload engine for configuring upload folders
  • Added errorlog.axd detection support
  • Improved elmah.axd detection
  • The severity of the Cookie Not Marked as Secure vulnerability was lowered for non-session cookies
  • Improved SSTI PHP Smarty attack detection
  • Improved the Swagger link importer to handle additional properties with integer and string value types
  • Improved the Expect-CT engine by only reporting a vulnerability once for each host
  • Improved RSA key confirmation by handling OpenPGP format
  • Increased the HSTS Not Enabled vulnerability severity from Information to Low
  • Improved HTTP 407 Proxy Authentication error handling
  • Added classifications to the HSTS Not Enabled vulnerability
  • Excluded unpopular JavaScript Library Out of Date checks from the default policy to improve performance
  • Improved CSP security checks by analyzing empty responses, as CSP can be declared on headers instead of meta tags
  • Generalized the RegEx Pattern of the trace.axd detected vulnerability to match all languages
  • Improved JSON format detection
  • Replaced Unicode replacement characters with question marks in responses
  • Added a Scan Policy option to attack cookies
  • Improved element click DOM simulation for various element types
  • SRI Not Implemented will no longer be reported for localhost URLs
  • Improved ASP.NET error message detection
  • Added descriptions to PCI categories in the PCI Compliance Report
  • Improved Boolean SQL Injection detection
  • Improved the Blind Command Injection attack patterns
  • Improved the representation of Report Template compilation errors
  • Misconfigured X-Frame-Options Header is now reported separately
  • Improved Source Code Disclosure checks to prevent the reporting of JavaScript template pages
  • Status Code, Status Description and Content Length information have been added to the Slowest Pages node in the Knowledge Base
  • Improved WADL document parsing by ignoring DTDs
  • Improved Open Redirect DOM based confirmation performance
  • Long identified source code is shortened in Possible Source Code Disclosure vulnerabilities
  • Cookie vulnerabilities report where the cookie is set from
  • Improved Swagger Document Format detection
  • The file upload engine now detects new links in the response after the file is uploaded

BUG FIXES

  • Fixed the issue where Authentication did not work when retesting
  • Fixed the issue where the Swagger importer generated an invalid JSON request body
  • Fixed the ArgumentException thrown while performing Heartbleed security checks
  • Fixed the issue where the wrong version was identified for Drupal
  • Fixed a disallowed HTTP method issue where some methods were still being allowed
  • Fixed a typo in the CSP Not Implemented vulnerability details
  • Fixed a Form Authentication issue that occured on some React-based websites
  • Fixed signature detection for links found via the crawler
  • Fixed an issue in the CSP engine where it reported an incorrect vulnerability
  • Fixed a URL encoding issue in DOM simulation that was causing some vulnerabilities to be missed
  • Fixed the issue where the text parser incorrectly parsed extensions in the onclick event
  • Fixed duplicate parsing source field values reported for IFrame vulnerabilities
  • Fixed an issue where Apache MultiViews could not be detected in the target server
  • Fixed the incorrect Cookie Expire Date set during Form Authentication
  • Fixed the incorrect Source Code Disclosure report caused by SSTI attacks
  • Fixed a Content-Type parsing issue in Form Authentication
  • Fixed the issue where cookies received via Form Authentication were not being analyzed for vulnerabilities
  • Fixed the incorrect Source Code Disclosure reported when an XSS via RFI vulnerability was found
  • Fixed a bug in cookie handling code during Form Authentication
  • Fixed the incorrect severity reported for the Cookie not Marked as Secure vulnerability on some scans
  • Fixed an ArgumentOutOfRangeException thrown on some long scans

26 Nov 2018

NEW FEATURES Added Application/Service Discovery feature Added out of the box integration for GitLab CI Added custom recurrence options to Scheduled Scans to support advanced scheduling scenarios Added support for downloading internal scanner agents on Manage Agents page (On-Demand only) Added raw text option to Import Websites page IMPROVEMENTS Improved colors for the app menu …

NEW FEATURES

IMPROVEMENTS

  • Improved colors for the app menu to follow WCAG guidelines
  • New scheduled scans are not added to the queue if a delayed one already exists
  • Improved validatation for SSO configuration pages
  • Updated EULA and TOS pages
  • Added support for deleting agents on the Manage Agents page
  • Readjusted API rate limits
  • Added a Data Protection Policy page
  • Account admins can now disable other team members’ 2FA settings
  • Improved the wording on several pages
  • Improved JIRA integration to prevent reopening the same issue twice in JIRA
  • Added support for running concurrent scans on a single Enterprise computing instance (ondemand only)
  • Attack Pattern’ renamed as ‘Payload’ in the Send To integration templates
  • Added tooltip for Scan and Report Policies options on the New Scan page

BUG FIXES

  • Fixed the problem where Severity Trends displayed global severity numbers even if a Scan Group was selected on the Website Dashboard page
  • Fixed an issue where the Manage Websites page, where the Last Scanned column was displaying the last scan’s initiation time
  • Fixed a bug where the severity order was wrong for the Retest Summary section on the Scan Report page

19 Sep 2018

NEW FEATURES Added support to save and re-use filters on the list pages (Recents Scans, Websites, Issues etc) Added out of the box integration for Slack and ServiceNow Introduced Report Policy Editor which allows to customize Scan Report results Added Russian FSTEC BDU Vulnerability Database numbers to version vulnerabilities NEW SECURITY CHECKS Added Out of …

NEW FEATURES

  • Added support to save and re-use filters on the list pages (Recents Scans, Websites, Issues etc)
  • Added out of the box integration for Slack and ServiceNow
  • Introduced Report Policy Editor which allows to customize Scan Report results
  • Added Russian FSTEC BDU Vulnerability Database numbers to version vulnerabilities

NEW SECURITY CHECKS

  • Added Out of Band Server Side Template Injection security checks
  • Added signature detection check for Caddy web server
  • Added signature detection check for aah Go server
  • Added signature detection check for JBoss application server
  • Added CakePHP framework detection
  • Added CakePHP version disclosure detection
  • Added CakePHP out-of-date version detection
  • Added CakePHP Stack Trace Disclosure
  • Added CakePHP default page detection
  • Added Out of Date checks for CKEditor 5

IMPROVEMENTS

  • Configured scanner agent’s service options to recover automatically if it stops
  • Improved display order of vulnerabilities in several reports
  • Improved the wording in OWASP and Trend Matrix reports
  • Updated the licensing model
  • Allowed team members to manage their IP restrictions (previously only account administrators were allowed)
  • Scheduled Scans will not be queued if a delayed one already exists in scan queue
  • Improved Agent List page to display unavailable agents
  • Improved the wording in Website and Global Dashboard pages
  • Improved ‘/websites/get’ API endpoint to allow filtering by URL
  • Improved validation messages for SSO settings
  • Improved styling of Permission Matrix on New Team Member page
  • Fixed error where Scheduled Scans were disabled by the system on license expiry (they’re now available again on license renewal)
  • Updated .NET Framework version requirement to 4.7.2
  • All authentication vulnerabilities (Basic, NTLM, Digest, etc. authorization required) are merged into a single vulnerability
  • Added Label field for JIRA Send To actions
  • Added Tags field for Manuscript (FogBugz) Send To actions
  • Improved SQL Injection proof data by stripping HTML tags
  • Improved CSRF token detection in cookie values

BUG FIXES

  • Fixed wrong PDF scaling issue which causes fonts to be rendered very small for Report templates
  • Fixed pagination problem on Scheduled Scans and Website Group pages
  • Fixed a bug where screenshots are displayed for Scans run by Internal Agents
  • Fixed the incorrect Content-Type header sent during Form Authentication requests
  • Fixed the WAF rule generated for TRACE/TRACK HTTP methods which were blocking the other HTTP methods too
  • Fixed the URL encoding issue for vulnerabilities that are send to Manuscript (formerly FogBugz)
  • Fixed the error where the ExpectCT header was reported as an interesting header
  • Fixed the Content-Type header parsing when there was an extra semicolon character at the end of the value
  • Fixed the incorrect response displayed for Server Side Request Forgery (SSRF) vulnerabilities when the request was redirected to another page
  • Fixed an incorrect external reference for the ViewState is not Encrypted vulnerability
  • Fixed an incorrect possible LFI vulnerability when the response was redirected
  • Fixed an incorrect Open Redirect vulnerability reported when a regular link was followed during DOM parsing
  • Fixed broken case sensitivity check for crawled links
  • Fixed FormatException that occurred while parsing cookies
  • Fixed a JsonReaderException that occured while trying to parse a Swagger document
  • Fixed parsing URLs with encoded chars
  • Fixed hanging Open Redirect checks caused by binary responses
  • Fixed the issue where a Swagger YAML file cannot be imported
  • Fixed the cookie jar which does not ignore the duplicated cookie based on first cookie’s HttpOnly flag
  • Fixed the Weak Signature Algorithm that is not reported for a self-signed root certificate

25 Jul 2018

IMPROVEMENT Updated terms of services document BUG FIXES Fixed a bug where XML reports can not be exported Fixed a bug where Jenkins integration was not working as expected Fixed an issue where “Check for Updates” was not displaying correct result for team member users Fixed a bug where sorting was not working on Scheduled …

IMPROVEMENT

  • Updated terms of services document

BUG FIXES

  • Fixed a bug where XML reports can not be exported
  • Fixed a bug where Jenkins integration was not working as expected
  • Fixed an issue where “Check for Updates” was not displaying correct result for team member users
  • Fixed a bug where sorting was not working on Scheduled Scans page

23 Jul 2018

NEW FEATURE Added SSO (Single Sign-On) support for Netparker Enterprise On-Demand IMPROVEMENTS Improved text shown after deleting a website Improved text shown on Authentication Verifier Settings page Improved help text for Recaptcha setting shown on Service Settings page Removed 2FA disable button for users who do not have required access permission (previously displayed as disabled) …

NEW FEATURE

IMPROVEMENTS

  • Improved text shown after deleting a website
  • Improved text shown on Authentication Verifier Settings page
  • Improved help text for Recaptcha setting shown on Service Settings page
  • Removed 2FA disable button for users who do not have required access permission (previously displayed as disabled)
  • Improved timer behaviour of validation code shown on SMS Settings page 
  • Improved order of vulnerabilities in several reports
  • Response content will not be rendered if it’s higher than 10MB, instead response data can be downloaded from scan results page
  • Refactored and improved performance of reports which can be exported from Scan Results page
  • Added market place links for Jenkins, TeamCity and Bamboo plugins shown on Integrations page
  • Improved validation messages for JIRA integration
  • Improved samples for new website API documentation
  • Changed wording on General Settings page
  • Simplified endpoint format for Authentication Verifier settings

BUG FIXES

  • Fixed a bug where if previous scan failed with domain resolution error, subsequent scans failed unexpectedly with the same error
  • Fixed a bug where imported Swagger file was not parsed during scanning
  • Fixed a bug where multiple SAML configurations might be configured with same configuration identifier
  • Fixed an issue where Agent could not be disabled on Manage Agents page
  • Fixed an issue where Jenkins icon was not displaying properly on IE
  • Fixed a bug where sorting was not working for Next Execution Time on Scheduled Scans page
  • Fixed a bug where product update links were not displaying correctly
  • Fixed a bug where configured Scan Policies’ user agent was not used in Authentication Verifier
  • Fixed documentation links for SSO providers
  • Fixed API authorization error thrown on notification endpoints for Team Members
  • Fixed an issue where custom reports were not displayed on Scan Results page
  • Fixed an issue where Knowledge Base data was not saved properly

02 Jul 2018

BUG FIXES Fixed a database connectivity issue which was occurring when pool size was not sufficient (onpremises only) Fixed an issue where installation wizard was shown when database connectivity was lost (onpremises only) Fixed an issue in agent endpoint where scan file names were not set as expected (onpremises only)

BUG FIXES

  • Fixed a database connectivity issue which was occurring when pool size was not sufficient (onpremises only)
  • Fixed an issue where installation wizard was shown when database connectivity was lost (onpremises only)
  • Fixed an issue in agent endpoint where scan file names were not set as expected (onpremises only)

07 Jun 2018

IMPROVEMENTS Improved audit logs’ contents. BUG FIXES Fixed an issue in “/scans/new” API endpoint. Fixed an issue where SMTP settings was not persisted as expected. Fixed an issue in IP restriction settings. Fixed an issue where vulnerabilities’ request/response details were not displayed properly.

IMPROVEMENTS

  • Improved audit logs’ contents.

BUG FIXES

  • Fixed an issue in “/scans/new” API endpoint.
  • Fixed an issue where SMTP settings was not persisted as expected.
  • Fixed an issue in IP restriction settings.
  • Fixed an issue where vulnerabilities’ request/response details were not displayed properly.

29 May 2018

NEW FEATURES Added SSO (Single Sign-On) support (onpremises only) Added an option to “Scan Policy > HTTP Request” settings to capture HTTP Requests Added installation wizard for onpremises installation (onpremises only) New plugin for integration with Bamboo Added code highlighting support for vulnerability request and response Added “Scans per Website Group” report type to Reporting …

NEW FEATURES

  • Added SSO (Single Sign-On) support (onpremises only)
  • Added an option to “Scan Policy > HTTP Request” settings to capture HTTP Requests
  • Added installation wizard for onpremises installation (onpremises only)
  • New plugin for integration with Bamboo
  • Added code highlighting support for vulnerability request and response
  • Added “Scans per Website Group” report type to Reporting page
  • Added an option to general settings to configure retention period for raw scan files (onpremises only)
  • Invicti Desktop integration: ability to import and export scans between the scanners.
  • Added Server-Side Template Injection (SSTI) vulnerability checks.
  • Added the OWASP 2017 Top Ten classifications report template.

NEW SECURITY CHECKS

  • Expect-CT security checks.
  • Added various new web applications in the application version database.
  • Added out of date checks for Hammer.JS., Phaser., Chart.js., Ramda., reveal.js., Fabric.js., Semantic UI., Leaflet., Foundation., three.js., PDF.js., Polymer.

IMPROVEMENTS

  • Added elapsed time information for ongoing scans
  • Added an option to scan reports page for hiding addressed issues
  • Improved Agents page to display configured agents’ versions (onpremises only)
  • Added CVSS score to JSON vulnerabilities report
  • Improved user profile to display trial expiration date
  • Improved response status messages on the API documentation
  • Added Invicti Enterprise issue link to created tickets for supported issue tracking systems (JIRA, TFS, GitHub and FogBugz)
  • Improved help text for schedule scan’s license errors
  • Allowed team members to manage their own notification settings
  • Added “Copy to Clipboard” functionality for API settings
  • Improved Incremental Scan page to configure maximum scan duration
  • Added an icon for scans launched by continuous integration systems
  • Added “LookupId” unique identifier for vulnerabilities to “/scans/report” API endpoint
  • Added “FirstSeenDate” and “LastSeenDate” fields for vulnerabilities to “/scans/report” API endpoint
  • Added “CreatedAt” and “UpdatedAt” fields for “/websites/list” API endpoint
  • Added “/vulnerability/list” API endpoint to list vulnerability templates
  • Improved logs for client certificate validation errors
  • Crawler can now parse multiple sitemaps in a robots.txt file.
  • Added support for parsing swagger documents in yaml format.
  • Added support for parsing relative meta refresh URLs.
  • Improved parsing of websites using React framework.
  • Content-Security-Policy-Report-Only header is not reported as an interesting header.
  • Variations are retested before starting an incremental scan.
  • Improved JavaScript content check performance while detecting out of date versions.
  • Renamed FogBugz send to action to its new name Manuscript.
  • GitHub Send to action now works with organization accounts and private repositories.
  • Added support for handling HTTP 307 redirects.
  • DS_STORE files are discovered and parsed.
  • Added WAF (Mod Security) rule generation support for out of band vulnerabilities.
  • Improved MySQL double encoded string attacks.
  • New Extensions scan policy settings to specify which extensions should be crawled and attacked.
  • Added “Disallowed HTTP Methods” settings to scope options on the new scan page.

BUG FIXES

  • Fixed an issue where empty value was not accepted for Excluded URLs
  • Fixed an issue where invitation was not deleted after an account deleted
  • Fixed font size for highlighted fields on vulnerability details
  • Fixed an issue where validation was not working as expected for Invicti Hawk settings
  • Fixed an issue where VDB update date was not persisted as expected
  • Fixed some possible vulnerabilities missing [Possible] indicator in title.
  • Fixed highlighting problem for “Password Transmitted over HTTP” vulnerability.
  • Fixed the incorrect Possible LFI caused by the persisted OOB RCE pattern on the page response.
  • Fixed incorrect “[Possible] WS_FTP Log File Detected” vulnerability.
  • Fixed Hawk validation error by not following redirects.
  • Fixed the issue where a vulnerability is not reported when the cookie contains a CSRF token.
  • Fixed the issue where static detection vulnerabilities are treated as fixed after a retest even though they are not.
  • Fixed the issue where CSRF token in the cookie is not reported when token is in the form action.
  • Fixed the issue on GitHub send to action where the test passed but vulnerability issue cannot be created.
  • Fixed the SSL check hang on HTTP only hosts.
  • Fixed LFI engine by not analyzing source code disclosure on binary responses.
  • Fixed a validation issue for some Swagger documents.
  • Fixed the issue where CSP keywords are not reported when used without single quotes.
  • Fixed mailto: and javascript: links which were incorrectly reported as mixed content.
  • Fixed incorrect source code disclosures reported in binary responses.
  • Fixed incorrect UNC Server And Share Disclosure vulnerability reports.
  • Fixed out of date version reporting behavior when no ordinal is found in version database.
  • Fixed Lighttpd version disclosure detection signatures.
  • Fixed a Swagger parsing issue.