Changelogs

Invicti Enterprise On-Premises

20 Feb 2019

BUG FIXES

  • Fixed an issue with setting up a new Team Member when SSO was enforced.
  • Fixed an issue that occurred when re-installing a previously terminated agent.

05 Feb 2019

NEW FEATURES

  • Added support for merging accounts (On-Premises only). This will move all resources (Users, Websites, etc.) into the selected master account and delete all other accounts.

IMPROVEMENTS

  • Account Owner or users with Administrator permission can now delete other Team Members’ policies.
  • Updated some third-party libraries to the latest version.
  • Added OWASP 2017 classification data to the Executive Summary report.
  • SSO Enforcement has been disabled for users with Administrator permission (On-Premises only).

BUG FIXES

  • Fixed an issue where a JavaScript setting was not set as expected on the New Scan Policy page.
  • Fixed an error that was thrown when deleting an account.
  • Fixed a bug where it was not possible to configure a country-code top-level domain (co.uk, com.tr, etc.) on the Discovery Settings page.

17 Jan 2019

NEW FEATURES

  • Added issue synchronization support for Jira and Manuscript issue trackers
  • Added notification support for Fixed, Revived, False Positive and Accepted Risk Issues to Slack integration
  • Upgraded the Invicti scanning engine to v5.2-hf2 (5.2.0.22027)
  • Added a new Vulnerability Families feature, where similar types of vulnerabilities are no longer reported separately
  • Added out of the …

NEW SECURITY CHECKS

  • Added a new pattern for CherryPy Version Disclosure
  • Added an LFI attack pattern for WEB-INF/web.xml
  • Added Ruby Error Disclosure detection
  • Added WP Engine Configuration File detection
  • Added CherryPy Stack Trace Disclosure detection
  • Added Intro.js Out-of-date Version detection
  • Added Axios Out-of-date Version detection
  • Added Fingerprintjs2 Out-of-date Version detection
  • Added XRegExp Out-of-date Version detection
  • Added DataTables Out-of-date Version detection
  • Added Lazy.js Out-of-date Version detection
  • Added FancyBox Out-of-date Version detection
  • Added Underscore.js Out-of-date Version detection
  • Added Lightbox Out-of-date Version detection
  • Added JBoss application server Out-of-date Version detection
  • Added SweetAlert2 Out-of-date Version detection
  • Added Lodash Out-of-date Version detection
  • Added Bluebird Out-of-date Version detection
  • Added Polymer Out-of-date Version detection

IMPROVEMENTS

  • Added Content Security Policy (CSP) to the Invicti Enterprise web application
  • Changed enum values to display in alphabetical order in the Value column in the Filter popup
  • Added an Audit Log for Rate Limited requests
  • Highlighted selected option for JavaScript section on the New Scan Policy page
  • Highlighted relevant tabs for validation errors on the New Scan Policy page
  • Improved the Report Policy page to make it more responsive and added a scroll bar
  • Improved help text for Application and Service Discovery pages
  • Added a Check/Uncheck by Severity filtering option on the Report Policy page
  • Added PHP extension attack for Nginx vulnerability to the File Upload engine
  • Added File Upload patterns for the Nginx Parsing vulnerability
  • Added settings to the File Upload engine for configuring upload folders
  • Added errorlog.axd detection support
  • Improved elmah.axd detection
  • The severity of the Cookie Not Marked as Secure vulnerability was lowered for non-session cookies
  • Improved SSTI PHP Smarty attack detection
  • Improved the Swagger link importer to handle additional properties with integer and string value types
  • Improved the Expect-CT engine by only reporting a vulnerability once for each host
  • Improved RSA key confirmation by handling OpenPGP format
  • Increased the HSTS Not Enabled vulnerability severity from Information to Low
  • Improved HTTP 407 Proxy Authentication error handling
  • Added classifications to the HSTS Not Enabled vulnerability
  • Excluded unpopular JavaScript Library Out of Date checks from the default policy to improve performance
  • Improved CSP security checks by analyzing empty responses, as CSP can be declared on headers instead of meta tags
  • Generalized the RegEx Pattern of the trace.axd detected vulnerability to match all languages
  • Improved JSON format detection
  • Replaced Unicode replacement characters with question marks in responses
  • Added a Scan Policy option to attack cookies
  • Improved element click DOM simulation for various element types
  • SRI Not Implemented will no longer be reported for localhost URLs
  • Improved ASP.NET error message detection
  • Added descriptions to PCI categories in the PCI Compliance Report
  • Improved Boolean SQL Injection detection
  • Improved the Blind Command Injection attack patterns
  • Improved the representation of Report Template compilation errors
  • Misconfigured X-Frame-Options Header is now reported separately
  • Improved Source Code Disclosure checks to prevent the reporting of JavaScript template pages
  • Status Code, Status Description and Content Length information have been added to the Slowest Pages node in the Knowledge Base
  • Improved WADL document parsing by ignoring DTDs
  • Improved Open Redirect DOM based confirmation performance
  • Long identified source code is shortened in Possible Source Code Disclosure vulnerabilities
  • Cookie vulnerabilities report where the cookie is set from
  • Improved Swagger Document Format detection
  • The file upload engine now detects new links in the response after the file is uploaded

BUG FIXES

  • Fixed the issue where Authentication did not work when retesting
  • Fixed the issue where the Swagger importer generated an invalid JSON request body
  • Fixed the ArgumentException thrown while performing Heartbleed security checks
  • Fixed the issue where the wrong version was identified for Drupal
  • Fixed a disallowed HTTP method issue where some methods were still being allowed
  • Fixed a typo in the CSP Not Implemented vulnerability details
  • Fixed a Form Authentication issue that occurred on some React-based websites
  • Fixed signature detection for links found via the crawler
  • Fixed an issue in the CSP engine where it reported an incorrect vulnerability
  • Fixed a URL encoding issue in DOM simulation that was causing some vulnerabilities to be missed
  • Fixed the issue where the text parser incorrectly parsed extensions in the onclick event
  • Fixed duplicate parsing source field values reported for IFrame vulnerabilities
  • Fixed an issue where Apache MultiViews could not be detected in the target server
  • Fixed the incorrect Cookie Expire Date set during Form Authentication
  • Fixed the incorrect Source Code Disclosure report caused by SSTI attacks
  • Fixed a Content-Type parsing issue in Form Authentication
  • Fixed the issue where cookies received via Form Authentication were not being analyzed for vulnerabilities
  • Fixed the incorrect Source Code Disclosure reported when an XSS via RFI vulnerability was found
  • Fixed a bug in cookie handling code during Form Authentication
  • Fixed the incorrect severity reported for the Cookie not Marked as Secure vulnerability on some scans
  • Fixed an ArgumentOutOfRangeException thrown on some long scans

26 Nov 2018

NEW FEATURES

  • Added Application/Service Discovery feature
  • Added out of the box integration for GitLab CI
  • Added custom recurrence options to Scheduled Scans to support advanced scheduling scenarios
  • Added support for downloading internal scanner agents on Manage Agents page (On-Demand only)
  • Added raw text option to Import Websites page

IMPROVEMENTS

  • Improved colors for the app menu to follow WCAG guidelines
  • New scheduled scans are not added to the queue if a delayed one already exists
  • Improved validation for SSO configuration pages
  • Updated EULA and TOS pages
  • Added support for deleting agents on the Manage Agents page
  • Readjusted API rate limits
  • Added a Data Protection Policy page
  • Account admins can now disable other team members’ 2FA settings
  • Improved the wording on several pages
  • Improved JIRA integration to prevent reopening the same issue twice in JIRA
  • Added support for running concurrent scans on a single Enterprise computing instance (On-Demand only)
  • ‘Attack Pattern’ renamed as ‘Payload’ in the Send To integration templates
  • Added tooltip for Scan and Report Policies options on the New Scan page

BUG FIXES

  • Fixed the problem where Severity Trends displayed global severity numbers even if a Scan Group was selected on the Website Dashboard page
  • Fixed an issue on the Manage Websites page where the Last Scanned column was displaying the last scan’s initiation time
  • Fixed a bug where the severity order was wrong for the Retest Summary section on the Scan Report page

19 Sep 2018

NEW FEATURES

  • Added support to save and re-use filters on the list pages (Recent Scans, Websites, Issues etc.)
  • Added out of the box integration for Slack and ServiceNow
  • Introduced Report Policy Editor, which allows customizing Scan Report results
  • Added Russian FSTEC BDU Vulnerability Database numbers to version vulnerabilities

NEW SECURITY CHECKS

  • Added Out of Band Server Side Template Injection security checks
  • Added signature detection check for Caddy web server
  • Added signature detection check for aah Go server
  • Added signature detection check for JBoss application server
  • Added CakePHP framework detection
  • Added CakePHP version disclosure detection
  • Added CakePHP out-of-date version detection
  • Added CakePHP Stack Trace Disclosure
  • Added CakePHP default page detection
  • Added Out of Date checks for CKEditor 5

IMPROVEMENTS

  • Configured scanner agent’s service options to recover automatically if it stops
  • Improved display order of vulnerabilities in several reports
  • Improved the wording in OWASP and Trend Matrix reports
  • Updated the licensing model
  • Allowed team members to manage their IP restrictions (previously only account administrators were allowed)
  • Scheduled Scans will not be queued if a delayed one already exists in scan queue
  • Improved Agent List page to display unavailable agents
  • Improved the wording in Website and Global Dashboard pages
  • Improved ‘/websites/get’ API endpoint to allow filtering by URL
  • Improved validation messages for SSO settings
  • Improved styling of Permission Matrix on New Team Member page
  • Fixed error where Scheduled Scans were disabled by the system on license expiry (they’re now available again on license renewal)
  • Updated .NET Framework version requirement to 4.7.2
  • All authentication vulnerabilities (Basic, NTLM, Digest, etc. authorization required) are merged into a single vulnerability
  • Added Label field for JIRA Send To actions
  • Added Tags field for Manuscript (FogBugz) Send To actions
  • Improved SQL Injection proof data by stripping HTML tags
  • Improved CSRF token detection in cookie values

BUG FIXES

  • Fixed a PDF scaling issue that caused fonts to be rendered very small in report templates
  • Fixed pagination problem on Scheduled Scans and Website Group pages
  • Fixed a bug where screenshots were displayed for Scans run by Internal Agents
  • Fixed the incorrect Content-Type header sent during Form Authentication requests
  • Fixed the WAF rule generated for TRACE/TRACK HTTP methods, which was blocking the other HTTP methods too
  • Fixed the URL encoding issue for vulnerabilities that are sent to Manuscript (formerly FogBugz)
  • Fixed the error where the ExpectCT header was reported as an interesting header
  • Fixed the Content-Type header parsing when there was an extra semicolon character at the end of the value
  • Fixed the incorrect response displayed for Server Side Request Forgery (SSRF) vulnerabilities when the request was redirected to another page
  • Fixed an incorrect external reference for the ViewState is not Encrypted vulnerability
  • Fixed an incorrect possible LFI vulnerability when the response was redirected
  • Fixed an incorrect Open Redirect vulnerability reported when a regular link was followed during DOM parsing
  • Fixed broken case sensitivity check for crawled links
  • Fixed FormatException that occurred while parsing cookies
  • Fixed a JsonReaderException that occurred while trying to parse a Swagger document
  • Fixed parsing of URLs with encoded characters
  • Fixed hanging Open Redirect checks caused by binary responses
  • Fixed the issue where a Swagger YAML file could not be imported
  • Fixed the cookie jar, which did not ignore a duplicated cookie based on the first cookie’s HttpOnly flag
  • Fixed the Weak Signature Algorithm vulnerability not being reported for a self-signed root certificate

25 Jul 2018

IMPROVEMENT

  • Updated the Terms of Service document

BUG FIXES

  • Fixed a bug where XML reports could not be exported
  • Fixed a bug where Jenkins integration was not working as expected
  • Fixed an issue where “Check for Updates” was not displaying the correct result for team member users
  • Fixed a bug where sorting was not working on Scheduled Scans page

23 Jul 2018

NEW FEATURE

  • Added SSO (Single Sign-On) support for Netsparker Enterprise On-Demand

IMPROVEMENTS

  • Improved text shown after deleting a website
  • Improved text shown on Authentication Verifier Settings page
  • Improved help text for Recaptcha setting shown on Service Settings page
  • Removed 2FA disable button for users who do not have required access permission (previously displayed as disabled)
  • Improved timer behaviour of validation code shown on SMS Settings page
  • Improved order of vulnerabilities in several reports
  • Response content will not be rendered if it is larger than 10 MB; instead, the response data can be downloaded from the scan results page
  • Refactored and improved performance of reports which can be exported from Scan Results page
  • Added market place links for Jenkins, TeamCity and Bamboo plugins shown on Integrations page
  • Improved validation messages for JIRA integration
  • Improved samples for new website API documentation
  • Changed wording on General Settings page
  • Simplified endpoint format for Authentication Verifier settings

BUG FIXES

  • Fixed a bug where, if a previous scan failed with a domain resolution error, subsequent scans failed unexpectedly with the same error
  • Fixed a bug where an imported Swagger file was not parsed during scanning
  • Fixed a bug where multiple SAML configurations could be configured with the same configuration identifier
  • Fixed an issue where an agent could not be disabled on Manage Agents page
  • Fixed an issue where the Jenkins icon was not displaying properly on IE
  • Fixed a bug where sorting was not working for Next Execution Time on Scheduled Scans page
  • Fixed a bug where product update links were not displaying correctly
  • Fixed a bug where configured Scan Policies’ user agent was not used in Authentication Verifier
  • Fixed documentation links for SSO providers
  • Fixed API authorization error thrown on notification endpoints for Team Members
  • Fixed an issue where custom reports were not displayed on Scan Results page
  • Fixed an issue where Knowledge Base data was not saved properly

02 Jul 2018

BUG FIXES

  • Fixed a database connectivity issue which was occurring when pool size was not sufficient (On-Premises only)
  • Fixed an issue where installation wizard was shown when database connectivity was lost (On-Premises only)
  • Fixed an issue in agent endpoint where scan file names were not set as expected (On-Premises only)

07 Jun 2018

IMPROVEMENTS

  • Improved audit logs’ contents.

BUG FIXES

  • Fixed an issue in “/scans/new” API endpoint.
  • Fixed an issue where SMTP settings were not persisted as expected.
  • Fixed an issue in IP restriction settings.
  • Fixed an issue where vulnerabilities’ request/response details were not displayed properly.

29 May 2018

NEW FEATURES

  • Added SSO (Single Sign-On) support (On-Premises only)
  • Added an option to “Scan Policy > HTTP Request” settings to capture HTTP Requests
  • Added installation wizard for On-Premises installation (On-Premises only)
  • New plugin for integration with Bamboo
  • Added code highlighting support for vulnerability request and response
  • Added “Scans per Website Group” report type to Reporting page
  • Added an option to general settings to configure retention period for raw scan files (On-Premises only)
  • Invicti Desktop integration: ability to import and export scans between the scanners.
  • Added Server-Side Template Injection (SSTI) vulnerability checks.
  • Added the OWASP 2017 Top Ten classifications report template.

NEW SECURITY CHECKS

  • Expect-CT security checks.
  • Added various new web applications in the application version database.
  • Added out of date checks for Hammer.JS, Phaser, Chart.js, Ramda, reveal.js, Fabric.js, Semantic UI, Leaflet, Foundation, three.js, PDF.js and Polymer.

IMPROVEMENTS

  • Added elapsed time information for ongoing scans
  • Added an option to scan reports page for hiding addressed issues
  • Improved Agents page to display configured agents’ versions (On-Premises only)
  • Added CVSS score to JSON vulnerabilities report
  • Improved user profile to display trial expiration date
  • Improved response status messages on the API documentation
  • Added Invicti Enterprise issue link to created tickets for supported issue tracking systems (JIRA, TFS, GitHub and FogBugz)
  • Improved help text for schedule scan’s license errors
  • Allowed team members to manage their own notification settings
  • Added “Copy to Clipboard” functionality for API settings
  • Improved Incremental Scan page to configure maximum scan duration
  • Added an icon for scans launched by continuous integration systems
  • Added “LookupId” unique identifier for vulnerabilities to “/scans/report” API endpoint
  • Added “FirstSeenDate” and “LastSeenDate” fields for vulnerabilities to “/scans/report” API endpoint
  • Added “CreatedAt” and “UpdatedAt” fields for “/websites/list” API endpoint
  • Added “/vulnerability/list” API endpoint to list vulnerability templates
  • Improved logs for client certificate validation errors
  • Crawler can now parse multiple sitemaps in a robots.txt file.
  • Added support for parsing swagger documents in yaml format.
  • Added support for parsing relative meta refresh URLs.
  • Improved parsing of websites using React framework.
  • Content-Security-Policy-Report-Only header is no longer reported as an interesting header.
  • Variations are retested before starting an incremental scan.
  • Improved JavaScript content check performance while detecting out of date versions.
  • Renamed FogBugz send to action to its new name Manuscript.
  • GitHub Send to action now works with organization accounts and private repositories.
  • Added support for handling HTTP 307 redirects.
  • DS_STORE files are discovered and parsed.
  • Added WAF (Mod Security) rule generation support for out of band vulnerabilities.
  • Improved MySQL double encoded string attacks.
  • New Extensions scan policy settings to specify which extensions should be crawled and attacked.
  • Added “Disallowed HTTP Methods” settings to scope options on the new scan page.

BUG FIXES

  • Fixed an issue where empty value was not accepted for Excluded URLs
  • Fixed an issue where an invitation was not deleted after an account was deleted
  • Fixed font size for highlighted fields on vulnerability details
  • Fixed an issue where validation was not working as expected for Invicti Hawk settings
  • Fixed an issue where VDB update date was not persisted as expected
  • Fixed some possible vulnerabilities missing [Possible] indicator in title.
  • Fixed highlighting problem for “Password Transmitted over HTTP” vulnerability.
  • Fixed the incorrect Possible LFI caused by the persisted OOB RCE pattern on the page response.
  • Fixed incorrect “[Possible] WS_FTP Log File Detected” vulnerability.
  • Fixed Hawk validation error by not following redirects.
  • Fixed the issue where a vulnerability is not reported when the cookie contains a CSRF token.
  • Fixed the issue where static detection vulnerabilities are treated as fixed after a retest even though they are not.
  • Fixed the issue where CSRF token in the cookie is not reported when token is in the form action.
  • Fixed the issue on GitHub send to action where the test passed but vulnerability issue cannot be created.
  • Fixed the SSL check hang on HTTP only hosts.
  • Fixed LFI engine by not analyzing source code disclosure on binary responses.
  • Fixed a validation issue for some Swagger documents.
  • Fixed the issue where CSP keywords are not reported when used without single quotes.
  • Fixed mailto: and javascript: links which were incorrectly reported as mixed content.
  • Fixed incorrect source code disclosures reported in binary responses.
  • Fixed incorrect UNC Server And Share Disclosure vulnerability reports.
  • Fixed out of date version reporting behavior when no ordinal is found in version database.
  • Fixed Lighttpd version disclosure detection signatures.
  • Fixed a Swagger parsing issue.

18 Apr 2018

BUG FIXES

  • Fixed a bug where crawling was not working as expected.
  • Fixed a security vulnerability in form authentication verification.

06 Mar 2018

NEW FEATURES

  • New plugin for integration with TeamCity
  • New plugin for integration with Jenkins
  • Added IP Address Restrictions

IMPROVEMENTS

  • Improved XML and date samples displayed in API documentation.
  • Improved input validation in the reporting page.
  • Improved on-premises installation document for customers using load balancer.
  • Renamed FogBugz integration to Manuscript.
  • Improved validation of custom cookies.
  • New scans launched outside scan window will be automatically queued
  • Increased character limit for website name.
  • Added more details to scanner agent’s startup log.
  • Improved installation error message of internal scanner agent.
  • Improved vulnerability request/response data page performance.
  • Improved the navigation of issues and scans. 
  • Improved validation of custom 404 settings in the Scan Policy.
  • Added a “Copy to Clipboard” button for cURL samples in API documentation.
  • Improved API documentation to show request details.
  • Changed date/time format from 24-hour clock to 12-hour clock.

BUG FIXES

  • Fixed HTTP response data that was not displayed correctly for stored XSS vulnerability.
  • Fixed the GitHub integration which was not working due to a TLS 1.2 connectivity problem.
  • Fixed an issue where the loading icon did not render correctly in IE11.
  • Fixed a font size problem in the PCI DSS reports.
  • Fixed the info messages that were not fitting in the screen on small resolutions.
  • Fixed an issue in which scan profiles could be created with the same name.
  • Fixed a bug with website verification emails which were not being sent.
  • Fixed a bug with vulnerability counts in HIPAA and PCI DSS compliance reports.