Invicti Enterprise On-Premises

NEW FEATURES

• Added support to save and re-use filters on the list pages (Recents Scans, Websites, Issues etc)
• Added out of the box integration for Slack and ServiceNow
• Introduced Report Policy Editor which allows to customize Scan Report results
• Added Russian FSTEC BDU Vulnerability Database numbers to version vulnerabilities

NEW SECURITY CHECKS

• Added Out of Band Server Side Template Injection security checks
• Added signature detection check for Caddy web server
• Added signature detection check for aah Go server
• Added signature detection check for JBoss application server
• Added CakePHP framework detection
• Added CakePHP version disclosure detection
• Added CakePHP out-of-date version detection
• Added CakePHP Stack Trace Disclosure
• Added CakePHP default page detection
• Added Out of Date checks for CKEditor 5

IMPROVEMENTS

• Configured scanner agent’s service options to recover automatically if it stops
• Improved display order of vulnerabilities in several reports
• Improved the wording in OWASP and Trend Matrix reports
• Updated the licensing model
• Allowed team members to manage their IP restrictions (previously only account administrators were allowed)
• Scheduled Scans will not be queued if a delayed one already exists in scan queue
• Improved Agent List page to display unavailable agents
• Improved the wording in Website and Global Dashboard pages
• Improved ‘/websites/get’ API endpoint to allow filtering by URL
• Improved validation messages for SSO settings
• Improved styling of Permission Matrix on New Team Member page
• Fixed error where Scheduled Scans were disabled by the system on license expiry (they’re now available again on license renewal)
• Updated .NET Framework version requirement to 4.7.2
• All authentication vulnerabilities (Basic, NTLM, Digest, etc. authorization required) are merged into a single vulnerability
• Added Label field for JIRA Send To actions
• Added Tags field for Manuscript (FogBugz) Send To actions
• Improved SQL Injection proof data by stripping HTML tags
• Improved CSRF token detection in cookie values

BUG FIXES

• Fixed wrong PDF scaling issue which causes fonts to be rendered very small for Report templates
• Fixed pagination problem on Scheduled Scans and Website Group pages
• Fixed a bug where screenshots are displayed for Scans run by Internal Agents
• Fixed the incorrect Content-Type header sent during Form Authentication requests
• Fixed the WAF rule generated for TRACE/TRACK HTTP methods which were blocking the other HTTP methods too
• Fixed the URL encoding issue for vulnerabilities that are send to Manuscript (formerly FogBugz)
• Fixed the error where the ExpectCT header was reported as an interesting header
• Fixed the Content-Type header parsing when there was an extra semicolon character at the end of the value
• Fixed the incorrect response displayed for Server Side Request Forgery (SSRF) vulnerabilities when the request was redirected to another page
• Fixed an incorrect external reference for the ViewState is not Encrypted vulnerability
• Fixed an incorrect possible LFI vulnerability when the response was redirected
• Fixed an incorrect Open Redirect vulnerability reported when a regular link was followed during DOM parsing
• Fixed broken case sensitivity check for crawled links
• Fixed FormatException that occurred while parsing cookies
• Fixed a JsonReaderException that occured while trying to parse a Swagger document
• Fixed parsing URLs with encoded chars
• Fixed hanging Open Redirect checks caused by binary responses
• Fixed the issue where a Swagger YAML file cannot be imported
• Fixed the cookie jar which does not ignore the duplicated cookie based on first cookie’s HttpOnly flag
• Fixed the Weak Signature Algorithm that is not reported for a self-signed root certificate

IMPROVEMENT

• Updated terms of services document

BUG FIXES

• Fixed a bug where XML reports can not be exported
• Fixed a bug where Jenkins integration was not working as expected
• Fixed an issue where “Check for Updates” was not displaying correct result for team member users
• Fixed a bug where sorting was not working on Scheduled Scans page

NEW FEATURE

• Added SSO (Single Sign-On) support for Netparker Enterprise On-Demand

IMPROVEMENTS

• Improved text shown after deleting a website
• Improved text shown on Authentication Verifier Settings page
• Improved help text for Recaptcha setting shown on Service Settings page
• Removed 2FA disable button for users who do not have required access permission (previously displayed as disabled)
• Improved timer behaviour of validation code shown on SMS Settings page 
• Improved order of vulnerabilities in several reports
• Response content will not be rendered if it’s higher than 10MB, instead response data can be downloaded from scan results page
• Refactored and improved performance of reports which can be exported from Scan Results page
• Added market place links for Jenkins, TeamCity and Bamboo plugins shown on Integrations page
• Improved validation messages for JIRA integration
• Improved samples for new website API documentation
• Changed wording on General Settings page
• Simplified endpoint format for Authentication Verifier settings

BUG FIXES

• Fixed a bug where if previous scan failed with domain resolution error, subsequent scans failed unexpectedly with the same error
• Fixed a bug where imported Swagger file was not parsed during scanning
• Fixed a bug where multiple SAML configurations might be configured with same configuration identifier
• Fixed an issue where Agent could not be disabled on Manage Agents page
• Fixed an issue where Jenkins icon was not displaying properly on IE
• Fixed a bug where sorting was not working for Next Execution Time on Scheduled Scans page
• Fixed a bug where product update links were not displaying correctly
• Fixed a bug where configured Scan Policies’ user agent was not used in Authentication Verifier
• Fixed documentation links for SSO providers
• Fixed API authorization error thrown on notification endpoints for Team Members
• Fixed an issue where custom reports were not displayed on Scan Results page
• Fixed an issue where Knowledge Base data was not saved properly

BUG FIXES

• Fixed a database connectivity issue which was occurring when pool size was not sufficient (onpremises only)
• Fixed an issue where installation wizard was shown when database connectivity was lost (onpremises only)
• Fixed an issue in agent endpoint where scan file names were not set as expected (onpremises only)

IMPROVEMENTS

• Improved audit logs’ contents.

BUG FIXES

• Fixed an issue in “/scans/new” API endpoint.
• Fixed an issue where SMTP settings was not persisted as expected.
• Fixed an issue in IP restriction settings.
• Fixed an issue where vulnerabilities’ request/response details were not displayed properly.

NEW FEATURES

• Added SSO (Single Sign-On) support (onpremises only)
• Added an option to “Scan Policy > HTTP Request” settings to capture HTTP Requests
• Added installation wizard for onpremises installation (onpremises only)
• New plugin for integration with Bamboo
• Added code highlighting support for vulnerability request and response
• Added “Scans per Website Group” report type to Reporting page
• Added an option to general settings to configure retention period for raw scan files (onpremises only)
• Invicti Desktop integration: ability to import and export scans between the scanners.
• Added Server-Side Template Injection (SSTI) vulnerability checks.
• Added the OWASP 2017 Top Ten classifications report template.

NEW SECURITY CHECKS

• Expect-CT security checks.
• Added various new web applications in the application version database.
• Added out of date checks for Hammer.JS., Phaser., Chart.js., Ramda., reveal.js., Fabric.js., Semantic UI., Leaflet., Foundation., three.js., PDF.js., Polymer.

IMPROVEMENTS

• Added elapsed time information for ongoing scans
• Added an option to scan reports page for hiding addressed issues
• Improved Agents page to display configured agents’ versions (onpremises only)
• Added CVSS score to JSON vulnerabilities report
• Improved user profile to display trial expiration date
• Improved response status messages on the API documentation
• Added Invicti Enterprise issue link to created tickets for supported issue tracking systems (JIRA, TFS, GitHub and FogBugz)
• Improved help text for schedule scan’s license errors
• Allowed team members to manage their own notification settings
• Added “Copy to Clipboard” functionality for API settings
• Improved Incremental Scan page to configure maximum scan duration
• Added an icon for scans launched by continuous integration systems
• Added “LookupId” unique identifier for vulnerabilities to “/scans/report” API endpoint
• Added “FirstSeenDate” and “LastSeenDate” fields for vulnerabilities to “/scans/report” API endpoint
• Added “CreatedAt” and “UpdatedAt” fields for “/websites/list” API endpoint
• Added “/vulnerability/list” API endpoint to list vulnerability templates
• Improved logs for client certificate validation errors
• Crawler can now parse multiple sitemaps in a robots.txt file.
• Added support for parsing swagger documents in yaml format.
• Added support for parsing relative meta refresh URLs.
• Improved parsing of websites using React framework.
• Content-Security-Policy-Report-Only header is not reported as an interesting header.
• Variations are retested before starting an incremental scan.
• Improved JavaScript content check performance while detecting out of date versions.
• Renamed FogBugz send to action to its new name Manuscript.
• GitHub Send to action now works with organization accounts and private repositories.
• Added support for handling HTTP 307 redirects.
• DS_STORE files are discovered and parsed.
• Added WAF (Mod Security) rule generation support for out of band vulnerabilities.
• Improved MySQL double encoded string attacks.
• New Extensions scan policy settings to specify which extensions should be crawled and attacked.
• Added “Disallowed HTTP Methods” settings to scope options on the new scan page.

BUG FIXES

• Fixed an issue where empty value was not accepted for Excluded URLs
• Fixed an issue where invitation was not deleted after an account deleted
• Fixed font size for highlighted fields on vulnerability details
• Fixed an issue where validation was not working as expected for Invicti Hawk settings
• Fixed an issue where VDB update date was not persisted as expected
• Fixed some possible vulnerabilities missing [Possible] indicator in title.
• Fixed highlighting problem for “Password Transmitted over HTTP” vulnerability.
• Fixed the incorrect Possible LFI caused by the persisted OOB RCE pattern on the page response.
• Fixed incorrect “[Possible] WS_FTP Log File Detected” vulnerability.
• Fixed Hawk validation error by not following redirects.
• Fixed the issue where a vulnerability is not reported when the cookie contains a CSRF token.
• Fixed the issue where static detection vulnerabilities are treated as fixed after a retest even though they are not.
• Fixed the issue where CSRF token in the cookie is not reported when token is in the form action.
• Fixed the issue on GitHub send to action where the test passed but vulnerability issue cannot be created.
• Fixed the SSL check hang on HTTP only hosts.
• Fixed LFI engine by not analyzing source code disclosure on binary responses.
• Fixed a validation issue for some Swagger documents.
• Fixed the issue where CSP keywords are not reported when used without single quotes.
• Fixed mailto: and javascript: links which were incorrectly reported as mixed content.
• Fixed incorrect source code disclosures reported in binary responses.
• Fixed incorrect UNC Server And Share Disclosure vulnerability reports.
• Fixed out of date version reporting behavior when no ordinal is found in version database.
• Fixed Lighttpd version disclosure detection signatures.
• Fixed a Swagger parsing issue.

BUG FIXES

• Fixed a bug where crawling is not working as expected.
• Fixed a security vulnerability in form authentication verification.

NEW FEATURES

• New plugin for integration with TeamCity
• New plugin for integration with Jenkins
• Added IP Address Restrictions

IMPROVEMENTS

• Improved XML and date samples displayed in API documentation.
• Improved input validation in the reporting page.
• Improved on-premises installation document for customers using load balancer.
• Renamed FogBugz integration to Manuscript.
• Improved validation of custom cookies.
• New scans launched outside scan window will be automatically queued
• Increased character limit for website name.
• Added more details to scanner agent’s startup log.
• Improved installation error message of internal scanner agent.
• Improved vulnerability request/response data page performance.
• Improved the navigation of issues and scans. 
• Improved validation of custom 404 settings in the Scan Policy.
• Added a “Copy to Clipboard” button for cURL samples in API documentation.
• Improved API documentation to show request details.
• Changed date/time format from 24-hour clock to 12-hour clock.

BUG FIXES

• Fixed HTTP response data that was not displayed correctly for stored XSS vulnerability.
• Fixed the Github integration which ws not working due to TLS 1.2 connectivity problem.
• Fixed an issue where loading icon does not rendering correctly in IE11.
• Fixed a font size problem in the PCI DSS reports.
• Fixed the info messages that were not fitting in the screen on small resolutions.
• Fixed an issue in which scan profiles could be created with same name.
• Fixed a bug with website verification emails which were not being sent.
• Fixed a bug with vulnerability counts in HIPAA and PCI DSS compliance reports.

NEW FEATURES

• Added agent grouping support which allows to launch scans in specified agent group. This feature is only available for on-premises standard agents.
• New API endpoints for getting website and website group details.

IMPROVEMENTS

• Changed Netpsparker Enterprise application’s loading icon.
• Added an icon to indicate external links.

BUG FIXES

• Fixed an issue where scans are not launched on on-premises AWS scanner agents.
• Fixed an issue where realtime scan results are not displayed correctly in IE11.
• Fixed an issue where proofs are not displayed correctly on vulnerability details section.

NEW FEATURES

• Realtime scan results
• Added out of the box integration support for: FogBugz, Github and TFS issue tracking systems.
• Grouping of notifications so a single email or SMS alert is sent with a list of all alerts rather than multiple individual alerts.
• New API endpoint for launching group scans.
• Scheduling for incremental scans both from the web UI and API.
• New API endpoint for generating custom scan reports.
• New scan policy setting to define Web (Session and Local) Storage.
• New Header Authentication settings to manually add request headers with authentication information.
• Added support to import links from CSV files.
• Added support for parsing of gzipped sitemaps.

NEW SECURITY CHECKS

• Check for reflected Code Evaluation in Apache Struts 2 (CVE-2017-12611).
• Check for Remote Code Execution in Apache Struts (CVE-2017-5638).

IMPROVEMENTS

• Scan Time Window setting is now available to new group scans page.
• Improved scan stability and performance.
• Improved default Form Values settings.
• Updated external references for several vulnerabilities.
• Updated default User-Agent HTTP request header string.
• Changed API endpoints to return 201-Created response status code for new resources.
• Added several UI improvements for WCAG guidelines compliance.
• Improved the email template that reports issues.
• Added “Attack Parameters” information to Scanned URLs report.
• Renamed the “Important” vulnerability severity to “High”.
• Added Form Authentication performance data to Scan Performance knowledge base node.
• Improved Active Mixed Content vulnerability description.
• Improved DOM simulation for events attached to document object.
• Added parsing of “Alternates”, “Content-Location” and “Refresh” response headers.
• Improved CSP engine performance by checking CSP Nonce value per directory.
• Changed sqlmap payloads to start with sqlmap.py, including the .py extension.
• Added –batch argument to sqlmap payloads.
• Removed Markdown Injection XSS attack payloads.
• Added ALL parameter type option to the Ignored Parameters settings.
• Added gtm.js (Google Tag Manager JS library) to the default excluded scope patterns.
• Updated the Accept HTTP header value for default scan policy.
• Added CSS exclusion selector supports frames and iframes.
• Added embedded space parsing for JavaScript code in HTML attribute values.
• Added parsing source information to Scanned URLs List and Crawled URLs List (JSON) reports.
• Email disclosure will not be reported for email addresses used in form authentication credentials.
• Added focus and blur event simulation for form authentication set value API calls.
• Added more information about HTML forms and input for vulnerabilities found in HTML forms.
• Added a JavaScript option to specify JavaScript cookies to persist across authentication and DOM simulation.
• Added Parameter Value column to the Vulnerabilities List report in CSV format.
• Added match by HTML element id for form values.
• Added “Ignore document events” to JavaScript settings to ignore triggering events attached to document object.
• Improved Windows Short Filename vulnerability details Remedy section.
• URL Rewrite parameters are now represented as asterisks in sqlmap payloads.

BUG FIXES

• Fixed an issue where AutoSave filename is missing during resuming a scan.
• Fixed an issue where “Test” button of authentication settings does not work as expected.
• Fixed an issue where model binding does not work as expected for scan profile API endpoints.
• Fixed CSRF vulnerability reporting on change password forms.
• Fixed case sensitivity checks while matching ignored parameters, now it matches case sensitive.
• Fixed the incorrect disabled external references section in WordPress Setup Configuration File template.
• Fixed various source code disclosure issues.
• Fixed an escaping issue with CSS exclusion selectors.
• Fixed the issue where the basic authentication credentials were not being sent on logout detection phase.
• Fixed a random DOM simulation exception occurs when site creates popup windows.
• Fixed a RemotingException occurs on Form Authentication Verifier.
• Fixed a possible NullReferenceException on Form Authentication.
• Fixed the broken form authentication custom script when the last line of the script is a single line comment.
• Fixed huge parameter value deserialization memory usage.
• Fixed the wrong URLs added with only extension values.
• Fixed a NullReferenceException which may be thrown while importing a swagger file.
• Fixed form authentication not triggered on retest.
• Fixed StackOverflowException in swagger parser thrown while parsing objects containing circular references.
• Fixed a swagger file parsing issue where target URL should be used when host field is missing.
• Fixed swagger importer by ignoring any metadata properties.
• Fixed a NullReferenceException occurs during DOM simulation.
• Fixed the incorrect URLs parsed on attack responses.
• Fixed the redundant duplicate HTTP requests issued by Web App Fingerprinter.
• Fixed ignore parameter issue for parameters containing special characters.
• Fixed a NullReferenceException that occurs for select elements missing option elements on multipart requests.
• Fixed missing vulnerabilities requiring late confirmation for incremental scans.
• Fixed a NullReferenceException may occur on iframe security checks.

NEW SECURITY CHECK

• Added “Out of Band Code Evaluation (Apache Struts 2)” security check (CVE-2017-9805).

NEW FEATURES

• Added scan policy settings for CSRF security checks.
• Added ability to use custom HTTP headers during scan.
• Added attacking optimization option for recurring parameters on different pages.
• Added a new knowledgebase item called Site Profile that lists information about target web site such as the web server operating system, database server, JavaScript libraries used etc.
• Redesigned the Basic, NTLM, Digest and Kerberos authentication settings which now supports multiple credentials for different URL paths.

NEW SECURITY CHECKS

• Added Referrer Policy security checks.
• Added markdown injection XSS patterns.
• Added HostIP and IPv6 patterns to MySQL and SSH SSRF security checks.
• Added Database Name Disclosure security checks for MS SQL and MySQL.
• Added Out of Date security checks for several JavaScript libraries.
• Added Remote Code Evaluation (Node.js) security checks.
• Added SSRF detection with server-status.
• Added user controllable cookie detection.
• Added Context-Aware XSS detection by generating XSS payloads based on the reflected context without breaking it.
• Added Default Page checks for IIS 7.0, 7.5, 8.5 and 10.0.
• Added IIS 10.0 Version Disclosure checks.
• Added WordPress Setup Configuration File checks.

IMPROVEMENTS

• Improved design of the group scan email template.
• Improved accessibility of several pages to follow WCAG guidelines.
• Optimized compression time while archiving the raw scan files.
• Added support for allowing users to launch scheduled scans manually.
• Disabled scheduled scans if the license is expired.
• Updated the links to several external references.
• Improved JavaScript and CSS resource parsing.
• Added DOM simulation options to scan policy optimizer wizard.
• Improved Mixed Content vulnerability reporting by separating them according to resource types.
• Improved boolean SQL injection detection for redirect responses.
• Improved WSDL parsing for files that contain optional extensions.
• Improved .sql file detection signature.
• Added extra confirmation for weak credentials detection.
• Added scan policy option to allow XHR requests during DOM simulation.
• Added form value for password input types to default scan policy.
• Increased the maximum response size limit for JavaScript resources.
• Improved the send to JIRA error message.
• Added maximum number of option elements per select element to simulate scan policy setting.
• Added filter ‘colon’ events scan policy option to filter events that contain colon character in its name during DOM simulation.
• Improved error based SQLi exploitation by generating prefix/suffix dynamically.
• Improved command injection vulnerability detection by prepending original parameter value to attack payload.
• Improved LFI vulnerability detection by detecting HTML and URL encoded PHP source codes.
• Improved LFI attack patterns.
• Improved DOM XSS attack patterns.
• Improved DOM/JavaScript simulation.
• Improved the performance of email address disclosure detection.
• Improved the performance of database connection string disclosure detection.
• Improved the performance of JavaScript library detection.
• Improved the performance of RoR database configuration detection.
• Improved Blind Command Injection detection on Linux systems.
• Improved resource finder to find more hidden resources.
• Improved support for simulating customized select elements.
• Improved NTLM, Digest and Kerberos authentication support.
• Improved DOM simulation stability and performance.
• Improved the default parameter name list for Parameter Based Navigation.
• Added NTLM and Digest authentication support to the generated sqlmap and cURL commands.
• Improved boolean and blind SQL injection checks for MySQL databases.
• Improved blind SQL injection checks for PostgreSQL databases.
• Improved reflected and stored XSS detection.
• HSTS checks now reports missing preload directives.
• Updated Korean translation.
• Improved JSON response parsing.
• Improved DOM based XSS payloads by prepending a URL to referer to make it practically work on web browsers.
• Improved email disclosure checks by checking host names against to public suffix list.

BUG FIXES

• Fixed a NullReferenceException which may have been thrown while editing settings of an user.
• Fixed an issue where email notifications are not sent for unconfirmed phone numbers.
• Fixed an issue which may have been thrown while deleting an account.
• Fixed an issue where error based SQLi confirmation is done based on the first seen database signature when multiple signatures appear in source code.
• Fixed the duplicate import link issue.
• Fixed an issue where XSS is missed when injected payload is not executed due to a syntax error.
• Fixed crawling of URLs on pages where base element points to some other URL.
• Fixes an issue where blacklisted Invicti attacks prevent further source code disclosures in HTML response.
• Fixed an issue where mixed content vulnerabilities are missing because DOM simulation is skipped due to missing JavaScript in HTML source.
• Fixed issues where empty POST parameter is imported and headers added as disabled for Postman files.
• Fixed an issue where signature fails to match MS SQL username in error messages.
• Fixed an issue where vulnerability is missed because of that not appending arbitrary value to extra querystring parameter name.
• Fixed the error caused by null bytes in attack patterns while sending vulnerabilities to JIRA.
• Fixed an incorrect “Password Transmitted over HTTP” issue for relative URLs on pages redirected to HTTPS addresses.
• Fixed the NullReferenceException thrown while importing certain HAR (HTTP Archive) files.
• Fixed incorrect “Interesting Header” report for Content-Security-Policy header.
• Fixed directory listing is not reported issues on some IIS versions.
• Fixed the issue where comments in CSS files are not parsed.
• Fixed the incorrect URL found in CSS comments.
• Fixed incorrect CSRF vulnerability reports by taking hidden token input into account.
• Fixed an IndexOutOfRangeException caused by CSP checks.
• Fixed the signature pattern which fails to match “Programming Error Message (PHP)” in multiple lines.
• Fixed markdown XSS attack patterns causing incorrect findings.
• Fixed incorrect “Interesting Header” reports for some headers.
• Fixed the incorrect http protocol displayed for SSL vulnerabilities.
• Fixed an issue where DOM simulation is performed for checking XSS once per XPath.
• Fixed the maximum crawled URL limit exceeded issue.
• Fixed duplicate resource finder requests.
• Fixed the WADL import issue where the operation fails for responses with no status codes.
• Fixed incorrect HttpOnly reports of XSRF-TOKEN cookies, due to its nature these cookies must be accessed from JS code.
• Fixed the incorrect missing object-src report on CSP checks.
• Fixed an issue where default crawled value is double-encoded instead of single.
• Fixed the missing content for Site Profile section of Knowledge Base report.