🚀 Invicti Acquires Kondukto to Deliver Proof-Based Application Security Posture Management
100% Signal 0% Noise
Platform
Platform Overview
ASPM
API Security
DAST
SAST
SCA
Container Security
AI-Powered AppSec
Features
Pricing
Why Invicti
About Us
Case Studies
Contact Us
Resources
Resource Library
Blog
Webinars
White Papers
Podcasts
Case Studies
Invicti Learn
Live Training
Partners
Documentation
Get a demo
Home
/
Invicti Enterprise On-Premises
/
v23.4.0
Invicti Product Release Notes
Invicti Enterprise On-Demand
Invicti Enterprise On-Premises
Invicti Standard
Invicti Application Security Platform
April 24, 2023

v23.4.0

New security checks

  • Added package.json Configuration File attack pattern.
  • Added new File Upload Injection pattern.
  • Added SSRF (Equinix) vulnerability. 
  • Added Swagger user interface Out-of-Date vulnerability.
  • Added a file upload injection pattern.
  • Added StackPath CDN Identified vulnerability.
  • Added Insecure Usage of Version 1 GUID vulnerability.
  • Added JBoss Web Console JMX Invoker check.
  • Added Windows Server check. 
  • Added Windows CE check.
  • Added Cloudflare Identified, Cloudflare Bot Management, Cloudflare Browser Insights, and cdnjs checks. 
  • Added Varnish Version Disclosure vulnerability check.
  • Added Stack Trace Disclosure (Apache Shiro) vulnerability check.
  • Added Java Servlet Ouf-of-Date vulnerability check.
  • Added AEM Detected vulnerability check.
  • Added CDN Detected(JsDelivr) vulnerability check.

Improvements

  • Updated Invicti Enterprise with the new brand logo.
  • Added external schema import to solve a WSDL file importing another WSDL file.
  • Added the Hawk URL configuration to the silent installation document.
  • Improved the Authentication Verifier settings in the silent installation document to skip or not the verifier.
  • Improved the On-Premises installation package to run as 64-bit if the platform support 64-bit. 
  • Improved the settings page for admins to change the Hawk URL.
  • Improved the bulk update of those issues with the Fixed(Can’t Retest) status.
  • Added a column on the Issues page to show users whether an issue is retestable.
  • Improved the scan compression algorithm to lower the size of the scan data.
  • Added a tooltip to show the full scan report name when it is too long.
  • Added a progress indication while exporting a PCI scan report.
  • Added an option to delete the stuck agents' commands.
  • Fixed the business logic recorder issue while using the Basic, NTLM/Kerberos Configurations.
  • Improved the descriptions for /api/1.0/issues/report endpoint and the integration parameter on the Allissues endpoint. 
  • Improved WS_FTP Log vulnerability test pattern.
  • Improved X-XSS-Protection Header Issue vulnerability template.
  • Improved MySQL Database Error Message attack pattern.
  • Improved XML External Entity Injection vulnerability test pattern.
  • Improved Forced Browsing List. 
  • Added CWE classification for Insecure HTTP Usage.
  • Added GraphQL Attack Usage to existing test patterns by default.
  • Added an option to ignore events that can break the JavaScript simulation script.
  • Added version number information to internal agents on the Configure New Agent page.
  • Added an option to set a timeout value for agents to be set as Unavailable if they are stuck. 
  • Improved Invicti Enterprise to clear all login files upon signing out of the application.
  • Improved the Authentication Verifier settings in the silent installation document to skip or not the verifier.
  • Created a queue to store scan results and register results asynchronously.
  • Added the vulnerability database to the installation package.

Fixes

  • Fixed Out-of-memory reason at CDPSession.
  • Fixed the issue with the DefectDojo report submission.
  • Fixed the Client Secret in raw text appearing in the scan report for OAuth2.
  • Fixed the time zone issue for the authentication verifier agent.
  • Fixed the IAST Bridge installation issue that ended prematurely.
  • Fixed the issue that displayed "vulnerability not found" on the user interface although the vulnerability is identified.
  • Fixed the scan duration limit issue that crashed the application.
  • Fixed the issue with a folder name with blanks to prevent the Unquoted Service Path vulnerability.
  • Fixed the control issue that threw an “internal server error” when exporting a scan from Invicti Standard to the Enterprise.
  • Fixed the update issue in the Proof node in the Knowledge Base panel. 
  • Fixed the scan profile issue when exported from Invicti Standard to Invicti Enterprise.
  • Fixed the API token reset issue for team members.
  • Fixed the API documentation’s website that failed to show descriptions.
  • Fixed the business logic recorder issue where the session is dropped because of a cookie.
  • Fixed the default email address that appeared on the login page during the custom script window. 
  • Fixed the Out-of-Memory issue caused by the Text Parser when adding any extension to the parser.
  • Fixed the Client Secret in raw text appearing in the scan report for OAuth2. 
  • Fixed the Hawk validation issue.
  • Fixed the scan flow with different logic for incremental scans that are launched via CI/CD integrations and the user interface.
  • Fixed the custom vulnerability deletion problem on the custom report policy.
  • Fixed the vulnerability database issue that occurred because of a URL redirect problem.
  • Fixed the internal server error on the Audit logs' list endpoint. 
  • Fixed the issue of email notifications when a new scan is launched. 
  • Fixed the typo on the OAuth2 settings page.
  • Fixed the issue updating timeout issue. 
  • Fixed the issues API endpoint on the updating and sorting.
  • Fixed the tagging issue with the Azure Boards integration that the tag appeared on the Azure board although there is no tag entered on the Invicti side.
  • Improved the web app and agent communication.
  • Updated the docker agent package for the 64-bit process.
  • Fixed the bug that threw an object reference error while trying to end the scans that exceeded the max scan duration.
  • Fixed the Classless Inter-Domain Routing (CIDR) transformation issue for the discovery service.
  • Fixed the discovery service crawling issue.
  • Fixed issues that caused erroneous reports.
Invicti Security Corp
1000 N Lamar Blvd Suite 300
Austin, TX 78703, US
© Invicti {year}
Resources
FeaturesIntegrationsPlansCase StudiesRelease NotesInvicti Learn
Use Cases
Penetration Testing SoftwareWebsite Security ScannerEthical Hacking SoftwareWeb Vulnerability ScannerComparisonsOnline Application Scanner
Web Security
The Problem with False PositivesWhy Pay for Web ScannersSQL Injection Cheat SheetGetting Started with Web SecurityVulnerability IndexUsing Content Security Policy to Secure Web Applications
Comparison
Acunetix vs. InvictiBurp Suite vs. InvictiCheckmarx vs. InvictiProbely vs. InvictiQualys vs. InvictiTenable Nessus vs. Invicti
Company
About UsContact UsDocumentationCareersResourcesPartners

Invicti Security is changing the way web applications are secured. Invicti’s dynamic and interactive application security products help organizations in every industry scale their overall security operations, make the best use of their security resources, and engage developers in helping to improve their overall security posture.

LegalPrivacy PolicyCalifornia Privacy RightsTerms of UseAccessibilitySitemap
Privacy Policy