Invicti Enterprise On-Premises 24 Apr 2023 v23.4.0

New security checks

  • Added package.json Configuration File attack pattern.
  • Added new File Upload Injection pattern.
  • Added SSRF (Equinix) vulnerability. 
  • Added Swagger user interface Out-of-Date vulnerability.
  • Added a file upload injection pattern.
  • Added StackPath CDN Identified vulnerability.
  • Added Insecure Usage of Version 1 GUID vulnerability.
  • Added JBoss Web Console JMX Invoker check.
  • Added Windows Server check. 
  • Added Windows CE check.
  • Added Cloudflare Identified, Cloudflare Bot Management, Cloudflare Browser Insights, and cdnjs checks. 
  • Added Varnish Version Disclosure vulnerability check.
  • Added Stack Trace Disclosure (Apache Shiro) vulnerability check.
  • Added Java Servlet Ouf-of-Date vulnerability check.
  • Added AEM Detected vulnerability check.
  • Added CDN Detected(JsDelivr) vulnerability check.

Improvements

  • Updated Invicti Enterprise with the new brand logo.
  • Added external schema import to solve a WSDL file importing another WSDL file.
  • Added the Hawk URL configuration to the silent installation document.
  • Improved the Authentication Verifier settings in the silent installation document to skip or not the verifier.
  • Improved the On-Premises installation package to run as 64-bit if the platform support 64-bit. 
  • Improved the settings page for admins to change the Hawk URL.
  • Improved the bulk update of those issues with the Fixed(Can’t Retest) status.
  • Added a column on the Issues page to show users whether an issue is retestable.
  • Improved the scan compression algorithm to lower the size of the scan data.
  • Added a tooltip to show the full scan report name when it is too long.
  • Added a progress indication while exporting a PCI scan report.
  • Added an option to delete the stuck agents’ commands.
  • Fixed the business logic recorder issue while using the Basic, NTLM/Kerberos Configurations.
  • Improved the descriptions for /api/1.0/issues/report endpoint and the integration parameter on the Allissues endpoint. 
  • Improved WS_FTP Log vulnerability test pattern.
  • Improved X-XSS-Protection Header Issue vulnerability template.
  • Improved MySQL Database Error Message attack pattern.
  • Improved XML External Entity Injection vulnerability test pattern.
  • Improved Forced Browsing List. 
  • Added CWE classification for Insecure HTTP Usage.
  • Added GraphQL Attack Usage to existing test patterns by default.
  • Added an option to ignore events that can break the JavaScript simulation script.
  • Added version number information to internal agents on the Configure New Agent page.
  • Added an option to set a timeout value for agents to be set as Unavailable if they are stuck. 
  • Improved Invicti Enterprise to clear all login files upon signing out of the application.
  • Improved the Authentication Verifier settings in the silent installation document to skip or not the verifier.
  • Created a queue to store scan results and register results asynchronously.
  • Added the vulnerability database to the installation package.

Fixes

  • Fixed Out-of-memory reason at CDPSession.
  • Fixed the issue with the DefectDojo report submission.
  • Fixed the Client Secret in raw text appearing in the scan report for OAuth2.
  • Fixed the time zone issue for the authentication verifier agent.
  • Fixed the IAST Bridge installation issue that ended prematurely.
  • Fixed the issue that displayed “vulnerability not found” on the user interface although the vulnerability is identified.
  • Fixed the scan duration limit issue that crashed the application.
  • Fixed the issue with a folder name with blanks to prevent the Unquoted Service Path vulnerability.
  • Fixed the control issue that threw an “internal server error” when exporting a scan from Invicti Standard to the Enterprise.
  • Fixed the update issue in the Proof node in the Knowledge Base panel. 
  • Fixed the scan profile issue when exported from Invicti Standard to Invicti Enterprise.
  • Fixed the API token reset issue for team members.
  • Fixed the API documentation’s website that failed to show descriptions.
  • Fixed the business logic recorder issue where the session is dropped because of a cookie.
  • Fixed the default email address that appeared on the login page during the custom script window. 
  • Fixed the Out-of-Memory issue caused by the Text Parser when adding any extension to the parser.
  • Fixed the Client Secret in raw text appearing in the scan report for OAuth2. 
  • Fixed the Hawk validation issue.
  • Fixed the scan flow with different logic for incremental scans that are launched via CI/CD integrations and the user interface.
  • Fixed the custom vulnerability deletion problem on the custom report policy.
  • Fixed the vulnerability database issue that occurred because of a URL redirect problem.
  • Fixed the internal server error on the Audit logs’ list endpoint. 
  • Fixed the issue of email notifications when a new scan is launched. 
  • Fixed the typo on the OAuth2 settings page.
  • Fixed the issue updating timeout issue. 
  • Fixed the issues API endpoint on the updating and sorting.
  • Fixed the tagging issue with the Azure Boards integration that the tag appeared on the Azure board although there is no tag entered on the Invicti side.
  • Improved the web app and agent communication.
  • Updated the docker agent package for the 64-bit process.
  • Fixed the bug that threw an object reference error while trying to end the scans that exceeded the max scan duration.
  • Fixed the Classless Inter-Domain Routing (CIDR) transformation issue for the discovery service.
  • Fixed the discovery service crawling issue.
  • Fixed issues that caused erroneous reports.