Invicti Enterprise On-Premises 21 Jun 2023 v23.6.0

New security checks

  • Added new security check for LDAP injection for IAST.
  • Added new security check for MongoDB injection.
  • Added new security check for Server-side Template Injection for IAST.
  • Added new security check for XPath injection for IAST.
  • Implemented security check for Sensitive Data Exposure.
  • Added the check for Boolean-based MongoDB injection.
  • Added the check for MongoDB Operator Injector.
  • Implemented the XML external entity check for IAST.
  • Added the ISO/IEC27001:2022 Classification.
  • Added the report template and attack pattern to the Out-of-band RCE.
  • Added passive check for Lua.
  • Added a security check to detect public Docker files.
  • Implemented a new engine to identify WordPress themes and Plugins.
  • Added new security checks for SAML.
  • Added security check for IT Hit WebDAV Server .Net Version Disclosure.
  • Added security check for MS Exchange Version Disclosure.
  • Added new payloads for Command Injection.
  • Added support for PopperJS.
  • Added support for CanvasJS.
  • Added new security check for the SQLite Database Detection.
  • Added new payloads for Header Injection.
  • Added new security check for Spring Boot Actuator Detection.
  • Added security check for NodeJS Stack Trace Disclosure.
  • Added security check for SailsJS and ActionHero Identified.
  • Added security check for JetBrains .idea Detected.
  • Added security check for GraphQL Stack Trace Disclosure.
  • Added security checks for Javascript Libraries.
  • Added security checks for Web Application Fingerprinter Engine.
  • Added new security checks for WordPress Hello Elementor Theme Detection.
  • Added new security checks for WordPress Twenty Twenty-Three Theme Detection.
  • Added new security checks for WordPress Twenty Twenty-Two Theme Detection.
  • Added new security checks for WordPress Astra Theme Detection.
  • Added new security checks for WordPress Twenty Twenty-One Theme Detection.
  • Added new security checks for WordPress Twenty Twenty Theme Detection.
  • Added new security checks for WordPress OceanWP Theme Detection.
  • Added new security checks for WordPress Twenty Seventeen Theme Detection.
  • Added new security checks for WordPress Kadence Theme Detection.
  • Added new security checks for WordPress Twenty-Sixteen Theme Detection.
  • Added new security checks for WordPress Twenty Nineteen Theme Detection.
  • Added new security checks for WordPress PopularFX Theme Detection.
  • Added new security checks for WordPress GeneratePress Theme Detection.
  • Added new security checks for WordPress Inspiro Theme Detection.
  • Added new security checks for WordPress Go Theme Detection.
  • Added new security checks for WordPress Smash Balloon Social Photo Feed Plugin Detection.
  • Added new security checks for WordPress Contact Form 7 Plugin Detection.
  • Added new security checks for WordPress Yoast SEO Plugin Detection.
  • Added new security checks for WordPress Elementor Website Builder Plugin Detection.
  • Added new security checks for WordPress Classic Editor Plugin Detection.
  • Added new security checks for WordPress Akismet Spam Protection Plugin Detection.
  • Added new security checks for WordPress WooCommerce Plugin Detection.
  • Added new security checks for WordPress Contact Form by WPForms Plugin Detection.
  • Added new security checks for WordPress Really Simple SSL Plugin Detection.
  • Added new security checks for WordPress Jetpack Plugin Detection.
  • Added new security checks for WordPress All-in-One WP Migration Plugin Detection.
  • Added new security checks for WordPress Wordfence Security Plugin Detection.
  • Added new security checks for WordPress Yoast Duplicate Post Plugin Detection.
  • Added new security checks for WordPress WordPress Importer Plugin Detection.
  • Added new security checks for WordPress LiteSpeed Cache Plugin Detection.
  • Added new security checks for WordPress UpdraftPlus WordPress Backup Plugin Plugin Detection.
  • Added new security check for EZProxy Identified.

Improvements

  • Updated the Java sensor for more stability in the sensor.
  • Added the Response Receiver information event to remove waiting time for requests.
  • Improved the discovery service for email, website, and main website matching.
  • Improved the Not Contains filter for tags.
  • Added the EC2 Instance ID column to the default columns on the Discovered Websites page.
  • Updated API documentation for outdated ApiFileModel JSON example.
  • Added an information message to the report policy page in case the custom report policy cannot be found.
  • Improved the agent assignment process to prevent performance issues.
  • Changed the Launch Scan button to the New Scan button on the dashboard.
  • Added an account ID control when querying the website with the root URL.
  • Improved the website importing when the CSV file has more than 1000 entries.
  • Added an information message for adding an AWS connection that appears when there is no running instance.
  • Improved the health check of websites discovered via the AWS connection.
  • Changed the Jira webhook settings, making the Exclude Body checkbox selection mandatory.
  • Fixed the importing website issue that threw an error when a user tries to add the website deleted from Invicti previously.
  • Improved the scan data by moving some information like attack and knowledge base data to the storage.
  • Improved the AWS discovery that can find private IPs in addition to the public IPs when the Include Unreachable Discovered Websites checkbox is selected.
  • Improved the user interface for the website’s menu.
  • Improved the user interface for the crawling options on the New Scan page.
  • Improved the business logic recorder to play the authenticated record.
  • Updated the Signature Detection pattern.
  • Improved the wordlist for Forced Browsing checks.
  • Changed the Session Cookie not marked as Secure severity from High to Medium.
  • Improved the performance of downloading the discovery data via the API endpoint.
  • [Acunetix 360] Improved the silent installation JSON document for AcuMonitor.
  • Increased the delay control for max scan duration to 12 hours. After 12 hours of the maximum scan time set by the customer, the web application fails the scan.
  • Improved Drupal and Joomla detection.
  • Improved the Next.js version detection.
  • Improved Django debug mode enabled.
  • Updated the SSL/TLS report template.

Fixes

  • Fixed the date-time issue in the Authentication Verifier Service that prevents verifier agents from being listed on the verifier page.
  • Fixed the typo on the filter options on the Discovered Webpages page.
  • Fixed the proxy settings on the scan policy, so it can be applicable for agents as well.
  • Fixed the agent selection issue that prevents users from launching scans.
  • Fixed an issue that caused a bad CSRF token when confirming Cross-site Scripting.
  • Fixed the issue that is filling out the login form on the logout page during the login verification.
  • Fixed the issue of changing the order of API parameters while importing the JSON file.
  • Fixed the vulnerability signature types for Cloudflare and Cdnjs.
  • Fixed the custom script information on the 3-Legged Authorization in the scan summary.
  • Fixed the issue that prevented empty website groups from being deleted.
  • Fixed the issue that resulted in the scanning of the target URL instead of the GraphQL endpoint.
  • Fixed the token detection issue although the Detect Bearer Authorization Token function is disabled.
  • Fixed the case-sensitive parameter name that caused issues when migrating the database.
  • Fixed the ServiceNow integration issue that failed to export the issue information.
  • Fixed the issue that allowed a user with permission to add/edit a website group the ability to view all account websites.
  • Fixed the permission issue that a user can add and edit discovery connection via an API endpoint although the user does not have that permission.
  • Fixed the logo issue that the Knowledge Base report was showing the old Invicti logo.
  • Fixed issues encountered during scan deletion and canceling to improve performance.
  • Fixed the issue in which a team’s name is deleted during the editing process.
  • Fixed the validation issue for the Kafta integration.
  • Fixed the password update issue for the authentication verifier process that failed to obtain the new password.
  • Improved report generation via API endpoints.
  • Fixed the login failures when the Authentication Profile is selected as the Use matched profile.
  • Fixed the issue that caused the flashing custom script screen.
  • Fixed the issue with cascading combo box by fixing the query.
  • Fixed an internal server error while exporting from the Invicti Standard to the Invicti Enterprise.
  • Fixed the issue with the “#” sign that can appear in the target URL.
  • Fixed the issue with choosing the All option from the website group drop-down on the Reporting page.
  • Fixed an issue about HTTP Status codes on the crawler performance in the Knowledge Base Report.
  • Fixed the importing GraphQL introspection issue.
  • Fixed the weak Nonce detection in Content Security Policy.