Release Notes
Invicti Standard
Improvements
- Improved the "SameSite Cookie Not Implemented" security check
- Improved the "JWT Signature is not Verified" security check
Resolved issues
- Fixed login failures due to issues with loading authentication profiles
- Fixed an issue where Linux/cloud agents couldn't parse secrets in pre-request query parameters
- Improved the application's launch time
Security checks
- Added detection of Pega Infinity as a technology in the Vulnerability Database (VDB)
Improvements
- Added the Hawk check delay as a scan policy setting
- Added a Maximum Cookie Count setting to cap the number of cookies sent when necessary
Resolved issues
- Implemented a fix to ensure that manual scanning continues without interruption when using a proxy
- Implemented If-Modified-Since header to minimize false positives during vulnerability scans
- Fixed logging in Post-Request scripts
- Implemented a fix to ensure the Post-Request script is triggered for all requests in the browser context
Security checks
- Added a new CVE check for CVE-2019-19326
- Added a new XSS attack pattern for CVE-2024-11831
Improvements
- Improved XSS detection to reduce noise
- Increased the timeout duration for IAST responses to prevent premature failures
- Implemented an enhancement to capture the token information present in the response during the OAuth2 Implicit Flow
- Implemented an enhancement to enable more effective cookie management when HTTP/2 is enabled
- Updated dependencies with known vulnerabilities
- Improved prototype-pollution detection to reduce noise
Resolved issues
- Enhanced support for using multiple secrets simultaneously within a single custom header
- Resolved an issue where duplicate X-Content-Type-Options headers triggered false missing header reports
- Fixed an application crash caused by faulty custom scripts
- Addressed an issue encountered during report policy migration
- Corrected the MOVEit SQLi check to avoid reporting an incorrect version
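The two header-related items above (the "SameSite Cookie Not Implemented" check improvement and the false "missing header" report triggered by duplicate X-Content-Type-Options headers) describe a class of passive response check that is easy to get subtly wrong. The following is an added example written for these notes, not Invicti's own check code, showing how such a check should treat a response head: header-name matching is case-insensitive, a header that appears twice is reported as a duplicate rather than as missing, and each Set-Cookie header is inspected individually for a SameSite attribute (with SameSite=None additionally requiring Secure). The sample HTTP response is constructed for the example; the function names are illustrative.

```python
"""Passive response-header checks over a raw HTTP response head.

Added illustration for these release notes; not Invicti's implementation.
The sample response below is constructed for the example.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample: duplicate X-Content-Type-Options (different case),
# one cookie without SameSite, one with SameSite=Lax, one SameSite=None
# without Secure.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "x-content-type-options: nosniff\r\n"
    "Set-Cookie: session=abc123; Path=/; HttpOnly; Secure\r\n"
    "Set-Cookie: pref=dark; Path=/; SameSite=Lax\r\n"
    "Set-Cookie: track=1; SameSite=None\r\n"
    "\r\n"
)


def parse_response_head(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Return (status_code, [(name, value), ...]) for a raw response head.

    Header names are lower-cased so later lookups are case-insensitive;
    duplicate headers are kept in order rather than collapsed.
    """
    lines = raw.replace("\r\n", "\n").strip("\n").split("\n")
    status = int(lines[0].split()[1])
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        if not line.strip():  # blank line ends the head; ignore any body
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def header_values(headers: List[Tuple[str, str]], name: str) -> List[str]:
    """All values for a header name (already lower-cased by the parser)."""
    return [v for n, v in headers if n == name.lower()]


def check_x_content_type_options(headers: List[Tuple[str, str]]) -> Optional[Dict[str, object]]:
    """Missing, invalid, or duplicated X-Content-Type-Options.

    A header present more than once is NOT a 'missing header' finding;
    it is reported separately so the false positive described above
    cannot occur.
    """
    values = header_values(headers, "x-content-type-options")
    if not values:
        return {"finding": "X-Content-Type-Options header missing"}
    if any(v.lower() != "nosniff" for v in values):
        return {"finding": "X-Content-Type-Options has an invalid value", "values": values}
    if len(values) > 1:
        return {"finding": "Duplicate X-Content-Type-Options header (informational)", "values": values}
    return None


def parse_set_cookie(value: str) -> Dict[str, str]:
    """Parse one Set-Cookie value into {'name', 'value', <attr-lower>: ...}.

    Flag attributes such as Secure or HttpOnly are stored with an empty value.
    """
    parts = [p.strip() for p in value.split(";")]
    name, _, val = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": val}
    for part in parts[1:]:
        key, _, attr_val = part.partition("=")
        cookie[key.strip().lower()] = attr_val.strip()
    return cookie


def check_samesite(headers: List[Tuple[str, str]]) -> List[Dict[str, str]]:
    """One finding per cookie lacking a valid SameSite, or SameSite=None without Secure."""
    findings = []
    for raw in header_values(headers, "set-cookie"):
        cookie = parse_set_cookie(raw)
        samesite = cookie.get("samesite", "").lower()
        if samesite not in ("strict", "lax", "none"):
            findings.append({"cookie": cookie["name"], "finding": "SameSite attribute not implemented"})
        elif samesite == "none" and "secure" not in cookie:
            findings.append({"cookie": cookie["name"], "finding": "SameSite=None without Secure"})
    return findings


def run_checks(raw: str = SAMPLE_RESPONSE) -> Dict[str, object]:
    """Run both checks over a raw response head and return the findings."""
    _, headers = parse_response_head(raw)
    return {"xcto": check_x_content_type_options(headers), "samesite": check_samesite(headers)}


if __name__ == "__main__":
    for key, result in run_checks().items():
        print(key, "->", result)
```

On the sample response the X-Content-Type-Options check reports a duplicate (not a missing header), and the SameSite check flags only the `session` cookie (no SameSite) and the `track` cookie (SameSite=None without Secure), leaving `pref` alone.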
Improvements
- Improved Stack Trace Disclosure (Java) detection pattern
- Added support for configuring the temp file via appsettings.json or an environment variable
- Updated Microsoft.OpenApi to version 2.0 preview to support OpenAPI 3.1.0 for improved API scanning
Resolved issues
- Fixed a file access conflict issue during VDB update
- Resolved an issue where multiple versions of Next.js were not properly displayed in the Technologies dashboard and Scan Reports
New features
- Added Post-request script feature
New security check
- Added a new XSS Security check
Resolved issues
- Fixed an issue with verifying the existence of links in the link pool
- Improved incremental scanning
- Implemented logic to create the UserDocumentsDirectoryPath when it doesn't already exist
- Added support for defining headers and HTTP method during CSV import
- Improved usage and reliability of SmartCard authentication
Improvements
- Added the ability to add Parent Relations for Azure products, enabling easier hierarchical management
- Implemented agent for secure storage and retrieval of passwords for Pre-Request scripts
Resolved issues
- Fixed naming issues for the WordPress plugin Contact Form 7
- Fixed the issue of LoginRequiredUrl and Pre-Request script requests causing bottlenecks in HTTP requests
- Fixed an issue that unnecessarily included the code parameter in OAuth2 authorization requests
- The scanning engine now correctly processes merged request headers received from browser
Improvements
- Updated remediation details for outdated AngularJS versions
Resolved issues
- Fixed restrictions for JIRA integration
- Updated Chromium and Node.js versions, resolving Chromium-related issues, including the unexpected increase in the Chromium process count
- Exclude URL rules now function correctly even when the excluded URL is the target
- Fixed an issue with retrieving OAuth2 token data from JSON responses
Improvements
- Enhanced technology version identification from URI
- Improved reporting of multiple technology detections on the same file
Resolved issues
- Implemented a fallback mechanism to mitigate Chrome-related issues
- Updated OpenSSL from version 3.3.1 to 3.3.2
- Implemented a fix for an import issue caused by gRPC backward compatibility failure
Improvements
- Improved importing GraphQL queries
- Added the option to select US2 in the Enterprise Integration section, enabling IS connectivity for US2 instance customers
Resolved issues
- Resolved issue preventing the use of the Chromium Extension in Scanner and Verifier Agent
- Fixed the issue which was causing exports from Invicti Standard to Acunetix 360 to fail
New features
- Added single-tab crawling for websites that do not allow multiple-tab browsing
- Upgraded the Shortcut integration API endpoint to v3
Improvements
- Improved payload for Log4j detection
- Added a feature to automatically override some headers in MFA cases
Resolved issues
- Resolved scan authentication issues for multiple pages
- Resolved issues related to screenshots and login processes
- Fixed security check for popper.js detection
- Added control for URLs that should not be included in the scope
New security checks
- Added detection of cookieconsent2 as a technology in the Vulnerability Database (VDB)
Improvements
- Added the ability to replace placeholders in browser for Authorization Headers
- Improved report template of JWT Signature is not verified vulnerability
Resolved issues
- Fixed a tar file import error caused by invalid HAR file syntax; the error message was disclosing the local path of the OnDemand web app machine
- Fixed a duplicated-links issue during proto file import
Improvements
- Redirected support email addresses to the http://support.invicti.com/ link
- Updated Chromium from version 121 to version 131 for enhanced performance and compatibility
- Enhanced detection accuracy for the Weak Ciphers Enabled check after analyzing reported false positives
Resolved issues
- Resolved the “Internal Server Error” encountered on the Invicti scans/report API endpoint after enabling the “Prevent any sensitive information showing within the product” setting
- Resolved the issue where the Agent Verifier was encountering errors when using certificates in a Linux environment
- Resolved a coverage issue where the login page reappeared during scans
New Security Checks
- Added detection of Google Tag Manager as a technology in the Vulnerability Database (VDB)
Improvements
- Invicti Standard Agent upgraded to .NET 8 for improved performance and compatibility
- Improved analysis and remediation capabilities for [Possible] Server-Side Template Injection vulnerabilities
Fixes
- Fixed a missing proxy implementation for ICBD and Puppeteer
- Fixed an issue where Retest-type scans did not identify the same vulnerabilities detected during full scans
- Fixed high CPU usage in some agents caused by Chromium
- Fixed an issue where the Misconfigured Access-Control-Allow-Origin Header vulnerability was not detected
- Improved detection of the [Possible] Password Transmitted over Query String vulnerability
New Security Checks
- Added detection for multiple JavaScript libraries
- Added detection for Masa CMS (CVE-2022-47002 and CVE-2021-42183)
Fixes
- Fixed a bug that was disabling the skip scan phase option
New Security Checks
- Updated detection for ActiveMQ - Remote Code Execution (CVE-2023-46604) and TorchServe Management API SSRF (CVE-2023-43654)
Improvements
- Added 'save as new' and 'overwrite' options when importing scans
- Reporting improvements for the “Unknown Option Used In Referrer-Policy” vulnerability
- Added the ability to export/import scan profiles and scan policies between different instances of Invicti Standard
Fixes
- Various fixes for the verifiers
- Out-of-date version for Boolean Based MongoDB Injection is now reported correctly
New Security Checks
- Added XWiki version disclosure vulnerability and attack patterns
Fixes
- Fixed the false negative issue related to Polyfill.io
- Fixed an issue related to creating a custom script for a web application using the OIDC method with a login pop-up
New Security Checks
- Adjusted the severity of SSLv3 and TLS 1.0 vulnerabilities to reflect their security risks
- Added support for CSP frame-ancestors
- Added detection for CVE-2024-6297, affecting several WordPress plugins
Improvements
- Pre-request scripts now also work in the DOM context
Fixes
- Resolved an issue with a pre-request script that was affecting crawling functionality
New Security Checks
- Added detection for Jenkins Secret as a Sensitive Data Exposure
Improvements
- Started to utilize the Microsoft Azure Trusted Signing service for code signing of Invicti Standard
Fixes
- Fixed Chromium-related issues in the agent
- Fixed the issue where temp folders could not be deleted and Chromium instances remained open when Puppeteer encountered an error
- Fixed the false positive on detection of "Stack Trace Disclosure (Java)"
- Fixed an issue related to the Moment.js regex
- Fixed the OIDC authentication issue
- Fixed the issue where the REST API endpoint returned HTTP 400 instead of HTTP 200 when sending custom values
- Fixed the issue preventing proper login to the target URL
New Security Checks
- Incorporated the reporting of sensitive information disclosures from Okta
- Added a check for Authentication bypass in Fortra's GoAnywhere MFT (CVE-2024-0204)
- Added a check for OpenSSH server RCE (CVE-2024-6387)
- Added a check for cached pages that contain sensitive data (CWE-525)
Improvements
- Resolved an issue where scans were failing due to the TLS connection not being established
Fixes
- Resolved a problem that was causing scans to become stuck
New Security Checks
- Added a new security check to identify supply chain attacks through Polyfill JS
- Added a detection for GeoServer SQLi vulnerability (CVE-2023-25157)
- Added checks for various WordPress plugins
Improvements
- Improved Credit Card Disclosure Security Check
- Added custom headers for communication between Agents and Invicti Hawk
- Set the severity of 'Possible XSS' vulnerabilities to 'Informational'
- Improved various Sensitive Data Exposure security checks
- Improved the detection of the Short SSL Key Length vulnerability
- Added the capability to check for Sensitive Data in XML responses
Fixes
- Fixed missing Request Body content in vulnerability details
- Fixed an issue with the 'IgnoreCertificateErrors' Agent setting for SSL Validation
- Fixed a problem in the JWT Engine to resolve a false positive issue
- Fixed an issue related to the OTA app scan
- Fixed HTTP 413 responses caused by stacked nonce cookies
New Features
- Added functionality for scanning gRPC API Web Services
New Security Checks
- Added a new attack pattern for Open Redirection detection
Improvements
- Added an option to trigger only specified lists of events
- Updated all the IAST Sensors:
  - .NET Framework and .NET Core 6.2.0
  - Java 16.0.0
  - Node.js 2.1.3
  - PHP 8.0.1
Fixes
- Fixed an issue with user-agent selection in scan policies that was causing disabled security check vulnerabilities to appear in the dashboards and scan reports
- Fixed vulnerabilities with the Invicti Scan Agent Docker image
- Fixed the disk space utilization issue that was causing the InvictiCommon folder size to increase significantly during scans
- Improved the crawling capability to allow for automatic crawling of XHR requests
- Fixed an AWS4Signer authentication issue