Invicti Standard

Improvements

• Disabled the detection of CSRF vulnerabilities from built-in policies
• Added custom header support for SSRF registration

Fixes

• Fixed an issue related to BLR links

New Security Checks

• Added a new security check to identify supply chain attacks through Polyfill JS
• Added a detection for GeoServer SQLi vulnerability (CVE-2023-25157)
• Added checks for various WordPress plugins

Improvements

• Improved Credit Card Disclosure Security Check
• Added custom headers for communication between Agents and Invicti Hawk
• Set the severity of ‘Possible XSS’ vulnerabilities to ‘Informational’
• Improved various Sensitive Data Exposure security checks
• Improved the detection of the Short SSL Key Length vulnerability
• Added the capability to check for Sensitive Data in XML responses

Fixes

• Fixed missing Request Body content in vulnerability details
• Fixed an issue with the ‘IgnoreCertificateErrors’ Agent setting for SSL Validation
• Fixed a problem in the JWT Engine to resolve a false positive issue
• Fixed an issue related to the OTA app scan
• Fixed HTTP 413 responses resulting from nonce cookies stacking

New Features

• Added functionality for scanning gRPC API Web Services → Learn more

New Security Checks

• Added a new attack pattern for missing Open Redirection

Improvements

• Added an option to trigger only specified lists of events
• Updated all the IAST Sensors:
  • .NET Framework and .NET Core 6.2.0
  • Java 16.0.0
  • Node.js 2.1.3
  • PHP 8.0.1

Fixes

• Fixed an issue with user-agent selection in scan policies that was causing disabled security check vulnerabilities to appear in the dashboards and scan reports
• Fixed an issue with user-agent selection in scan policies that was causing disabled security check vulnerabilities to appear in the dashboards and scan reports
• Fixed vulnerabilities with the Invicti Scan Agent Docker image
• Fixed the disk space utilization issue that was causing the InvictiCommon folder size to increase significantly during scans
• Improved the crawling capability to allow for automatic crawling of XHR requests
• Fixed an AWS4Signer authentication issue

New Security Checks

• Added detection methods for five more WordPress Templates
• Added detection of Fortinet vulnerabilities (CVE-2020-12812, CVE-2019-5591, CVE-2018-13379)

Improvements

• Updated CWE IDs for several vulnerabilities

Fixes

• Fixed an issue in the detection of the ‘Improper XML parsing leads to Billion Laughs Attack’ vulnerability
• Resolved an issue with the Business Logic Recorder

New Feature

• Enabled Korean language support

New Security Checks

• Added detection method for Angular
• Added a new security check for Oracle EBS RCE

Fixes

• Fixed a scan authentication issue and a crawling issue with Cloud Agents
• Fixed the HTTP 401 forbidden response form authentication error
• Fixed an issue with the detection method for wp-admin vulnerabilities
• Fixed an error that was occurring when generating knowledge base reports
• Updated the extraction algorithm for downloaded scan files from Invicti Enterprise
• Fixed a scan issue that was producing 413 error responses

Improvements

• Improved AWS Secret Key ID detection security checks
• Improved Google Cloud API Key detection security checks
• Updated remediation information for Angular JS related vulnerabilities
• Improved Boolean-Based MongoDB Injection detection method

Fixes

• Fixed a validation error when validating Shark settings
• Fixed an issue with duplicate custom user agents that was preventing scanning
• Fixed an issue where authentication would fail when started with an Authentication profile
• Fixed an issue that caused proxy usage for Chromium even when no proxy was selected from the scan policy settings

New features

• Provided a new encryption method of API Token for Agent/Verifier Agent
• Added a pre-request script to generate AWS Signature token

New security checks

• Added a new security check for TLS/SSL certificate key size too small issue
• Improved WP Config detection over backup files
• Added a new security check for CVE-2023-46805 / CVE-2024-21887
• Added detection for exposed WordPress configuration files
• Added a new Security Check that allows to report two vulnerabilities: TorchServe Management API Publicly Exposed and TorchServe Management API SSRF
• Command Injection in VMware Aria Operations for Networks can now be detected

Improvements

• Implemented enhancements: Highlighting and Verification of Response Status Codes
• Disabled the BREACH Security Engine
• Report template of Possible XSS is updated to cover mime sniffing
• Increased the default Severity level of Version Disclosure (Varnish) from ‘Information’ to ‘Low’

Fixes

• Fixed the issue where the customer couldn’t scan their target with the additional website properly
• Fixed an issue that was causing a memory issue in Javascript Parser
• Fixed the inability of the custom script editor to load the form authentication fields

New features

• Added the ability to force authentication verifier agents to use incognito mode by default on Chromium browsers

New security checks

• Added detection for ActiveMQ RCE to the OOB RCE Attack Pattern (CVE-2023-46604)

Fixes

• Added a Cookie Source field to the Knowledge Base Cookies screen

New features

• Added a new BLR log providing details on BLR execution

New security checks

• Implemented a detection and reporting mechanism for the Backup Migration WordPress plugin (CVE-2023-6553)
• Added detection for TinyMCE

Improvements

• Updated the “Insecure Transportation Security Protocol Supported (TLS 1.0)” vulnerability to High Severity
• Updated the WSDL serialization mechanism
• Implemented support for scanning sites with location permission pop-ups
• Added support for FreshService API V2
• Removed obsolete X-Frame-Options Header security checks

Fixes

• Fixed a bug in the Request/Response tab of Version Disclosure vulnerabilities
• Removed the target URL from the scope control list

New security checks

• Added a check for dotCMS
• Added a check for the Ultimate Member WordPress plugin
• Added a new mXSS pattern
• Added new signatures to detect JWKs

Improvements

• Improved the recommendations for the Weak Ciphers Enabled vulnerability
• Improved detection of swagger.json vulnerabilities
• Added support for AWS WAFv2 rules
• Improved more of our error and warning messages so they are more user friendly
• Added Sentry implementation into the Agent repository

Fixes

• Fixed a proxy issue that was impacting the detection of weak ciphers
• Fixed a problem with importing WDSL files

New features

• In the scan settings section, we’ve added a checkbox (under Authentication > Form) to collect all logs about the authentication progress
• Enhanced reporting of DOM XSS vulnerabilities

Improvements

• Updated the Shark Dotnet Sensor to .NET Core 6
• Improved site-logout detection

Fixes

• Resolved a problem with missing information in the report policy database
• Fixed an issue with the import of scan data from Invicti Enterprise to Invicti Standard
• Fixed a bug in the importing of links
• Fixed some vulnerabilities on our Invicti Docker Image by updating the packages
• Fixed reporting of some false/positive passive out-of-date vulnerabilities

New features

• Added CVSS 4.0 categorization of vulnerabilities
• Added support for PCI DSS 4.0
• Added new messaging for when scans fail due to mistyped http/https protocols

 New security checks

• Added new HSQLDB vulnerabilities and report templates
• Added new Typo3 vulnerabilities and report templates

Improvements

• Improved the vulnerability calculator for Boolean MongoDB
• Improved the signature for .dockerignore file detected issues
• Improved the request body rating algorithm
• Improved the signature for Joomla detection
• Improved the signature for other docker-related signatures
• Improved the Postman collection parsing algorithm
• Resolved an issue with adding a client certificate to set up a scan
• Added logs for better traceability of BLR playbacks

Fixes

• Fixed the NRE in the agent log if any authentication is adjusted
• Fixed an issue that was causing verifiers to not use scan policy proxy settings
• Fixed an auth verifier client certificate authentication path error