Invicti Product Release Notes
Release Notes
Invicti Standard
RSS FEED
Security checks
- Added detection of Pega Infinity as a technology in the Vulnerability Database (VDB)
Improvements
- Defined the Hawk check delay in the scanning policy
- Added a Maximum Cookie Count setting to manage cookie numbers when necessary
Resolved issues
- Implemented fix to ensure that manual scanning continues without interruption when using a proxy
- Implemented If-Modified-Since header to minimize false positives during vulnerability scans
- Fixed logging in Post-Request scripts
- Implemented fix to ensure Post-Request script is triggered for all requests in the browser context
<script>
</script>Security checks
- Added a new CVE check for CVE-2019-19326
- Added a new XSS attack for CVE-2024-11831
Improvements
- Improved XSS detection to reduce noise
- Increased the timeout duration for IAST responses to prevent premature failures
- Implemented an enhancement to capture the token information present in the response during the OAuth2 Implicit Flow
- Implemented an enhancement to enable more effective cookie management when HTTP/2 is enabled
- Updated dependencies with known vulnerabilities
- Improved prototype-pollution detection to reduce noise
Resolved issues
- Enhanced support for using multiple secrets simultaneously within a single custom header
- Resolved an issue where duplicate X-Content-Type-Options headers triggered false missing header reports
- A fix was implemented to prevent the application from crashing due to faulty custom scripts
- Addressed an issue encountered during report policy migration
- Corrected the MOVEit SQLi check to avoid reporting an incorrect version
Improvements
- Improved Stack Trace Disclosure (Java) detection pattern
- Added support for configuring the temp file via appsettings.json or an environment variable
- Updated Microsoft.OpenApi to version 2.0 preview to support OpenAPI 3.1.0 for improved API scanning
Resolved issues
- Fixed a file access conflict issue during VDB update
- Resolved an issue where multiple versions of Next.js were not properly displayed in the Technologies dashboard and Scan Reports
New features
- Added Post-request script feature (Read more)
New security check
- Added a new XSS Security check
Resolved issues
- Fixed an issue with verifying the existence of links in the link pool
- Improved incremental scanning
- Implemented logic to create the UserDocumentsDirectoryPath when it doesn't already exist
- Added support for defining headers and HTTP method during CSV importImproved usage and reliability of SmartCard authentication
Improvements
- Added the ability to add Parent Relations for Azure products, enabling easier hierarchical management
- Implemented agent for secure storage and retrieval of passwords for Pre-Request scripts
Resolved issues
- Fixed naming issues of WordPress plugin Contact Form 7
- Fixed the issue of LoginRequiredUrl and Pre-Request script requests causing bottlenecks in HTTP requests
- Fixed an issue that unnecessarily included the code parameter in OAuth2 authorization requests
- The scanning engine now correctly processes merged request headers received from browser
- Improved usage and reliability of SmartCard authentication
Improvements
- Updated remediation details for outdated AngularJS versions
Resolved issues
- Fixed restrictions for JIRA integration
- Updated Chromium and Node.js versions, resolving Chromium-related issues, including the unexpected increase in Chromium count
- Exclude URL rules now function correctly even when the excluded URL is the target
- Fixed an issue with retrieving OAuth2 token data from JSON responses
Improvements
- Enhanced technology version identification from URI
- Improved reporting of multiple technology detections on the same file
Resolved issues
- Implemented a fallback mechanism to mitigate Chrome-related issues
- Updated OpenSSL from version 3.3.1 to 3.3.2
- Implemented a fix for an import issue caused by gRPC backward compatibility failure
Improvements
- Improved importing GraphQL queries
- Added the option to select US2 in the Enterprise Integration section, enabling IS connectivity for US2 instance customers
Resolved issues
- Resolved issue preventing the use of the Chromium Extension in Scanner and Verifier Agent
- Fixed the issue which was causing exports from Invicti Standard to Acunetix 360 to fail
New features
- Added single-tab crawling for websites that do not allow multiple-tab browsing (Read more)
- Upgraded the Shortcut integration API endpoint to v3
Improvements
- Improved payload for Log4j detection
- Added a feature to automatically override some headers in MFA cases
Resolved issues
- Resolved scan authentication issues for multiple pages
- Resolved issues related to screenshots and login processes
- Fixed security check for popper.js detection
- Added control for URLs that should not be included in the scope
New security checks
- Added detection of cookieconsent2 as a technology in the Vulnerability Database (VDB)
Improvements
- Added the ability to replace placeholders in browser for Authorization Headers
- Improved report template of JWT Signature is not verified vulnerability
Resolved issues
- Fixed tar file import error by addressing the invalid HAR file syntax, which was causing the web app to disclose the local path of the OnDemand web app machine in the error message
- Fixed duplicated links issue while proto file import
Improvements
- Redirected support email addresses to the http://support.invicti.com/ link
- Updated Chromium from version 121 to version 131 for enhanced performance and compatibility
- Enhanced detection accuracy for Weak Ciphers Enabled by analyzing false positives
Resolved issues
- Resolved the “Internal Server Error” encountered on the Invicti scans/report API endpoint after enabling the “Prevent any sensitive information showing within the product” setting
- Resolved the issue where the Agent Verifier was encountering errors when using certificates in a Linux environment
- Resolved a coverage issue where the login page reappeared during scans
New Security Checks
- Added XWiki version disclosure vulnerability and attack patterns.
Fixes
- Fixed the false negative issue related to Polyfill.io.
- Fixed an issue related to creating a custom script for a web application using the OIDC method with a login pop-up.