Release Notes

Invicti Enterprise On-Demand

18 Jun 2025

This release includes improvements and resolved issues.

This update includes changes to the internal agents. The internal scan agent’s current version is 25.6.0. The internal authentication verifier agent’s current version is 25.6.0.

Improvements

  • Improved Stack Trace Disclosure (Java) detection pattern
  • Added support for configuring the temp file via appsettings.json or an environment variable
  • Updated plugin dependencies to address known security vulnerabilities and improve overall stability; upgraded Jenkins compatibility to version 2.462
  • Updated the Jenkins plugin script generation to use the latest GitHub Actions versions and ubuntu-latest runner for improved compatibility and security
  • Updated Microsoft.OpenApi to version 2.0 preview to support OpenAPI 3.1.0 for improved API scanning
  • Added API GET method to retrieve scheduled scans by ID

Resolved issues

  • Added an event notification name to the logs for email notifications
  • Resolved an issue where multiple versions of Next.js were not properly displayed in the Technologies dashboard and Scan Reports

28 May 2025

This release includes new features, improvements, and resolved issues.

This update includes changes to the internal agents. The internal scan agent’s current version is 25.5.1. The internal authentication verifier agent’s current version is 25.5.1.

New features

  • Added Post-Request script feature
  • Integrated AI Assist Bot into Invicti Enterprise On-Demand

Security checks

  • Added a new XSS Security check

Improvements

  • Updated workflows to improve reliability and security while maintaining alignment with GitHub’s best practices
  • Addressed multiple versions of GitHub Actions available in the marketplace
  • Added new REST API endpoint (agents/listverifiers) to retrieve AV agents data
  • Restricted the Vulnerability Note field to 1000 characters

Resolved issues

  • Resolved an issue causing scans to get stuck during archiving
  • Resolved discrepancy between API (listByWebsite) and UI (Recent Scans) results
  • Fixed an issue with verifying the existence of links in the link pool
  • Improved incremental scanning
  • Implemented logic to create the UserDocumentsDirectoryPath when it doesn’t already exist
  • Added support for defining headers and HTTP method during CSV import

06 May 2025

This release includes new features, improvements, and resolved issues.

This update includes changes to the internal agents. The internal scan agent’s current version is 25.5.0. The internal authentication verifier agent’s current version is 25.5.0.

New features

  • Implemented webapp for secure storage and retrieval of passwords for Pre-Request scripts
  • Added an integration for NTA with NGINX

Improvements

  • Implemented default limit setting to 1000 without flag for all fields except Second Level Domains
  • Implemented custom field Parent option in integration with Azure Boards
  • Implemented agent for secure storage and retrieval of passwords for Pre-Request scripts

Resolved issues

  • Fixed an issue with Bad Request Response on Scan Summary
  • Fixed naming issues of WordPress plugin Contact Form 7
  • Implemented possibility to keep the report history of PCI scans with exceptions defined
  • Fixed the issue of LoginRequiredUrl and Pre-Request script requests causing bottlenecks in HTTP requests
  • Fixed an issue that unnecessarily included the code parameter in OAuth2 authorization requests
  • The scanning engine now correctly processes merged request headers received from browser

24 Apr 2025

This release includes a number of resolved issues.

This update includes changes to the internal agents. The internal scan agent’s current version is 25.4.1. The internal authentication verifier agent’s current version is 25.4.1.

Resolved issues

  • Resolved an issue on the Technologies Dashboard
  • The ‘Tags’ filter in All Issues now works correctly when using the ‘Not Contains’ condition
  • Resolved issue where no results appeared when filtering the target list on the Target Group page. This was linked to the ‘View Target List’ permission
  • Resolved communication issues in the TestBasicAuthCredentials process and improved HTTP connection handling
  • Resolved an issue where not all attributes were exported correctly from the Issues page

08 Apr 2025

This release includes a new feature, improvements, and resolved issues.

This update includes changes to the internal agents. The internal scan agent’s current version is 25.4.0. The internal authentication verifier agent’s current version is 25.4.0.

New feature

  • Added an option to prevent reopening Issue Tracker issues when a vulnerability is marked as False Positive and later revived

Improvements

  • Requests with empty or default values are not sent to DeepInfo
  • Introduced a new setting under the Account General settings, within the Data Privacy and Security section, to modify the X-AMZ-Expires parameter while downloading the scan data
  • Enhanced the “Configure New Agent” page to include additional details for auth verifier agents
  • Updated remediation details for outdated AngularJS versions
  • [BREAKING CHANGE]: Updated the Docker agent’s compression method and file extension; ensure any automation or scripts referencing the old format are updated accordingly.

Resolved issues

  • Fixed an issue where the Issue note field could not be updated
  • Fixed inefficient algorithmic complexity in DotNet IAST Sensor
  • Resolved the issue where an invalid character response occurred when attempting to add a user
  • Resolved the “Invalid Target URI” error that occurred when editing the Target URI to end with multiple slashes (///) on the new scan page
  • Resolved the issue where the scan profile was not updating with the support account
  • Fixed restrictions for JIRA integration
  • Fixed an issue where pressing “Enter” instead of clicking the “Check” button during password verification triggered a full scan instead of the intended login verification
  • Updated Chromium and Node.js versions, resolving Chromium-related issues, including the unexpected increase in Chromium count.
  • Exclude URL rules now function correctly even when the excluded URL is the target
  • Fixed an issue with retrieving OAuth2 token data from JSON responses

04 Apr 2025

This release is for APIHub only.

This update did not include changes to the internal agents.

Improvement

  • Improved API Discovery of API specifications spread across multiple files in Mulesoft Anypoint Exchange

25 Mar 2025

This release includes a new feature and resolved issues.

This update includes changes to the internal agents. The internal scan agent’s current version is 25.3.1. The internal authentication verifier agent’s current version is 25.3.1.

New feature

  • Added the ability to reset the issue state to its default

Resolved issues

  • Fixed an exception caused by an invalid Target URI in scheduled scans
  • Fixed an issue where proxy credentials were not encrypted when launching InvictiProxy
  • Fixed inconsistent styling in the report policy, ensuring uniform formatting in the vulnerability profile sections

11 Mar 2025

This release includes improvements, resolved issues, and one API change.

This update includes changes to the internal agents. The internal scan agent’s current version is 25.3.0. The internal authentication verifier agent’s current version is 25.3.0.

Improvements

  • Enhanced technology version identification from URI
  • Improved reporting of multiple technology detections on the same file
  • Scheduled group scans will be initiated in chunks when exceeding 500 websites
  • Updated footer URL in Invicti Enterprise reports
  • The SelfDisable command is no longer sent to the Agent when its state is updated to Disabled
  • Upgraded 3rd party script libraries
  • Added support for encrypting proxy credentials settings in the agent appsettings.json file
  • Updated the Splunk Python SDK for the Splunk Plugin to ensure compliance with the latest Splunk Vetting Policy

Resolved issues

  • Fixed issue with error occurring when sending vulnerabilities to APIHub if externalId is Null
  • Fixed permission issue with unlinking API in APIHub
  • Fixed the issue to enable compatibility with the latest version of GitHub Actions
  • Scheduled scans now remove the URL path after ‘#’ when using the default Scan Profile
  • Fixed sorting issues in the dashboard to use numerical order instead of alphabetical
  • Updated OpenSSL from version 3.3.1 to 3.3.2

API changes

  • The Validate Imported Links API endpoint no longer requires a Target URL when a file is uploaded

25 Feb 2025

This release includes new features, improvements, and resolved issues.

This update includes changes to the internal agents. The internal scan agent’s current version is 25.2.1. The internal authentication verifier agent’s current version is 25.2.1.

Improvements

  • Added a loading state for the Export CSV button to prevent multiple clicks
  • Improved value filling in GraphQL queries
  • Added the ability to re-scan cloned PCI scans on previously scanned targets to apply exceptions

Resolved issues

  • Fixed an issue where ‘LaunchInstance’ errors caused GUIDs to be stored instead of AWS-generated instance IDs in the database
  • Fixed an issue that caused the Mend vulnerabilities to be reported with incorrect severity
  • Replaced a formatted string in a SQL statement with a prepared statement using SqlCommand and SqlParameter to prevent potential SQL injection
  • Fixed the issue which was causing exports from Invicti Standard to Invicti Enterprise to fail
  • The issue preventing the use of the Chromium Extension in Scanner and Verifier Agent has been resolved

13 Feb 2025

This release includes new features, improvements, and resolved issues.

This update includes changes to the internal agents. The internal scan agent’s current version is 25.2.0. The internal authentication verifier agent’s current version is 25.2.0.

New features

  • Added single-tab crawling for websites that do not allow multiple-tab browsing
  • Upgraded the Shortcut integration API endpoint to v3

Improvements

  • Added Customizations folder to the Agent Output folder
  • Improved the performance of searching by profileName on the Scan-Index page

Resolved issues

  • Updated APIHub npm package to the latest version
  • Resolved scan authentication issues for multiple pages
  • Resolved issues related to screenshots and login processes
  • Fixed an issue where the Dashboard Widget Active Issue was empty when selecting a specific target
  • Fixed the problem of the vulnerability reverting to default in the issue update endpoint
  • Fixed an issue where the update-scheduled API endpoint removed the preferred agent group
  • Fixed an auto-update issue for Verifier Agent
  • Added control for URLs that should not be included in the scope
  • Upgraded the Shortcut (Clubhouse) integration
  • Resolved an issue caused by the Chromium version update by updating Chromium dependencies for the Linux operating system. Refer to the updated scripts to install the required dependencies for Headless Chrome.

30 Jan 2025

This release includes a new feature, improvements, and resolved issues.

This update includes changes to the internal agents. The internal scan agent’s current version is 25.1.1. The internal authentication verifier agent’s current version is 25.1.1.

Improvements

  • API specifications from sub-organizations in Mulesoft are now synchronized into API Inventory

Resolved issues

  • Improved performance of the All Issues page

28 Jan 2025

This release includes a new feature, improvements, and resolved issues.

This update includes changes to the internal agents. The internal scan agent’s current version is 25.1.1. The internal authentication verifier agent’s current version is 25.1.1.

New features

  • Improved support for handling gRPC multiple proto imports in the Agent and in the engine

New security checks

  • Added detection of cookieconsent2 as a technology in the Vulnerability Database (VDB)

Improvements

  • Added pull commands for Docker and OpenShift to the New Agent page
  • Added the SourceType field to the New Issues API endpoint
  • Enhanced agent mode to better distinguish between verifier and scanner agents
  • Added the ability to replace placeholders in the browser for Authorization Headers
  • Improved the report template of the “JWT Signature is not verified” vulnerability

Resolved issues

  • Resolved an issue where file upload events using LSR/BLR in React forms failed to propagate to body-level listeners