Invicti Standard

Security checks

• Added a new CVE check for CVE-2019-19326
• Added a new XSS attack for CVE-2024-11831

Improvements

• Improved XSS detection to reduce noise
• Increased the timeout duration for IAST responses to prevent premature failures
• Implemented an enhancement to capture the token information present in the response during the OAuth2 Implicit Flow
• Implemented an enhancement to enable more effective cookie management when HTTP/2 is enabled
• Updated dependencies with known vulnerabilities
• Improved prototype-pollution detection to reduce noise

Resolved issues

• Enhanced support for using multiple secrets simultaneously within a single custom header
• Resolved an issue where duplicate X-Content-Type-Options headers triggered false missing header reports
• A fix was implemented to prevent the application from crashing due to faulty custom scripts
• Addressed an issue encountered during report policy migration
• Corrected the MOVEit SQLi check to avoid reporting an incorrect version

Improvements

• Improved Stack Trace Disclosure (Java) detection pattern
• Added support for configuring the temp file via appsettings.json or an environment variable
• Updated Microsoft.OpenApi to version 2.0 preview to support OpenAPI 3.1.0 for improved API scanning

Resolved issues

• Fixed a file access conflict issue during VDB update
• Resolved an issue where multiple versions of Next.js were not properly displayed in the Technologies dashboard and Scan Reports

New features

• Added Post-request script feature (Read more)

New security check

• Added a new XSS Security check

Resolved issues

• Fixed an issue with verifying the existence of links in the link pool
• Improved incremental scanning
• Implemented logic to create the UserDocumentsDirectoryPath when it doesn’t already exist
• Added support for defining headers and HTTP method during CSV importImproved usage and reliability of SmartCard authentication
  
  

Improvements

• Added the ability to add Parent Relations for Azure products, enabling easier hierarchical management
• Implemented agent for secure storage and retrieval of passwords for Pre-Request scripts

Resolved issues

• Fixed naming issues of WordPress plugin Contact Form 7
• Fixed the issue of LoginRequiredUrl and Pre-Request script requests causing bottlenecks in HTTP requests
• Fixed an issue that unnecessarily included the code parameter in OAuth2 authorization requests
• The scanning engine now correctly processes merged request headers received from browser
• Improved usage and reliability of SmartCard authentication
  
  

Improvements

• Updated remediation details for outdated AngularJS versions

Resolved issues

• Fixed restrictions for JIRA integration
• Updated Chromium and Node.js versions, resolving Chromium-related issues, including the unexpected increase in Chromium count
• Exclude URL rules now function correctly even when the excluded URL is the target
• Fixed an issue with retrieving OAuth2 token data from JSON responses

Improvements

• Enhanced technology version identification from URI
• Improved reporting of multiple technology detections on the same file

Resolved issues

• Implemented a fallback mechanism to mitigate Chrome-related issues
• Updated OpenSSL from version 3.3.1 to 3.3.2
• Implemented a fix for an import issue caused by gRPC backward compatibility failure

Improvements

• Improved importing GraphQL queries
• Added the option to select US2 in the Enterprise Integration section, enabling IS connectivity for US2 instance customers
  

Resolved issues

• Resolved issue preventing the use of the Chromium Extension in Scanner and Verifier Agent
• Fixed the issue which was causing exports from Invicti Standard to Acunetix 360 to fail
  

New features

• Added single-tab crawling for websites that do not allow multiple-tab browsing (Read more)
• Upgraded the Shortcut integration API endpoint to v3

Improvements

• Improved payload for Log4j detection
• Added a feature to automatically override some headers in MFA cases
  

Resolved issues

• Resolved scan authentication issues for multiple pages
• Resolved issues related to screenshots and login processes
• Fixed security check for popper.js detection
• Added control for URLs that should not be included in the scope
  

New security checks

• Added detection of cookieconsent2 as a technology in the Vulnerability Database (VDB)

Improvements

• Added the ability to replace placeholders in browser for Authorization Headers
• Improved report template of JWT Signature is not verified vulnerability
  

Resolved issues

• Fixed tar file import error by addressing the invalid HAR file syntax, which was causing the web app to disclose the local path of the OnDemand web app machine in the error message
• Fixed duplicated links issue while proto file import
  

Improvements

• Redirected support email addresses to the http://support.invicti.com/ link
• Updated Chromium from version 121 to version 131 for enhanced performance and compatibility
• Enhanced detection accuracy for Weak Ciphers Enabled by analyzing false positives

Resolved issues

• Resolved the “Internal Server Error” encountered on the Invicti scans/report API endpoint after enabling the “Prevent any sensitive information showing within the product” setting
• Resolved the issue where the Agent Verifier was encountering errors when using certificates in a Linux environment
• Resolved a coverage issue where the login page reappeared during scans

Improvements

• Added new paths to forced browsing
• Updated the vulnerability template for the Internal Server Error vulnerability
• Improved Insecure HTTP Usage detection

New Security Checks

• Added detection of Google Tag Manager as a technology in the Vulnerability Database (VDB)

Improvements

• Invicti Standard Agent upgraded to .NET 8 for improved performance and compatibility
• Improved analysis and remediation capabilities for [Possible] Server-Side Template Injection vulnerabilities

Fixes

• Fixed a missing proxy implementation for ICBD and Puppeteer
• Fixed an issue where Retest-type scans did not identify the same vulnerabilities detected during full scans
• Fixed high CPU usage in some agents caused by Chromium
• Fixed an issue where the Misconfigured Access-Control-Allow-Origin Header vulnerability was not detected
• Improved detection of the [Possible] Password Transmitted over Query String vulnerability.