New Features
- Share Usage Analytics: New option to share anonymous diagnostics and usage data with Invicti and our analytics partner, Pendo
- LDAP Service: New settings enable administrators to manage LDAP server configurations (available for select customers)
- Added custom headers for communication between Agents and Invicti Hawk
- Added a warning message when creating scan targets for websites that do not have a hostname mapped to an IP address
New Security Checks
- Added detection for supply chain attacks through Polyfill JS
- Added detection for GeoServer SQLi (CVE-2023-25157)
- Added checks for various WordPress plugins
Improvements
- Renamed the ‘Websites and APIs’ menu to ‘Targets’
- Improved Credit Card Disclosure Security Check
- Set the severity of ‘Possible XSS’ vulnerabilities to ‘Informational’
- Improved various Sensitive Data Exposure security checks
- Improved detection of the Short SSL Key Length vulnerability
- Added capability to check for Sensitive Data in XML responses
Fixes
- Added an OpenShift certificate permission to resolve an SSL/TLS untrusted root certificate vulnerability issue affecting Docker/Kubernetes agents
- Fixed a timeout issue on the global dashboard
- Fixed missing Request Body content in vulnerability details
- Fixed an issue with the selection of agent groups
- Fixed an issue with the order in which internal agent scans are initiated
- Fixed an issue with the ‘Ignore Certificate Errors’ Agent setting for SSL Validation
- Fixed a download problem with PCI reports
- Fixed an issue with the SSO login that was causing incorrect redirects
- Removed references to 3.2 in the PCI DSS Compliance scan summary
- Fixed an issue with the Azure Boards integration reopening old vulnerabilities that do not link to active issues in Invicti Enterprise
- Fixed a timeout issue that was occurring on a pre-request script
- Fixed a problem in the JWT Engine that was causing a false positive
- Updated vulnerable OpenSSL libraries to secure versions
- Fixed a bug in Checkout Logout Detection so that it now uses the same verification agent as the verification process
- Fixed an issue related to the OTA app scan
- Fixed HTTP 413 responses caused by nonce cookies stacking up