Invicti is an enterprise-level DAST solution designed to scan hundreds of applications and to integrate into the SDLC.
This guide covers the most important features, some expert tricks and the pricing details of Invicti.
Invicti is a web application security platform that brings DAST, IAST and SCA together. It scans websites and APIs for security issues.
It evolved from one of the most popular DAST tools (Netsparker), and more than 3,100 companies use it worldwide.
Invicti is mainly used to identify web application security issues like SQL Injections or Cross-site Scripting (XSS).
Invicti can also analyse the software composition of a web application and list the technologies it uses. You can monitor all of these libraries proactively.
Most organizations use Invicti in their DevSecOps process.
When Netsparker first launched in 2009, it was just a single-instance penetration testing tool with a promising idea: Proof-Based Scanning™.
And it has grown A LOT over the years, recently receiving a $625 million investment from Summit Partners.
Over that time, I've seen Netsparker grow from a single-instance web vulnerability scanner into Invicti, a fully featured application security platform.
The Discovery feature is enabled by default, so you will already see many websites discovered when you open your Invicti Enterprise account.
And it will add more every time you add a new website or change the Discovery configuration.
Invicti uses various sources to find all public websites that possibly belong to your company:
You can filter them out.
You can add your websites manually or import them from a CSV file. A website can belong to multiple groups, and how you group them is up to you.
Some Website Group examples, based on:
You can use groups when you want to run a Group Scan.
Invicti Scan Settings are the most critical part of this guide, so we will go through them step by step in detail. Let's start from the beginning!
Target URL: you can choose a target from the list.
Scan Profile: you can save your configuration to reuse later or share with your team.
Now we are going all the way through Scan Settings.
You will be configuring scan basics in the General section, and there are four topics:
You can choose from built-in policies like OWASP Top 10 or PCI Checks.
Or you can create a new Scan Policy:
Some of the essential sections when creating a new Scan Policy:
Add or remove some checks like “scan only for SQL Injection (Out of Band).”
Invicti will crawl up to 2,500 pages by default and stop. You can increase the limit up to 15,000 pages.
Use the pre-defined Presets if you are scanning a Single Page Application.
You may need to increase DOM Load Timeout or Maximum Simulated Elements to include all pages in the application.
Also, to exclude specific parts of the website from the scan, you can use Exclude by CSS Selector:
To disable Proof-Based Scanning, uncheck Enable Proof Generation:
Update the default form values that Invicti submits when it attacks contact forms on the site.
Invicti will attack authentication forms to discover whether any accounts use basic username/password combinations. The default wordlist has 59 words.
However, you can update the wordlist and increase it to 5000 words by using an Internal Agent or Invicti Standard.
Configure the User-Agent that Invicti will use, and limit the requests per second if you want to change the scan speed.
Add or update the HTTP header values that Invicti will send during the scan.
Create a custom cookie in the application and add it to Invicti. This lets you bypass MFA (multi-factor authentication) or CAPTCHA when you automate scans in a staging environment.
You can import sitemaps or API endpoints to include in the scan.
You can run a PCI DSS scan to get official PCI compliance. It is disabled by default, and you need to ask the sales team to enable it.
Shark is new in town, and it is Invicti's IAST module.
To activate it, you need to install an agent on your web server. It supports .NET, PHP, Java and Node.js at the moment.
Benefits of using Invicti Shark:
Invicti supports 5 different authentication methods:
Add the login URL and create a Persona with a username and password.
Then click “Verify Login & Logout” to confirm it works. You will see a macro running below, and it will generate a logged-in version on the left and a logged-out version on the right.
After adding the login URL, the Custom Script button becomes enabled. You can create a login sequence (macro) to authenticate against multi-step or otherwise complicated login forms.
Find all the out-of-date technologies in the application after the first scan.
And keep monitoring proactively: if a new issue is published for one of those libraries, you will get a notification email even if you haven't run a scan.
It is almost 2022 here and “Security is Everyone's Responsibility” now.
Software development is faster than ever, and the ratio of security engineers to developers is 1:100 if you are lucky.
There is no way to keep up with application security without automation.
Invicti has 7 groups for Integrations:
You started a scan and Invicti found an issue.
It creates a Jira ticket for Suphi (a developer). Suphi fixes the issue and updates the ticket status to “Resolved”. Invicti runs a “Retest scan” and confirms whether the issue is fixed. If not, it changes the status to “Reopen”.
If your team is already using Trello, there is no need to change anything.
This is how you tell Invicti to scan whenever there is a change in the application.
You can add Invicti items into your team conversation channels.
Your security team can share issues via Slack.
You can utilize the access management solution that your company already uses.
If you are using custom solutions, then it is better to check out the Invicti API (full documentation).
It supports only ServiceNow Vulnerability Response at the moment.
There are 3 different editions of Invicti:
In this chapter, I will share the details of these editions and different use cases for them.
Let’s dive right in.
Invicti Standard is a single-instance, Windows-only web application scanning tool.
Penetration testers and cyber security engineers mainly use it for first-level vulnerability discovery before moving on to manual pentesting.
You will need Invicti Enterprise if you have more than 50 targets to scan.
Let me share some details:
You should whitelist Invicti in your firewall settings. Otherwise, you will be just testing your firewall, which is not a good idea.
Since there are various ways to bypass firewalls in a real attack scenario, it is better not to rely on firewalls alone when discussing application security.
There are multiple ways to whitelist Invicti in your firewall:
a- Whitelist by IP Address
Invicti AWS (US):
Invicti AWS (EU):
b- Whitelist by Authentication Header
You can add a custom authentication header value and use it in your firewall configurations to whitelist.
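The two whitelisting options above (by source IP range and by a custom authentication header) come down to a small decision in front of your WAF rules. The following is an added example, not Invicti's code or a real firewall configuration: the IP ranges are RFC 5737 documentation addresses standing in for the scanner's real egress ranges, and the header name and secret are placeholders you would replace with the values you configure in Invicti's HTTP Headers scan setting. It also covers the two checks a practitioner usually wants: a constant-time comparison of the header secret, and the option to require both conditions rather than either one.

```python
"""Decide whether an inbound request comes from a trusted scanner.

Added example, not Invicti's code. The scanner IP ranges and the header
name/value are constructed placeholders: take the real egress ranges from
the Invicti documentation and generate the header secret yourself.
"""
import hmac
import ipaddress

# Constructed placeholder ranges (RFC 5737 documentation space),
# NOT Invicti's real scanner IP addresses.
SCANNER_NETWORKS = [
    ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")
]

# Constructed placeholder header: the custom header you configure in the
# scan's HTTP Headers setting, and the secret the firewall compares against.
SCANNER_HEADER = "X-Scanner-Auth"
SCANNER_HEADER_SECRET = "replace-me-with-a-long-random-value"


def from_scanner_ip(client_ip: str) -> bool:
    """True when the client address falls inside a whitelisted scanner range.

    Use the actual peer address here, not X-Forwarded-For, unless the header
    was set by a proxy you control; otherwise the source is trivially forged.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # malformed address: treat as untrusted
    return any(addr in net for net in SCANNER_NETWORKS)


def has_scanner_header(headers: dict) -> bool:
    """True when the request carries the shared-secret header.

    Header names are case-insensitive, so they are normalised first. The
    value comparison uses hmac.compare_digest so response timing does not
    reveal how many leading bytes of a guess were correct.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(SCANNER_HEADER.lower())
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), SCANNER_HEADER_SECRET.encode())


def is_trusted_scanner(client_ip: str, headers: dict, require_both: bool = False) -> bool:
    """Combine the two whitelisting methods.

    require_both=True is the stricter policy: the request must come from a
    known scanner range AND present the secret header before WAF rules are
    skipped for it.
    """
    by_ip = from_scanner_ip(client_ip)
    by_header = has_scanner_header(headers)
    return (by_ip and by_header) if require_both else (by_ip or by_header)


if __name__ == "__main__":
    # Constructed sample requests.
    print(is_trusted_scanner("198.51.100.7", {}))                                          # True
    print(is_trusted_scanner("192.0.2.9", {"x-scanner-auth": SCANNER_HEADER_SECRET}))     # True
    print(is_trusted_scanner("192.0.2.9", {"X-Scanner-Auth": "wrong"}))                   # False
    print(is_trusted_scanner("198.51.100.7", {}, require_both=True))                      # False
```

Whichever method you choose, the exemption should be scoped to the staging or test hosts being scanned, and the header secret should be rotated like any other credential, since a request that carries it skips your WAF rules.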
Invicti pricing works based on target numbers.
Therefore, every domain and subdomain is a new target. You need to buy 5 FQDN licenses to scan the targets below:
It is a minimum two-year subscription, and you can pay annually.
Invicti Standard is a good choice, specifically if you have just a few targets and plan to scan them from time to time.
It has command-line interface support, so you can build some automation. However, it is not the best choice if you are planning integrations or building it into an SDLC.
Finally, it is essential to know that Invicti Standard is a single-user license, so check the Team edition if multiple people will run these scans.
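Because licensing is per FQDN, the practical question before buying is how many distinct hostnames your URL inventory actually contains. The following is an added example, not Invicti's code or its licensing tool: it normalises a constructed list of URLs to their hostnames (scheme, port, path, query and letter case do not create a new target; a different subdomain does) and counts the distinct FQDNs. The sample list is constructed and has nothing to do with the targets the article refers to.

```python
"""Count the FQDN licences an inventory of URLs would need.

Added example, not Invicti's code. The rule implemented is the one stated
in the text: every domain and subdomain is a separate target.
"""
from urllib.parse import urlsplit


def target_fqdn(url: str) -> str:
    """Return the fully qualified domain name a URL would be licensed under.

    Bare hostnames without a scheme are accepted; hostname lookup through
    urlsplit lower-cases the host and strips any port. A trailing dot
    (absolute DNS name) is removed so 'example.com.' and 'example.com' match.
    """
    parts = urlsplit(url if "://" in url else f"https://{url}")
    host = parts.hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.rstrip(".")


def count_fqdn_licenses(urls):
    """Return (number of licences needed, sorted list of distinct FQDNs)."""
    fqdns = {target_fqdn(u) for u in urls}
    return len(fqdns), sorted(fqdns)


# Constructed sample inventory: seven URLs, five distinct FQDNs.
SAMPLE_TARGETS = [
    "https://www.example.com/",
    "https://www.example.com:8443/admin",      # same host, different port
    "http://WWW.EXAMPLE.COM/login",            # same host, different case
    "https://example.com",                     # apex is a separate FQDN
    "https://api.example.com/v1",
    "https://shop.example.com/cart?id=1",
    "staging.example.com",                     # bare hostname, no scheme
]

if __name__ == "__main__":
    needed, hosts = count_fqdn_licenses(SAMPLE_TARGETS)
    print(f"{needed} FQDN licences needed for:")
    for h in hosts:
        print("  ", h)
```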
Invicti Enterprise is designed to scale and manage the entire dynamic scanning process.
Most of the people who love using Invicti Enterprise:
Most likely, somebody is running a security scan on your website, if it is not your own security team.
Invicti uses firstname.lastname@example.org by default in contact forms, and during a scan it may generate dozens of emails.
If you think there is unauthorized scanning going on, contact email@example.com.
It all depends on how big and complex the application is. A scan usually takes 8-10 hours on average. In any case, no scan should take more than 24 hours.
Contact firstname.lastname@example.org for speed optimization investigations.