Invicti - Enterprise Application Security

Summary

Invicti is an enterprise-level DAST solution designed to scan hundreds of applications and integrate into the SDLC.

Here you can find the most important features, some expert tricks and the pricing details of Invicti.

Invicti Integrations

What is Invicti?

Invicti is a web application security platform that brings DAST, IAST and SCA together. It scans websites and APIs for security issues.

It evolved from one of the most popular DAST tools (Netsparker), and more than 3,100 companies use it worldwide.

Invicti Enterprise Dashboard

What is Invicti Used For?

Invicti is mainly used to identify web application security issues like SQL Injections or Cross-site Scripting (XSS).

Netsparker Security Issues

Invicti can also analyse the software composition and gather a list of the technologies used in web applications. You can monitor all these libraries proactively.

Netsparker Out of Date Technologies

Most organizations use Invicti in their DevSecOps process.

Netsparker SDLC Integration

When Netsparker first launched in 2009, it was just a single-instance penetration testing tool with a promising idea: Proof-Based Scanning™.

Netsparker Website in 2014

And it has grown A LOT over the years and recently received a $625 million investment from Summit Partners.

Netsparker Investment News

Over that time, I've seen Netsparker grow from a single instance web vulnerability scanner into Invicti, a fully-featured application security platform.

How does the Discovery feature work?

The Discovery feature is enabled by default, so you will already see many websites discovered when you open your Invicti Enterprise account.

Netsparker Discovery Feature

And it will add more and more every time you add a new website or change the Discovery configurations.

Netsparker Discovery Feature Settings

Invicti uses various sources to find all public websites that possibly belong to your company:

  • Your business email domain
  • Out of scope links from your scans
  • Other websites hosted from the same IP
  • SSL Certificates (Organization name)
  • Domain keywords and second-level domains

As it is an automated process, it is far from perfect: it will also bring in any other website that includes your domain name.

Netsparker Discovery Filter Options

You can filter them out.

Netsparker Discovery Filters

How do you manage your websites?

You can add your websites manually or import them from a CSV file. Websites can belong to multiple groups, and how you group them is up to your creativity.

Netsparker Add a New Website

Some example website groups, based on:

  • Hosting
  • Technology
  • Geolocation
  • Teams
  • Priority

Netsparker Website Groups

You can use a group when you want to run a Group Scan.

Starting a Netsparker Group Scan

How to configure a scan in Invicti?

Invicti Scan Settings are the most critical part of this guide, so we will go through them step by step in detail. Let's start from the beginning!

Target URL: you can choose a target from the list.

Scan Profile: you can save your configurations to use later or share with your team.

Save a Netsparker Scan Profile

Now we are going all the way through Scan Settings.

General

You will be configuring scan basics in the General section, and there are four topics:

  • Scan Policy
  • Report Policy
  • Custom Cookies
  • Crawling

Scan Policy

You can choose from built-in policies like OWASP Top 10 or PCI Checks.

Netsparker built-in Scan Policies

Or you can create a New Scan Policy:

Create a New Netsparker Scan Policy

Some of the essential sections when creating a New Scan Policy:

Security Checks

Add or remove some checks like “scan only for SQL Injection (Out of Band).”

Security Checks in Netsparker Scan Policy

Crawling

Invicti will crawl up to 2,500 pages by default and stop. You can increase the limit up to 15,000 pages.

Crawling configurations in Netsparker Scan Policy

JavaScript

Use the pre-defined presets if you are scanning a Single Page Application.

You may need to increase DOM Load Timeout or Maximum Simulated Elements to include all pages in the application.

Javascript configurations in Netsparker Scan Policy

Also, to exclude specific parts of the website from the scan, you can use Exclude by CSS Selector:

Exclude by css feature in Netsparker Scan Policy

Attacking

To disable Proof-Based Scanning, you can uncheck Enable Proof Generation:

Attacking configurations in Netsparker Scan Policy

Form Values

Update the default form values that Invicti uses when it attacks contact forms on the site.

Configure Form Values in Netsparker Scan Policy

Brute Force

Invicti will attack authentication forms to discover if anyone is using basic user/pass combinations. The default wordlist has 59 words.

However, you can update the wordlist and increase it to 5,000 words by using an Internal Agent or Invicti Standard.

Configure Brute Force in Netsparker Scan Policy

Request

Configure the User-Agent that Invicti will use, and limit the requests per second if you want to change the scan speed.

Configure Requests in Netsparker Scan Policy

HTTP Headers

Add or update the HTTP header values that Invicti will use during the scan.

Configure HTTP Headers in Netsparker Scan Policy

Custom Cookies

Create a custom cookie in the application and add it to Invicti. You can bypass MFA (multi-factor authentication) or CAPTCHA when you want to automate scans in the staging environment.

Add Custom Cookies in Netsparker

Imported Links

You can import sitemaps or API endpoints to include in the scan.

Import links to API Scan with Netsparker

Supported formats:

  • ASP.NET Project File – (.csproj, .vbproj)
  • Burp Saved Items – (.xml)
  • Comma Separated Values (CSV) – (.csv)
  • Fiddler – (.saz)
  • HTTP Archives – (HAR files)
  • I/O Docs – (.json, .zip)
  • Netsparker Session File – (.nss)
  • OWASP ZAP – (.txt)
  • Postman – (.json)
  • RAML – (.raml)
  • OpenAPI – (.json, .yaml, .yml)
  • Web Application Description Language (WADL) – (.wadl)
  • Web Service Definition Language (WSDL) – (.wsdl, .xml)
  • WordPress REST API – (.json)

PCI Scan

You can run a PCI DSS scan to get official PCI compliance. It is disabled by default, and you need to ask the sales team to enable it.

PCI Compliance Report with Netsparker

Shark (IAST)

Shark is new in town, and it is Invicti's IAST module.

To activate it, you need to install an agent on your web server. It supports .NET, PHP, Java and Node.js at the moment.

Netsparker Shark Feature for IAST

Benefits of using Invicti Shark:

  • better crawling
  • improved accuracy
  • the exact location of the vulnerabilities in the code:

Netsparker Shark IAST Issue Report Example

Authentication

Invicti supports 5 different authentication methods:

  • Form Authentication
  • Basic, NTLM/Kerberos
  • Header
  • Client Certificate
  • OAuth2

Form Authentication

Add the login URL and create a Persona with a username and password.

Netsparker Form Authentication Settings

Then click “Verify Login & Logout” to confirm it works. You will see a macro running below, and it will generate a logged-in version on the left and a logged-out version on the right side.

Netsparker Form Authentication Verification

Custom Script

After adding the login URL, you will see that the Custom Script button is enabled. You can create a login sequence (macro) to authenticate multi-step forms or a complicated login form.

How does Invicti monitor Technologies?

Find all the out-of-date technologies in the application after the first scan.

Netsparker Out of Date Technologies Feature

And it keeps monitoring proactively: if a new issue is published for that library, you will get a notification email even if you haven't run a scan.

Netsparker Out of Date Technologies Email

Invicti can detect outdated versions of many JavaScript libraries, CMSs, web servers and database services. You can check the complete list here.

What Systems Does Invicti Integrate With?

It is almost 2022 here, and “Security is Everyone's Responsibility” now.

Software development is faster than ever, and the ratio of security team to development team is 1:100 if you are lucky.

There is no way to keep up with application security without automation.

Invicti has 7 groups for Integrations:

1-Issue Tracking Systems

You started a scan and Invicti found an issue.

It creates a Jira ticket for Suphi (a developer). Suphi fixes the issue and updates the ticket status to “Resolved”. Invicti then runs a “Retest scan” and confirms whether the issue is fixed. If not, it changes the status to “Reopen Status”.

Netsparker Integrations for Issues Tracking Systems

2-Project Management

If your team is already using Trello, there is no need to make changes.

Netsparker Integrations for Project Management Tools

3-Continuous Integration Systems

It is the way to tell Invicti to go and scan when there is a change in the application.

Netsparker Integrations for Continuous Integration Systems

4-Communication

You can add Invicti items into your team conversation channels.

Netsparker Integrations for Communication Tools

Your security team can share issues via Slack.

Netsparker Integration with Slack

5-Privileged Access Management

You can utilize the access management solution that your company uses.

Netsparker Integration for Privileged Access Management Tools

6-API

If you are using custom solutions, then it is better to check out the Invicti API. (full document

Netsparker Integration API Options

7-Vulnerability Management

It supports only ServiceNow Vulnerability Response at the moment.

Netsparker Integration for Vulnerability Management Tools

What are Invicti editions?

There are 3 different editions of Invicti:

  • Invicti Standard
  • Invicti Team
  • Invicti Enterprise

In this chapter, I will share the details of these editions and different use cases for them.

Let’s dive right in.

Invicti Standard

Invicti Standard is a single-instance, Windows-only web application scanning tool.

Penetration testers and cyber security engineers mainly use it for first-level vulnerability discovery before jumping into manual pentesting.

Invicti Enterprise

You will have Invicti Enterprise if you need to scan more than 50 targets.

Let me share some details:

  • Invicti Team and Invicti Enterprise include Invicti Standard, and there is no user limit.
  • Invicti Enterprise customers can request custom integrations.
  • Invicti Team is cloud only (AWS US or AWS EU).
  • Invicti Enterprise has an on-premise option (Windows only).
  • Both support internal application scanning via agents (Windows, Linux, Docker).
  • Invicti Enterprise customers have dedicated tech support.

How to scan a WAF-protected website with Invicti?

You should whitelist Invicti in your firewall settings. Otherwise, you will just be testing your firewall, which is not a good idea.

As we know, there are various ways to bypass firewalls in a real attack scenario, so it is better not to rely solely on firewalls when discussing application security.

There are multiple ways to whitelist Invicti for your firewall:

a-Whitelist by IP Address

Invicti AWS (US):

54.88.149.100
54.85.169.114

Invicti AWS (EU):

3.121.126.156
3.122.64.138

b-Whitelist by Authentication Header

You can add a custom authentication header value and use it in your firewall configuration to whitelist the scanner.

Whitelist Netsparker in your firewall
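As an added example (not the article's or Invicti's own code), the allowlist decision a reverse proxy or WAF hook could make by combining the two options above: WAF inspection is skipped only when the request arrives from one of the Invicti scanner IPs listed above and carries the shared header. The header name X-Scanner-Auth and its secret are assumed placeholders you would set identically in the scan policy's HTTP Headers and in the firewall.

```python
import hmac
import ipaddress

# Invicti cloud scanner egress addresses, as listed in this article.
INVICTI_SCANNER_IPS = frozenset({
    "54.88.149.100", "54.85.169.114",  # Invicti AWS (US)
    "3.121.126.156", "3.122.64.138",   # Invicti AWS (EU)
})

# Assumed (hypothetical) header name and shared secret; configure the same pair
# under HTTP Headers in the Invicti scan policy and in your WAF / reverse proxy.
ALLOWLIST_HEADER = "X-Scanner-Auth"
ALLOWLIST_SECRET = "replace-with-a-long-random-secret"


def _header(headers, name):
    """HTTP header names are case-insensitive, so match them that way."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def is_trusted_scanner(peer_ip, headers,
                       trusted_ips=INVICTI_SCANNER_IPS,
                       header_name=ALLOWLIST_HEADER,
                       secret=ALLOWLIST_SECRET):
    """True only if the TCP peer address is a known scanner IP AND the request
    carries the shared header value. Requiring both means a leaked header alone,
    or a request from an unexpected address, is not enough to skip inspection."""
    try:
        ip = ipaddress.ip_address(peer_ip)  # rejects malformed values
    except ValueError:
        return False
    if str(ip) not in trusted_ips:
        return False
    presented = _header(headers, header_name)
    if presented is None:
        return False
    # Constant-time comparison so the secret cannot be guessed byte by byte.
    return hmac.compare_digest(presented.encode(), secret.encode())


def waf_action(peer_ip, headers):
    """Decision for the edge: skip WAF rules for the scanner, inspect everyone else.
    peer_ip must be the socket address, never a client-supplied X-Forwarded-For."""
    return "bypass_waf" if is_trusted_scanner(peer_ip, headers) else "inspect"
```

The check deliberately ignores X-Forwarded-For, since anything in that header is attacker-controlled unless your own proxy set it.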

How much does Invicti cost?

Invicti pricing works based on the number of targets.

Therefore, every domain and subdomain is a new target. You need to buy 5 FQDN licenses to scan the targets below:

  • https://www.appsecsanta.com
  • https://api.appsecsanta.com
  • https://dev.appsecsanta.com
  • https://staging.appsecsanta.com
  • http://127.0.0.1/~appsecsanta/

It is a minimum two-year subscription, and you can pay annually.

When should you use Invicti Standard?

Invicti Standard is a good choice, specifically if you have just a few targets and plan to scan them from time to time.

It has command-line interface support, so you can create some automation. However, it is not the best choice if you are planning integrations or building an SDLC.

Finally, it is essential to know that Invicti Standard is a single-user license, so check the Team edition if multiple people will run these scans.

When should you use Invicti Enterprise?

Invicti Enterprise is designed to scale and manage the entire dynamic scanning process.

Most of the people who love using Invicti Enterprise:

  • have more than 50 websites
  • are integrated into the SDLC and scan every release
  • have a lot of people involved from different teams or locations
  • require custom implementation (authentication, integration)

Why am I getting emails from Invicti?

If it is not your security team, most likely somebody is running a security scan on your website.

Invicti uses invicti@example.com by default in contact forms, and during a scan it may generate dozens of emails.

If you think there is unauthorized scanning going on, contact support@invicti.com.

How long does a typical Invicti scan take?

It all depends on how big and complex the application is. It usually takes 8-10 hours on average. In any case, no scan should take more than 24 hours.

Contact support@invicti.com for speed optimization investigations.