Invicti Review

This is a complete guide to Invicti Application Security Platform.

In this new guide, you will learn everything there is to know about this platform (evolved from Netsparker):

  • Key features
  • Real-life use cases
  • Advanced tips
  • Pricing and lots more

So if you want to get the most out of Invicti, this guide is for you.

Let’s jump right in.

Invicti

CHAPTER 1:

Intro to Invicti

Intro to Netsparker

What is Invicti?

Invicti is a web application security platform that brings DAST, IAST and SCA together. It scans websites and APIs for security issues.

It evolved from one of the most popular DAST tools (Netsparker), and more than 3,100 companies use it worldwide.

What is Invicti Used For?

Invicti is mainly used to identify web application security issues like SQL Injections or Cross-site Scripting (XSS).

Netsparker Security Issues

Invicti can also analyse software composition and gather a list of the technologies used in web applications.

You can monitor all these libraries proactively.

Netsparker Out of Date Technologies

Most organizations use Invicti in their DevSecOps process.

Netsparker SDLC Integration

When Netsparker first launched in 2009, it was just a single-instance penetration testing tool with a promising idea: Proof-Based Scanning™.

Netsparker Website in 2014

And it has grown A LOT over the years, recently receiving a $625 million investment from Summit Partners.

Netsparker Investment News

Over that time, I've seen Netsparker grow from a single-instance web vulnerability scanner into Invicti, a fully featured application security platform.

Today, Invicti is a great solution for:

  • Startup CTOs who manage web security for their websites
  • Penetration testing companies that work with multiple clients
  • “In-house” security teams that run security checks on company websites and APIs
  • Security consultants who advise clients on their Application Security Program

CHAPTER 2:

Discovery

At first sight, the Discovery feature is easily overlooked.

Let me ask you a question:

Do you know how many websites your company has?

  • WordPress blogs
  • Temporary campaign sites
  • The internal app that the marketing team is using

This chapter will show you how to use the Discovery feature to find all your websites and more.

Discovery

Discovered Websites

The Discovery feature is enabled by default, so you will already see many websites discovered when you open your Invicti Enterprise account.

Netsparker Discovery Feature

And it will discover more every time you add a new website or change the Discovery configuration.

Netsparker Discovery Feature Settings

Invicti uses various sources to find all public websites that possibly belong to your company:

  • Your business email domain
  • Out of scope links from your scans
  • Other websites hosted from the same IP
  • SSL Certificates (Organization name)
  • Domain keywords and second-level domains

As it is an automated process, it is far from perfect: it will also bring in any other website that includes your domain name.

Netsparker Discovery Filter Options

You can filter them out.

Netsparker Discovery Filters

CHAPTER 3:

Website Groups

Website Groups is the section where you create your Invicti management hierarchy.

You will use Website Groups for:

  • Reporting
  • Managing Roles
  • Starting Group Scans

In this chapter, I will show you real website group examples.

Website Groups

New Website

You can add your websites manually or import them from a CSV file.

Websites can belong to multiple groups, and how you group them is up to you.

Netsparker Add a New Website

Some Website Group examples, based on:

  • Hosting
  • Technology
  • Geolocation
  • Teams
  • Priority

Netsparker Website Groups

You can use these groups when you want to run a Group Scan.

Starting a Netsparker Group Scan

CHAPTER 4:

Scan Settings

Let's configure your first Invicti scan!

Add your target, configure authentication and push “Launch”!

However, you need more to cover edge cases or optimize your security scans for speed.

In this chapter, you will learn how to run scans with Invicti like a pro.

Scan Settings

New Scan

Invicti Scan Settings is the most critical part of this guide, so we will go through it step by step in detail.

So let's start from the beginning!

Target URL: You can choose a target from the list.

Scan Profile: You can save your configuration to use later or share it with your team.

Save a Netsparker Scan Profile

Now we are going all the way through Scan Settings.

Scan Settings

General

You will be configuring scan basics in the General section, and there are four topics:

  • Scan Policy
  • Report Policy
  • Custom Cookies
  • Crawling

Scan Policy

You can choose from built-in policies like OWASP Top 10 or PCI Checks.

Netsparker built-in Scan Policies

Or you can create a New Scan Policy:

Create a New Netsparker Scan Policy

Some of the essential sections when creating a New Scan Policy:

Security Checks

Add or remove some checks like “scan only for SQL Injection (Out of Band).”

Security Checks in Netsparker Scan Policy

Crawling

Invicti will crawl up to 2,500 pages by default and then stop.

You can increase the limit up to 15,000 pages.

Crawling configurations in Netsparker Scan Policy

JavaScript

Use the pre-defined presets if you are scanning a Single Page Application.

You may need to increase DOM Load Timeout or Maximum Simulated Elements to include all pages in the application.

JavaScript configurations in Netsparker Scan Policy

Also, to exclude specific parts of the website from the scan, you can use Exclude by CSS Selector:

Exclude by CSS Selector feature in Netsparker Scan Policy

Attacking

To disable Proof-Based Scanning, uncheck Enable Proof Generation:

Attacking configurations in Netsparker Scan Policy

Form Values

Update the default form values that Invicti uses when it attacks contact forms on the site.

Configure Form Values in Netsparker Scan Policy

Brute Force

Invicti will attack authentication forms to discover whether any account uses common username/password combinations.

The default wordlist has 59 words.

However, you can update the wordlist and increase it to 5,000 entries by using an Internal Agent or Invicti Standard.

Configure Brute Force in Netsparker Scan Policy

Request

Configure the User-Agent that Invicti will use, and limit the requests per second if you want to change the scan speed.

Configure Requests in Netsparker Scan Policy

HTTP Headers

Add or update the HTTP header values that Invicti will use during the scan.

Configure HTTP Headers in Netsparker Scan Policy

Custom Cookies

Create a custom cookie in the application and add it to Invicti.

This lets you bypass MFA (multi-factor authentication) or CAPTCHA when you want to automate scans in the staging environment.

Add Custom Cookies in Netsparker

Imported Links

You can import sitemaps or API endpoints to include in the scan.

Import links to API Scan with Netsparker

Supported formats:

  • ASP.NET Project File – (.csproj, .vbproj)
  • Burp Saved Items – (.xml)
  • Comma Separated Values (CSV) – (.csv)
  • Fiddler – (.saz)
  • HTTP Archives – (.har)
  • I/O Docs – (.json, .zip)
  • Netsparker Session File – (.nss)
  • OWASP ZAP – (.txt)
  • Postman – (.json)
  • RAML – (.raml)
  • OpenAPI – (.json, .yaml, .yml)
  • Web Application Description Language (WADL) – (.wadl)
  • Web Service Definition Language (WSDL) – (.wsdl, .xml)
  • WordPress REST API – (.json)


PCI Scan

You can run a PCI DSS scan to get official PCI Compliance.

It is disabled by default, and you need to ask the sales team to enable it.

PCI Compliance Report with Netsparker

Shark (IAST)

Shark is new in town, and it is Invicti's IAST module.

You need to install an agent on your web server to activate it. It supports .NET, PHP, Java and Node.js at the moment.

Netsparker Shark Feature for IAST

Benefits of using Invicti Shark:

  • Better crawling
  • Improved accuracy
  • The exact location of the vulnerabilities in the code:

Netsparker Shark IAST Issue Report Example

Authentication

Invicti supports 5 different authentication methods:

  • Form Authentication
  • Basic, NTLM/Kerberos
  • Header
  • Client Certificate
  • OAuth2

Form Authentication

Add the login URL and create a Persona with a username and password.

Netsparker Form Authentication Settings

Then click “Verify Login & Logout” to confirm it works.

You will see a macro running below, and it will show a logged-in view on the left and a logged-out view on the right.

Netsparker Form Authentication Verification

Custom Script

After adding the login URL, the Custom Script button is enabled. You can create a login sequence (macro) to authenticate multi-step or complicated login forms.

CHAPTER 5:

Technologies

Invicti Technologies is designed to monitor all the technologies in the scanned applications.

It is enabled by default and works proactively to find out-of-date technologies or issues with your versions.

And in this chapter you’ll learn how this feature works.

Technologies

Out of Date Technologies

Find all the out-of-date technologies in the application after the first scan.

Netsparker Out of Date Technologies Feature

And it keeps monitoring proactively: if a new issue is found in one of those libraries, you will get a notification email even if you haven't run a scan.

Netsparker Out of Date Technologies Email

Invicti can detect outdated versions of many JavaScript libraries, CMSs, web servers and database services.

You can check the complete list here.

CHAPTER 6:

Integrations

It is no secret that integrations are the key to successful DevSecOps.

We believe that any solution that doesn’t take automation into account is an incomplete solution.

And in this chapter, you’ll learn Invicti Integration capabilities.

Netsparker Integrations

Integrating into SDLC

It is almost 2022, and “Security is Everyone's Responsibility” now.

Software development is faster than ever, and the ratio of security staff to developers is 1:100 if you are lucky.

There is no way to keep up with application security without automation.

Invicti has 7 groups of integrations:

1-Issue Tracking Systems

You started a scan and Invicti found an issue.

It creates a Jira ticket for Suphi (a developer). Suphi fixes the issue and updates the ticket status to “Resolved”.

Invicti runs a “Retest scan” and confirms whether the issue is fixed. If not, it changes the status to “Reopen Status”.

Netsparker Integrations for Issue Tracking Systems

2-Project Management

If your team is already using Trello, there is no need to change anything.

Netsparker Integrations for Project Management Tools

3-Continuous Integration Systems

This is how you tell Invicti to go and scan whenever there is a change in the application.

Netsparker Integrations for Continuous Integration Systems

4-Communication

Netsparker Integrations for Communication Tools

Your security team can share issues via Slack.

Netsparker Integration with Slack

5-Privileged Access Management

You can use the privileged access management solution that your company already has.

Netsparker Integration for Privileged Access Management Tools

6-API

If you are using custom solutions, it is better to check out the Invicti API. (full document

Netsparker Integration API Options

7-Vulnerability Management

It supports only ServiceNow Vulnerability Response at the moment.

Netsparker Integration for Vulnerability Management Tools

CHAPTER 7:

Invicti Editions

There are 3 different editions of Invicti:

  • Invicti Standard
  • Invicti Team
  • Invicti Enterprise

In this chapter, I will share the details of these editions and different use cases for them.

Let’s dive right in.

Netsparker Editions

What is Invicti Standard?

Invicti Standard is a single-instance, Windows-only web application scanning tool.

Penetration testers and cybersecurity engineers mainly use it for first-level vulnerability discovery before jumping into manual pentesting.

Invicti Team and Enterprise

You will need Invicti Enterprise if you have to scan more than 50 targets.

Let me share some details:

  • Invicti Team and Invicti Enterprise include Invicti Standard, and there is no user limit.
  • Invicti Enterprise customers can request custom integrations
  • Invicti Team is Cloud only (AWS US or AWS EU)
  • Invicti Enterprise has an On-premise option (Windows only)
  • Both support internal application scanning via agents (Windows, Linux, Docker)
  • Invicti Enterprise customers have dedicated tech support

How to scan a WAF-protected website with Invicti?

You should whitelist Invicti in your firewall settings. Otherwise, you will just be testing your firewall, which is not a good idea.

Since there are various ways to bypass firewalls in a real attack scenario, it is better not to rely on firewalls alone when it comes to application security.

There are multiple ways to whitelist Invicti in your firewall:

a-Whitelist by IP Address

Invicti AWS (US): 

54.88.149.100
54.85.169.114

Invicti AWS (EU):

3.121.126.156
3.122.64.138

b-Whitelist by Authentication Header

You can add a custom authentication header value and use it in your firewall configurations to whitelist.

Whitelist Netsparker in your firewall
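To make the two whitelisting options concrete, here is an added example (not Invicti's code, and not from the original post) of the decision a WAF or reverse proxy would make: option a matches the scanner source addresses listed above, option b checks a custom authentication header. The header name, the secret and the `staging.example.com` host are placeholders chosen for the example.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field

# Scanner source addresses as listed in this guide (Invicti AWS US and EU).
INVICTI_SCANNER_IPS = {
    "54.88.149.100", "54.85.169.114",  # AWS US
    "3.121.126.156", "3.122.64.138",   # AWS EU
}

# Placeholder header name and shared secret for option b. In a real
# deployment pick your own values and keep the secret out of source control.
SCANNER_HEADER = "X-Scanner-Auth"
SCANNER_SECRET = "replace-with-a-long-random-secret"


@dataclass
class Request:
    """Minimal view of an incoming HTTP request as a WAF would see it."""
    source_ip: str
    host: str
    headers: dict = field(default_factory=dict)


def is_scanner_by_ip(source_ip: str) -> bool:
    """Option a: the request comes from one of the published scanner IPs."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # malformed address never matches the allowlist
    return str(addr) in INVICTI_SCANNER_IPS


def is_scanner_by_header(headers: dict) -> bool:
    """Option b: the request carries the custom authentication header.
    compare_digest keeps the comparison constant-time, so the secret cannot
    be guessed one byte at a time from response timing."""
    presented = headers.get(SCANNER_HEADER, "")
    return hmac.compare_digest(presented.encode(), SCANNER_SECRET.encode())


def waf_bypass_allowed(req: Request, allowed_hosts: set) -> bool:
    """Skip WAF rules only for scanner traffic, and only on the hosts you
    deliberately opened for scanning (e.g. staging), never on every host."""
    if req.host not in allowed_hosts:
        return False
    return is_scanner_by_ip(req.source_ip) or is_scanner_by_header(req.headers)
```

Whichever option you use, log the bypassed requests separately so a scan that hits production by mistake is visible in your SIEM.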

How much does Invicti cost?

Invicti pricing is based on the number of targets, and every domain and subdomain counts as a separate target. You need to buy 5 FQDN licenses to scan the targets below:

  1. https://www.appsecsanta.com
  2. https://api.appsecsanta.com
  3. https://dev.appsecsanta.com
  4. https://staging.appsecsanta.com
  5. http://127.0.0.1/~appsecsanta/

It is a minimum two-year subscription, and you can pay annually.

When should you use Invicti Standard?

Invicti Standard is a good choice, especially if you have just a few targets and plan to scan from time to time.

It has command-line interface support, so you can create some automation. However, it is not the best choice if you are planning integrations or building an SDLC.

Finally, it is essential to know that Invicti Standard is a single-user license, so check the Team edition if multiple people will run these scans.

When should you use Invicti Enterprise?

Invicti Enterprise is designed to scale and manage the entire dynamic scanning process. Most people who love using Invicti Enterprise:

  • have more than 50 websites
  • have integrated it into their SDLC and scan every release
  • have a lot of people involved from different teams or locations
  • require custom implementation (authentication, integration)

Why am I getting emails from Invicti?

Most likely, somebody is running a security scan on your website, if it is not your own security team.

Invicti uses invicti@example.com by default in contact forms, and during the scan, it may generate dozens of emails.

If you think there is unauthorized scanning going on, contact support@invicti.com.

How long does a typical Invicti scan take?

It all depends on how big and complex the application is.

It usually takes 8-10 hours on average.

In any case, no scan should take more than 24 hours.

Contact support@invicti.com for speed optimization investigations.

2 reviews for Invicti

5.0 out of 5
  1. Suphi Cankurt

    Netsparker is the DAST tool you should check if you plan to integrate into SDLC. It generates actionable items with high accuracy (Proof-based Scanning) and is suited up with tons of built-in integration capabilities.

    + PROS: Integrations High Accuracy Advanced Configurations
    - CONS: Not the cheapest one
  2. Ricky T

    Best web vulnerability scanner, but it's expensive.

    + PROS: highly accurate
    - CONS: expensive
    Latest Invicti News

    Update – 2022.03.08: Netsparker renamed to Invicti
    Update – 2022.03.01: Now you can run Software Composition Analysis with Netsparker Shark – details here
    AppSec Santa