Invicti
Invicti is a full-scale web application security platform that offers DAST, IAST and SCA tools at the enterprise level.
Invicti Review
by Suphi Cankurt
Updated Mar 8, 2022
This is a complete guide to the Invicti Application Security Platform.
In this guide, you will learn everything there is to know about the platform (which evolved from Netsparker):
- Key features
- Real-life use cases
- Advanced tips
- Pricing and lots more
So if you want to get the most out of Invicti, this guide is for you.
Let’s jump right in.
CHAPTER 1:
Intro to Invicti
What is Invicti?
Invicti is a web application security platform that brings DAST, IAST and SCA together. It scans websites and APIs for security issues.
It evolved from one of the most popular DAST tools (Netsparker), and more than 3,100 companies use it worldwide.
What is Invicti Used For?
Invicti is mainly used to identify web application security issues like SQL Injection or Cross-site Scripting (XSS).
It can also analyse software composition and list the technologies used in a web application.
You can then monitor all these libraries proactively.
Most organizations use Invicti as part of their DevSecOps process.
When Netsparker first launched in 2009, it was just a single-instance penetration testing tool with a promising idea: Proof-Based Scanning™.
It has grown a lot over the years, and recently received a $625 million investment from Summit Partners.
Over that time, I've watched Netsparker grow from a single-instance web vulnerability scanner into Invicti, a fully-featured application security platform.
Today, Invicti is a great solution for:
- Startup CTOs who manage web security for their websites
- Penetration testing companies that work with multiple clients
- In-house security teams that run security checks on company websites and APIs
- Security consultants who advise clients on their application security program
CHAPTER 2:
Discovery
At first sight, the Discovery feature is easily overlooked.
Let me ask you a question:
Do you know how many websites your company has?
- WordPress blogs
- Temporary campaign sites
- The internal app that the marketing team uses
This chapter will show you how to use the Discovery feature to find all your websites and more.
Discovered Websites
The Discovery feature is enabled by default, so you will already see many discovered websites when you open your Invicti Enterprise account.
It adds more every time you add a new website or change the Discovery configuration.
Invicti uses various sources to find all public websites that possibly belong to your company:
- Your business email domain
- Out-of-scope links from your scans
- Other websites hosted on the same IP
- SSL/TLS certificates (organization name)
- Domain keywords and second-level domains
You can filter the results and remove the ones that do not belong to you.
CHAPTER 3:
Website Groups
Website Groups is the section where you create your Invicti management hierarchy.
You will use Website Groups for:
- Reporting
- Managing Roles
- Starting Group Scans
In this chapter, I will show you real website group examples.
New Website
You can add your websites manually or import them from a CSV file.
A website can belong to multiple groups, so how you organize them is up to you.
Some Website Group examples, grouped by:
- Hosting
- Technology
- Geolocation
- Teams
- Priority
Any of these groups can then be used to run a Group Scan.
CHAPTER 4:
Scan Settings
Let's configure your first Invicti scan!
Add your target, configure authentication and push “Launch”.
However, you need more to cover edge cases or optimize your security scans for speed.
In this chapter, you will learn how to run scans with Invicti like a pro.
New Scan
Scan Settings are the most critical part of this guide, so we will go through them step by step in detail.
So let's start from the beginning!
Target URL: you can choose a target from the list.
Scan Profile: you can save your configuration to reuse later or share with your team.
Now we are going all the way through Scan Settings.
Scan Settings
General
You will be configuring scan basics in the General section, and there are four topics:
- Scan Policy
- Report Policy
- Custom Cookies
- Crawling
Scan Policy
You can choose from built-in policies like OWASP Top 10 or PCI Checks.
Or you can create a New Scan Policy. Some of the essential sections when creating one:
Security Checks
Add or remove individual checks, for example to scan only for SQL Injection (Out of Band).
Crawling
Invicti will crawl up to 2,500 pages by default and stop.
You can increase the limit up to 15,000 pages.
Javascript
Use the pre-defined presets if you are scanning a Single Page Application.
You may need to increase DOM Load Timeout or Maximum Simulated Elements to reach all pages in the application.
To exclude specific parts of the website from the scan, use Exclude by CSS Selector.
Attacking
To disable Proof-Based Scanning, uncheck Enable Proof Generation.
Form Values
Update the default form values that Invicti submits when it attacks forms (such as contact forms) on the site.
Brute Force
Invicti attacks authentication forms to discover whether any account uses a common username/password combination.
The default wordlist has 59 entries.
You can supply your own wordlist of up to 5,000 entries when scanning through an Internal Agent or with Invicti Standard.
Request
Configure the User-Agent that Invicti will use, and limit the requests per second if you want to change the scan speed.
HTTP Headers
Add or update the HTTP header values that Invicti will send during the scan.
Custom Cookies
Have the application accept a custom cookie, and add the same cookie in Invicti.
This is how you bypass MFA (multi-factor authentication) or CAPTCHA when automating scans in a staging environment; make sure that bypass never ships to production.
Imported Links
You can import sitemaps or API endpoints to include in the scan.
Supported formats:
- ASP.NET Project File (.csproj, .vbproj)
- Burp Saved Items (.xml)
- Comma Separated Values (.csv)
- Fiddler (.saz)
- HTTP Archive (.har)
- I/O Docs (.json, .zip)
- Netsparker Session File (.nss)
- OWASP ZAP (.txt)
- Postman (.json)
- RAML (.raml)
- OpenAPI (.json, .yaml, .yml)
- Web Application Description Language (WADL) (.wadl)
- Web Service Definition Language (WSDL) (.wsdl, .xml)
- WordPress REST API (.json)
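As an added illustration of what a links import gives the crawler (example code written for this guide, not Invicti's importer), the script below expands a small OpenAPI 3 document into one URL per operation, fills path parameters the way an importer has to, and, after a scan, tells you which operations the crawl never reached. The API document, its paths under api.appsecsanta.com, and the list of crawled URLs are all constructed for the example.

```python
"""Expand an OpenAPI 3 document into scanner targets and report uncovered operations.

Added example for this guide, not Invicti's own import code. The API document
and the crawled URL list below are constructed for the demonstration.
"""
import json
import re
from typing import Iterable, List, Set, Tuple

# Constructed OpenAPI 3 spec (the host reuses api.appsecsanta.com from the
# licensing example on this page; the endpoints are invented).
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.3",
    "info": {"title": "Sample API", "version": "1.0"},
    "servers": [{"url": "https://api.appsecsanta.com/v1/"}],
    "paths": {
        "/users": {"get": {}, "post": {}},
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "schema": {"type": "integer"}}],
            "get": {},
            "delete": {},
        },
        "/orders/{orderId}/items/{itemId}": {
            "get": {
                "parameters": [
                    {"name": "orderId", "in": "path", "example": "A100"},
                    {"name": "itemId", "in": "path", "schema": {"type": "integer"}},
                ]
            }
        },
    },
})

# Constructed: what the crawler actually requested (e.g. exported from a HAR file).
SAMPLE_CRAWLED: Set[Tuple[str, str]] = {
    ("GET", "https://api.appsecsanta.com/v1/users"),
    ("POST", "https://api.appsecsanta.com/v1/users"),
    ("GET", "https://api.appsecsanta.com/v1/users/42?expand=roles"),
}

HTTP_METHODS = {"get", "post", "put", "patch", "delete", "head", "options", "trace"}
PARAM = re.compile(r"\{([^}]+)\}")  # {name} placeholders in a path template


def _servers(spec: dict) -> List[str]:
    return [s["url"].rstrip("/") for s in spec.get("servers", [])] or [""]


def openapi_operations(spec_text: str) -> List[Tuple[str, str]]:
    """Return (METHOD, url_template) pairs, one per server per operation."""
    spec = json.loads(spec_text)
    ops = []
    for path, item in spec.get("paths", {}).items():
        for method in item:
            if method.lower() in HTTP_METHODS:
                ops.extend((method.upper(), base + path) for base in _servers(spec))
    return ops


def fill_path_params(path: str, params: Iterable[dict]) -> str:
    """Replace {name} with the parameter's example, or a type-appropriate placeholder."""
    by_name = {p.get("name"): p for p in params if p.get("in") == "path"}

    def value(match):
        p = by_name.get(match.group(1), {})
        if "example" in p:
            return str(p["example"])
        return "1" if p.get("schema", {}).get("type") == "integer" else "sample"

    return PARAM.sub(value, path)


def import_list(spec_text: str) -> List[str]:
    """Concrete, de-duplicated URLs suitable for an imported-links list."""
    spec = json.loads(spec_text)
    urls: List[str] = []
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # path-item level parameters
        for method, op in item.items():
            if method.lower() not in HTTP_METHODS:
                continue
            concrete = fill_path_params(path, shared + (op or {}).get("parameters", []))
            for base in _servers(spec):
                if base + concrete not in urls:
                    urls.append(base + concrete)
    return urls


def template_regex(url_template: str) -> "re.Pattern":
    """Turn .../users/{id} into a regex matching any one path segment, plus an optional query string."""
    literal_parts = re.split(r"\{[^}]+\}", url_template)
    pattern = r"[^/?]+".join(re.escape(part) for part in literal_parts)
    return re.compile(pattern + r"(?:\?.*)?")


def uncovered_operations(spec_text: str, crawled: Set[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Operations from the spec that no crawled (METHOD, url) pair matched."""
    missing = []
    for method, template in openapi_operations(spec_text):
        rx = template_regex(template)
        if not any(m == method and rx.fullmatch(u) for m, u in crawled):
            missing.append((method, template))
    return missing


if __name__ == "__main__":
    for url in import_list(SAMPLE_SPEC):
        print("import:", url)
    for method, template in uncovered_operations(SAMPLE_SPEC, SAMPLE_CRAWLED):
        print("not covered:", method, template)
```

The coverage check is the part worth keeping around: a DAST scan only tests what it requested, so comparing the spec against the scan's request log tells you which operations still need imported links, authentication or a custom script before the report means anything.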
PCI Scan
You can run a PCI DSS scan to obtain an official PCI compliance report.
It is disabled by default, and you need to ask the sales team to enable it.
Shark (IAST)
Shark is the newest addition: Invicti's IAST module.
You need to install an agent on your web server to activate it. It supports .NET, PHP, Java and Node.js at the moment.
Benefits of using Invicti Shark:
- Better crawling
- Improved accuracy
- The exact location of each vulnerability in the code
Authentication
Invicti supports five different authentication methods:
- Form Authentication
- Basic, NTLM/Kerberos
- Header
- Client Certificate
- OAuth2
Form Authentication
Add the login URL and create a Persona with a username and password. Then click “Verify Login & Logout” to confirm it works.
You will see a macro run below, producing a logged-in view on the left and a logged-out view on the right.
Custom Script
After adding the login URL, the Custom Script button becomes enabled. You can record a login sequence (macro) to authenticate against multi-step or otherwise complicated login forms.
CHAPTER 5:
Technologies
Invicti Technologies is designed to monitor all the technologies in the scanned applications.
It is enabled by default and works proactively to find out-of-date technologies or known issues with the versions you run.
And in this chapter you’ll learn how this feature works.
Out of Date Technologies
After the first scan, you will find all the out-of-date technologies in the application.
Monitoring continues afterwards: if a new issue is published for one of those libraries, you get a notification email even if you haven't run another scan.
Invicti can detect outdated versions of many JavaScript libraries, CMSs, web servers and database services.
The complete list is in the Invicti documentation.
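To make the mechanism concrete, here is an added example (written for this guide, not Invicti's Technologies feature) of a passive out-of-date check: it pulls library versions out of the `<script src>` URLs in a page and compares them against a minimum-version table. The table, the alias list and the sample HTML are constructed placeholders; a real baseline has to be maintained from the libraries' own release notes and advisory feeds.

```python
"""Passive out-of-date library check over a page's <script src> URLs.

Added example for this guide; not Invicti's Technologies feature. The
minimum-version table and the sample HTML are constructed placeholders.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed baseline: oldest version you still accept per library. Maintain
# a real table from the projects' release notes and advisory feeds.
MINIMUM_VERSIONS: Dict[str, str] = {
    "jquery": "3.5.0",
    "bootstrap": "4.3.1",
    "angularjs": "1.8.0",
}

# Package/file names as they appear in URLs -> key in MINIMUM_VERSIONS.
ALIASES = {"jquery": "jquery", "bootstrap": "bootstrap", "angular": "angularjs"}

SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc=[\"']([^\"']+)[\"']", re.I)
VERSION_PATTERNS = [
    # .../jquery-3.4.1.min.js  (version embedded in the file name)
    re.compile(r"/(?P<lib>[a-z][\w-]*?)[-.](?P<ver>\d+\.\d+(?:\.\d+)?)(?:\.\w+)*\.js$", re.I),
    # .../libs/bootstrap/4.3.1/...  or  .../npm/angular@1.7.9/...  (CDN path style)
    re.compile(r"/(?P<lib>[a-z][\w-]*)[@/](?P<ver>\d+\.\d+(?:\.\d+)?)/", re.I),
]


class Finding(NamedTuple):
    library: str
    version: str
    minimum: str
    src: str


def parse_version(v: str) -> Tuple[int, ...]:
    """'3.4.1' -> (3, 4, 1); tuples compare component-wise."""
    return tuple(int(p) for p in v.split("."))


def identify(src: str) -> Optional[Tuple[str, str]]:
    """(canonical library name, version) from a script URL, or None if unrecognised."""
    path = src.split("?", 1)[0].split("#", 1)[0]  # ignore cache-busting query strings
    for pattern in VERSION_PATTERNS:
        m = pattern.search(path)
        if m and m.group("lib").lower() in ALIASES:
            return ALIASES[m.group("lib").lower()], m.group("ver")
    return None


def outdated_libraries(html: str) -> List[Finding]:
    """Every recognised script whose version is below the accepted minimum."""
    findings = []
    for src in SCRIPT_SRC.findall(html):
        hit = identify(src)
        if hit is None:
            continue
        lib, ver = hit
        minimum = MINIMUM_VERSIONS.get(lib)
        if minimum and parse_version(ver) < parse_version(minimum):
            findings.append(Finding(lib, ver, minimum, src))
    return findings


# Constructed page: two outdated libraries, one current, one unknown local script.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="https://code.jquery.com/jquery-3.4.1.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/bootstrap/4.3.1/js/bootstrap.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/angular@1.7.9/angular.min.js?cache=1"></script>
<script src="/static/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for f in outdated_libraries(SAMPLE_HTML):
        print(f"{f.library} {f.version} < {f.minimum}  ({f.src})")
```

Two caveats the example makes visible: a URL-based check only sees libraries whose version is in the file name or CDN path (a bundled, renamed copy like `/static/app.js` is invisible, which is where content hashes or an IAST agent help), and the baseline table is the whole value of the feature, which is why the continuous monitoring described above matters more than the one-off scan.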
CHAPTER 6:
Integrations
It is no secret that integrations are the key to successful DevSecOps.
We believe that any solution that doesn't take automation into account is an incomplete solution.
In this chapter, you'll learn about Invicti's integration capabilities.
Integrating into the SDLC
It is almost 2022, and “Security is Everyone's Responsibility” now.
Software development is faster than ever, and the security-to-developer ratio is 1:100 if you are lucky.
There is no way to keep up with application security without automation.
Invicti has 7 groups of integrations. Here is how some of them work in practice.
Issue tracking: you start a scan and Invicti finds an issue. It creates a Jira ticket for Suphi (a developer). Suphi fixes the issue and updates the ticket status to “Resolved”. Invicti runs a retest scan and confirms the fix; if the issue is still there, it sets the ticket status back to “Reopen”. If your team already uses Trello, no need to change anything: that is supported too.
CI/CD: this is the way to tell Invicti to go and scan when there is a change in the application.
Team messaging: your security team can share issues via Slack.
Single sign-on: you can use the access management solution your company already has.
API: if you are using custom solutions, check out the Invicti API (see the full API documentation).
Vulnerability management: only ServiceNow Vulnerability Response is supported at the moment.
CHAPTER 7:
Invicti Editions
There are 3 different editions of Invicti:
- Invicti Standard
- Invicti Team
- Invicti Enterprise
In this chapter, I will share the details of these editions and different use cases for them.
Let’s dive right in.
Invicti Standard
Invicti Standard is a single-instance, Windows-only web application scanning tool.
Penetration testers and security engineers mainly use it for first-level vulnerability discovery before moving on to manual pentesting.
Invicti Team and Enterprise
You will want Invicti Enterprise if you need to scan more than 50 targets.
Some details:
- Invicti Team and Invicti Enterprise include Invicti Standard, and there is no user limit.
- Invicti Enterprise customers can request custom integrations.
- Invicti Team is cloud only (AWS US or AWS EU).
- Invicti Enterprise has an on-premise option (Windows only).
- Both support internal application scanning via agents (Windows, Linux, Docker).
- Invicti Enterprise customers have dedicated technical support.
How to scan a WAF-protected website with Invicti?
Whitelist Invicti in your firewall settings. Otherwise you are only testing the firewall, not the application, which is not what you want.
There are many ways to bypass a WAF in a real attack, so it is better not to rely on the firewall alone when assessing application security.
There are two ways to whitelist Invicti in your firewall:
a) Whitelist by IP address
Invicti AWS (US):
54.88.149.100
54.85.169.114
Invicti AWS (EU):
3.121.126.156
3.122.64.138
b) Whitelist by authentication header
Add a custom header with a secret value in the scan's HTTP Headers settings and configure the firewall to let requests carrying that value through. Treat the value as a credential: anyone who learns it can walk past your WAF, so keep it out of logs and rotate it after the engagement.
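Putting both whitelisting methods, and the Custom Cookies bypass from Chapter 4, on the application side: the example below (added for this guide, not Invicti's code) lets the WAF pass a scanner by source IP or by a signed, expiring header token, and lets only a valid signed cookie skip MFA/CAPTCHA, and only outside production. The header name X-Scanner-Bypass, the cookie name scanner_bypass, the request dictionary shape and the secret are assumptions; the page only says a custom header value or a custom cookie. The IP list is the one printed above. The expiry is an addition over the static value the page describes.

```python
"""Server-side acceptance of a scanner bypass credential.

Added example for this guide, not Invicti's code. It covers two places the
guide touches: the WAF allowlist (by source IP or by a custom header) and the
staging-only cookie that lets a scan skip MFA/CAPTCHA. The header name, cookie
name, request shape and secret are assumptions.
"""
import hashlib
import hmac
import ipaddress
import time
from typing import Optional

# Scanner egress addresses as listed on this page (AWS US and EU). Confirm the
# current list in the vendor documentation before deploying.
SCANNER_IPS = {
    ipaddress.ip_address(a)
    for a in ("54.88.149.100", "54.85.169.114", "3.121.126.156", "3.122.64.138")
}

BYPASS_HEADER = "X-Scanner-Bypass"  # assumed name
BYPASS_COOKIE = "scanner_bypass"    # assumed name


def issue_token(secret: bytes, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Mint "<expiry>.<hex HMAC-SHA256(secret, expiry)>".

    Unlike a static shared string, the token stops working on its own after
    ttl_seconds, because the expiry is inside the signed message. Paste the
    result into the scan's HTTP Headers or Custom Cookies setting.
    """
    exp = int(time.time() if now is None else now) + ttl_seconds
    mac = hmac.new(secret, str(exp).encode(), hashlib.sha256).hexdigest()
    return f"{exp}.{mac}"


def verify_token(secret: bytes, token: str, now: Optional[float] = None) -> bool:
    """Check the signature in constant time first, then the expiry."""
    exp_str, sep, mac = token.partition(".")
    if not sep or not exp_str.isdigit():
        return False
    expected = hmac.new(secret, exp_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False  # signature wrong: do not trust the expiry field at all
    current = time.time() if now is None else now
    return int(exp_str) > current


def waf_allowlist_reason(request: dict, secret: bytes, now: Optional[float] = None) -> Optional[str]:
    """Why the WAF should let this request through to the application.

    request is a plain dict: {"remote_addr": str, "headers": {name: value}}.
    Returns "ip", "header", or None (apply the normal WAF rules).
    """
    try:
        if ipaddress.ip_address(request.get("remote_addr", "")) in SCANNER_IPS:
            return "ip"
    except ValueError:
        pass  # missing or malformed address: fall through to the header check
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    token = headers.get(BYPASS_HEADER.lower())
    if token and verify_token(secret, token, now):
        return "header"
    return None


def skip_auth_challenge(request: dict, secret: bytes, environment: str,
                        now: Optional[float] = None) -> bool:
    """Whether MFA/CAPTCHA may be skipped for this request.

    Only a valid signed cookie counts (never the source IP: a shared egress
    would let anyone behind it skip MFA), and never in production.
    """
    if environment == "production":
        return False
    token = request.get("cookies", {}).get(BYPASS_COOKIE)
    return bool(token) and verify_token(secret, token, now)


if __name__ == "__main__":
    secret = b"replace-with-a-random-32-byte-secret"  # assumed; load from a vault
    token = issue_token(secret, ttl_seconds=8 * 3600)  # long enough for one scan
    print(f"{BYPASS_HEADER}: {token}")
```

Give the scan the output of issue_token() as the header (or cookie) value and rotate the secret when the engagement ends. A static header value works too, but whoever captures it keeps a permanent WAF bypass; the expiry inside the signed token bounds that window, and the constant-time comparison keeps the check itself from leaking the value.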
How much does Invicti cost?
Invicti pricing is based on the number of targets, and every domain and subdomain counts as a separate target. You need five FQDN licenses to scan the targets below:
- https://www.appsecsanta.com
- https://api.appsecsanta.com
- https://dev.appsecsanta.com
- https://staging.appsecsanta.com
- http://127.0.0.1/~appsecsanta/
The minimum subscription is two years, and you can pay annually.
When should you use Invicti Standard?
Invicti Standard is a good choice if you have just a few targets and plan to scan them from time to time.
It has a command-line interface, so you can build some automation around it. However, it is not the best choice if you are planning integrations or building it into an SDLC.
Finally, note that Invicti Standard is a single-user license, so look at the Team edition if multiple people will run scans.
When should you use Invicti Enterprise?
Invicti Enterprise is designed to scale and manage the entire dynamic scanning process. The teams that get the most out of it typically:
- have more than 50 websites
- have integrated scanning into the SDLC and scan every release
- have many people involved from different teams or locations
- need custom implementation (authentication, integrations)
Why am I getting emails from Invicti?
If it is not your own security team, most likely somebody else is running a security scan against your website.
Invicti fills invicti@example.com into contact forms by default, and a scan may generate dozens of emails.
If you think unauthorized scanning is going on, contact support@invicti.com.
How long does a typical Invicti scan take?
It all depends on how big and complex the application is.
It usually takes 8-10 hours on average.
In any case, no scan should take more than 24 hours.
Contact support@invicti.com if you need help optimizing scan speed.
Suphi Cankurt –
Netsparker is the DAST tool you should check if you plan to integrate into your SDLC. It generates actionable items with high accuracy (Proof-based Scanning) and is suited up with tons of built-in integration capabilities.
Ricky T –
Best web vulnerability scanner, but it's expensive.