Custom Scripts for Security Checks in Invicti Standard
You can conduct your own attacks in Invicti and raise vulnerabilities during scans.
This topic explains how Invicti Standard helps you to add custom vulnerability detections to your scans. To add a custom script in Invicti Enterprise, see Custom Scripts for Security Checks in Invicti Enterprise.
For further information on security check types and how to write custom code for those, see Custom Security Checks via Scripting.
Deciding Which Vulnerability Type Will be Detected
Invicti’s Default Report Policy includes many vulnerabilities. These are the built-in vulnerabilities that Invicti can find out of the box, including SQL Injection, XSS, and LFI.
In addition, you can define custom vulnerability types by creating a new Report Policy. These new vulnerability types will be available to all the scans that use the report policy.
When writing script code, you should refer to built-in vulnerability types by their names, but to custom vulnerability types by the generated GUIDs.
Before writing a custom security check script, you should decide what type of vulnerability the script will raise. If it does not already exist in the Default Report Policy, you should create a custom one in the Report Policy Editor (see Custom Report Policies). You can specify the name of the vulnerability, its severity, and the text to be shown for it in the UI and in reports.
Identifying a Sample Vulnerable Web Page
For Invicti to be able to find a vulnerability, it first needs to discover the vulnerable page during the crawling stage of the scan. That is also the case for custom vulnerabilities. Go ahead and perform a Crawl Only scan for the target website and make sure the vulnerable page is listed in the Sitemap tree. Do not forget to select the custom report policy if you are going to write a script for a custom vulnerability you have created.
How to Write a Custom Script for a Security Check
- Right-click the target page in the Sitemap, and click Custom Scripts.
- The Custom Scripts panel is displayed and docked to the right of the Invicti window.
- In the Custom Scripts panel, click the New Script drop-down, and select the security check type for which you want to write a script (see Custom Security Checks via Scripting for more information on the custom security check types for which you can write scripts).
- After you enter a meaningful name, Invicti creates a script file for you in the Invicti documents directory on your local machine, and opens the file using your system's default registered JavaScript editor.
- The file will already be populated with some template custom script code. Make any necessary changes to the code, and save it.
- Switch back to the Invicti window. First, make sure the target vulnerable page is still selected in the Sitemap tree, because the code you have written will be executed against whatever is selected. Then, from the Custom Scripts panel toolbar, click Execute.
- When Invicti is finished executing the custom security check script, a message is displayed, informing you whether a vulnerability has been found during execution:
- If a vulnerability is found (hopefully the one you have raised in your custom script code), it will be displayed in the Sitemap tree under the selected vulnerable page's node.
- If no vulnerabilities have been found, check the script code you have written. You should also check the Logs panel for error logs. If your custom security check is performing HTTP requests, you can use a tool like Fiddler to diagnose whether the correct request parameters were sent and whether the expected response has been returned from the server. Execute the script code as many times as you want until you see the vulnerability reported in the Sitemap tree.
- Once you have confirmed that your script is working as expected, conduct a new scan. But this time make it a Full Scan (not a Crawl and Wait one).
Also, make sure you have created a new Scan Policy in the Scan Policy Editor and have selected in it the custom security check you have just created.
- If things are working as expected, your activity will be listed in the Activity panel during the scan. This confirms that the script code you have written is executing for all the discovered links and parameters.
The scan will also find the vulnerability in the vulnerable page.