Custom Scripts for Security Checks in Invicti Enterprise
You can conduct your own attacks in Invicti Enterprise and detect vulnerabilities during scans.
To add a custom security script in Invicti Enterprise On-Demand, submit a ticket through our Help Center. Only a support engineer can add a custom script to your account.
- Before contact with a support engineer in order to add a custom script to your account, you need to decide what type of vulnerability the script will raise. You can specify the name of the vulnerability, its severity, and the text to be displayed when it is displayed in Invicti Enterprise and in reports. (see Custom Report Policies).
- Then, a support engineer will create a custom report policy and add your new vulnerability check into the custom report policy. After that, they will add your new custom security script to your account.
Using Invicti Enterprise On-Premises? An account owner can let you write your own custom security check. To do this, from the main menu, they have to select Settings > General. Then, select the “Account can execute custom security checks” checkbox. This enables users to create their custom report policies and add their custom security checks.
This topic explains how Invicti Enterprise lets you scan your web application with your custom security check.
For further information on security check types and how to write custom checks, see Custom Security Checks via Scripting and Custom Scripting API Docs.
For further information about the custom security script, see Working with custom security checks in Invicti.
Executing a custom script on a web page
For Invicti Enterprise to be able to find a vulnerability, it needs to scan your website. That is also the case for custom vulnerabilities. Go ahead and scan your website. Then, make sure the vulnerable page is listed in the Sitemap tree. Then, you can execute your custom script on a web page you want.
How to execute a custom script on a web page
- Log in to Invicti Enterprise.
- From the main menu, select Policies > Custom Scripts.
- Next to the relevant script, select View.
- From the Execute Custom Script panel, select or search a website from the Websites drop-down.
- From the Recently Completed Scans drop-down, select a scan.
- From the Sitemap, select a web page that a custom security check will be executed.
- Select Execute.
When Invicti executes the custom security check script, a message is displayed, informing you whether a vulnerability has been found during the execution.
Scanning a website with a custom security script
You can scan your website with a custom report and scan policy created based on your custom security script.
Prerequisites:
- A custom scan policy.
- A custom report policy.
For further information about custom scan policies, see Configuring Scan Policies.
How to scan a website with custom policies
- Log in to Invicti Enterprise.
- From the main menu, select Scans > New Scan.
- In the Target URL field, enter the URL.
- From the Scan Policy drop-down, select your custom scan policy.
- From the Report Policy drop-down, select your custom report policy.
- Complete the remainder of the fields, as described in Invicti Enterprise New Scan Fields, if necessary.
- Select Launch.
When the scan is completed, if a vulnerability is found (the one you have raised in your custom script code), it will be displayed in the report(s) and the Sitemap tree under the selected vulnerable page’s node.
If no vulnerabilities have been found, check the script code you have written. Execute the script code as many times as you want until you see it reported in the report(s) and the Sitemap tree.