Support
Deploy Invicti Shark

Deploying Shark (IAST) in Invicti Enterprise On-Demand

This document is for:
Invicti Enterprise On-Demand

You can run interactive security testing (IAST) with Invicti Shark in your web application in order to confirm more vulnerabilities and further minimize false positives.

Invicti provides industry-leading dynamic application security testing (DAST) capabilities to help find vulnerabilities in the target web application. Using Shark enables Invicti to provide additional information from the back-end while scanning your web application.

By adding IAST capabilities with the Shark, Invicti provides the following benefits:

  • Showing the exact location of the issue and reporting debug information
  • Providing additional details to help security teams uncover more vulnerabilities
  • Complementing existing Proof-based Scanning™ functionality to automatically prove even more vulnerabilities and simplify remediation efforts
  • Ensuring that the entire web application is scanned, including any hidden and unlinked locations that may be inaccessible to the crawler

For Invicti Shark to operate, you need to download an agent and deploy it on your server. Please note that this agent is generated uniquely for each target website for security reasons.

Deploying the Shark Agent is optional. Invicti is still best in class as a black-box scanner, and the Shark Agent improves accuracy and vulnerability results when scanning .NET, Java, Node.js, and PHP web applications.

Shark has only a very minimal impact on resources on the target machine — less than 1% in lab test results.

Recommendation for Invicti Shark

Invicti Shark works best in specific environments. To get the best out of Invicti Shark, you need to use it in the right environment. The following points provide the best practice in using the Shark:

  • You need to install Invicti Shark on your staging servers. This is the best place to perform IAST analysis.
  • You may install Invicti Shark on virtual machines to perform IAST analysis as part of CI/CD pipelines. In this case, the Shark installation would need to be done as part of the CI/CD pipeline.
  • We do not recommend installing Invicti Shark on production servers. Your production environment may run slower although Invicti Shark consumes limited resources.

For further information, see Changing the DAST Game with Invicti IAST.

Invicti Shark fields

This table lists and explains the fields on the Shark (IAST) page.

Button/Section/FieldDescription
Installation FilesThis is the section that lets you download the required file to use on your server.
Server PlatformThis lets you select the server to download the required files for your server, such as PHP, Java.
Advanced SettingsThis lets you override settings for the default Shark Token and Bridge URL/Port.

 

  • If you want to override the default token and bridge settings, make sure to change them before downloading any files for your server.
Shark Token
  • This token secures communication between the Invicti scanner and the IAST Shark agent. A unique token is automatically generated for each website’s installation of the Shark agent.
  • If you have a token already, select the I have a token I would like to reuse checkbox and enter your token.
  • This field is mandatory.
Bridge URL and Port
  • This is the URL and port number of the IAST bridge. The bridge is used to relay information from the Shark agent to the Invicti Scanning Engine.
  • You can set the default bridge URL and port on the General Settings page. This setting on the Shark configuration page lets you override the default bridge URL for each website.
  • Make sure that the Shark can connect to the address/port specified.
  • This field is only mandatory for Java, .NET, and Node.js.
Validate Shark SettingsThis lets you validate that the request is forwarded to the bridge and the sensor sends the request to the bridge.
This is only available in Invicti Standard.

Downloading Shark Sensors in Invicti Enterprise On-Demand

Ready to use Invicti Shark? Contact us.

To do this, follow these steps: From the main menu, go to Scans > New Scan > Shark, then select I’m Interested in Adding Shark.

Once approved, you are ready to download.

Using Invicti Enterprise On-Premises? See Deploying Shark (IAST) in Invicti Enterprise On-Premises.

How to download Shark sensors in Invicti Enterprise On-Demand
  1. Log in to Invicti Enterprise
  2. From the main menu, select Scans > New Scan.
  3. From the Scan Settings, select Shark (IAST and SCA).
  1. From the Shark Settings section, select Enable Shark.
  2. From the Installation Files section, select a platform from the Server Platform drop-down, then click Save As. The download starts immediately.

If you change any of the following settings after the download, please re-download your files.

If you change your token or Bridge URL after installing the Invicti Shark sensor, you must have a clean installation so that the changes take effect.

Allowlist the Bridge URL (https://iast.invicti.com)

  1. From the Advanced Settings, if required, you can do the following:
  • If you have a token already, select the I have a token I would like to reuse checkbox and enter your token.
  • Enter your Bridge URL and Port only if you want to override the default bridge URL and Port.

Downloading Shark sensors in Invicti Standard

Invicti Standard has Shark (IAST) capability. However, this capability can only be enabled using the complimentary Invicti Standard solution with all Team and Enterprise deployments. To use the Shark in Invicti Standard, contact us.

How to download Shark sensors in Invicti Standard
  1. Open Invicti Standard
  2. In the Home tab, select New.
  3. From the Scan Settings, select Shark.
  4. From the Shark Settings section, select Enable Shark.
  5. From the Installation Files section, select a platform from the Server Platform drop-down, then select Save As.
  6. Select a save location and select Save.
  7. From the Shark Settings section, if required, you can do the following:
  • Change Bridge URL, if necessary.
  • Keep the auto-generated Shark Token as it is or enter your token if you have already.

If you change your token or Bridge URL after installing the Invicti Shark sensor, you must have a clean installation so that the changes take effect.

Whitelist the Bridge URL (https://iast.invicti.com)

  • Select Validate Shark Settings to verify that the request is forwarded to the bridge and the sensor sends the request to the bridge.

Deploying Invicti Shark in your server is explained in related topics: