
Deploying Shark (IAST) in Invicti Enterprise On-Demand

This document is for:
Invicti Enterprise On-Demand

You can run interactive security testing (IAST) with Invicti Shark in your web application to confirm more vulnerabilities and minimize false positives.

Invicti provides industry-leading dynamic application security testing (DAST) capabilities to help find vulnerabilities in the target web application. Using Invicti Shark enables Invicti Enterprise to provide additional information from the back-end while scanning your web application.

This document shows how to enable, download, and install the Invicti Shark (IAST) agent for Invicti Enterprise On-Demand.

NOTE:

Deploying the Shark agent is optional. The Invicti scanner still works as a black-box (DAST) scanner without it; the Shark agent improves accuracy and vulnerability results when scanning .NET, Java, and PHP web applications.

Benefits of Invicti Shark (IAST) agent

With Shark's IAST capabilities, Invicti enhances security by:

  • Pinpointing issue locations with debug details
  • Uncovering more vulnerabilities with additional insights
  • Expanding Proof-Based Scanning™ to verify more threats and streamline fixes
  • Scanning entire web apps, including hidden and unlinked areas

For Shark to operate, you need to download an agent and deploy it on your server. For security reasons, the agent and its token are generated uniquely for each target website.

TIP:

Shark has only a very minimal impact on the target machine’s resources — less than 1% in lab test results.

Recommendations for Invicti Shark

Invicti Shark works best in specific environments. The following points describe best practice for where to run it:

  • Install Invicti Shark on your staging servers. This is the best place to perform IAST analysis.
  • You may install Invicti Shark on virtual machines to perform IAST analysis as part of a CI/CD pipeline. In this case, install the Shark agent as a step of the pipeline itself.
  • We do not recommend installing Invicti Shark on production servers. Although the agent consumes limited resources, it instruments the running application and may slow your production environment.

For more information, refer to Changing the DAST Game with Invicti IAST.

Accessing Invicti Shark

Before you can use the Invicti Shark (IAST) agent, follow these steps to request access:

  • Select Scans > New Scan from the left-side menu.
  • Enter the Target URL in the text field.
  • In the Scan Settings section, select Shark (IAST and SCA) and click the "I’m Interested in Adding Shark" button.
  • Once your request is approved, you are ready to download the agent.

TIP:

If you already have access to Invicti Shark, the Enable Shark checkbox is shown instead. Skip to Downloading Shark sensors in Invicti Enterprise On-Demand below to continue with the download and installation.

Downloading Shark sensors in Invicti Enterprise On-Demand

NOTE:

Using Invicti Enterprise On-Premises? Refer to the Deploying Shark (IAST) in Invicti Enterprise On-Premises document.

Invicti Shark fields

The following fields appear on the Shark (IAST) page.

Installation Files

This section lets you download the installation files required on your server.

Server Platform

This lets you select the platform your web application runs on (for example, PHP or Java) so that the matching installation files are downloaded.

Advanced Settings

This lets you override the default Shark Token and Bridge URL/Port.

  • If you want to override the default token or bridge settings, change them before downloading any files for your server; files downloaded beforehand do not pick up the change.

Shark Token

  • This token secures communication between the Invicti scanner and the IAST Shark agent. A unique token is automatically generated for each website's installation of the Shark agent; treat it as a secret.
  • If you have a token already, select the I have a token I would like to reuse checkbox and enter your token.

This field is mandatory.

Bridge URL and Port

  • This is the URL and port number of the IAST bridge, which relays information from the Shark agent to the Invicti scanning engine.
  • You can set the default bridge URL and port on the General Settings page. The setting on the Shark configuration page lets you override that default for an individual website.
  • Make sure that the Shark agent can connect to the specified address and port from the server it runs on; outbound access to the bridge is commonly restricted by egress firewalls or proxies.

This field is only mandatory for Java and Node.js.

How to download Shark sensors in Invicti Enterprise

  • Select Scans > New Scan from the left-side menu.
  • From the Scan Settings, select Shark (IAST and SCA).
  • In the Shark Settings section, select Enable Shark.
  • In the Advanced Settings, if required, you can do the following before downloading:
      • If you have a token already, select the I have a token I would like to reuse checkbox and enter your token.
      • Enter your Bridge URL and Port only if you want to override the default bridge URL and Port.
  • From the Installation Files section, select a platform from the Server Platform dropdown, then click Save As. (In the example, we used the PHP Server Platform.) The download starts immediately.

IMPORTANT:

  • If you change the token or the Bridge URL and Port after the download, re-download your files; the downloaded files reflect the settings in effect at download time.
  • If you change your token or Bridge URL after installing the Invicti Shark sensor, remove the old installation and install the re-downloaded files so that the changes take effect.
  • Allow outbound connections from the server running the agent to the Bridge URL (https://iast.invicti.com), or to your own Bridge URL and Port if you override the default.
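The two connectivity requirements above (the agent must reach the Bridge URL and Port, and the bridge address must be allowed through egress filtering) are easy to verify before installing anything. The following pre-flight check is an added example, not Invicti's own tooling: run it on the server where the agent will be installed, ideally as the account the web application runs under. It assumes curl is available; the default Bridge URL https://iast.invicti.com comes from this document, and the other host names in the comments and tests are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight check for a Shark agent host: can this server reach the IAST bridge?
# Added example (not Invicti tooling). Assumes curl is installed. The default
# bridge https://iast.invicti.com is documented; any other host name is made up.

# Split a Bridge URL into "scheme host port". The port defaults to 443 for https
# and 80 for http. Returns 1 if the value is not an absolute http(s) URL.
# (IPv6 literals such as https://[::1]:8443 are not handled.)
parse_bridge_url() {
  url=$1
  case $url in
    http://*|https://*) ;;
    *) return 1 ;;
  esac
  scheme=${url%%://*}
  hostport=${url#*://}
  hostport=${hostport%%/*}            # drop any path component
  case $hostport in
    *:*) host=${hostport%%:*}; port=${hostport##*:} ;;
    *)   host=$hostport
         if [ "$scheme" = https ]; then port=443; else port=80; fi ;;
  esac
  [ -n "$host" ] || return 1
  printf '%s %s %s\n' "$scheme" "$host" "$port"
}

# Make a real connection to the bridge the way the agent would: an HTTPS request
# with a short connect timeout. Any HTTP status at all (even 4xx) proves that DNS,
# the egress firewall/allow-list and TLS all work from this host; otherwise the
# curl exit code tells you which layer failed. curl honours the https_proxy
# environment variable, so the check also exercises a required egress proxy.
check_bridge() {
  parsed=$(parse_bridge_url "$1") || { echo "FAIL: '$1' is not an http(s) URL"; return 2; }
  set -- $parsed
  scheme=$1; host=$2; port=$3
  status=$(curl -s -o /dev/null --connect-timeout 5 --max-time 15 \
             -w '%{http_code}' "$scheme://$host:$port/" 2>/dev/null)
  rc=$?
  case $rc in
    0)     echo "OK: reached $host:$port over $scheme (HTTP $status)"; return 0 ;;
    6)     echo "FAIL: cannot resolve $host (DNS)" ;;
    7)     echo "FAIL: TCP connect to $host:$port refused or blocked (egress firewall / allow-list?)" ;;
    28)    echo "FAIL: timed out connecting to $host:$port (filtered, or an egress proxy is required)" ;;
    35|60) echo "FAIL: TLS handshake or certificate validation failed (TLS-inspecting proxy or missing CA bundle?)" ;;
    *)     echo "FAIL: curl exit code $rc" ;;
  esac
  return 1
}

# Usage: sh shark_bridge_check.sh https://iast.invicti.com
#        sh shark_bridge_check.sh https://your-bridge.example.internal:8443   (constructed override)
# Nothing is contacted unless a URL is passed on the command line.
if [ $# -gt 0 ]; then
  check_bridge "$1"
fi
```

Pass the exact Bridge URL and Port you configured in Advanced Settings (or the default https://iast.invicti.com) and read the FAIL line to see whether DNS, the firewall, a proxy, or TLS interception is what needs fixing; re-run it after any change to the bridge setting, since the agent will have to be reinstalled with re-downloaded files anyway.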

TIP:

Deploying Invicti Shark on your server is explained in the related deployment topics for each server platform.

Invicti Shark (IAST) scan results

After a scan that used the Invicti Shark agent finishes, open the Technical Report section and click any issue to see its detailed overview, which includes the back-end details (such as the code location) reported by the Shark agent.