Troubleshooting inconsistent web security scan results in Invicti Enterprise

Problem

Description

Server load problem

If the server is out of resources, the web application might not be responding to all the HTTP requests from the scanner, which will generate timeouts. This can happen because Invicti scanner affects the web applications in different ways, so you might notice an unusual CPU load on the application server, database server, and other components.

HTTP Error 500 / Internal Server Errors

These problems occur randomly due to a session state problem, database server load or current CPU load, for example.

Session killed

The session gets killed during the scan because of application memory recycle, server restart or error recovery features in the web servers, and the scanner can't recreate the session.

Different caching algorithms

Depending on the caching system, like a reverse proxy, used on the web application, the same request might get different responses each time.

Web application firewalls, IPS and other similar protectıon mechanisms blocking the scanner's HTTP requests

If there is a mechanism blocking the scanner’s HTTP requests, such as firewalls, IPSes, or a load-balancer, it won’t be able to access the web application properly. These systems might prevent some specific attack payloads and headers Invicti scanner uses, or limit the number of requests. In order to overcome this issue, you should whitelist your IP or create a firewall rule to allow scanning. One other alternative is to configure your scan (or use a custom scan policy) to include a custom Header:Value pair for your security systems to recognise and allow.

Problem

Description

Reverse proxy or proxy connection failures

Sometimes, the target can be deployed on a local or private server that requires a proxy connection. Such servers don’t allow you to reach them without providing a proxy connection. Likewise, the machine that Invicti scanner is installed on might need a proxy to connect to the internet.

Temporary internet connection failures

When the scanner is not able to access the website, the problem may arise from a temporary internet connection failure. The machine with the installed scanner or the target server might be affected from these connection corruptions.

HTTP timeouts (due to server-side or communication related problems)

If the target server has issues related to server performance, it might respond very slowly. If its capabilities are not enough for an automated tool, then probably it will no longer respond.

Load balancers

These will almost definitely cause problems and different scan results.

Ideally in such a setup, you should scan the website directly, by bypassing the load balancer.

Suggestion

Description

Decrease the scan speed

This is done by reducing the number of concurrent connections the scanner opens with the web application.

To decrease the scan speed open the Scan Policy Editor, navigate to the HTTP options and adjust the Concurrent Connections slider. You can also adjust the scan speed during the scan.

Monitoring the application and database server

This is done by making sure they are not under a heavy load.

If you notice a spike in resources, try to determine which pages the scanner is scanning, which might also help you solve an underlying problem.

Ensure that there is minimum interference between the Invicti scanner and target website.

Network components such as proxies, web application firewalls, network firewalls, intrusion prevention or detection systems can all slow down the connection and drop or block requests.