What is Invicti? | Application Security Scanner

This document is for:

Invicti Standard, Invicti Enterprise On-Premises, Invicti Enterprise On-Demand

Invict Enterprise and Invicti Standard are automated and fully configurable web application security scanners that enable you to scan websites, web applications, and services, and identify security flaws. Both of them scan all types of web applications, regardless of the platform or the language with which they are built.

Invicti scanner is the only online web application security scanner that automatically exploits identified vulnerabilities in a read-only and safe way in order to confirm identified issues. It also presents proof of the vulnerability so that you don’t waste time manually verifying it.

Our scanning technology is designed to help you secure web applications without any fuss, so you can focus on fixing the reported vulnerabilities. If the scanner can’t automatically confirm a vulnerability, it informs you about it by prefixing it with '[Possible]', and assigning a Certainty value, so you know what should be fixed immediately.

This document explains key concepts, features, and differences between Standard and Enterprise editions.

Key concepts

Learn key concepts and features related to Invicti Standard and Enterprise security scanners.

Highly accurate

Invicti scanners produce highly accurate web application security scans, whose vulnerabilities are verified, proving that they are not false positives.

Vulnerabilities

A vulnerability is a security weakness in your website or web application that provides an opening for malicious hackers to gain access, get access to data or exploit for illegitimate or illegal purposes.

Proof-Based ScanningTM

Our Proof-Based Scanning technology automatically verifies detected vulnerabilities, confirming that they are real and not false positives, by exploiting them in a read-only and safe manner.

Proof of Concept

Invicti scanner identifies vulnerabilities, then it safely exploits them during the web vulnerability scan. This Proof of Concept is the actual exploit that proves that the vulnerability exists. And, it's useful if you need to reproduce the vulnerability for a developer.

This is what a Cross-site Scripting vulnerability report looks like, where the Proof URL is what the scanner uses to exploit the vulnerability.

Proof of Exploit

A Proof of Exploit reports that data is extracted from the exploited target. It demonstrates the impact an exploited vulnerability can have and proves that it is not a false positive. For example, when exploiting a command injection vulnerability and generating a Proof of Exploit for it, the scanners only read data to show the task list without executing them.

This is what it looks like in the case of a command injection vulnerability, as reported in Invicti Enterprise.

Invicti scanners generate proof when they identify the following vulnerability types:

SQL Injection
Boolean SQL Injection
Blind SQL Injection
Remote File Inclusion (RFI)
Command Injection
Blind Command Injection
XML External Entity (XXE) Injection
Remote Code Evaluation
Local File Inclusion (LFI)
Server-side Template Injection
Remote Code Execution
Injection via Local File Inclusion

If the scanner can’t automatically prove the vulnerability exists, you will be advised so that you can double-check its findings.

Benefits of Proof-Based ScanningTM technology

Here are some of the key benefits:

You don’t have to manually verify detected vulnerabilities, so you have more time for fixing them.
You don’t have to be a seasoned security professional, since results are automatically confirmed for you. There is no need to know how to reproduce the findings.
Finding vulnerabilities in web applications costs you less since you can assign it to less technical people.
If you are a QA, you won't be sent back by the developers to prove that there is a vulnerability in their code.
As a developer or service provider, you don’t need to convince your superior or customer to fix their issues, simply show them the proof!

NOTE:

The accuracy of Invicti’s Proof-Based Scanning currently stands at slightly over 99.98%, according to the company’s security researchers that reviewed the last 5 years’ statistics.
This accuracy means that when it marks a vulnerability as confirmed, you can be 99.98% sure that the issue is real, exploitable, and not a false positive.
Also, the research revealed that the scanner provides accurate automatic confirmation for 94.74% of all direct-impact vulnerabilities it detects.

For more information, refer to Proof-Based Scanning: No noise, just facts.

Issues

An Issue is the name, type, date, and other details of any detected vulnerability. For more information, refer to Issues.

Severities

Each vulnerability is assigned a different severity or threat level according to the damage it could do and the urgency with which it requires fixing. For more information, refer to Vulnerability Severity Levels.

Scan Policies

Invicti scanners use Scan Policies in order to determine and specify the type, range, and targets of your scan according to your needs. For more information, refer to Scan Policies.

Scheduled Scans

Scans can be launched immediately or they can be scheduled for times when it best suits you, including at regular intervals. For more information, refer to Scheduling Scans.

Integrations

Invicti integrates with a wide range of software and tools that enable you to connect with your existing SDLC, including vulnerability management systems, issue tracking systems, continuous integration systems, single sign-on providers, team messaging systems, and web application firewalls. For more information, refer to Integrations.

What is the difference between Invicti Enterprise and Invicti Standard?

Invicti Enterprise is a scalable, multi-user web application security solution and Invicti Standard is an on-premises desktop web vulnerability scanner.

Invicti crawling and scanning technology

Invicti scanner has industry-leading scanning technology. Both editions are built around the same crawling and Proof-Based Scanning technology. In terms of coverage, detection of vulnerabilities, and security flaws, you get the same results.

Overview of Invicti web application security scanners

Invicti Standard was built for those who are more hands-on – security engineers, penetration testers, and developers – and scan typically less than 50 websites.

Invicti Enterprise is a scalable, multi-user online vulnerability scanner with built-in enterprise workflow and testing tools. Because it is a browser-based cloud platform, you don’t need to buy, license, install or support hardware or software. You can also launch as many web application security scans as you want within minutes.

Scalability of service

Scalability is the major difference between the editions. If you need to scan multiple websites at the same time, you can manually launch multiple instances of the Standard scanner. Alternatively, with Invicti Enterprise, you can scan thousands of websites at once.

Feature highlight: Target Groups

Invicti Enterprise enables you to group targets (websites), configure generic scan settings and launch or schedule a web security scan with a single click.

Keeping up with the latest web security threats

Follow our web application security blog and you will notice that we frequently release software updates. In fact, our list of vulnerabilities checks grows daily. Releasing frequent updates ensures that you can scan your web applications against the latest security threats and vulnerabilities. The response time for releasing new security checks is also critical especially when a vulnerability such as Apache Struts is discovered and being exploited in the wild.

Invicti Standard checks for updates every time it is launched. You can apply updates in minutes.
Invicti Enterprise is maintenance-free. We update the service and updates are automatically available.

Web security scanner adaptability

Typically, desktop software is more configurable than an online service. The reason is because an online service is built around an engine that is designed to cater for a wider variety of customers. Therefore, it has fewer configurable parameters, resulting in a number of limitations.

But, this is not the case with the Invicti scanners. Anything that can be configured in Invicti Standard can also be configured in Invicti Enterprise, such as the URL rewrite rules and other crawling options, HTTP connection properties and other scan policy settings.

Team collaboration

Invicti Standard is a desktop application that is designed for a single user who has access to the computer on which it is installed.
Invicti Enterprise is a multi-user environment. Every team member has their own user account in the Invicti Enterprise edition and with the right privileges can launch web application security scans, view reports and issues. As an administrator, you can configure different privileges for each user.

Feature highlight: Vulnerability management and tasks

Just like dedicated bug tracking systems, Invicti Enterprise enables you to assign identified vulnerabilities as tasks to team members for remediation. This is an essential feature when you are tracking the security of many web applications.

Tasks marked as Fixed (Unconfirmed) are automatically rescanned. Depending on the result, they are either closed or reopened and reassigned.

The vulnerability management system is designed to ensure every user knows what they need to do, and for results and fixes to be checked automatically. You can also integrate your existing bug tracking solution.

Web application security scans in your SDLC

Both Standard and Enterprise editions can be easily integrated into your SDLC and Continuous Integration processes.

Invicti Standard has command line support allowing you to easily write scripts that can be triggered by other applications to launch automated scans.
Invicti Enterprise has an extensive and well documented API that you can use to trigger any type of action available in the Invicti Enterprise dashboard. In addition, it has native plugins that allow for continuous integration with tools such as TeamCity, Jenkins, Bamboo, GitLab and Azure that help to expand Invicti's capabilities.

Keeping web applications secure

Launching a single web application security scan and remediating the identified vulnerabilities can be quite difficult. It is even more demanding to scan all web applications frequently and ensure that detected vulnerabilities are fixed, and that the applied fixes don’t open new security flaws.

If you use Invicti Standard, you can compare different scan results on the same website. Our Retest and Incremental scans allow you to pinpoint the differences between scans and keep track of all issues. It's easy to compare results, but time consuming if you have lots of websites.
This is where Invicti Enterprise shines. Its trending and correlated reports are automatically updated each time a website or web application is scanned. This negates the need to manually compare results.

Manual crawling and security scanning

If you need to manually crawl a website or a section of it, you'll need to proxy the traffic through the scanner so it will capture it, identify attack surfaces, and then scan them. Invicti Standard can be used for manual crawling.

With Invicti Enterprise, you can’t as it is a cloud based product. Nevertheless, you can still achieve the same results by configuring a browser to proxy the traffic through a local proxy (such as Fiddler) and capture the traffic. Once you capture the traffic, you can import the Fiddler capture to Invicti Enterprise and launch the scan.

Enterprise or Standard web application security scanner?

If you have a small team and a small number of websites, and you prefer to be more hands-on, Invicti Standard is the best option.
If you operate in a large team and have many websites and web applications to secure, and need supporting tools to ensure collaboration among the team members, Invicti Enterprise is recommended. You will also have access to the Invicti Standard edition for each user.