How Invicti finds vulnerabilities

People often ask us what vulnerability database Invicti uses in its scans. In reality, finding known vulnerabilities is just a small part of what we do. This article describes how Invicti works under the hood and where its biggest strengths lie.


Two sources of vulnerability information

We often get asked about the inner workings of Invicti’s vulnerability scanning engine. People familiar with network and virus scanners also ask what vulnerability databases we use and how often we update them. In reality, it’s all a lot more interesting than ticking boxes on a list of known issues. Time to set the record straight about how a cutting-edge web vulnerability scanner works.

When most people hear the word “scanner”, they think of software that looks for known risks. This is generally what virus scanners and network scanners do: check targets against a list of known issues, such as (respectively) malware signatures and CVE vulnerability reports. So when customers see how effective Invicti is, their first question is often: “What vulnerability database do you use?” Well, the short answer is “Yes.” The full answer is that Invicti is an advanced heuristic scanner that also checks for known web application vulnerabilities – but let’s break this down a bit.

The mundane part: CVEs

The idea of relying on a vulnerability database comes from the systems and network security world, where a software or hardware bug is discovered, publicly disclosed, and added to a vulnerability database such as CVE. Network scanners, for example, work by finding such known issues in target systems. To fix the vulnerability, you simply patch or update the affected component.

Some CVEs also apply to web applications. These are bugs in widely used products that need to be patched to avoid attacks. As one part of the scanning process, Invicti checks for such issues based on the CVE registry and several other sources of vulnerability intelligence, so scans also cover vulnerabilities such as Heartbleed (CVE-2014-0160) or POODLE (CVE-2014-3566). In fact, the Invicti security advisory program actively contributes to finding bugs in open-source packages by scanning them for vulnerabilities during engine testing. To learn how our security researchers do this, see our article on vulnerability disclosures.

Although an important part of overall security, checking for known issues is relatively easy and not terribly exciting. Things get interesting when you have to check for unknown issues – and this is when you find out how effective your web application security solution truly is.

The really clever part: heuristics

The vast majority of web application vulnerabilities are brand-new issues introduced in new code in custom-built applications, so no database can know about them in advance. This is the main difference between web application security testing and signature-based security checks: web vulnerability scanning is primarily about finding new vulnerabilities that result from underlying weaknesses categorized in the CWE system. To find previously unknown issues, Invicti uses a cutting-edge heuristic scanning engine that probes websites and applications for vulnerabilities just like a penetration tester would.

The word “heuristic” comes from the Ancient Greek “heurískō”, meaning “I find” or “I discover” – the same origin as “Eureka!”

Invicti uses a variety of advanced heuristic techniques to find all entry points in web applications and test them for vulnerabilities. This includes automatic URL rewriting to provide maximum scan coverage, automated fuzzing to generate unexpected inputs that may reveal a weakness, and proprietary Proof-Based Scanning technology to safely test weaknesses and provide proof that the vulnerability is real.

Because web vulnerability scanners don’t rely on signatures, their effectiveness depends heavily on the quality and maturity of the underlying heuristic scanning engine. If the scanning engine is too eager to flag suspicious responses as signs of vulnerabilities, it will flood the user with false positives. If it is too cautious or simply not advanced enough, it will miss real vulnerabilities or even skip whole pages, for example because it cannot handle authentication.
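As an added illustration (not Invicti’s own code or engine), the Python sketch below contrasts the two approaches described above: a signature lookup that matches a server banner against a known-issue list, and a behaviour-based probe that sends each parameter a random canary and only reports a finding when a second, different canary reproduces it, which is the basic idea behind keeping false positives down. The product name, version, advisory identifier and the simulated target page are all constructed for the example.

```python
import html
import secrets

# Constructed stand-in for a CVE feed: (product, version) -> advisory id.
# The product name, version and id are placeholders, not real entries.
KNOWN_VULNERABLE = {("ExampleServer", "1.0.0"): "CVE-PLACEHOLDER-0001"}


def signature_check(server_banner: str) -> list:
    """Known-issue check: match a 'Product/version' banner against the list."""
    product, _, version = server_banner.partition("/")
    advisory = KNOWN_VULNERABLE.get((product, version))
    return [advisory] if advisory else []


def simulated_app(params: dict) -> str:
    """Constructed target page: 'name' is HTML-encoded (safe), 'q' is reflected raw."""
    name = html.escape(params.get("name", ""))
    query = params.get("q", "")
    return f"<h1>Hello {name}</h1><p>Results for {query}</p>"


def heuristic_check(app, param_names, attempts: int = 2) -> dict:
    """Behaviour-based check that needs no signature list.

    Each parameter receives a random canary carrying characters a safe page
    must encode. It is reported only if every attempt, each with a fresh
    canary, returns it unencoded: the re-check with a different token is the
    'proof' step that rules out static content that merely looked reflected.
    """
    findings = {}
    for name in param_names:
        reflected = True
        for _ in range(attempts):
            canary = "inv" + secrets.token_hex(4) + "<\"'>"
            if canary not in app({name: canary}):
                reflected = False
                break
        findings[name] = reflected
    return findings


def scan(server_banner: str, app, param_names) -> dict:
    """Combine both result types into one report, as the article describes."""
    hits = heuristic_check(app, param_names)
    return {"known_issues": signature_check(server_banner),
            "unencoded_reflection": [p for p, hit in hits.items() if hit]}


if __name__ == "__main__":
    print(scan("ExampleServer/1.0.0", simulated_app, ["name", "q"]))
```

The encoded `name` parameter shows the remediation side of the same check: once output is HTML-encoded, the probe no longer sees its canary come back raw.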

As an industry veteran and technology leader, Invicti knows how to strike the right balance. After aggregating and analyzing six years’ worth of real-life vulnerability data, we found that Proof-Based Scanning provides automatic confirmations for 94% of direct-impact vulnerabilities, with an accuracy level of 99.98%. That’s about as accurate as a vulnerability scanner can get.

Get the best of both worlds

The purpose of a web application security solution is to help the user improve security more efficiently than with manual testing alone. This goes way beyond vulnerability databases and even beyond scanning itself. To get measurable security improvements, you need a holistic view of web application security that pulls together accurate information from all relevant sources and applies it through effective automation.

Invicti combines high-quality heuristic results from its industry-leading vulnerability scanning engine with information about known issues listed in vulnerability databases. All these vulnerability results are complemented by asset discovery and crawling information, warnings about outdated web technologies, detailed vulnerability descriptions complete with suggested remedies, best-practice recommendations, compliance reports, and more. This gives you a complete picture of what you need to fix in your web environment, so you can start getting real value from Invicti in a matter of days.

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.