What is the Invicti Knowledge Base?
The Knowledge Base is a section in Invicti’s vulnerability scan report that shows a variety of information about the scanned websites and applications, as well as the scanning process itself. The available details vary depending on the scan and are grouped into Knowledge Base nodes.
Nodes are only displayed if the relevant information was found in a specific scan.
The Knowledge Base is an invaluable technical resource for security personnel, engineers, and developers. You can export the information as a report and use it to improve application security, gain better visibility into your entire environment, optimize vulnerability testing coverage, and boost scan and application performance. Let’s see which Knowledge Base nodes can help you achieve these improvements.
Benefit #1: Improved Security
Many Knowledge Base nodes provide information that complements the core vulnerability reports. You can use this to improve overall security, for example by eliminating unnecessary components or implementing more secure coding practices. Here are some of the nodes to help you improve security:
- Proofs: A central location for all vulnerability proofs identified during the scan. This provides a quick overview of the potential impact of existing vulnerabilities and the kinds of data accessible to attackers who target confirmed weaknesses.
- Cookies: A list of all cookies set by the scanned web pages, along with information about cookie security flags. Cookies are often targeted by attackers and can reveal details that help to prepare attacks, so information from this node is vital for security.
- Comments: Surprisingly often, code comments contain sensitive information, such as user names, passwords, or connection strings. The Comments node gathers all the comments found in rendered web page code, highlighting keywords that may indicate sensitive information.
- External Scripts: Having visibility of all external scripts loaded by an application is useful to detect unexpected resources that could pose a security risk or even signal that an injection attack has already succeeded. Invicti gathers this information under the External Scripts node.
- Site Profile: Knowing what web software versions you have is important for update and product management. The Site Profile node provides a convenient summary of this information, which also shows you what intelligence attackers are able to extract. Outside the Knowledge Base, the Technologies page shows a more detailed view of detected products and versions.
- Interesting Headers: Though often overlooked, HTTP security headers are an important part of the web security puzzle. This node summarizes all the customized or otherwise unusual headers found across the scan targets. Apart from security considerations, this information is also useful for administration and engineering, for example for detecting unused components or web application firewall issues.
Benefit #2: Better Asset Visibility
A vital benefit of using Invicti is that apart from improving security, you also get insights about your environment and web assets. Knowledge Base nodes include a wealth of information to improve visibility and limit your attack surface:
- File Extensions: This node provides a list of all files available from your web pages, grouped by file extension. Apart from improving visibility, it can also help you spot unexpected uploads that could be a sign of a successful attack. The MIME Types node serves a similar purpose but on the level of declared MIME types rather than file extensions.
- CSS Files: Cascading Style Sheets are a potential attack vector, so having centralized visibility of all CSS files in your environment is useful for security as well as for keeping track of all the style sources. The External CSS Files node extends this intelligence to external resources.
- Not Founds: Whenever Invicti crawls a page and encounters a 404 error, it adds the URL to this list. This can help you locate dead links and other navigation or redirection issues.
- Email Addresses: For convenience, Invicti collects all the email addresses it encounters during a scan. While publishing an email address is not a security issue in itself, having a list of all such addresses can be useful to find outdated aliases or enforce corporate address format policies.
- Incremental Scan: Invicti supports incremental scanning to test only pages added or modified since the last scan. This node lists all the new pages detected during an incremental scan, giving an overview of recent changes to the web application environment.
Benefit #3: Optimized Coverage
Good vulnerability scanning coverage is essential to the effectiveness of any dynamic application security testing (DAST) solution – after all, if you can’t test it, you can’t secure it. The Knowledge Base provides extensive information related to coverage, allowing you to troubleshoot page access issues and optimize coverage:
- Web Pages with Inputs: This node lists all web form inputs found in the crawled application. This is useful both for test quality assurance and for identifying all the potential injection points in the application.
- Form Validation Errors: To test pages that are only displayed after form submission, Invicti attempts to provide mock inputs. This node lists all failed attempts at automated form submission, allowing you to customize predefined form values to ensure coverage.
- Out of Scope Links: Invicti always tries to crawl and test all links, except for links that are out of scope due to manually configured rules or other limitations. This node lists all uncrawled and untested links to help you optimize coverage.
- URL Rewrite: Heuristic URL rewrite detection allows Invicti to maximize scanning accuracy for websites that use URL rewriting. This node summarizes the URL rewriting rules applied during a scan and lists pages scanned using each rule to help you troubleshoot any issues and manually tweak rewrite settings if necessary.
- REST APIs: This node shows all the URLs and parameters for REST APIs found and used by Invicti during the scan. This can help you verify API testing coverage and potentially also discover APIs that shouldn’t be exposed. The Web Services (SOAP) node shows similar information for SOAP web services.
Benefit #4: Increased Performance
As it crawls and scans web pages, Invicti records performance information to help you with troubleshooting and optimization. Apart from reducing the time of future scans, this can also allow you to identify performance issues with the application itself:
- Crawling Performance: A detailed table reporting crawled link counts and response times grouped by response code and URL information source. This includes URLs that were provided manually by the user, obtained by following links or discovered by Invicti using other methods. Apart from response times, this node also provides valuable discovery information.
- Scan Performance: For each type of operation performed by Invicti during the scan, this node lists how many times the operation was run along with the total and average execution time. This includes crawling operations and all mock attack attempts. Based on this information, you can fine-tune scanning to reduce scan times.
- Slowest Pages: Invicti maintains a list of the 10 slowest pages it encountered during the scan. This can help you improve the application by troubleshooting performance issues.
Beyond Vulnerability Scanning
Accurate vulnerability scanning is by far the most important aspect of web application security – but not the only one. Security is all about having a full picture of your environment and attack surface so you can anticipate threats and implement mitigations. That way, you can measurably improve your security posture in the long run instead of just ticking off resolved vulnerabilities.
Invicti’s Knowledge Base helps you to see beyond the vulnerabilities by providing solid background information about your assets, technologies, and scanning processes. This article only scratches the surface, especially as most of the nodes can have many different uses. For details, see the support documentation about the Knowledge Base nodes and report – or, better still, fire up the Invicti scanner and explore the Knowledge Base for yourself.