Invicti OOB, Invicti IAST and Verified Badge
Invicti OOB and Invicti IAST work together to enhance the reliability and precision of vulnerability scans. Invicti OOB ensures accurate detection of out-of-band vulnerabilities, while Invicti IAST leverages IAST technology to confirm vulnerabilities with 100% certainty, significantly reducing false positives. The Verified badge is displayed for vulnerabilities with a 100% confidence rating.
This document explains how to recognize, in the vulnerability results, which vulnerabilities were detected by Invicti OOB and Invicti IAST technologies.
Invicti OOB
Invicti OOB improves the accuracy and reliability of vulnerability scans by detecting out-of-band vulnerabilities (issues whose exploitation is reported back to the scanner through a callback rather than observed directly in the application's response). It integrates seamlessly with out-of-band checks and requires no installation or configuration; however, the scanned application does need internet access to bxss.me.
Refer to our whitelisting guidelines for more information:
- Whitelisting requirements for Invicti Platform - US region
- Whitelisting requirements for Invicti Platform - EU region
By default, all scans use the Invicti OOB service unless specific checks are excluded or the service is disabled. Without Invicti OOB, out-of-band detection is not possible. Vulnerabilities verified through out-of-band testing are marked with the Invicti OOB label. Vulnerabilities detected with Invicti OOB are never false positives.
How to identify Invicti OOB-detected vulnerabilities
- Select Vulnerabilities from the left-side menu.
- In the View by Vulnerability list, look for the Invicti OOB icon.
- Click the selected vulnerability to display its details on the right-hand side. The Invicti OOB label also appears within the vulnerability details.
Invicti IAST
Invicti IAST is an interactive application security testing (IAST) sensor: a component integrated into your application that pinpoints the exact location of vulnerabilities within the code. By installing and using Invicti IAST, Invicti Platform gains visibility into the backend of your web application and provides more detailed insights into detected vulnerabilities.
Invicti can verify vulnerabilities with or without Invicti IAST, although the sensor does help in the verification of some vulnerabilities. For more information about installing and using Invicti IAST, refer to the Introduction to deploying Invicti IAST document.
Beyond vulnerability confirmation, Invicti IAST offers additional capabilities such as runtime Software Composition Analysis (SCA), API Discovery, Zombie API detection, and assessment of application configurations. Together, these features provide comprehensive security insights for modern applications.
How to identify Invicti IAST-detected vulnerabilities
- Select Vulnerabilities from the left-side menu.
- In the View by Vulnerability list, look for the Invicti IAST icon.
- Click the selected vulnerability to display its details on the right-hand side. The Invicti IAST label will also appear within the vulnerability details.
Verified badge
The Verified badge indicates vulnerabilities detected with 100% certainty during a scan, confirming their existence in the scanned web application and eliminating the need for manual verification. Invicti can assign the Verified badge to vulnerabilities with or without Invicti IAST, although Invicti IAST can assist in confirming some vulnerabilities.
Vulnerabilities not marked with the Verified badge are generally valid; however, the detection method may prevent Invicti from being completely certain of their existence. Nonetheless, Invicti maintains a very low false positive rate.
How to identify vulnerabilities with the Invicti Verified badge
- Select Vulnerabilities from the left-side menu.
- Check the Confidence column for a value of 100% to identify the vulnerabilities.
- Click the selected vulnerability to display its details on the right-hand side. The Verified badge appears within the vulnerability details.