Support
Authentication Verifier Agents

Installing Authentication Verifier Agents

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

You can download and install authentication verifier agents to verify that you run authenticated scans in your local environment.

To help secure all parts of your web applications, you can download and install authentication verifier agents. 

  • In order to scan a website located on your internal network, and not accessible from the internet, you can install and configure a scan agent on your network. The agent will conduct the actual scan job and then report the results back to Invicti Enterprise.
  • You can download and install an internal verifier agent to perform the authentication, so you can make sure that your scan is authenticated.

For further information about the internal authentication verifier, see Streamline authenticated scanning with Invicti’s verifier agents.

This topic explains how to install, update, and uninstall authentication verifier agents on Windows. Using Linux? See Installing Authentication Verifier Agent on Linux (Debian Distribution). For the RedHat distributions, see Installing Authentication Verifier Agent on Linux (RedHat Distribution).

The Authentication Verifier Agent is an optional component. 

Download and install the authentication verifier agent if you need to scan websites with form or basic authentication or OAuth2. The authentication verifier agents also work for the Authentication Profiles, Custom Scripts for Form Authentication, CyberArk Vault, HashiCorp Vault, and AzureKey Vault.

Downloading and configuring authentication verifier agent

There are 3 steps in this process:

  1. Downloading an authentication verifier agent
  2. Configuring an authentication verifier agent
  3. Setting an authentication verifier agent as a Windows Service

Prerequisites

Software Requirements

  • Windows Server 2016 or above (Windows Server 2019 recommended)

Hardware Requirements

  • 1.4 GHz Processor (2.0 GHz or faster recommended)
  • 4 GB RAM or higher recommended
  • 10 GB Free Disk space for each internal agent

If you select TLS 1.3 as a security protocol from the Scan Policy, make sure you have Windows 11 or Windows Server 2022 or higher versions.

Network Requirements

  • Agent should be configured so that it can reach your internal website through HTTP/HTTPS
  • Agent needs to be able to access the Invicti Enterprise Application Server’s HTTP(S) (443) port

Allowlisting Requirements

  • www.invicti.com
  • r87.me
  • Allowlist the following addresses according to your region:
    • US region: 34.237.50.127, us-avservice.netsparkercloud.com, s3.us-east-1.amazonaws.com
    • EU region: 18.193.27.197, eu-avservice.netsparker.cloud, s3.eu-central-1.amazonaws.com
    • CA region: 52.60.130.46, ca-avservice.netsparker.cloud, s3.ca-central-1.amazonaws.com

Required Access

  • User(s) must have administrator privileges to run the required commands and agent service.

Step 1. Downloading the authentication verifier agent

You need to download the authentication verifier agent and install it on a machine in your internal network.

How to download the authentication verifier agent
  1. Log in to Invicti Enterprise.
  2. From the main menu, go to Agents > Manage Agents > Configure New Agent.
  3. From the Authentication Verifier section, select Windows to download the file.

When you download the zip file, you can configure the authentication verifier agent.

Step 2. Configuring authentication verifier agent

How to configure the authentication verifier agent
  1. Navigate to the folder you downloaded the zip file.
  2. Extract the contents of the zip file to C:\NC_VerifierAgent. (You can use another location, but this instruction will use this path.)
  3. Open the C:\NC_VerifierAgent\appsettings.json file with your preferred text editor.
  4. Edit the following attributes before running the agent, listed under AgentInfo:
    • AgentName: This can be anything you want. (If you are going to install more than one instance of the agent, you must set a unique agentName value for each instance, something you will use later.)
    • ApiToken: In Invicti Enterprise, the Agent Token is displayed in the Configure New Agent window. Copy the value into the apiToken.

Do not edit the ApiRootUrl address. If edited, your authentication verifier agent may not work.

Allowlist the ApiRootUrl address so that the authentication verifier agents can access the verifier server for the form authentication.

Make sure the machine where the authentication verifier agent is installed can access the ApiRootURL.

  1. Save and close the C:\NC_VerifierAgent\appsettings.json file.

Changing default data folder for the authentication verifier agent

You can change the default location in which the scanner agent saves its data. For further information, refer to Changing default data folder for the authentication verifier agent.

Setting proxy in authentication verifier agent

You can set a proxy for the authentication verifier agent in Invicti Enterprise. Invicti supports Basic Authentication but not Digest and NTLM.

You are required to manually enter proxy settings into the appsettings.json file with your preferred text editor.

This table lists and explains the entries in the Proxy settings.

FieldDescription
Proxy ModeEnter your proxy settings if you want the Agent to use or not to use the proxy. There are three modes: 
NoProxy: The Agent does not use a proxy even if you configure the server’s proxy settings.
SystemProxy: The Agent uses the System Proxy that was defined on the server.
CustomProxy: The Agent uses Custom Proxy that you define in the appsettings.json file.
Use Default CredentialsEnter true if you authenticate to the proxy via the user that the Agent service is defined.
UsernameEnter a username for authentication
PasswordEnter a password for authentication
DomainEnter a domain name
AddressEnter a proxy address. Only IP address or hostname without schema and port is allowed.
PortEnter a port for the proxy
Bypass on LocalEnter a value that indicates whether to bypass the proxy server for local addresses.
Bypass ListEnter the address(es) that do not use the proxy server. Enter the address(es) as RegEx.

The following shows some possible bypass list expressions:
“example\\.com”,
“;*\\.example\\.com”,
“192\\.168\\.1\\.1”,
“www\\.example\\.com”,
“www\\.example\\.com:8080”,
“100\\.;*\\.;*\\.;*

Using Proxy Auto-Configuration file

You can use Proxy Automatic Configuration (PAC) to configure your proxy. A PAC file lets you describe the proxy configuration in a file using JavaScript, so you can manage your proxy settings.

To use a PAC file, you must set the Proxy Mode to System Proxy in the appsetting.json file.

How to use a Proxy Auto-Configuration file on Windows
  1. Go to Settings > Network & Internet > Proxy.
  2. Turn on the Use setup script toggle.
  3. In the Script address field, enter the PAC file’s URL address.
  1. Select Save.

Step 3. Setting authentication verifier agent as a Windows Service

An internal authentication verifier agent should be configured as a Windows service so that it can poll the Invicti Enterprise servers regularly and can take the verification initiation command from the server.

How to set the authentication verifier agent as a Windows Service
  1. Open a command prompt in Administrator mode and navigate to the agent’s folder.
  2. Run the following command to install the Invicti Enterprise Authentication Verifier Agent as a Windows Service: netsparker.cloud.agent -i
  3. Press Windows+R, type ‘services.msc’ and press Enter.
  4. Find ‘Invicti Enterprise Scanning Service – [YOUR_AGENT_NAME]’.
  1. Right-click on it and select Properties.
  2. Make sure Startup type is set to Automatic, and select Start.
  1. Select Apply and OK, then exit the Properties window.

Although this service is set to start automatically, it may not restart until the PC is restarted too.

After these steps, the Invicti Enterprise Authentication Verifier Agent should be running on your network. To view your verifier agents, from the main menu, select Agents > Manage Verifiers.

Any change in the appsetting.json file, such as setting proxy and changing API Token, requires restarting the service so that the changes can take effect.

Updating authentication verifier agents

There are three methods to update your authentication verifier agent.

  • When a new verifier agent version has been published, you can update your Agents manually using installation files on the machines on which agents are installed.
  • You can update agents manually by selecting Update Agent (visible only when the Enable Auto Update is not configured and the new version of the Agent is available). While the update is in progress, the State field will display ‘Updating’.
  • You can enable the auto update feature. The target verifier agent updates itself as soon as possible when it’s idle.
How to enable automatic Authentication Verifier Agent updates
  1. From the main menu, select Agents > Manage Verifiers.
  2. Next to the relevant agent, select the Command drop-down, then Enable Auto Update.

Changing default data folder for the authentication verifier agent

You can change the default location where the authentication verifier agent saves its data. This helps you avoid running out of free space due to accumulating data. 

By default, the authentication verifier agent saves the data to the C:/Invicti Enterprise folder. But, you can choose to save the data in a different location to prevent filling up your free space. 

The following instruction explains how to change the location where the authentication verifier agent saves its data. The instruction is valid for new agents or existing agents:

How to change the default data folder 
  1. Navigate to the agent’s folder you want to change the default folder.
  2. Open appsettings.json file with your preferred text editor.
  3. Add the following attribute listed under AgentInfo: "ScanDataFolderPath": "FullPath"

Write the full path as shown in the following example: C:\\Users\\[User]\\Documents\\ScanData

  1. Save and exit.

If you modified the existing agent’s configuration file, you need to restart the agent service. So, Open services.msc, find ‘Netsparker Cloud Scanning Service – [YOUR_AGENT_NAME]’, and restart the agent service.

This restart does not affect your saved data. To move the existing data, you need to copy the data and paste it into the new folder.

If this is a new agent, continue following this instruction: Step 2. Configuring authentication verifier agent

Installing multiple authentication verifier agents on Windows

  1. Copy all files from the default Verifier Agent’s folder to the new Agent’s folder. The path is: C:\Invicti Enterprise Agent.
    For example, if you decided to use Agent-2 as the new Agent name, you could use this command to copy all files to new Agent’s folder:
    xcopy "C:\Invicti Enterprise Agent\*.*" "C:\Invicti Enterprise Agent-2" /yie
    This creates a new directory in C:\Invicti Enterprise Agent-2 and copies in all the required files.
  2. Locate the new Agent’s folder and open the appsettings.json file with a text editor. Set the new Agent’s name.
  3. Open a command prompt in Windows with Administrator rights and install the new Agent as a Windows Service using these commands:
    • This command changes the current folder to the new Agent’s folder: cd C:\Invicti Enterprise Agent-2
    • This command installs the new Agent as a Windows Service: Netsparker.Cloud.Agent.exe -i

Uninstalling the authentication verifier agent

You can uninstall verifier agents.

How to uninstall the authentication verifier agent
  1. Open a command prompt in Administrator mode and navigate to the agent’s folder.
  2. Run the following command to stop and delete the Invicti Enterprise Authentication Verifier Agent as a Windows Service:
    • sc stop "Invicti Cloud Scanning Service - YourAgentName"
    • sc delete "Invicti Cloud Scanning Service - YourAgentName"

These commands stop and delete the verifier agent service. If required, you can delete the related folder.