
Using the business logic recorder

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

You can use the business logic recorder (BLR) feature in Invicti Enterprise to scan web applications without extensive manual work or additional non-automated tools.

  • Business logic is the set of real-world business rules put into computer code and exposed in a program through its user interface. The logic also determines how data may be shown, stored, created, and altered.
  • This logic is most evident in its role in creating workflows that pass data between users and software systems. The web application processing this logic may behave differently depending on the data that the user selects or enters.
  • OWASP regards business logic flaws as the most critical in terms of consequences, because they are deeply tied to the company’s processes.

This is why you need a tool that lets you describe what happens when users enter different data. Invicti’s business logic recorder captures such scenarios so that Invicti can include them in vulnerability testing.

Identifying more vulnerabilities

Covering such scenarios increases Invicti's scan coverage, so it can detect more issues in your web application. With the BLR feature, Invicti can test specific scenarios that would otherwise be unreachable for an automated scanner, and so reach all areas of a web application.

The BLR allows you to define:

  • Multiple input sequences to help Invicti reach and test all variations of multi-step web forms or other web application workflows.
  • Input sequences that fulfill particular constraints to reach parts of a web application that an automated scanner would otherwise not be able to reach and test.
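To show why input sequences decide scan coverage, here is an added example that is not part of this article or of Invicti's product code. It models a constructed three-step web form whose pages depend on the data entered (a branch on account type, a VAT ID that must match a format, a coupon that unlocks a discount page), and compares the pages a crawler reaches when it fills every field with one generic value against the pages reached by a few recorded input sequences. All page paths and field names are invented for the illustration.

```python
"""Constructed multi-step workflow: which pages are reached depends on the inputs.

This is illustrative code, not Invicti's implementation. The workflow, field names
and page paths are made up for the example.
"""
import re


def workflow(inputs):
    """Walk the form with the given inputs and return the ordered list of pages visited."""
    visited = ["/start"]
    account = inputs.get("account_type", "")
    if account == "business":
        visited.append("/business/company-details")
        # Constraint: the VAT ID must be two uppercase letters followed by nine digits.
        if re.fullmatch(r"[A-Z]{2}\d{9}", inputs.get("vat_id", "")):
            visited.append("/business/vat-verified")
        else:
            visited.append("/business/vat-error")
    elif account == "personal":
        visited.append("/personal/profile")
    else:
        # An unknown account type ends the workflow on an error page.
        visited.append("/error/unknown-account-type")
        return visited
    # A second constraint on the checkout step: only well-formed partner coupons unlock the discount page.
    coupon = inputs.get("coupon", "")
    if coupon.startswith("PARTNER-") and len(coupon) == 16:
        visited.append("/checkout/discount-applied")
    visited.append("/checkout/confirm")
    return visited


def pages_reached(sequences):
    """Union of all pages visited over a list of input sequences."""
    reached = set()
    for seq in sequences:
        reached.update(workflow(seq))
    return reached


# A naive crawler submits one generic value for every field it discovers (constructed).
NAIVE_SEQUENCES = [{"account_type": "test", "vat_id": "test", "coupon": "test"}]

# Recorded business-logic sequences, one per path the analyst wants tested (constructed).
RECORDED_SEQUENCES = [
    {"account_type": "personal", "coupon": ""},
    {"account_type": "business", "vat_id": "GB123456789", "coupon": "PARTNER-12345678"},
    {"account_type": "business", "vat_id": "bad", "coupon": ""},
]


def coverage_gap(naive=NAIVE_SEQUENCES, recorded=RECORDED_SEQUENCES):
    """Pages that only the recorded sequences reach, sorted for stable comparison."""
    return sorted(pages_reached(recorded) - pages_reached(naive))


if __name__ == "__main__":
    print("naive crawler reaches:", sorted(pages_reached(NAIVE_SEQUENCES)))
    print("recorded sequences reach:", sorted(pages_reached(RECORDED_SEQUENCES)))
    print("pages only recordings reach:", coverage_gap())
```

Every page after the first branch is invisible to the single-value crawler, because the generic value fails the account-type check; the recorded sequences expose both the success and failure branches of the VAT and coupon constraints, which is exactly where business-logic defects tend to sit.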

This article explains how to use the business logic recorder to save and edit a business logic recording.

Using the business logic recorder in Invicti Enterprise

You can create a business logic recording from the New Scan and Schedule Scan pages. On both pages, the process is the same.

You can create and save more than one recording.

How to access BLR in Invicti Enterprise
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Scans > New Scan (or Scheduling > Schedule Scan).
  3. In the Target URL field, enter the URL.
  4. From the Scan Settings section, select Business Logic Recorder.

The scanner agent and the authentication verifier agent are required for internal targets.

How to record steps using the business logic recorder
  1. From the Record Business Logic section, select New Recording.

Selecting New Recording opens a page where recording starts automatically.
You can specify the page on which you want to record steps either by changing the URL in the address bar or by clicking through the site to navigate to the specific URL.

  2. From the Business Logic Recorder page, navigate to the element on the website where you need to record business logic.
  3. Change or modify the steps, if necessary.
  • Select the arrow buttons to change steps in the recording.
  • Select the add button to add a new step to the recording, or the delete button to delete a step from the recording.
  • From the Action Properties section, modify the target, timeout, and value.
  4. Select Play to play back the recording.
  5. Select Save to save the recording and close the page.
  6. Enter a name for your script, if necessary.

This saves your BLR script.

How to edit the recording
  1. Next to your saved recording, select the edit button.
  2. From the Business Logic Recorder page, select any step to edit.
  • Select the arrow buttons to change steps in the recording.
  • Select the add button to add a new step to the recording, or the delete button to delete a step from the recording.
  • From the Action Properties section, modify the target, timeout, and value.
  3. Select Play to play back the recording.
  4. Select Save to save and close the page.

How to download the recording
  1. Next to your recording, select the download button.
  2. From the Save as page, select a location to download the script.
  3. Select Save to download the script.

How to delete the recording
  1. Next to your recording, select the delete button.
  2. From the Delete Recording pop-up, select Delete Recording.

This deletes your recording.

How to import a BLR script
  1. Log in to Invicti Enterprise.
  2. From the main menu, go to Scans > New Scan > Business Logic Recorder (or Scheduling > Schedule Scan > Business Logic Recorder).
  3. Select Import Recording.
  4. From the Open window, select your BLR recording to import.

Once completed, this process imports your recording into Invicti Enterprise.