Scans

How to create and run different types of scans and how to optimize scan settings, profiles, and scopes.

• Introduction to Scanning
  • Web Application Security Scanning Flow
    • Knowing Your Web Application
    • Preparing and Configuring Scans
    • Scanning Your Web Applications
    • Reviewing and Comparing Scan Results with Previous Scans
    • Fixing Issues
    • Retesting Fixed Issues
    • Generating Reports
  • Scanning Production Environments
  • Stages of Scanning
    • Stage 1: Crawling
    • Stage 2: Attacking
    • Stage 3 and 4: Recrawling and Late Confirmation
  • Overview of Scanning
    • Types of Scans
• Launching Scans
  • Running informal PCI DSS Compliance Scans
  • Running official PCI DSS Scans and PCI DSS Group Scans
  • Defining PCI DSS scan policy in Invicti Standard
  • Scanning single-tab targets with Invicti Standard
  • Creating a New Scan
    • How to scan a website in Invicti Enterprise
    • How to run an Incremental Scan in Invicti Enterprise
    • Invicti Standard New Scan Fields
    • How to scan a website in Invicti Standard
  • Scheduling Scans in Invicti Enterprise
  • Best practices for creating effective scan schedules in Invicti Enterprise
  • Scheduling Scans in Invicti Standard
  • Setting up incremental scans
  • Retrieving Mend SAST and SCA scan results
• Scan Results
  • Recent Scans
    • Recent Scans Columns
    • Viewing Recent Scans in Invicti Enterprise
    • Filtering scans
    • Viewing Recent Scans in Invicti Standard
  • Reviewing Scan Results
  • Viewing Mend SAST and SCA scan results in Invicti Enterprise
  • Viewing detected technologies
  • Checking the VDB version in Invicti Enterprise On-Premises
• Working with Scans
  • Suspending, pausing, and resuming scans
  • Manual Crawling in Proxy Mode
    • How to Run a Manual Crawl with Invicti Standard
    • How to Combine Automated and Manual Crawling in a Web Security Scan
    • Using Selenium for Manual Crawling
  • Excluding Parts of a Website From a Scan
  • Excluding and Including Links from the Sitemap After Crawling
    • Excluding a URL or Parameter from a Web Security Scan
    • Include Resources Back in the Scan (Reversing the Exclusion)
  • Configuring Additional Websites
    • The Scan Profile and Settings Used for the Additional Websites
    • Reporting Scan Activity and Issues Identified in Additional Websites
  • Scanning Applications in an IP Range
  • Configuring URL Rewrite Rules
  • Scan Groups in Invicti Enterprise
  • Pre-Request Scripts
    • Writing a Pre-Request Script
    • Testing Pre-Request Scripts
    • Scanning with pre-request scripts in Invicti Enterprise On-Demand
    • Saving Pre-Request Scripts into the Invicti Directory
    • Writing Pre-Request Scripts
    • Use Cases and Presets
    • Debugging Pre-Request Scripts Using Helper Functions
    • Verifying Pre-Request Scripts
  • Using the business logic recorder
  • Performance Analysis in Invicti
    • Is Your Website Public?
    • Most Common Reasons for Performance Issues
  • Importing and Exporting Scan Sessions in Invicti Standard
    • How to Import a Scan Session into Invicti Standard from Invicti Enterprise
    • How to Import a Scan Session to Invicti Standard from Your Local Machine
    • How to Export the Current Scan Session from Invicti Standard to Your Local Machine
    • How to Export the Current Scan Session from Invicti Standard to Invicti Enterprise
    • How to Bulk Export Selected Scans from Invicti Standard to Invicti Enterprise
  • Scan Time Window
  • Checking scan coverage and addressing gaps
  • Factors leading to longer scan times
  • Reducing scan times
  • Scan Search in Invicti Standard
  • Adding a custom header to your scans in Invicti Enterprise
  • Adding a custom header to your scans in Invicti Standard
  • Queued scan failure settings
• Scan Profiles
  • Overview of Scan Profiles in Invicti Enterprise
  • Configuring Scan Profiles in Invicti Enterprise
  • Configuring Scan Profiles in Invicti Standard
• Security Checks
  • Security Checks
  • WAF Identifier
    • How to Disable the WAF Identifier Security Check in Invicti Enterprise
    • How to Disable the WAF Identifier Security Check in Invicti Standard
  • GraphQL Library Detection
  • Identifying MongoDB injection vulnerabilities
  • BREACH Attack
  • Forced Browsing
  • Login Page Identifier
  • Malware Analyzer
    • How to Configure the Malware Analyzer in Invicti Enterprise
  • Custom Scripts for Security Checks in Invicti Enterprise
    • Executing a custom script on a web page
    • Scanning a website with a custom security script
  • Custom Scripts for Security Checks in Invicti Standard
    • Deciding Which Vulnerability Type Will be Detected
    • Identifying a Sample Vulnerable Web Page
  • Custom Security Checks via Scripting
  • Identifying sensitive data
  • How Invicti reports vulnerabilities
    • Apache Struts RCE
    • Code Evaluation
    • Command Injection (CI)
    • Cross Site Scripting (XSS)
    • File Inclusion
    • Header Injection
    • NoSQL Injection
    • Server-Side Request Forgery (SSRF)
    • SQL Injection
    • Static Resources
    • XML External Entity (XXE)
    • Arbitrary Files (IAST)
    • BREACH Attack
    • Configuration Analyzer (IAST)
    • Content Security Policy
    • Content-Type Sniffing
    • Cookie
    • Cross Frame Options Security
    • Cross-Origin Resource Sharing (CORS)
    • Cross-Site Request Forgery
    • Drupal Remote Code Execution
    • Expression Language Injection
    • File Upload
    • GraphQL Library Detection
    • Header Analyzer
    • Heartbleed
    • HSTS
    • HTML Content
    • HTTP Methods
    • HTTP Status
    • HTTP.sys (CVE-2015-1635)
    • IFrame Security
    • Insecure JSONP Endpoint
    • Insecure Reflected Content
    • JavaScript Libraries
    • JSON Web Token
    • Login Page Identifier
    • Malware Analyzer
    • Mixed Content
    • Open Redirection
    • Oracle WebLogic Remote Code Execution
    • Referrer Policy
    • Reflected File Download
    • Signatures
    • Software Composition Analysis (SCA)
    • SSL
    • Unicode Transformation (Best-Fit Mapping)
    • WAF Identifier
    • Web App Fingerprint
    • Web Cache Deception
    • WebDAV
    • Windows Short Filename
• HTTP Request Builder
  • HTTP Request Builder
    • Working with HTTP Requests and the Request Builder
    • HTTP Headers and Parameters
    • Optional: Add a Request Body in the HTTP Request
• Command Line Interface
  • Command Line Interface
• Authentication
  • Authentication – Overview
    • Supported Authentication Methods in Invicti
  • Form Authentication – Configure and verify
  • Form authentication with OTP – Configuration
  • Form authentication – Custom script basics and examples
  • Form authentication – Introduction of custom scripts
  • Form authentication – Create custom scripts
  • Form authentication – Custom script editor fields
  • Form authentication – Troubleshooting, tips, and tricks
  • Authentication profiles
    • Configuring Authentication Profile in Invicti Enterprise
    • Configuring Authentication Profile in Invicti Standard
  • Configuring Basic, Digest, NTLM/Kerberos and Negotiate Authentication
    • Basic, Digest, NTLM/Kerberos and Negotiate Authentication Fields
  • Configuring Client Certificate Authentication
  • Configuring OAuth2 Authentication
    • OAuth2 Authentication Fields
  • Configuring Header Authentication
  • Logout detection – Introduction and tips
  • Logout detection – Configuration
  • Logout detection – Issues
  • Invicti Standard – Form authentication – Configuration
    • Configuring a Login Form URL
    • Configuring Multiple Sets of Credentials and URLs
    • Configuring Form Authentication Using an OTP
    • Configuring Form Authentication Using an OTP from a QR Code
    • Problems with Form Authentication Login
  • Invicti Standard – Form authentication – Verification
    • How to Verify the Form Authentication Configuration by Simulating the Login and Detecting the Logout Pattern
  • Invicti Standard – Manual Authentication
  • Invicti Standard – Smart Card authentication – Configuration
    • Smart Card Authentication Fields
  • Invicti Standard – HMAC Authentication via Scripting
    • Sample Postman Pre-Request Script
    • How to configure HMAC Authentication via Scripting in Invicti Standard
  • Invicti Standard – Interactive Logins
    • How to Configure CAPTCHA, One-Time Tokens, and Two-factor Authentication Mechanisms
  • Invicti Standard – Form Authentication API
    • Methods
  • Invicti Standard – Form authentication – Create and verify custom scripts
  • Invicti Standard – Logout detection – Configuration
  • Invicti Standard – Logout detection – Issues
• Working with Scan Scopes
  • Scan Scope
  • Excluding file types from a scan
    • Excluding Binary Files
    • Crawl and Attack Options
• Scan Agents
• Authentication Verifier Agents