
Configuring Scan Policies

This document is for:
Invicti Standard, Invicti Enterprise On-Premises, Invicti Enterprise On-Demand

A scan policy is a set of settings for web application security scans. It determines the security tests to be conducted when initiating a scan. You can choose pre-defined policies, customize them based on your target's characteristics, or create new ones. Additionally, you can share policies within a group or duplicate them from a group.

How to configure a New Scan Policy in Invicti Enterprise

  1. Log in to Invicti Enterprise.
  2. From the main menu, select Policies > New Scan Policy.
  3. Fill in the Name and Description fields.
  4. Select the Shared checkbox, if required (refer to Sharing Scan Policies).
  5. Complete the remaining fields. (Each tab is explained in the Scan Policy Fields tables below.)
  6. Click Save when you have finished configuring your scan policy.

How to configure a New Scan Policy in Invicti Standard

  1. From the Home tab, select Scan Policy Editor. The Scan Policy Editor dialog is displayed with all existing Scan Policies listed at the top.
  2. Select New. A New Scan Policy line is displayed at the bottom of the list.
  3. Double-click on New Scan Policy and enter a new Name.
  4. Select the next cell and enter a Description.
  5. Complete the remaining fields. (Each tab is explained in the Scan Policy Fields tables below.)
  6. Select OK.

How to share Scan Policies

There are four types of Scan Policies:

  • Default: Unless set as Shared, these are exclusively for your use.
  • Share: These policies are available for others to utilize.
  • Private: Reserved solely for your own use, these policies cannot be accessed by others.
  • Mine: Referring to the policies you have personally created.

When you share your Scan Policy, other users gain access to it for use and cloning. Scan Policies that you create and do not share with your team members are labeled as "Mine" and "Private" in the Type column.

NOTE: The user who has the Account Administrator role can see the private policies of the team members.

  1. Navigate to the New Scan Policy window.
  2. Enable the Shared field. A new section, Website Groups, is displayed.
  3. Select all the Website Groups the Scan Policy should be shared with. This means that anyone who has access to those groups can use your Scan Policy.

Scan Policy Fields

This section lists and explains the tabs in the New Scan Policy window in Invicti Enterprise and in the Scan Policy Editor dialog in Invicti Standard.

General

This table lists and explains the fields in the General tab. This tab is displayed in Invicti Enterprise only.

Field

Description

Name

This is the name of the Scan Policy.

Description

This is a description that helps explain the policy's features to anyone else who may also use it.

Shared

Select to enable others to have access to the policy.

This field is displayed in Invicti Enterprise only.

Security Checks

In this tab, select the categories and Security Checks for the Scan Policy. By default, most security checks are enabled.

For further information, refer to Security Checks.

The table lists and explains the additional settings available for some of the Security Checks.

Item

Description

Generate Proof

Select Yes to enable the generation of proof for the current security check group (default: True).

Proof Sharing

Enable or disable sharing the same proof across vulnerabilities (default: True).

Only Run on the Start Path (RoR)

Select Yes to restrict attacking to the Start Path only. Otherwise, every directory will be attacked (default: False).

Resource Finder Limit

During the scan, Invicti tries to reveal some common directories that might not be publicly viewable. To do this, Invicti has a list of common directories. Enter a number to set the maximum number of hidden resources and folders to look for in each folder (default: 125).

Include/Exclude

This option is related to cookie-based checks. You can control which cookies will be included in cookie-related security controls, such as checking cookie attributes:

  • Select Include to include the specified cookie names in the security check
  • Select Default to include all cookies

Cookie Names

Enter the cookie names that will be managed during the scan.

Check All Pages

Select True to conduct CORS checks on all pages. Otherwise, only unique directories will be checked (default: True).

Prepend Original Value

Prepend the original value to the Cross-Site Scripting payloads. This can make the scan more accurate (default: False).

Attack Referer

You can use this option to opt out of attacking the Referer header. If the Referer value is required by the target application, you can disable it by selecting False (default: True).

Possible Admin Interface

This option controls whether Invicti detects possible administration pages; it belongs to the HTML Content check group (default: Enabled).

Maximum Path Count

Enter a number to set the maximum number of paths to check against HTTP methods.

Database Type

Select which databases your application uses in order to tailor the Boolean SQL injection payloads to the specific database type.

Upload Folders

Invicti will search for uploaded files in these website directories. You can add more directories in a comma-separated format.

Search Upload Folders

This determines whether the upload folders should be visited to locate the uploaded file (default: True).

Crawling

This table lists and explains the fields in the Crawling tab.

Field

Description

Crawling Page Limit

Enter a number to set the maximum number of pages to crawl. Once this number is reached, Invicti ends the crawling phase and starts to attack (default: 2,500).

Maximum Signature

Enter a number to set the maximum number of samples to collect from pages with similar URL signatures (default: 9). The URL signature consists of path, HTTP method and parameter name. For instance /?name=one, /?name=two.

Maximum Page Visits

Enter a number to set the maximum number of times the crawler visits a page (e.g. /index.php or /page.php). If this number is exceeded, Invicti will stop crawling that page, even if new parameters have not yet been crawled (default: 40).

For further information, refer to Scanning Parameter-Based Navigation Websites.
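The three limits above interact: a URL signature (method, path and parameter names, values ignored) is capped at Maximum Signature samples, a path at Maximum Page Visits, and the whole crawl at the Crawling Page Limit. The following is an added, simplified model of that budgeting written for this page, not Invicti's own code; the class and method names are assumptions, and the sample URLs are constructed.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Defaults as stated on the page: Crawling Page Limit 2,500,
# Maximum Signature 9, Maximum Page Visits 40.
DEFAULT_PAGE_LIMIT = 2500
DEFAULT_MAX_SIGNATURE = 9
DEFAULT_MAX_PAGE_VISITS = 40


def url_signature(method: str, url: str) -> tuple:
    """Signature = HTTP method, path and the set of parameter names.
    Parameter values are ignored, so /?name=one and /?name=two share one signature."""
    parts = urlsplit(url)
    names = tuple(sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}))
    return (method.upper(), parts.path or "/", names)


class CrawlBudget:
    """Illustrative model of the crawl limits (assumed names, not Invicti's implementation)."""

    def __init__(self, page_limit=DEFAULT_PAGE_LIMIT, max_signature=DEFAULT_MAX_SIGNATURE,
                 max_page_visits=DEFAULT_MAX_PAGE_VISITS):
        self.page_limit = page_limit
        self.max_signature = max_signature
        self.max_page_visits = max_page_visits
        self.pages_crawled = 0
        self.per_signature = Counter()   # samples collected per URL signature
        self.per_path = Counter()        # visits per page path

    def crawling_finished(self) -> bool:
        # Once the page limit is reached, the crawling phase ends and attacking starts.
        return self.pages_crawled >= self.page_limit

    def should_crawl(self, method: str, url: str) -> bool:
        """Return True and consume budget if this URL still deserves a crawl request."""
        if self.crawling_finished():
            return False
        sig = url_signature(method, url)
        path = sig[1]
        if self.per_signature[sig] >= self.max_signature:
            return False      # enough samples of this signature already collected
        if self.per_path[path] >= self.max_page_visits:
            return False      # this page has been visited too many times
        self.per_signature[sig] += 1
        self.per_path[path] += 1
        self.pages_crawled += 1
        return True


if __name__ == "__main__":
    budget = CrawlBudget()
    # Constructed input: eleven values of the same parameter on the same path.
    decisions = [budget.should_crawl("GET", f"/?name={i}") for i in range(11)]
    print(decisions)   # the first nine are True, the remaining two False
```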

Maximum URL Rewrite Signature

Enter a number to set the maximum number of samples to collect from pages that match the same URL rewrite signature (default: 9).

Wait for the Resource Finder to finish

Enable to ensure Invicti waits for the Resource Finder to finish before ending the crawling phase. Depending on the website, this search for hidden folders and resources can take a significant amount of time, perhaps longer than the crawling phase (default: Disabled).

Text Parser

Enable to ensure the static HTML/Text Parser can search for links in HTML comments and similar locations. The Text Parser cannot parse JavaScript (default: Enabled).

Text Parser Extensions

The Text Parser parses files for links. If you want the Text Parser to find links in files with an extension that is not listed in the default extension list below, specify their extension in this setting. Separate extensions with a comma, whitespace or semicolon.

Default extensions include: .asa, .asax, .ascx, .ashx, .asmx, .asp, .aspx, .cfc, .cfm, .cgi, .config, .dll, .htm, .html, .inc, .include, .js, .jsp, .php, .php3, .php5, .phtm, .phtml, .shtm, .shtml, .xhtm, and .xhtml.

Parse SOAP Web Services

Check to enable SOAP Web Service discovery by parsing WSDL files (default: Enabled).

Parse REST Web Services

Check to enable REST Web Service discovery by parsing OpenAPI (Formerly Swagger) and WADL files (default: Enabled).

Parse URI Fragments

Check to enable parsing URI fragments to discover parameters in the fragment. For example: http://example.com/#page=foo.php (default: Enabled).

Fallback to GET

Invicti uses HEAD requests to find hidden resources. Check to enable Invicti to fall back to GET requests when HEAD requests don't work. This might increase scan time (default: Disabled).

Add Related Links

Check to specify whether all related links should be crawled when a new link is found (default: Enabled).

Enable Parameter-Based Navigation

Check to enable Parameter-Based Navigation if the target website uses parameter-based navigation instead of pages to serve different content, e.g. /?page=home and /?page=contact instead of /home.php and /contact.php (default: Disabled).

Enable Query-Based Navigation

Check so that only query-string parameters are recognized as navigation parameters. The Navigational Parameter RegEx will then not match POST or other parameter types.

Navigational Parameter RegEx

Enter a regular expression. If a parameter name matches the regular expression, it will be considered as a navigational parameter (refer to Scanning Parameter-Based Navigation Websites).

Maximum Page Visits

Enter a maximum number of visits to a page containing navigational parameters. This value must be between 1 and 1000 (default: 999).

JavaScript

This table lists and explains the fields in the JavaScript tab.

Field

Description

Analyze JavaScript/AJAX

Check to enable Invicti to analyze JavaScript and AJAX to find relevant links and pages in the target application. This option is CPU-intensive. Please disable it if you experience performance issues (default: Enabled).

Select / Load a Pre-defined Preset

Invicti can scan different kinds of JavaScript applications ranging from occasional JavaScript-generated content to large Single Page Applications.

The options are:

  • Default
  • SPA (Single Page Application)
  • Large SPA

DOM Load Timeout

Enter a number to set the amount of time (milliseconds) to wait for the page to load, including the downloading and browser rendering time, before Invicti begins to analyze the JavaScript DOM simulation (default: 30000 milliseconds).

DOM Simulation Timeout

Enter a number to set the amount of time (milliseconds) to wait before JavaScript ends DOM simulation. This is the timeout for the whole simulation operation of a single page. In the case of a large application, it may not be feasible to simulate the whole application, since parameters are typically still being identified when the timeout is reached. The value of this timeout can have an impact on the scan duration (default: 45000 milliseconds).

Interevent Timeout

Enter a number to set the amount of time (milliseconds) to wait after triggering a JavaScript event, before the next event is triggered. During this time, no other DOM/JS events will be triggered by the scanner. Increase this number if the target website has high latency AJAX calls that modify the DOM (default: 100 milliseconds).

Max Simulated Elements

Enter a number to set the maximum number of DOM elements the parser will simulate before terminating the simulation for this page (default: 500).

Skip Threshold

Enter a number to set the number of elements to simulate before skipping elements. Enter '0' to disable sampling (default: 300).

Elements to Skip

Enter a number to set the number of elements to skip simulation after the Skip Threshold has been exceeded (default: 10).

This setting and Skip Threshold are used to specify how many elements should be parsed before the parser starts skipping (Elements to Skip) some elements. For example, if the Skip Threshold is set to 1000 and Elements to Skip is set to 10, after simulating 1000 elements, the parser will not simulate elements 1001 to 1009. Element 1010 will be simulated. The idea behind these settings is to diversify the simulation.

Max Modified Element Depth

Enter a number to limit the simulation to a set number of nested elements. The value must be between 0 and 100.

This setting specifies the maximum number of levels the DOM parser should follow when a DOM modification is triggered due to another simulation or modification. This can be used as a sort of infinite loop protection.

For example, imagine a case where a button is clicked and another button is created. When this new button is clicked it will create another one, and so on. This depth setting allows you to control the maximum depth that the simulation will go in such cases (default: 4).

Pre-simulation Wait

Enter a number to set the amount of time (milliseconds) the scanner should wait before starting the simulation, after the page has loaded (default: 0). This can be used to configure the scanner to wait for custom page loading logic of dynamic pages.

Exclude by CSS Selector

Exclude HTML elements, such as logout buttons, from event simulation by CSS selector. All matched elements are excluded together with their children. To test a selector, open the Developer Tools Console tab in the browser you use (press F12 to open it) and run the document.querySelectorAll JavaScript function with the selector; the result lists the elements that would be excluded. Please note that if the selector is not very specific, i.e. many elements match it at any time, it will affect scan performance (and possibly coverage) negatively.

Maximum Option Elements

Enter a number to set the maximum number of option elements, per select element, to simulate. The value must be between 1 and 1000. The suggested maximum is 20 (default: 10).

Persistent JavaScript Cookies

Enter the names of cookies (separated by semicolons) that are set in JavaScript via document.cookie and not from HTTP Headers, that should persist across authentication and DOM simulation.

Open Redirect Conf. Timeout

Enter a number to set the time (milliseconds) to wait before ending JavaScript DOM simulation for Open Redirection confirmation. The value must be between 1 and 21600000 (default: 45000).

XSS Confirmation Timeout

Enter a number to set the time (milliseconds) to wait before ending JavaScript DOM simulation for XSS confirmation. The value must be between 1 and 21600000 (default: 45000).

Exclude by JavaScript Events

Enter a JavaScript event to exclude from the DOM simulation. To enter multiple events, separate them with a comma.

Cache by CSS Selector

Enter elements to be cached via CSS selectors. All matched elements will be cached, including their children. To enter multiple selectors at once, you can separate them via a comma. Cached elements, such as footer and header, will be simulated only once.

This is available only in Invicti Standard.

Maximum Cache Elements

Enter a number to set the maximum number of cache elements per host. The value must be between 1 and 100000 (default: 1000).

This is available only in Invicti Standard.

Filter Document Events

Check to filter the events attached to the document down to a constant set of event names (e.g. mousedown, keyup), to reduce the number of events triggered during the simulation (default: Disabled).

Ignore document events

Check to ignore the triggering events that are attached to the document object (default: Disabled).

Filter Colon Events

Check to filter out events that contain a colon (:) in their name, to reduce the number of events triggered during the simulation. Such events are usually used by frameworks and are triggered by other events (default: Disabled).

Extract Static Resources

Check to extract static resources from DOM elements (default: Enabled).

Allow out-of-scope XML HTTP (AJAX) requests during simulation

Check if the target website fails to load when some requests cannot be loaded because of the scan profile's out-of-scope settings (default: Enabled).

Generate Debug Info

Check to enable the debugger to generate debug information during the scan.

When this option is enabled, the DOM parser will write the diagnostics information to a log file in the scan folder, including data about the coverage. When this option is enabled, the scan may be slowed down and will use some additional disk space (default: None).

Block navigation on SPAs

Check to enable Invicti to block extra navigation on single-page applications.

Attacking

This table lists and explains the fields in the Attacking tab.

Field

Description

Maximum Number of Parameters to Attack on a Single Page

Enter a number to set the maximum number of parameters that Invicti should attack on a single page (default: 24).

Once the maximum is reached, Invicti will stop attacking that page.

Enable Proof Generation

Check to generate a Proof of Exploit after a vulnerability is confirmed (default: Enabled).

Attack Parameter Names

Enable to generate extra attacks which place attack payloads into the name of a request parameter (default: Enabled).

Attack Referer Header

Enable to generate extra attacks which place attack payloads into the Referer header (default: Disabled).

Attack User-Agent Header

Enable to generate extra attacks which place attack payloads into the User-Agent header (default: Disabled).

Attack Cookies

Enable to generate extra attacks which place payloads on cookie name and values (default: Disabled).

Optimize Header Attacks

Enable to issue header attacks on each unique link path (otherwise, all links will be attacked) (default: Enabled).

Override Version Vulnerability Severities

Invicti overrides the severity of out-of-date library findings according to the highest-severity known issue in the outdated library. For example, if an out-of-date JavaScript library has an XSS vulnerability, Invicti raises the severity of the issue to High, matching the severity of XSS (default: Enabled).

Optimize Attacks to Recurring Parameters

Enable to detect recurring parameters in different URLs (e.g. search widgets, newsletter subscription forms). Invicti will attack only the number of links allowed in the Recurring Parameters Attack Limit field (default: Disabled).

Recurring Parameters Attack Limit

Enter a number to set the maximum number of pages to attack for recurring parameters. Once the maximum is reached, Invicti will stop attacking recurring parameters on the remaining pages (default: 10).

Anti-CSRF Token Field Names (Comma Separated)

An Anti-CSRF token is a prevention mechanism that uses a unique, unpredictable value to defend against CSRF attacks. These form field values should be kept as they are, so that submitted forms are not rejected by the target application. This option instructs Invicti not to attack these fields. Enter the Anti-CSRF token field names, for example:

*token*, *csrf*, ViewStateUserKey, __RequestVerificationToken, protect_from_forgery, *xsrf*, nonce.

Attack CSRF Token

Check to enable CSRF attacks.

Enable Random Parameter Attacks in Cross-site Scripting checks

Enable to attempt to add extra parameters to pages to detect Cross-site Scripting vulnerabilities (default: Enabled).

Custom 404

This table lists and explains the fields in the Custom 404 tab.

Field

Description

Auto Custom 404

Check to select an automatic 404 Error page.

Manual Custom 404

Check to select a manual 404 Error page.

Disabled

Check to disable the 404 Error page.

Maximum 404 Signatures

Enter a number to set the maximum number of 404 Error page samples to collect (default: 1000). The maximum value is 2500.

Maximum 404 Pages to Attack

Enter a number to set the maximum number of 404 samples to crawl and attack (default: 10).

(Scan) Scope

This table lists and explains the fields in the Scope tab.

Field

Description

Case Sensitive

By default, Invicti does not differentiate between uppercase and lowercase URLs, so both of these URLs are treated as the same URL:

  • http://example.com/dir/index.php
  • http://example.com/DiR/IndEX.php

Enable the Case Sensitive checkbox if you want to change this behaviour because your target uses case-sensitive URLs. When enabled, and (for example) there is an SQL Injection in both index.php and IndEX.php, they will be reported as separate issues.

Default: Disabled

Bypass Scope for Static checks

When enabled, Invicti will make requests to resources that are out of scope. This means Invicti will check for static vulnerabilities (e.g. Crossdomain.xml, Robots.txt), even when the Scan Scope does not cover the root.

For example, if your target URL is http://example.com/test and your Scope is set to Entered Path and Below, Invicti will still send requests to the root domain, (e.g. http://example.com/Crossdomain.xml).

Static checks do not include invasive requests. So, in many cases, it is advised to enable this option. However, it is disabled by default, to avoid potential legal issues in tests conducted with strict scan scopes. Default: Disabled

Ignore These Extensions

Enter the extensions of those test files you do not want Invicti to crawl or test.

If the files include a query parameter, they will still be crawled and attacked regardless of the extension.

This is only available in Invicti Standard.

Enable Content-Type Checks

By default, Invicti excludes a number of files from the scan based on their content type. For example, files such as PDFs and compressed archives do not need to be scanned during a web vulnerability scan. Invicti checks the Content-Type HTTP response header of the file and, if it matches an entry in this list, ignores the file.

You can also exclude a file or page from a scan based on its Content-Type header, or remove a content type from the exclusion list, using the Ignore These Content Types option in the Scope section when configuring a Scan Policy.

Enable to analyze pages that have a listed Content-Type header. Default: Disabled

Ignore These Content Types

Enter the content types of files you do not want Invicti Enterprise to crawl or test.

If the files include a query parameter, they will still be crawled and attacked regardless of the content type.

Block Ad Networks

During a scan, Invicti loads the crawled pages into an internal browser to simulate specific DOM events (e.g., click, mouse over, form submit) to find more attack surfaces. If a page loads resources from advertising networks continuously, this will affect the loading time and might even result in a timeout.

Enable to stop sending requests to known ad networks.

Default: Enabled

Ignored Parameters

This table lists and explains the fields in the Ignored Parameters tab.

For further information, refer to Excluding Parameters From a Scan.

Field

Description

Name

This is a friendly name for the parameter, for your reference (e.g. 'ASP Session ID (COOKIE)').

Pattern

This is the actual name of the parameter to be excluded from the scan (e.g. ASPSESSIONID*).

Pattern matching is case-sensitive, so use the correct capitalization.

You can also use any of these pattern options (wildcards) to match the patterns in the parameter name:

  • ? - any single character
  • * - zero or more characters
  • # - any single digit (0-9)
  • [charlist] - any single character in charlist
  • [!charlist] - any single character not in charlist

The parameters will be ignored only during the attack phase.

For further information, refer to Pattern Options.

Type

This is the parameter type (e.g. COOKIE).

The dropdown options are:

  • POST
  • GET
  • COOKIE
  • WEBSTORAGE
  • ALL

If you want to ignore GET and POST parameters with this name or match, create two entries, one with POST and one with GET.

If you want to ignore GET, POST and COOKIE parameters, create one entry with ALL.
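The wildcard syntax above (also used by the Autocomplete Input Name and Ignored Email Addresses fields later on this page) is easy to get subtly wrong, since matching is case-sensitive and # matches exactly one digit. The following added example, written for this page and not Invicti's own code, translates a pattern to a regular expression and applies the Type rules (ALL = GET, POST and COOKIE as stated above); the function and class names are assumptions, and all entries except the page's own ASPSESSIONID* example are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Wildcards from the Ignored Parameters tab:
#   ?  any single character        *  zero or more characters
#   #  any single digit (0-9)      [abc] / [!abc]  any single character in / not in the list


def wildcard_to_regex(pattern: str) -> str:
    """Translate an Invicti-style wildcard pattern into an anchored, case-sensitive regex."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "?":
            out.append(".")
        elif c == "*":
            out.append(".*")
        elif c == "#":
            out.append("[0-9]")
        elif c == "[":
            close = pattern.find("]", i + 1)
            body = pattern[i + 1:close] if close != -1 else ""
            negate = body.startswith("!")
            chars = body[1:] if negate else body
            if chars:
                # Escape what is special inside a regex character class.
                # A '-' is left alone, so [a-z] acts as a range (assumption, not from the page).
                chars = chars.replace("\\", "\\\\").replace("]", "\\]").replace("^", "\\^")
                out.append("[" + ("^" if negate else "") + chars + "]")
                i = close
            else:
                out.append(re.escape(c))   # no usable list: treat '[' as a literal
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


@dataclass(frozen=True)
class IgnoredParameter:
    name: str      # friendly name, for reference only
    pattern: str   # wildcard pattern matched against the parameter name
    type: str      # POST, GET, COOKIE, WEBSTORAGE or ALL


# Per the Type description, ALL stands for GET, POST and COOKIE.
# Whether ALL also covers WEBSTORAGE is not stated on the page; assumed not.
ALL_TYPES = frozenset({"GET", "POST", "COOKIE"})


def is_ignored(param_name: str, param_type: str, entries: Iterable[IgnoredParameter]) -> bool:
    """True if some entry's type and pattern both match; matching is case-sensitive."""
    for entry in entries:
        covered = ALL_TYPES if entry.type == "ALL" else {entry.type}
        if param_type in covered and re.fullmatch(wildcard_to_regex(entry.pattern), param_name):
            return True
    return False


# Constructed sample list: the first entry is the page's example, the others are made up.
SAMPLE_ENTRIES = (
    IgnoredParameter("ASP Session ID (COOKIE)", "ASPSESSIONID*", "COOKIE"),
    IgnoredParameter("Anti-CSRF token, POST only", "*csrf*", "POST"),
    IgnoredParameter("Single-digit page index", "page_#", "GET"),
    IgnoredParameter("Vowel-free flag, any type", "flag_[!aeiou]", "ALL"),
)

if __name__ == "__main__":
    for name, ptype in [("ASPSESSIONIDQWERTY", "COOKIE"), ("aspsessionidqwerty", "COOKIE"),
                        ("csrf_token", "POST"), ("csrf_token", "GET"),
                        ("page_7", "GET"), ("page_77", "GET"),
                        ("flag_x", "COOKIE"), ("flag_a", "COOKIE")]:
        print(f"{ptype:6} {name:20} ignored={is_ignored(name, ptype, SAMPLE_ENTRIES)}")
```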

Form Values

This table lists and explains the fields in the Form Values tab.

Field

Description

Name

This is a friendly name for your reference.

Type

This is the form input type.

The options are:

  • hidden
  • text
  • textarea
  • submit
  • reset
  • button
  • image
  • file
  • radio
  • select
  • checkbox
  • password
  • color
  • date
  • datetime
  • datetime-local
  • email
  • month
  • number
  • range
  • search
  • tel
  • time
  • url
  • week
  • output

The type should be a valid input type.

Pattern

This is the value that the HTML attribute value will be matched against based on the selected Match.

Pattern should be a valid regular expression if the Match dropdown is set to RegEx.

Target

This is the match target.

The options are:

  • Select All
  • Name
  • Label
  • Placeholder
  • Id

It is possible to select one or more options.

Match

This is the match type for the Pattern field.

The options are:

  • RegEx
  • Exact
  • Contains
  • Starts
  • Ends

Value

This is the value Invicti will submit to the input parameter when the match is successful.

Force

When this option is enabled Invicti will submit the provided value even when the parameter is already populated with some other value.

For further information, including Regex definitions, refer to Configuring Pre-Defined Web Form Values.

IndexedDB

This table lists and explains the fields in the IndexedDB tab. IndexedDB lets you persistently store data inside a user's browser. This tab is only displayed in Invicti Standard.

Field

Description

Name

This is a friendly name for your reference.

  • Do not enter duplicate pairs to the database, storage, and row fields
  • Enter key and value pair in the row field.

Origin

Enter storage data for a specific origin. (Otherwise leave it empty to allow the DOM parser to pass it for any origin.)

Send To Actions

This table lists and explains the fields in the Auto Send To Actions tab.

This tab is only displayed in Invicti Standard. Invicti will send issues that match the criteria you defined in the Auto Send To tab to the integrated systems.

Field

Description

Send To Action

Click Send to Action Settings.

The options are:

  • Asana
  • Azure Boards
  • Bitbucket
  • Bugzilla
  • Clubhouse
  • Email
  • FogBugz
  • FreshService
  • GitHub
  • GitLab
  • Jazz Team Server
  • JIRA
  • Kenna
  • Microsoft Teams
  • Pivotal Tracker
  • Redmine
  • ServiceNow
  • TFS
  • Trello
  • Unfuddle
  • Webhook
  • YouTrack
  • Zapier

For further information, refer to Send to Actions.

Severities

This is the vulnerability severity level. You can select more than one (refer to Vulnerability Severity Levels).

Only Confirmed

Check this to trigger actions only for confirmed vulnerabilities and not for possible vulnerabilities.

Brute Force

This table lists and explains the fields in the Brute Force tab.

Field

Description

Authentication Brute Force (Basic, NTLM, Digest)

Check to enable Authentication Brute Force.

Maximum Username/Password Combinations to Test

Enter a number to set the maximum number of Username/Password combinations to test.

By default, this is set to 10.

Invicti Hawk

This table lists and explains the fields in the Invicti Hawk tab. This tab is only displayed in Invicti Enterprise On-Premises and Invicti Standard.

Field

Description

Invicti Hawk URL (NE OP)

Invicti Hawk server that will respond to Out-of-Band and SSRF-related attacks that were initiated by Netsparker.

Invicti Hawk URI (NS)

Invicti Hawk server that will respond to Out-of-Band and SSRF-related attacks that were initiated by Netsparker.

Validate DNS Settings

Click to validate the DNS settings of Invicti Hawk server.

Validate Invicti Hawk

Click to validate whether Invicti Hawk server can report vulnerabilities.

Clear

Click to clear the logs shown below.

Autocomplete

This table lists and explains the fields in the Autocomplete tab.

Invicti Enterprise will only issue an alert if Autocomplete is enabled on a text input that matches one of these values.

Field

Description

Input Name

Enter a value to be matched with the input name to detect whether autocomplete is enabled for the input.

The Input Name can contain any valid wildcard characters, such as '?' '*' or '#'.

Ignored Email Addresses

This table lists and explains the fields in the Ignored Email Addresses tab.

Field

Description

Email Pattern

Enter any email address you'd like the scan to ignore.

Email Pattern can contain any valid wildcard characters (? * #).

Invicti will ignore any Email Disclosure vulnerability if it matches one of these patterns. Invicti will also ignore email addresses that start with the most common words (e.g. admin, billing, contact, support). You can amend this list, which is located at C:\Users\{USER}\Documents\Netsparker\Resources\Configuration\GenericEmails.txt.

CSRF Settings

This table lists and explains the fields in the CSRF tab.

Field

Description

Checkbox

Select if you want to enable CSRF checks for authenticated scans only.

User Name Inputs

Enter a list of strings to indicate a username that includes one of these.

Login Form Values

Enter a list of strings to indicate a login form that includes one of these.

Non-CSRF Form Values

Enter a list of strings to indicate non-CSRF form values whose name or action includes one of these. Invicti won't report CSRF on these forms even if the form does not have a CSRF token.

Non-CSRF Input Values

Enter a list of strings to indicate non-CSRF input values whose name or value includes one of these. If Invicti cannot deduce the goal of the form by looking at its name or action, it will attempt to deduce it by looking at the names of the inputs it contains. This list defines those values.

Captcha Indicators

Enter a list of strings that indicates forms that contain Captcha against CSRF.

Web Storage

This table lists and explains the fields in the Web Storage tab.

Field

Description

Type

This is the type of Web Storage mechanism that will be used.

From the dropdown, select an item.

The options are:

  • Local
  • Session

Key

This is the name of the key you want to create.

Value

This is the value you want to give the key you are creating.

Origin

Enter storage data for a specific origin. (Otherwise, leave it empty to allow the DOM parser to pass it for any origin.)

Extensions

This table lists and explains the fields in the Extensions tab.

Field

Description

Extension

This is a list of file extensions to which the specified Crawling and Attacking activity will be applied.

For further information, refer to Crawl and Attack Options.

Crawl

Select the required Crawling activity for the file type (Extension).

The options are:

  • Do Not Crawl
  • Crawl
  • Crawl Only Parameter (default)

Attack

Select the required Attacking activity for the file type (Extension).

The options are:

  • Do Not Attack
  • Attack Parameters (default)
  • Attack Parameters and Query String

Request

This table lists and explains the fields in the Request tab. This tab is displayed in both editions. (In Invicti Standard, it is displayed once you click on the HTTP tab.)

Field

Description

(Pre-defined) User Agent(s)

Select or Enter the User Agent string to be used in all HTTP requests during scans.

Force this value

Enable to force Invicti to use the User Agent, even if the HTTP request has a User-Agent value.

In Invicti Standard, this feature is called 'Force to use selected User Agent'.

Request

Enter a number to set the interval (seconds) to wait for a response from the target before it is considered to have timed out.

Depending on the configuration, if a request times out, Invicti will try to send it again or cancel it.

  • Connection Timeout (sec) - This is the number of seconds to wait before the HTTP Request times out.
  • Read/Write Timeout (sec) - Depending on the context, Invicti will retry the request (or cancel it) when reading from the response stream or writing to the request stream takes longer than the given time. (This is only available in Invicti Standard.)
  • Request Timeout (sec): This is the interval in seconds that Invicti Enterprise should wait for a response from the target before the request is considered to have timed out. Depending on the configuration, in case of a connection timeout, Invicti Enterprise will try to send the request again or cancel it. (This is only available in Invicti Enterprise.)

Concurrent Connections

Enter the maximum number of simultaneous connections Invicti should open when scanning the target system. Depending on the target application, a high number of simultaneous connections may cause connectivity or Denial of Service issues.

Requests per second

Move the slider left or right to set the maximum number of requests initiated per second. Depending on the target application, setting this figure too high might cause connectivity or Denial of Service issues. The recommendation is 30.
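To make the interaction between the Request tab limits concrete, here is an added Python example (not Invicti's code) of a small scheduler that enforces a concurrent-connection cap and a requests-per-second ceiling, and retries a timed-out request once before cancelling it, as the timeout options above describe; the class, the fake request workload and the limit values are all constructed for this example.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor

class RequestTimeout(Exception): pass  # raised by a request that does not answer in time

class ScanThrottle:
    """Request-tab style limits: cap on simultaneous connections, maximum request
    rate, and one retry (otherwise cancellation) after a timeout."""
    def __init__(self, concurrent_connections=4, requests_per_second=30, retry_on_timeout=True):
        self._slots = threading.BoundedSemaphore(concurrent_connections)
        self._interval = 1.0 / requests_per_second
        self._attempts = 2 if retry_on_timeout else 1
        self._lock, self._next_allowed = threading.Lock(), 0.0
        self.in_flight = self.max_in_flight = self.sent = 0
    def _wait_for_rate_slot(self):
        # Pacing: each call claims the next free start time, spaced 1/rps apart.
        with self._lock:
            now = time.monotonic()
            start = max(now, self._next_allowed)
            self._next_allowed = start + self._interval
        if start > now:
            time.sleep(start - now)
    def send(self, request_fn):
        """Run request_fn under the limits; return its result, or None if cancelled."""
        for _ in range(self._attempts):
            self._wait_for_rate_slot()
            with self._slots:  # bounds the number of simultaneous connections
                with self._lock:
                    self.in_flight += 1; self.sent += 1
                    self.max_in_flight = max(self.max_in_flight, self.in_flight)
                try:
                    return request_fn()
                except RequestTimeout:
                    pass  # first timeout: loop once more; second timeout: cancel (None)
                finally:
                    with self._lock:
                        self.in_flight -= 1
        return None

def run_demo(n_requests=8, timeout_every=4):
    # Constructed workload: every timeout_every-th request times out on its first try.
    throttle = ScanThrottle(concurrent_connections=2, requests_per_second=50)
    timed_out = set()
    def fake_request(i):
        time.sleep(0.005)  # simulated network round trip
        if i % timeout_every == 0 and i not in timed_out:
            timed_out.add(i)
            raise RequestTimeout(f"request {i} timed out")
        return 200
    started = time.monotonic()
    with ThreadPoolExecutor(max_workers=6) as pool:
        results = list(pool.map(lambda i: throttle.send(lambda: fake_request(i)), range(n_requests)))
    return throttle, results, time.monotonic() - started
```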

HTTP Keep Alive

Enable to improve the server's performance and decrease the load (default: Enabled).

Support Gzip/Deflate

Enable to complete the scan in less time, if the target web server supports Gzip or Deflate (default: Enabled).

Support Cookies

Enable to support HTTP cookies (default: Enabled).

Capture HTTP Requests

Enable to save HTTP requests during scans using the Fiddler session file format. This option exists only in Invicti Enterprise.

Headers

This table lists and explains the fields in the Headers tab. (In Invicti Standard, it is displayed once you click on the HTTP tab.)

Field

Description

Enabled

Enable so that the custom header is added to all HTTP requests.

Name

The Name field of the HTTP header should only contain ASCII characters. As HTTP headers are name and value pairs, this field holds the name part.

Value

A header value to be used in attacks with the corresponding header.

Attack Mode

The options are:

  • None (default)
  • Optimized: Only the attack payloads that are suitable for the header will be used
  • Full: All attack payloads will be fuzzed into the header

SSL/TLS

This table lists and explains the fields in the HTTP SSL/TLS tab. (In Invicti Standard, it is displayed once you click on the HTTP tab.)

Field

Description

Security Protocol

Select the security protocol(s) that are used while making requests.

The options are:

  • SSLv3: This is disabled by default.
  • TLS 1.0: This is enabled by default.
  • TLS 1.1: This is enabled by default.
  • TLS 1.2: This is enabled by default.
  • TLS 1.3: This is disabled by default.

Untrusted Certificates

This indicates the action taken when Invicti encounters an untrusted certificate in either the Target, Additional Websites or External Websites.

The options are:

  • Accept untrusted certificate
  • Reject untrusted certificate

Proxy

This table lists and explains the fields in the Proxy tab. This tab is only displayed in Invicti Enterprise On-Premises and Invicti Standard. (In Invicti Standard, it is displayed once you click on the HTTP tab.)

Field

Description

Use Application (Global) Proxy

Enable to use the Application Proxy.

The Application Proxy can be defined on the Proxy tab of the Options dialog.

Use System (Internet Explorer) Proxy

Enable to use the System Proxy. This is the default.

The System Proxy is the system-wide proxy that is used by every program by default.

Use Custom Proxy

Enable to use and configure a Custom Proxy.

Unlike the System Proxy, the Custom Proxy must be configured explicitly before it can be used. It is specific to the scan policy and valid only within the scope of that policy.

Don't use proxy server for local (intranet) addresses

Enable so that no proxy is used for local (intranet) addresses.

Use this proxy server for the requests other than the target website(s)

Enable so that this proxy is used instead of the proxy server in the agent configuration.

Knowledge Base

This table lists and explains the fields in the Knowledge Base tab.

Field

Description

Enable Knowledge Base

Check to enable Knowledge Base checks.

Disabling this option means that some issues may not be reported (default: Enabled).

Sensitive Keyword Pattern

The Sensitive Keyword Pattern should be a valid regular expression. Invicti uses these patterns to find sensitive keywords in the code’s comments.
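As an added illustration (not Invicti's own code) of how such a pattern is applied, here is a Python extractor that pulls HTML and JavaScript comments out of a response body and reports the ones matching a Sensitive Keyword Pattern, after first checking that the pattern is a valid regular expression. The sample body and the default pattern are constructed for this example; Invicti's actual default pattern is not on this page.

```python
import re

# Constructed sample response body mixing HTML, JS block and JS line comments.
SAMPLE_BODY = """<html><head>
<!-- TODO: remove the admin password reset link before release -->
<script>
/* The api_key below is loaded from server config */
var endpoint = "https://example.test/api"; // see https://example.test/docs
var cached = false; // hack: bypass cache until the fixme in auth.js is resolved
</script></head><body>Hello</body></html>"""

# Assumed default pattern for the example; the product's real default is not on the page.
DEFAULT_PATTERN = r"(?i)\b(password|passwd|secret|api[_-]?key|todo|fixme|hack|bug)\b"

COMMENT_RES = (
    re.compile(r"<!--(.*?)-->", re.S),    # HTML comments
    re.compile(r"/\*(.*?)\*/", re.S),     # JS/CSS block comments
    re.compile(r"(?<![:\w])//([^\n]*)"),  # JS line comments; the lookbehind skips "https://"
)

def validate_pattern(pattern):
    """True when the Sensitive Keyword Pattern compiles, as the policy field requires."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False

def find_sensitive_comments(body, pattern=DEFAULT_PATTERN):
    """Extract comments from a response body and report those containing a keyword.
    Returns a sorted list of (line_number, keyword, comment_text) tuples."""
    keyword_re = re.compile(pattern)
    hits = set()
    for comment_re in COMMENT_RES:
        for m in comment_re.finditer(body):
            text = m.group(1).strip()
            line_no = body.count("\n", 0, m.start()) + 1
            for k in keyword_re.finditer(text):
                hits.add((line_no, k.group(0).lower(), text))
    return sorted(hits)
```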

Browser Settings

This table lists and explains the fields in the Browser Settings tab.

Field

Description

Browser Settings

  • Default Browser Parameters: These are the default browser parameters that Invicti uses when it launches a Chromium instance to scan your website. You can deselect any parameter to disable it, or add a new parameter.

  • Headful Browser Parameters: These are the headful browser parameters that Invicti uses when it launches a Chromium instance to authenticate with your website. You can deselect any parameter to disable it, or add a new parameter.

NOTE: By default, authentication verifier agents use incognito mode on Chromium browsers.