You can run interactive security testing (IAST) with Invicti Shark in your web application in order to confirm more vulnerabilities and further minimize false positives.
Invicti provides industry-leading dynamic application security testing (DAST) capabilities to help find vulnerabilities in the target web application. Using Shark enables Invicti to provide additional information from the back-end while scanning your web application.
By adding IAST capabilities with the Shark, Invicti provides the following benefits:
- Showing the exact location of the issue and reporting debug information
- Providing additional details to help security teams uncover more vulnerabilities
- Complementing existing Proof-based Scanning™ functionality to automatically prove even more vulnerabilities and simplify remediation efforts
- Ensuring that the entire web application is scanned, including any hidden and unlinked locations that may be inaccessible to the crawler
For Invicti Shark to operate, you need to download an agent and deploy it on your server. Please note that this agent is generated uniquely for each target website for security reasons.
Deploying the Shark Agent is optional. Invicti is still best in class as a black-box scanner, and the Shark Agent improves accuracy and vulnerability results when scanning .NET, Java, Node.js, and PHP web applications.
Shark has only a very minimal impact on resources on the target machine — less than 1% in lab test results.
Recommendation for Invicti Shark
Invicti Shark works best in specific environments. To get the best out of Invicti Shark, you need to use it in the right environment. The following points provide the best practice in using the Shark:
- You need to install Invicti Shark on your staging servers. This is the best place to perform IAST analysis.
- You may install Invicti Shark on virtual machines to perform IAST analysis as part of CI/CD pipelines. In this case, the Shark installation would need to be done as part of the CI/CD pipeline.
- We do not recommend installing Invicti Shark on production servers. Your production environment may run slower although Invicti Shark consumes limited resources.
For further information, see Changing the DAST Game with Invicti IAST.
Invicti Shark fields
This table lists and explains the fields on the Shark (IAST) page.
This is the section that lets you download the required file to use on your server.
This lets you select the server to download the required files for your server, such as PHP, Java.
This lets you override settings for the default Shark Token and Bridge URL/Port.
Bridge URL and Port
Validate Shark Settings
This lets you validate that the request is forwarded to the bridge and the sensor sends the request to the bridge.
This is only available in Invicti Standard.
Downloading Shark Sensors in Invicti Enterprise On-Premises
Ready to use Invicti Shark? Contact us.
To do this, follow these steps: From the main menu, go to Scans > New Scan > Shark, then select I'm Interested in Adding Shark.
Once approved, you are ready to download.
Using Invicti Enterprise On-Demand? See Deploying Shark (IAST) in Invicti Enterprise On-Demand.
How to download Shark sensors in Invicti Enterprise On-Premises
- Log in to Invicti Enterprise
- From the main menu, select Scans > New Scan.
- From the Scan Settings, select Shark (IAST and SCA).
- From the Shark Settings section, select Enable Shark.
- From the Installation Files section, select a platform from the Server Platform drop-down, then click Save As. The download starts immediately.
If you change any of the following settings after the download, please re-download your files.
If you change your token or Bridge URL after installing the Invicti Shark sensor, you must have a clean installation so that the changes take effect.
Whitelist the Bridge URL (https://iast.invicti.com)
- From the Advanced Settings, if required, you can do the following:
- If you have a token already, select the I have a token I would like to reuse checkbox and enter your token.
- Enter your Bridge URL and Port only if you want to override the default bridge URL and Port.
Setting a custom bridge service for Invicti Shark (IAST)
You can use the bridge service provided by Invicti. OR, you can install Invicti IAST Bridge to set up a custom bridge service.
- Install Invicti IAST Bridge
How to set up a custom bridge service
- Press the Windows logo key
- Type Services.
- Make sure the Invicti IAST Bridge is running.
By default, the Invicti IAST Bridge runs at the 7880 port.
- Log in to Invicti Enterprise.
- From the main menu, select Settings > General.
- Go to the IAST Bridge section.
- Enter your custom URL to the Default Bridge URL field. (You can enter your custom URL like this: http://126.96.36.199:7880)
- Select Save.
If you change your bridge URL after installing the Invicti Shark sensor, you must re-install these sensors, so the changes can take effect.
Deploying Invicti Shark in your server is explained in related topics:
- How to install the PHP Shark
- How to install the .NET Shark
- How to install the JAVA Shark
- How to install the Node.js Shark