
Deploying Shark (IAST) in Invicti Enterprise On-Premises

This document is for:
Invicti Enterprise On-Premises

You can run interactive application security testing (IAST) with Invicti Shark on your web application to confirm more vulnerabilities and further minimize false positives.

Invicti provides industry-leading dynamic application security testing (DAST) capabilities to help find vulnerabilities in the target web application. Using Shark enables Invicti to provide additional information from the back-end while scanning your web application.

By adding IAST capabilities with Shark, Invicti provides the following benefits:

  • Showing the exact location of the issue and reporting debug information
  • Providing additional details to help security teams uncover more vulnerabilities
  • Complementing existing Proof-based Scanning™ functionality to automatically prove even more vulnerabilities and simplify remediation efforts
  • Ensuring that the entire web application is scanned, including any hidden and unlinked locations that may be inaccessible to the crawler

For Invicti Shark to operate, you need to download an agent and deploy it on your server. Please note that this agent is generated uniquely for each target website for security reasons.

Deploying the Shark Agent is optional. Invicti is still best in class as a black-box scanner, and the Shark Agent improves accuracy and vulnerability results when scanning .NET, Java, Node.js, and PHP web applications.

Shark has only a very minimal impact on resources on the target machine — less than 1% in lab test results.

Recommendation for Invicti Shark

Invicti Shark works best in specific environments. The following points describe best practice for using Shark:

  • Install Invicti Shark on your staging servers. This is the best place to perform IAST analysis.
  • You may install Invicti Shark on virtual machines to perform IAST analysis as part of CI/CD pipelines. In this case, the Shark installation needs to be done as part of the CI/CD pipeline.
  • We do not recommend installing Invicti Shark on production servers. Although Invicti Shark consumes limited resources, it may slow down your production environment.

For further information, see Changing the DAST Game with Invicti IAST.

Invicti Shark fields

This table lists and explains the fields on the Shark (IAST) page.

Installation Files: This section lets you download the required file to use on your server.

Server Platform: This lets you select the platform of your server (for example, PHP or Java) so that the correct files are downloaded.

Advanced Settings: This lets you override the default Shark Token and Bridge URL/Port.
  • If you want to override the default token and bridge settings, make sure to change them before downloading any files for your server.

Shark Token:
  • This token secures communication between the Invicti scanner and the IAST Shark agent. A unique token is automatically generated for each website’s installation of the Shark agent.
  • If you already have a token, select the I have a token I would like to reuse checkbox and enter your token.
  • This field is mandatory.

Bridge URL and Port:
  • This is the URL and port number of the IAST bridge. The bridge relays information from the Shark agent to the Invicti Scanning Engine.
  • You can set the default bridge URL and port on the General Settings page. The setting on the Shark configuration page lets you override the default bridge URL for each website.
  • As the bridge URL, you can use the URL provided by Invicti, or you can set up a custom bridge. For further information, see Setting a custom bridge URL for Invicti Shark (IAST).
  • Make sure that Shark can connect to the address and port specified.
  • This field is only mandatory for Java, .NET, and Node.js.

Validate Shark Settings: This lets you validate that the request is forwarded to the bridge and that the sensor sends the request to the bridge. This is only available in Invicti Standard.

Downloading Shark Sensors in Invicti Enterprise On-Premises

Ready to use Invicti Shark? Contact us: from the main menu, go to Scans > New Scan > Shark, then select I’m Interested in Adding Shark.

Once your request is approved, you can download the sensors.

Using Invicti Enterprise On-Demand? See Deploying Shark (IAST) in Invicti Enterprise On-Demand.

How to download Shark sensors in Invicti Enterprise On-Premises
  1. Log in to Invicti Enterprise.
  2. From the main menu, select Scans > New Scan.
  3. From the Scan Settings, select Shark (IAST and SCA).
  4. From the Shark Settings section, select Enable Shark.
  5. From the Installation Files section, select a platform from the Server Platform drop-down, then click Save As. The download starts immediately.

If you change any of the following settings after the download, please re-download your files.

If you change your token or Bridge URL after installing the Invicti Shark sensor, you must do a clean installation so that the changes take effect.

Whitelist the Bridge URL (https://iast.invicti.com).

  6. From the Advanced Settings, if required, you can do the following:
  • If you already have a token, select the I have a token I would like to reuse checkbox and enter your token.
  • Enter your Bridge URL and Port only if you want to override the default bridge URL and Port.

Setting a custom bridge service for Invicti Shark (IAST)

You can use the bridge service provided by Invicti, or you can install Invicti IAST Bridge to set up a custom bridge service.

Prerequisite:

How to set up a custom bridge service
  1. Press the Windows logo key.
  2. Type Services.
  3. Make sure that the Invicti IAST Bridge service is running.

By default, the Invicti IAST Bridge listens on port 7880.

  4. Log in to Invicti Enterprise.
  5. From the main menu, select Settings > General.
  6. Go to the IAST Bridge section.
  7. Enter your custom URL in the Default Bridge URL field (for example, http://52.58.213.161:7880).
  8. Select Save.

If you change your bridge URL after installing the Invicti Shark sensor, you must reinstall the sensors for the changes to take effect.
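As an added example (not Invicti's own code) for the "make sure Shark can connect to the address/port" check in the Bridge URL and Port field above and for the custom bridge on port 7880: a POSIX shell script that parses the bridge URL into host and port and tests TCP reachability from the server where the sensor will be installed. It assumes the URL has the form scheme://host[:port] and that `nc` is available with the `-z` and `-w` flags.

```shell
#!/bin/sh
# Added example, not Invicti's own code: parse a Shark bridge URL into host
# and port, then test that this server can open a TCP connection to it.
# Assumptions: URL form is scheme://host[:port][/...]; default ports are
# 443 for https and 80 for http; IPv6 literal hosts are not handled; nc exists.

strip_scheme() {
  printf '%s\n' "$1" | sed -e 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##' -e 's#/.*$##'
}

bridge_scheme() {
  printf '%s\n' "$1" | sed -n 's#^\([a-zA-Z][a-zA-Z0-9+.-]*\)://.*#\1#p'
}

bridge_host() {
  strip_scheme "$1" | sed -e 's#:.*$##'
}

# Print the explicit port, or the scheme's default; fail on an unknown scheme.
bridge_port() {
  authority=$(strip_scheme "$1")
  case "$authority" in
    *:*) printf '%s\n' "${authority##*:}" ;;
    *) case "$(bridge_scheme "$1")" in
         https) echo 443 ;;
         http)  echo 80 ;;
         *)     return 1 ;;
       esac ;;
  esac
}

# Return 0 if a TCP connection to the bridge succeeds within 5 seconds.
bridge_reachable() {
  host=$(bridge_host "$1")
  port=$(bridge_port "$1") || return 1
  [ -n "$host" ] || return 1
  nc -z -w 5 "$host" "$port"
}

# Usage: sh check_bridge.sh https://iast.invicti.com   (or http://host:7880)
if [ -n "$1" ]; then
  if bridge_reachable "$1"; then
    echo "bridge $(bridge_host "$1"):$(bridge_port "$1") is reachable"
  else
    echo "cannot reach bridge $1; check the firewall/whitelist and the port" >&2
    exit 1
  fi
fi
```

Run it on the staging server before installing the sensor; a non-zero exit means the whitelist or port configuration needs attention before the agent will be able to report back.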

Deploying Invicti Shark on your server is explained in the related topics:
