Generating Exploits for Vulnerabilities in Invicti Standard
Generate Exploit is a feature of Invicti Standard that demonstrates vulnerabilities that occur in the client side, such as Cross-site Scripting (XSS) and Cross-Site Request Forgery (CSRF).
- Invicti can exploit identified vulnerabilities automatically thanks to its Proof-Based ScanningTM technology. This technology eliminates the need to manually verify the vulnerability and makes sure that identified vulnerabilities are not false positives.
- While Invicti provides the Proof of Exploit for issues such as SQL and Command Injection, the scanner presents Proof of Concept (PoC) for vulnerabilities such as XSS and CSRF as these vulnerabilities occur in the client-side or originate from the client side practices.
What is Proof of Concept?
Proof of Concept is the term we used to describe the actual exploit that proves that a detected vulnerability exists.
For certain vulnerabilities – XSS and CSRF – Invicti generates an HTML exploit code snippet. When you download the HTML code and run it on your computer, the scanner demonstrates how attackers can exploit the identified vulnerability, showing you its potential impact.
- In XSS vulnerabilities for example, the scanner provides such proof because the cookie value that can be obtained after a successful exploitation will appear as a different value in another client.
- Similarly, the state change caused by a Cross Site Request Forgery (CSRF) vulnerability on the web application side is unpredictable for a black-box scanner, since it cannot access the web application’s source code and predict what its request may cause.
The Generate Exploit button is displayed only in the case of XSS and CSRF vulnerabilities.
How to Generate Exploits for Vulnerabilities in Invicti Standard
- Open Invicti Standard
- From the ribbon, select the File tab. Local Scans are displayed. Doubleclick the relevant scan to display its results.
- From the Sitemap or Issues panel, select an XSS or CSRF vulnerability.
- In the Vulnerability tab, click Generate Exploit.
- The Save As dialog box is displayed.
- Select a save location and click Save.
- You can view the HTML file in the Save location.