Support
Scanning APIs

Importing links from supported tools

This document is for:
Invicti Standard, Invicti Enterprise On-Premises, Invicti Enterprise On-Demand

The Imported Links feature allows you to add links to determine web pages that you want scanned. This gives the scanner a head start and achieves greater coverage during scanning. You can also ensure that data already captured using other tools is included in the scan.

This guide explains the file types that can be imported into Invicti Enterprise and Invicti Standard and explains how to import them. For more information on how to import links for additional websites in both Invicti Enterprise and Invicti Standard, refer to Importing links and API definitions.

NOTE: In Invicti Enterprise, the maximum individual file size limit is 10MB, and the maximum total upload size is 100MB (combined total for all uploaded files). If the file size is bigger, you can split the files into separate files to be able to upload them.

What file types can be imported?

An Invicti scan can be fed using output from the following tools:

Acunetix Xml

You can import an Acunetix XML file to Invicti Standard for vulnerability scanning.

How to export an XML file from Acunetix Online

  1. Log in to Acunetix Online.
  2. From the main menu, select Scans.
  3. From the list of scans, select the scan you want to export.
  4. From the Export to drop-down, select XML. The file will begin to download to your default downloads folder.

ASP.NET Project File (.csproj, .vbproj)

ASP.NET project files can be used in the previous version of ASP.NET, prior to ASP.NET Core. This project file can store resource links used in an ASP.NET project, such as JavaScript files, CSS files, and multimedia resources such as images or static content.

You can import ASP.NET Project Files to your Invicti product, and if it encounters a .csproj or .vbproj file during crawling, it will parse and extract new URLs from those files too.

Burp Saved Items

You can use the Burp Suite to save links and add them to your Invicti product for vulnerability scanning.

How to export URLs from Burp

  1. Open Burp.
  2. Ensure that Burp is configured to listen to the proxy.
  3. Visit the URLs at the target website after configuring it to listen to the proxy.
  4. From the main ribbon, select Proxy > HTTP history.

  1. Right-click to select and save the targets, and select Save items. A dialog box is displayed.
  2. Enter a filename and select Save.

Comma Separated Values

You can use an Excel document to create a list of URLs in a CSV file that you can import into a vulnerability scan. This is a manual process that lets you include URLs that are unlinked from the target website.

How to use Microsoft Excel to create a CSV upload file

  1. Open Microsoft Excel.
  2. In a blank document, type each URL into a separate cell in one column.

  1. Save the document as a CSV file.

Fiddler

Fiddler is a debugging proxy server application that captures HTTP and HTTPS traffic, and logs it for you to review. Since the program is able to capture the traffic, you can save the URLs to import into your Invicti product for vulnerability scanning. You can download Fiddler Classic 4.0 via this link.

How to configure Fiddler to capture HTTPS Connections

  1. Open Fiddler.
  2. Ensure that Fiddler is configured to listen to the proxy.
  3. From the main ribbon, select Tools > Options.
  4. From the Options window, select the HTTPS tab.
  5. From the HTTPS tab, select the Capture HTTPS CONNECTs and Decrypt HTTPS traffic.

  1. Select Yes to continue.
  2. From the Security Warning window, select Yes to continue.
  3. From the Add certificate to the Machine Root List? window, select Yes to continue.

Fiddler added its root certificate to the Machine Root list. Now, it is configured to capture HTTPS traffic. You can visit your target website so that Fiddler can capture the traffic to scan this website in Invicti Enterprise.

How to export URLs from Fiddler

  1. Open Fiddler.
  2. Visit the URLs at the target website.
  3. From the Session List tab, select your targets.

  1. Right-click, and select Save > Selected sessions > in ArchiveZIP. A dialog box is displayed.
  2. Enter a filename, and select Save.

HTTP Archives

HAR (HTTP Archive) is a file format that logs session data between the client and the server. It is a JSON-formatted archive file that saves the information of all web responses and requests made with the browser, which helps detect performance issues. Since you can log your session, you can easily export URLs that you visited into your Invicti product for scanning.

TIP: With browsers, you can save HAR files. No additional program is required. In this procedure, Google Chrome is used to create a HAR file.

How to export URLs from Chrome

  1. Open Chrome.
  2. Press F12 on your keyboard to open Developers tools and then select the Network tab.

  1. Ensure the Preserve log box is checked and Network traffic (red dot) is logged.
  2. Delete the traffic already appearing in the window.
  3. Visit the URLs at the target website.

  1. Right-click and select Save all as HAR with content. A dialog box is displayed.
  2. Enter a filename and select Save.

I/O Docs

I/O Docs is a live, interactive documentation system for RESTful web APIs. When the method, resources, and parameters of APIs are defined in JSON format, I/O Docs will automatically generate a JavaScript client interface to test exposed API functions. URLs can be imported from I/O Docs files to feed the Invicti link pool.

Invicti Session File

URL importing allows you to upload an Invicti Session File. You can upload an AutoSave file created by Invicti Standard or a report file generated by either Invicti Enterprise or Invicti Standard. The scanner identifies any URLs in these files and imports them into your Invicti product.

How to import URLs as an Invicti Session File from Invicti Enterprise

  1. Log in to Invicti Enterprise.
  2. From the main menu, select Scans > New Scan.
  3. On the New Scan page, select the Links/API Definitions tab.
  4. From the Import Links drop-down, select Invicti Session File, then upload the saved file.
  5. You can view the imported links when the upload is successful.

How to import URLs as an Invicti Session File from Invicti Standard

  1. Open Invicti Standard.
  2. In the Home tab, select New.
  3. On the Start a New Website or New Service Scan window, select the Imported Links tab.

  1. From the Imported Links drop-down, select Invicti Session File, then upload the saved file.

  1. You can view the imported links when the upload is successful.

OWASP ZAP

Zed Attack Proxy (ZAP) by Checkmarx (previously 'OWASP ZAP') is a free, open-source penetration testing tool designed specifically for testing web applications.

You can export all of the URLs recorded by ZAP using the top-level menu:
Report > Export All URLs to a File… However, first, you need to install the Report Generation Add-on from the ZAP Marketplace.

Postman Collections

Postman is an API testing tool that offers integration capacity with the CI/CD pipeline. It also helps you to create mock-up tests and API documentation.

You can create request collections and API test suites in Postman. You can also use request collections prepared in Postman in your Invicti product when you're auditing your web application or API security.

NOTE: Invicti Standard and Invicti Enterprise support the Collection Variables.

How to export URLs in Postman

  1. Open Postman.
  2. Create a request collection and requests individually. (If you already have collections, go to the next step.)
  3. Next to your request collection, select the ellipsis button to display the menu.

  1. Select Export.
  2. On the Export Collection window, select the required format, and select Export.

  1. In the window that opens, select a location, and Save.

RAML

The RESTful API Modeling Language (RAML) is a way to describe RESTful APIs so that both humans and computers can read them. It describes resources, methods, parameters, responses, and media types in a clear way. Providing a structured and clear format for API, RAML makes it easy to manage the entire API lifecycle. RAML can also describe those APIs that do not obey all the constraints of REST.

Open API

Open API is a technical specification that describes certain APIs. It allows humans and computers to discover and understand the capabilities of a service that does not require access to source code, additional documentation, or the inspection of network traffic.

Web Application Description Language

WADL (the Web Application Description Language) is an XML description of HTTP-based web services that a machine can read. Aiming to simplify and promote the reuse of web services based on the existing HTTP, WADL describes the resources provided by a service and the relationships between them.

Web Services Description Language

WSDL (Web Services Description Language) is an XML file that tells the client application what the web service does. It also provides all the information necessary to connect to the web service and use all the functionality provided by the web service.

WordPress REST API

WordPress is a popular open-source content management        system. With JSON (JavaScript Object Notation) format, WordPress REST API provides an interface for other websites and software to interact with your WordPress site in sending and receiving data.