Importing links and API definitions
You can import links or an API definition file to Invicti from a file or a URL. This feature lets you specify pages that you want to scan but that are not linked from anywhere on the website.
Invicti crawls the target website to reach maximum coverage. When you launch a scan, Invicti acts like a search engine bot: the scanner visits every link that it detects and makes requests to all input points in the detected resources, including the URLs used to reach these resources.
However, some parts of the website may not be linked from anywhere on it. This can prevent Invicti from achieving maximum coverage and identifying all vulnerabilities on the target website.
- The Links and API Definitions feature in Invicti lets you add links and files that specify the web pages you want scanned.
- You can also ensure that the scan includes data already captured with other tools.
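The coverage gap described above, as an added example (not Invicti's crawler or code): a minimal link-following crawl over a constructed in-memory site, compared against an inventory of known paths to produce the URLs worth importing. The host `shop.example.test`, the page contents, and the inventory are all constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

BASE = "https://shop.example.test"  # hypothetical target
# Constructed sample site: path -> HTML body.
SITE = {
    "/": '<a href="/products">Products</a> <a href="login">Login</a>',
    "/products": '<a href="/">Home</a> <a href="https://cdn.example.net/x">CDN</a>',
    "/login": '<form action="/session" method="post"></form>',
    "/session": "",
    "/admin/export": '<a href="/admin/export/csv">CSV</a>',  # linked from nowhere
    "/admin/export/csv": "",  # linked only from an unlinked page
    "/api/v1/health": "",  # linked from nowhere
}
# Constructed inventory, e.g. paths taken from a sitemap or server access logs.
KNOWN_PATHS = ["/", "/products", "/session", "/admin/export",
               "/admin/export/csv", "/api/v1/health"]


class LinkExtractor(HTMLParser):
    """Collects href/action/src targets, as a link-following crawler would."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        self.targets += [v for k, v in attrs if k in ("href", "action", "src") and v]


def crawl(base, site, start="/"):
    """Breadth-first crawl from start, staying on base's host; returns reached paths."""
    host = urlsplit(base).netloc
    seen, queue = {start}, [start]
    while queue:
        path = queue.pop(0)
        parser = LinkExtractor()
        parser.feed(site.get(path, ""))
        for target in parser.targets:
            url = urlsplit(urljoin(base + path, target))
            if url.netloc == host and url.path not in seen:
                seen.add(url.path)
                queue.append(url.path)
    return seen


def links_to_import(base, site, known_paths):
    """Known paths the crawl never reached, as absolute URLs to add as links."""
    return sorted(base + p for p in set(known_paths) - crawl(base, site))
```

Here `/admin/export/csv` is linked, but only from a page the crawl never reaches, so it is reported along with the two pages that have no inbound link at all.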
Difference between From File and From URL
You can import your links and API definitions from a file or from a URL.
- The From File option lets you import your document to Invicti. This requires you to import the file again every time you edit it.
- The From URL option instead lets you host the file in your environment at a URL that Invicti can access.
- In the case of GraphQL, for example, even if you edit the schema repeatedly, you do not need to re-import the file to Invicti, as the scanner can access it via the URL.
For further information about importing links from third-party tools, see Importing links from supported tools.
This topic explains how to import links and API definitions from a file or from a URL to Invicti.
Links/API Definitions Fields
This table lists and describes the fields in the Links/API Definitions tab.
|Field|Description|
|---|---|
|From File|Specify a file to import your links/API definitions.|
|From URL|Specify a URL to import your links/API definitions. This is only available in Invicti Enterprise.|
|Enter Links|Specify the links that you want to scan.|
|Add|Specify the pages that you want to scan. This is only available in Invicti Standard.|
|Imported Links|Select a file for importing links from the drop-down.|
Importing links/API definitions in Invicti Enterprise
How to import links/API definitions in Invicti Enterprise
- Open Invicti Enterprise.
- From the main menu, select Scans > New Scan.
- On the New Scan page, select Links/API Definitions.
- To specify links, you can do one of the following:
  - From the From File section, select the third-party tool’s icon to select and update the supported file.
  - From the From URL section, select the third-party tool’s icon to enter the URL.
  - From the Enter Links section, add your links manually.
- Select Launch to start the scan.
Importing links/API definitions in Invicti Standard
How to import links/API definitions in Invicti Standard
- Open Invicti Standard.
- From the Home tab, select New.
- From the Start a New Website or New Service Scan window, select Links/API Definitions.
- To specify links, you can do one of the following:
  - From the From File section, double-click the tool icon to select and update the supported file.
  - From the From URL section, double-click the tool icon to enter the URL.
  - From the Imported Links section, enter only the URL information for one or more URLs manually:
    - Select Enter Links. The Enter Links/HTTP Requests dialog is displayed.
    - Select the Link Format drop-down and select the appropriate option.
    - Add the new link details.
    - Select OK.
  - By adding the details of a single link or request:
    - Select Add.
    - On the Add New Link window, add the details for the whole request.
    - Select the Enable Raw Request Body checkbox to add a raw request body. If you enable this option, the POST parameters in the request form will be ignored.
    - Select Save.
- From the Start Scan button, select Start Scan.
To scan only the imported links, select Scan Imported Links Only from the Start Scan drop-down. Note that when you choose to scan only imported links, Invicti’s “Find and Follow New Links” option is automatically disabled. This means that Invicti cannot identify any new links based on the imported links provided, potentially resulting in missed vulnerabilities.