Importing links and API definitions

This document is for:
Invicti Standard, Invicti Enterprise On-Premises, Invicti Enterprise On-Demand

This guide shows you how to import links and API definition files from either a file or a URL to Invicti Enterprise and Invicti Standard. This lets you specify pages for scanning that may not be linked from any other part of your website.

Overview

When Invicti crawls and scans a target, it tries to reach all parts of the website. However, some input points and resources may not be linked from anywhere on the target, which can prevent Invicti from identifying all vulnerabilities on the website. By importing links or API definition files, you can specify all the web pages you want to be scanned. You can import links or API definition files from either a file or a URL. You can also make sure Invicti considers data from third-party tools during the scan.

For more information about importing links from third-party tools, refer to Importing links from supported tools.

How to import links and API definitions to Invicti Enterprise

  1. Open Invicti Enterprise.
  2. From the main menu, select Scans > New Scan.
  3. Populate the Target URL and Scan Profile.
  4. In the Scan Settings menu, select Links/API Definitions.

  5. To specify the links for import, use one of the following options:
  • Enter Links: Add your links manually in the Enter Links section.
  • From File: Select the relevant third-party tool in the From File section and import the file. With this option, you will be required to import the file again every time you edit it.

NOTE: The maximum individual file size limit is 10MB, and the maximum total upload size is 100MB (combined total for all uploaded files).

  • From URL: Select the relevant third-party tool in the From URL section and enter the URL of the file. With this option, when you make changes to the document, there is no need to reupload it because it is already linked. For example, in the case of GraphQL, even if you edit the schema repeatedly, you do not need to import the file to Invicti because the scanner can already access it via the URL.
  6. Add Scan Tags and any Comments.
  7. Select Launch to start the scan.

How to import links and API definitions to Invicti Standard

  1. Open Invicti Standard.
  2. From the Home tab, select New.
  3. Populate the Target URL.
  4. In the Start a New Website or New Service Scan dialog, click the down arrow to expand the Options menu.

  5. On the left-hand side, select Links/API Definitions.
  6. To specify the links for import, use one of the following options:
  • From File: Select the icon of the relevant third-party tool and import the file. With this option, you will be required to import the file again every time you edit it.
  • From URL: Select the icon of the relevant third-party tool and enter the URL of the file. With this option, when you make changes to the document, there is no need to reupload it because it is already linked. For example, in the case of GraphQL, even if you edit the schema repeatedly, you do not need to import the file to Invicti because the scanner can already access it via the URL.
  • Imported Links: Manually enter the URL information for one or more URLs. Refer to the section below for more detailed information about how to manually enter URLs.

There are two ways to enter the URLs:

  1. By using the Enter Links button:
     1. The Enter Links/HTTP Requests window is displayed. Select the appropriate option from the Link Format dropdown.
     2. Type the URLs and press OK.
  2. By adding the details of a single link or request through the Add button:
     1. Press Add.
     2. Add the request details.
     3. On the bottom left-hand corner of the Add New Link window, there is the Enable Raw Request Body checkbox. If you select this option, the POST parameters in the request form will be ignored.
     4. Select Save to save the data you entered and close the window.

  7. Click Start Scan.

NOTE: You can also choose to only scan the imported links. To do this, click the drop-down arrow next to Start Scan, then select Scan Imported Links Only. Note that when you choose to scan only imported links, Invicti's "Find and Follow New Links" option is automatically disabled. This means that Invicti cannot identify any new links based on the imported links provided, potentially resulting in missed vulnerabilities.