
Integrating Invicti Enterprise with HashiCorp Vault

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

Invicti Enterprise integrates with HashiCorp Vault Key-Value (KV) to provide the following benefits:

  • Eliminate the need to share sensitive credentials for vulnerability scanning on password-protected web pages.
  • Automate credential retrieval to carry out vulnerability assessment on the target website.
  • Manage credentials easily while also ensuring that vulnerability scanning is carried out.

For further information, refer to What systems does Invicti integrate with? and Privileged Access Management and Invicti.

This article explains how to integrate Invicti Enterprise with HashiCorp Vault using either token or TLS certificate authentication.

IMPORTANT: To reduce security risk, we recommend using the minimum privilege required to integrate Invicti Enterprise with HashiCorp Vault.

Invicti Enterprise uses three paths to integrate with HashiCorp Vault:

  • auth/* - used for TLS certificate authentication
  • secret/* - used for storing key-value
  • auth/{certUploadedPath}/login - used for TLS certificate authentication

Before setting up the integration, we recommend creating your policy using these paths and attaching them to your HashiCorp Vault admin token or TLS certificate.

What is HashiCorp Vault?

HashiCorp Vault is a secret management system that provides secure access to secret values, such as passwords and API keys. Because it is a centralized system, HashiCorp Vault also records an audit log showing who accessed which resources, such as a database. In addition, HashiCorp Vault encrypts secrets at rest and in transit, and grants applications access to these secrets only for a limited time.

How to integrate Invicti Enterprise with HashiCorp Vault

  1. Log in to Invicti Enterprise.
  2. In the main menu, select Integrations > New Integration.
  3. From the Secrets and Encryption Management section, select HashiCorp Vault.
  4. Enter a Name for the integration.
  5. Enter your HashiCorp Vault Public Cluster URL.
  6. Select an authentication type:
     • Token: Authentication is performed using your HashiCorp Vault admin token.
     • TLS Certificate: Authentication is performed using a TLS certificate that you provide.
  7. Continue by following the relevant instructions below depending on your choice of authentication.

Token Authentication

  1. Enter your Namespace if you have one. (For more information about HashiCorp Vault namespaces, refer to Vault Enterprise namespaces.)
  2. Under Agent Mode, select an option:
     • Cloud: Invicti verifies the connection with a cloud agent available in the Invicti Enterprise environment.
     • Internal: Invicti verifies the connection with an authentication verifier agent installed in your environment. For further information, refer to Configuring internal agents for secrets management services.
  3. Click Verify and Save to test the connection and save it. (If you have more than one authentication verifier agent, there is a drop-down to select the verifier agent.)

TLS Certificate Authentication

  1. Select Certificate File… and upload the required file.
  2. If your certificate has a password configured, enter the password in the Certificate Password field. Leave this field blank if your certificate does not require a password.
  3. If your certificate is installed using the default path, you do not need to enter anything into the Path field. The default path is: cert
     If your certificate is installed in a different location, enter the path in the Path field.
  4. Enter your Namespace if you have one. (For more information about HashiCorp Vault namespaces, refer to Vault Enterprise namespaces.)
  5. Under Agent Mode, select an option:
     • Cloud: Invicti verifies the connection with a cloud agent available in the Invicti Enterprise environment.
     • Internal: Invicti verifies the connection with an authentication verifier agent installed in your environment. For further information, refer to Configuring internal agents for secrets management services.
  6. Click Verify and Save to test the connection and save it. (If you have more than one authentication verifier agent, there is a drop-down to select the verifier agent.)
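The two authentication modes above map onto two different Vault HTTP API calls: token mode sends the token in a request header, while TLS certificate mode presents the client certificate in the TLS handshake and then calls the login endpoint under the Path you configured (auth/{path}/login, defaulting to auth/cert/login). The following added example, which is not Invicti's or HashiCorp's code, assembles both requests and parses the login response; the Vault URL, namespace and the sample login response are constructed, and the /v1 API prefix, X-Vault-Token and X-Vault-Namespace headers are standard Vault API conventions. Nothing here contacts a server.

```python
"""Added example (not from the Invicti article): building Vault token and
TLS-certificate authentication requests and checking the issued token."""
import json
from typing import Optional

VAULT_URL = "https://vault.example.internal:8200"  # constructed placeholder


def cert_login_request(vault_url: str, cert_path: str = "cert",
                       namespace: Optional[str] = None) -> dict:
    """Build the TLS certificate login call: POST /v1/auth/{path}/login.
    The client certificate itself is presented during the TLS handshake,
    so the JSON body stays empty. 'cert' is Vault's default mount path."""
    mount = cert_path.strip("/") or "cert"
    req = {
        "method": "POST",
        "url": f"{vault_url.rstrip('/')}/v1/auth/{mount}/login",
        "headers": {},
        "body": {},
    }
    if namespace:  # Vault Enterprise namespaces are selected per request
        req["headers"]["X-Vault-Namespace"] = namespace.strip("/")
    return req


def token_headers(token: str, namespace: Optional[str] = None) -> dict:
    """Token mode: the token goes in X-Vault-Token on every request."""
    headers = {"X-Vault-Token": token}
    if namespace:
        headers["X-Vault-Namespace"] = namespace.strip("/")
    return headers


def parse_login_response(body: str) -> dict:
    """Extract the client token issued by the login call and flag tokens
    that carry the root policy, which contradicts the least-privilege
    recommendation for this integration."""
    auth = json.loads(body)["auth"]
    return {
        "client_token": auth["client_token"],
        "ttl_seconds": auth["lease_duration"],
        "renewable": auth["renewable"],
        "policies": list(auth["policies"]),
        "is_root": "root" in auth["policies"],
    }


# Constructed sample in the shape Vault returns from a successful login.
SAMPLE_LOGIN_RESPONSE = json.dumps({
    "auth": {
        "client_token": "hvs.CAESIexample-constructed-token",
        "policies": ["default", "invicti-scanner"],
        "lease_duration": 2764800,
        "renewable": True,
    }
})

if __name__ == "__main__":
    print(json.dumps(cert_login_request(VAULT_URL, "cert", "team-a"), indent=2))
    print(json.dumps(token_headers("s.constructed", None), indent=2))
    print(parse_login_response(SAMPLE_LOGIN_RESPONSE))
```

The is_root flag is the check worth wiring into a verifier: a token or certificate role that resolves to the root policy passes the connection test just as well as a scoped one, so the connection test alone does not tell you the integration is least-privilege.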

Verifying form authentication with HashiCorp Vault

After successfully integrating HashiCorp Vault, you can use this integration to verify a form authentication before launching a new scan.

This table lists and explains the fields in the HashiCorp Vault Settings dialog.

  Integrations
    The name of the integration that you entered in the New Vault Integration window.

  KV Version
    The Key-Value version of the secret engine. There are two options, V1 and V2; select the one that matches your engine.

  Secret Engine
    The name you gave the engine in the Vault.

  Secret
    The name you gave the secret for the target website in the Vault.

  Username Key
    The key that holds the username value.
    Enable the Use static username checkbox only if you do not plan to change the username routinely.

  Password Key
    The key that holds the password value.
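The KV Version, Secret Engine, Secret and key fields together determine three things a client needs: the API path at which the secret is read (KV v2 inserts data/ between the engine mount and the secret name), the shape of the JSON that comes back (v2 nests the key-value pairs one level deeper under data), and the narrowest policy that still lets the integration read it. The following added example, not part of the Invicti article or of HashiCorp's code, derives all three from those settings and also handles the Use static username option; the engine name, secret name, key names and sample responses are constructed, and the rendered policy is narrower than the secret/* and auth/* paths listed earlier in this article, which you can widen if your setup needs more than a single read.

```python
"""Added example (not from the Invicti article): deriving the read path,
a least-privilege policy and the response parser from the HashiCorp Vault
Settings fields for KV v1 and KV v2."""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class VaultSettings:
    secret_engine: str               # Secret Engine field (KV mount name)
    secret: str                      # Secret field (secret for the target site)
    kv_version: int                  # KV Version field: 1 or 2
    username_key: str                # Username Key field
    password_key: str                # Password Key field
    static_username: Optional[str] = None  # set when Use static username is on


def read_path(s: VaultSettings) -> str:
    """KV v1 reads <mount>/<secret>; KV v2 reads <mount>/data/<secret>."""
    if s.kv_version == 1:
        return f"{s.secret_engine}/{s.secret}"
    if s.kv_version == 2:
        return f"{s.secret_engine}/data/{s.secret}"
    raise ValueError("kv_version must be 1 or 2")


def minimal_policy(s: VaultSettings, cert_mount: str = "cert") -> str:
    """Render a Vault policy (HCL) granting only a read on the one secret the
    scan needs plus the update capability the certificate login call requires.
    cert_mount is the Path value from the TLS certificate setup (default cert)."""
    return (
        f'path "{read_path(s)}" {{\n  capabilities = ["read"]\n}}\n\n'
        f'path "auth/{cert_mount}/login" {{\n  capabilities = ["update"]\n}}\n'
    )


def extract_credentials(s: VaultSettings, response_body: str) -> dict:
    """Pull the username and password out of a KV read response.
    v1 returns {"data": {key: value}}; v2 returns
    {"data": {"data": {key: value}, "metadata": {...}}}."""
    payload = json.loads(response_body)["data"]
    kv = payload["data"] if s.kv_version == 2 else payload
    if s.password_key not in kv:
        raise KeyError(f"password key {s.password_key!r} not found in secret {s.secret!r}")
    if s.static_username is not None:
        username = s.static_username      # fixed username, not read from the vault
    elif s.username_key in kv:
        username = kv[s.username_key]
    else:
        raise KeyError(f"username key {s.username_key!r} not found in secret {s.secret!r}")
    return {"username": username, "password": kv[s.password_key]}


# Constructed responses in the shape each KV version returns for a read.
SAMPLE_V1 = json.dumps({"data": {"username": "scanner", "password": "v1-pass"}})
SAMPLE_V2 = json.dumps({"data": {"data": {"username": "scanner", "password": "v2-pass"},
                                 "metadata": {"version": 3}}})

if __name__ == "__main__":
    v2 = VaultSettings("secret", "shop-prod", 2, "username", "password")
    print(read_path(v2))
    print(minimal_policy(v2))
    print(extract_credentials(v2, SAMPLE_V2)["username"])
```

A mismatch between the KV Version field and the engine's real version is the most common reason Test Vault Settings fails while the integration itself verifies: the integration connection test only proves the token or certificate works, whereas the settings test actually reads the path derived here, which is different for v1 and v2.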

How to use the Vault integration to verify form authentication

  1. Sign in to Invicti Enterprise.
  2. In the main menu, select Scans > New Scan.
  3. Enter the Target URL.
  4. From the Authentication settings, select the Form tab.
  5. Select Form Authentication.
  6. Click the New Persona drop-down, and select HashiCorp Vault.
  7. Complete the fields in the HashiCorp Vault Settings dialog box.
  8. Select Test Vault Settings to test the connection.
  9. Select Save.
  10. From the Personas section, select Verify Login & Logout to test the new Persona.

TIP: Select Test Vault Settings to verify that the username and password are retrieved correctly.
