In this glossary, you can find an explanation of commonly used terms in Invicti.
This is the user that has all the permissions in a Invicti Enterprise account.
This is an issue that has been addressed and whose state has been updated.
- Scan Agent: This lets you scan your website. The agent will conduct the actual scan job and then report the results back to Invicti Enterprise. For further information, see Installing Internal Agents.
- Authentication Verifier Agent: This carries out the form authentication so that you can run an authenticated scan in your network. For further information, see Authentication Verifier for Internal Agents.
This displays whether the agent is scanning or an authentication verifier agent.
Application and Service Discovery
This service enables you to become aware of an enterprise’s online assets, web applications, and services.
This lets you save a custom script for form authentication in Invicti and use it many times for different websites. When configured, Invicti uses this custom script to authenticate itself against the target website. For further information, see Authentication Profiles.
Bi-directional Integration (2-way sync)
This is an integration method that helps Invicti and an issue tracker system to synchronize issues between the applications. For further information, see Integrations.
This is the likelihood of that vulnerability being present.
Invicti classifies vulnerabilities in various standards like CWE, CVSS, PCI, and HIPAA.
This indicates that Invicti is 100% certain about an issue identified. Invicti verifies vulnerabilities by exploiting them in a read-only and safe manner. For further information, Proof-Based Scanning.
This is an attack method that can be used to scan a link with selected parameters and engines.
Heuristic Web Vulnerability Scanner
Invicti is a heuristic scanner and does not use a signature database as traditional antivirus software does. So, it’s able to identify zero-day vulnerabilities in any type of custom web application. For further information, see the Advantage of Heuristic over Signature Based Web Vulnerability Scanners.
This allows scanning of newly introduced and amended pages since the initial scan. Invicti also checks whether the vulnerabilities identified previously still exist.
This is a vulnerability identified by Invicti.
This is an HTTP Request for Invicti. This can be a web page, submit button at the end of a form, or AJAX requests.
This is the pool where Invicti collects all links while crawling the web application or website. Invicti also uses this link pool to attack these links to identify vulnerabilities.
This is a process that is used to scan parts of a web application that cannot be crawled automatically. This feature also lets you scan mobile web applications and native desktop applications. For further information, see Manual Crawling in Proxy Mode.
This lets Invicti detect out-of-band vulnerabilities. For further information, see How Invicti Hawk Finds Vulnerabilities.
Invicti Shark (IAST)
This adds interactive security scanning (IAST) capabilities to Invicti Enterprise. For further information, see Deploying Invicti Shark.
This lets you and your users be informed immediately about the status of a web application security scan or when specific vulnerabilities are detected by it. For further information, see Notifications.
Invicti’s Proof-Based Scanning technology actively and automatically verifies detected vulnerabilities, confirming that they are real and not false positives, by exploiting them in a read-only and safe manner.
It’s completely safe. For example, when exploiting a SQL injection vulnerability and generating a proof of exploit for it, the scanners only try to read data from the database, not write or delete data from the database.
Proof of Concept
Proof of Concept is the actual exploit that proves that the vulnerability exists. For example, after exploiting cross-site scripting (XSS) vulnerability, Invicti will report the payload that was used to inject code. Apart from providing evidence of the vulnerability, a proof of concept can also help developers isolate the exact issue that made exploitation possible.
Proof of Exploit
A proof of exploit is used to report the data that can be extracted from the vulnerable target once the vulnerability is exploited, demonstrating the impact an exploited vulnerability can have and proving that it is not a false positive.
Invicti scanners can generate proof when they identify the following vulnerability types:
- SQL Injection
- Boolean SQL Injection
- Blind SQL Injection
- Remote File Inclusion (RFI)
- Command Injection
- Blind Command Injection
- XML External Entity (XXE) Injection
- Remote Code Evaluation
- Local File Inclusion (LFI)
- Server-side Template Injection
- Remote Code Execution
- Injection via Local File Inclusion
This is a list of reporting settings for web security scan results and reports. For further information, see Overview of Report Policies.
Invicti allows you to work with HTTP requests. Thanks to the request builder, you can, for example, craft your own HTTP requests, send requests to targets, and modify the imported HTTP requests. For further information, see HTTP Request Builder.
This is a feature of Invicti that checks files and folders that can lead to security risks even when they are not linked in the web application. These files, for example, can be admin, login, or backups.
This allows the scanning of the vulnerable pages after the fix.
This allows you to determine what kind of responsibilities a team member has within Invicti Enterprise. For further information, see Managing Roles in Invicti Enterprise.
This shows the importance of vulnerability identified. For further information, see Vulnerability Severity Levels.
This lets you schedule scans in advance. You can schedule full, incremental, and group scans. For further information, see Scheduling Scans.
This lets Invicti create a scan group based on your scan configuration although these scans are related to the same host/domain name. So, you can view relevant dashboards, issue trends, etc. based on the scan group you selected. For further information, see Scan Groups in Invicti Enterprise.
This is a list of web application security scan settings. When you want to run a Scan, you attach it to a Scan Policy. For further information, see Overview of Scan Policies.
Scan Policy Optimizer
This is a built-in wizard that helps you narrow down the security checks that will be run against your web application. Thanks to the optimizer, you can tweak the scanner to only run, for instance, Apache-related security checks while ignoring ISS-related checks. For further information, see Scan Policy Optimizer.
This lets you save scan settings for future scans. Scan Profiles can be reconfigured at any time. For further information, see Scan Profiles.
This allows you to define which parts of the target web application should be crawled. For further information, see Scan Scope.
This is the target URL of the website, including the path.
This is the person who is responsible for the website or vulnerability.
This provides correlated, trending data about the status of those vulnerabilities identified in your web application across several scans. For further information, see Trend Matrix Report.
A website is defined in Invicti as a fully qualified domain name (FQDN). An FQDN is the complete domain name for a specific target and consists of two parts: the hostname and the domain name.
The below examples are considered to be 1 website as they share the same FQDN.
Subdomains and ports share the same FQDN but are considered to be different websites. For example:
Invicti lets you group websites to ease the management of multiple websites and scans. Grouping websites also is important for the multiple team feature in Invicti as you can assign a team or members only to website groups. For further information, see Website Groups in Invicti Enterprise.
This is the database Invicti rests on to report known technologies, their versions, and their vulnerabilities. The database is periodically updated. For further information, see the Vulnerability Database.