Availability

Package: Invicti AppSec Core (on-demand), Invicti AppSec Enterprise (on-premise, on-demand)

DAST overview

What is Invicti DAST?

Invicti DAST (Dynamic Application Security Testing) is an automated scanner that identifies security vulnerabilities in running web applications, web services, and APIs. It operates as a black-box scanner, testing applications from the outside without requiring access to source code. This makes it technology-agnostic: it can scan applications regardless of the programming language, framework, or platform.

For Invicti AppSec Core, Invicti DAST is pre-activated and ready to use. No manual setup or integration is required.

How it works

Invicti DAST scans in four stages:

1. Crawling

The crawler maps the entire attack surface of the target application by behaving like a real user. It visits all detected links, clicks buttons, submits forms, and populates a list of all potential attack vectors. Crawling techniques include:

  • Text parsing: parses web pages to acquire the HTML structure.
  • DOM parsing: analyzes static HTML and dynamic JavaScript/AJAX interactions, with support for frameworks like jQuery and AngularJS.
  • API definition parsing: parses SOAP, REST, and GraphQL API definitions (WSDL, WADL, OpenAPI/Swagger).
  • Extra finders: probes for hidden files such as admin panels, backup files, and undiscovered resources.
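As an added illustration of the API definition parsing step (example code written for this page, not Invicti's own crawler), the script below walks a constructed OpenAPI 3 document and lists every operation parameter and request-body field a crawler would register as an input point for the attacking stage:

```python
"""Enumerate the input points a DAST crawler derives from an OpenAPI 3 definition.

Illustrative example, not Invicti's code. The sample spec is constructed here;
the idea is that every path, query, header and body field becomes a point the
scanner will later test, so the list is the API's attack surface.
"""
import json

HTTP_METHODS = ("get", "put", "post", "delete", "patch", "head", "options", "trace")

# Constructed sample OpenAPI 3 document (not a real API).
SAMPLE_SPEC = json.dumps({
    "openapi": "3.0.0",
    "paths": {
        "/users/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True}],
            "get": {"parameters": [{"name": "fields", "in": "query"}]},
            "delete": {"parameters": [{"name": "X-Reason", "in": "header"}]},
        },
        "/search": {
            "post": {
                "requestBody": {"content": {"application/json": {
                    "schema": {"type": "object",
                               "properties": {"q": {"type": "string"},
                                              "limit": {"type": "integer"}}}}}}
            }
        },
    },
})


def enumerate_input_points(spec_text):
    """Return a sorted list of (method, path, location, name) tuples."""
    spec = json.loads(spec_text)
    points = set()
    for path, item in spec.get("paths", {}).items():
        shared = item.get("parameters", [])  # path-level params apply to every method
        for method in HTTP_METHODS:
            op = item.get(method)
            if op is None:
                continue
            for p in shared + op.get("parameters", []):
                points.add((method.upper(), path, p["in"], p["name"]))
            # Top-level properties of a JSON body schema are body input points.
            for media_type, media in op.get("requestBody", {}).get("content", {}).items():
                for name in media.get("schema", {}).get("properties", {}):
                    points.add((method.upper(), path, "body:" + media_type, name))
    return sorted(points)


if __name__ == "__main__":
    for point in enumerate_input_points(SAMPLE_SPEC):
        print(point)
```

Nested schemas, `$ref` lookups and `allOf` composition are left out to keep the example short; a production crawler resolves those before counting fields.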

2. Attacking

The scanner sends attack payloads to each discovered input point and analyzes responses for vulnerability patterns. This stage has three phases:

  • Detection: identifies potential vulnerabilities from response patterns.
  • Confirmation: conducts follow-on tests to confirm the finding isn't a false positive.
  • Proof generation: safely exploits the confirmed vulnerability in a read-only manner and generates concrete proof of exploitability.

Crawling and attacking happen concurrently: the scanner continues discovering new pages while testing already-discovered ones.

3. Recrawling

The scanner recrawls the application because the attacking stage may have uncovered new links. This stage is also critical for detecting stored XSS and second-order vulnerabilities that only appear when the scanner revisits a page.

4. Late confirmation

This stage handles time-sensitive vulnerabilities such as Blind SQL Injection (which requires delayed responses) and out-of-band vulnerabilities.

What it can discover

Invicti DAST detects vulnerabilities across the following categories:

Category                     | Examples
-----------------------------|------------------------------------------------------------------------------------------------------------
Injection                    | SQL Injection, NoSQL Injection, Command Injection, LDAP Injection, XXE Injection, Server-Side Template Injection
Cross-Site Scripting (XSS)   | Reflected XSS, Stored XSS, DOM-based XSS
Remote code execution        | RCE, Local File Inclusion, Remote File Inclusion, Directory Traversal
Server-Side Request Forgery  | SSRF
Authentication and session   | Authentication flaws, Session fixation, Cookieless session state
Security misconfigurations   | Debug modes enabled, Mixed content over HTTPS, Unsafe CSP directives, Version disclosure
Known vulnerabilities        | Outdated libraries, Log4Shell, and other CVEs in third-party components

Invicti DAST supports detection and reporting against OWASP Top Ten 2021 and OWASP API Security Top Ten 2023.

Proof-based scanning

Invicti's proof-based scanning technology is what sets it apart from traditional DAST tools. Instead of only flagging potential issues, it safely exploits confirmed vulnerabilities in a read-only manner and generates a concrete proof-of-exploit. This practically eliminates false positives for confirmed findings, allowing teams to focus on real issues.

Invicti DAST editions

Invicti AppSec supports two editions of Invicti DAST:

Edition             | Package           | Activation                                     | Scan types
--------------------|-------------------|------------------------------------------------|--------------------------------------
Invicti Platform    | AppSec Core       | Pre-activated, no setup required               | Profile-based scanning
Invicti Enterprise  | AppSec Enterprise | Requires manual activation under Integrations  | New (full scan), Incremental, Retest
