This document is for:
Invicti Enterprise on-demand, Invicti Enterprise on-premises

Deploy Invicti Shark for Node.js

You can use Invicti Shark to carry out interactive security testing (IAST) in your web application to confirm more vulnerabilities and further minimize false positives.

  • Node.js is an open source server environment designed to build scalable network applications, as it is capable of handling a vast number of simultaneous connections with high throughput. Depending on the specific frameworks and libraries, debugging a Node.js application can be tricky though.
  • You can take advantage of Invicti Enterprise's unique DAST-induced IAST approach to get an inside view into how security checks and test payloads are processed within these environments. These additional insights let you isolate the location and root cause of security defects quickly.

Before deploying Invicti Shark, note the list of supported servers and frameworks.

Environment | Supported servers and frameworks
NodeJS Runtime
  • Tested on Windows: v10, v12, v14, v16, v18, v20
  • Tested on Ubuntu 20: v10, v12, v14, v16, v18, v20
Database Clients
  • better-sqlite3
  • Knex (PostgreSQL, CockroachDB, MSSQL, MySQL, MariaDB, SQLite3, Better-SQLite3, Oracle, and Amazon Redshift)
  • MySQL
  • PostgreSQL
  • Sequelize (Oracle, Postgres, MySQL, MariaDB, SQLite and SQL Server)
  • SQLite3
Routers
  • Director
  • Express
  • find-my-way
  • koa-router
  • LoopBack 4
  • Restify
  • Router
Templating
  • EJS
  • Handlebars
  • Pug
Others
  • Axios (http-request)
  • ldapjs (ldapquery)
  • Libxmljs (xmlparser)
  • Needle (http-request)
  • Nodemailer (sendmail)

For Invicti Shark to operate, you need to download an agent and deploy it on your server. Please note that this agent is generated uniquely for each target website for security reasons.

Invicti Shark works by invoking the agent when the Node.js application is launched, so deploying it means starting your application through the agent.

Deploying Invicti Shark in Node.js consists of 3 steps:

Step 1: Download the Invicti Shark agent

Step 2: Copy the Invicti Shark agent

You need to create a dedicated folder inside the root folder of your operating system to hold the Invicti Shark agent.

  1. Create a folder in C: and name it shark.
  2. Copy the Shark(IAST).tar file into C:\shark\.

Step 3: Launch your Node.js web application invoking Invicti Shark

Use cd to navigate to the folder which contains your web application (where the app.js file resides) and run the following commands:

npm install "\shark\Shark(IAST).tar" --no-save
npx node-acusensor app.js

Uninstall Invicti Shark

You may choose to uninstall the Invicti Shark files from your server. To uninstall, follow these steps:

  1. Navigate to the folder where the sensor is installed and run this command:
     npm remove node-acusensor
  2. Remove the C:\shark\Shark(IAST).tar file and then remove the C:\shark folder.

Although the Invicti Shark agent is secured with a unique strong built-in password, it's recommended that the Invicti Shark client files are uninstalled and removed from the web application if they're no longer in use.
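
A post-uninstall check, as an added example that is not Invicti's own tooling: this Node.js script audits an application folder for remaining agent traces. Because the install command uses --no-save, the agent is never recorded in package.json, so the check inspects node_modules on disk as well. It assumes npm's standard layout for the node-acusensor package; findSharkLeftovers, buildSample and the sample folders are hypothetical names constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');
const PKG = 'node-acusensor'; // package name from the page's npx / npm remove commands

// Returns a list of agent traces; an empty list means the uninstall was complete.
function findSharkLeftovers(appDir, agentDir) {
  const findings = [];
  const modules = path.join(appDir, 'node_modules');
  // Assumption: npm unpacks the agent into node_modules/<package name> and puts
  // its launcher shim in node_modules/.bin (with a .cmd variant on Windows).
  for (const rel of [PKG, `.bin/${PKG}`, `.bin/${PKG}.cmd`]) {
    if (fs.existsSync(path.join(modules, rel))) findings.push(`node_modules/${rel}`);
  }
  // --no-save keeps the agent out of package.json, so a manifest review alone
  // proves nothing; still flag a saved dependency or a script that launches it.
  const manifest = path.join(appDir, 'package.json');
  if (fs.existsSync(manifest)) {
    const json = JSON.parse(fs.readFileSync(manifest, 'utf8'));
    for (const section of ['dependencies', 'devDependencies', 'optionalDependencies']) {
      if (json[section] && PKG in json[section]) findings.push(`package.json ${section}`);
    }
    for (const [name, cmd] of Object.entries(json.scripts || {})) {
      if (String(cmd).includes(PKG)) findings.push(`package.json script "${name}"`);
    }
  }
  // The per-target agent archive left in the staging folder (C:\shark on the page).
  if (agentDir && fs.existsSync(agentDir)) {
    for (const f of fs.readdirSync(agentDir)) {
      if (f.toLowerCase().endsWith('.tar')) findings.push(`archive ${f}`);
    }
  }
  return findings;
}

// Constructed sample: an app where the agent was installed with --no-save and
// the start script was switched to launch through it.
function buildSample() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'shark-audit-'));
  const app = path.join(root, 'app'), agent = path.join(root, 'shark');
  fs.mkdirSync(path.join(app, 'node_modules', PKG), { recursive: true });
  fs.mkdirSync(agent);
  fs.writeFileSync(path.join(app, 'package.json'), JSON.stringify({ scripts: { start: `npx ${PKG} app.js` } }));
  fs.writeFileSync(path.join(agent, 'Shark(IAST).tar'), '');
  return { app, agent };
}

const demo = buildSample();
console.log(findSharkLeftovers(demo.app, demo.agent));
```

On a real server, call findSharkLeftovers with the application folder and C:\shark after running the uninstall steps; any non-empty result lists what still has to be removed.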
