Scan Policy Fields
This document provides a comprehensive reference to all tabs and fields available in the New Scan Policy window within Invicti Enterprise and the Scan Policy Editor dialog in Invicti Standard. Understanding these configuration options is essential for creating effective and optimized scan policies tailored to your specific security testing requirements.
General
The General tab is displayed in Invicti Enterprise only and contains the fundamental policy identification and sharing settings.
| Field | Description |
|---|---|
| Name | The title of the scan policy |
| Description | Provides an overview of the policy's features for anyone who may use it |
| Shared | Select this option to allow others to access the policy |
Security Checks
In this tab, select the categories and Security Checks for the Scan Policy. Most security checks are enabled by default.
Configure security checks based on your specific application stack and compliance requirements. Review the default settings to ensure they align with your security testing objectives.
| Item | Description |
|---|---|
| Generate Proof | Select Yes to enable proof generation for the current security check group (default: True) |
| Proof Sharing | Enable or disable sharing the same proof across vulnerabilities (default: True) |
| Only Run on the Start Path (RoR) | Select Yes to restrict attacks to the Start Path only; otherwise, all directories will be attacked (default: False) |
| Resource Finder Limit | Sets the maximum number of hidden resources and folders Invicti searches for in each directory (default: 125) |
| Include/Exclude | Controls which cookies the cookie-based security checks cover: Include – only the cookie names listed below are checked; Exclude – the listed cookie names are skipped; Default – all cookies are checked |
| Cookie Names | Enter cookie names to be managed during the scan |
| Check All Pages | Select True to perform CORS checks on all pages; otherwise, only unique directories are checked (default: True) |
| Prepend Original Value | Prepends the original value to Cross-Site Scripting payloads for increased accuracy (default: False) |
| Attack Referer | Enable to include the Referer header in attacks. If the target application requires a valid Referer value to function, disable this option (default: True) |
| Possible Admin Interface | Determines whether Invicti detects potential administration pages within the scope of HTML Content checks (default: Enabled) |
| Maximum Path Count | Sets the maximum number of paths to check against HTTP methods |
| Database Type | Select the database type used by your application to optimize Boolean SQL injection payloads |
| Upload Folders | Specify directories where Invicti will search for uploaded files (comma-separated format) |
| Search Upload Folders | Determines whether upload folders should be visited to locate uploaded files (default: True) |
For more details on configuring specific security checks, refer to the Setting Security Check Options external documentation.
Crawling
This section outlines the crawling behavior and limits for discovering content and resources within your target application.
| Field | Description |
|---|---|
| Crawling Page Limit | Enter a number to set the maximum number of pages to crawl. Once this number is reached, Invicti ends the crawling phase and starts to attack (default: 2,500) |
| Maximum Signature | Enter a number to set the maximum number of samples to collect from pages with similar URL signatures (default: 9). The URL signature consists of path, HTTP method and parameter name |
| Maximum Page Visits | Enter a number to set the maximum number of times the crawler visits a page (default: 40). If this number is exceeded, Invicti will stop crawling that page |
| Maximum URL Rewrite Signature | Enter a number to set the maximum number of samples to collect from pages that match the same URL rewrite signature (default: 9) |
| Wait for the Resource Finder to finish | Enable to ensure Invicti waits for the Resource Finder to finish before ending the crawling phase (default: Disabled) |
| Text Parser | Enable to ensure the static HTML/Text Parser can search for links in HTML comments and similar locations (default: Enabled) |
| Text Parser Extensions | The Text Parser parses files for links. Specify additional file extensions (comma, whitespace or semicolon separated) beyond the default list |
| Parse SOAP Web Services | Check to enable SOAP Web Service discovery by parsing WSDL files (default: Enabled) |
| Parse REST Web Services | Check to enable REST Web Service discovery by parsing OpenAPI (Formerly Swagger) and WADL files (default: Enabled) |
| Parse URI Fragments | Check to enable parsing URI fragments to discover parameters in the fragment (Default: Enabled) |
| Fallback to GET | Check to enable Invicti to fallback to GET requests when HEAD requests don't work (default: Disabled) |
| Add Related Links | Check to specify whether all related links should be crawled when a new link is found (default: Enabled) |
| Enable Parameter-Based Navigation | Check to enable Parameter-Based Navigation if the target website uses parameter based navigation (default: Disabled) |
| Enable Query-Based Navigation | Check to enable that only query-string parameters will be recognized as navigation parameters |
| Navigational Parameter RegEx | Enter a regular expression. If a parameter name matches the regular expression, it will be considered as a navigational parameter |
| Maximum Page Visits | Enter a maximum number of visits to a page containing navigational parameters. This value must be between 1 and 1000 (default: 999) |
For detailed information about parameter-based navigation, see Scanning Parameter-Based Navigation Websites external documentation.
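The Maximum Signature and Maximum URL Rewrite Signature limits only make sense once you see how a signature collapses many URLs into one bucket. The Python sketch below is an added illustration, not Invicti's code: it builds the signature from the three components the page names (path, HTTP method, parameter names) and keeps at most N samples per signature. Sorting the parameter names alphabetically and the shop.example URLs are this example's own assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl


def url_signature(method, url):
    """Signature = HTTP method + path + the set of parameter names.
    Parameter *values* are deliberately ignored, which is why /product?id=1
    and /product?id=2 collapse into one signature. Sorting the names is this
    example's assumption; the page only says which components make it up."""
    parts = urlsplit(url)
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return (method.upper(), parts.path, tuple(names))


class SignatureSampler:
    """Keeps at most max_signature samples per signature, like the
    Maximum Signature crawl limit (page default: 9)."""

    def __init__(self, max_signature=9):
        self.max_signature = max_signature
        self.kept = defaultdict(list)   # signature -> sampled URLs
        self.dropped = 0                # URLs discarded once a bucket is full

    def offer(self, method, url):
        sig = url_signature(method, url)
        bucket = self.kept[sig]
        if len(bucket) >= self.max_signature:
            self.dropped += 1
            return False
        bucket.append(url)
        return True


def crawl_with_limit(requests, max_signature=9):
    """Feed (method, url) pairs through a sampler and return it."""
    sampler = SignatureSampler(max_signature)
    for method, url in requests:
        sampler.offer(method, url)
    return sampler


# Constructed crawl output: 12 product pages that differ only in the id value,
# one product page with an extra parameter, and a POST to the same path.
CRAWLED = [("GET", f"https://shop.example/product?id={i}") for i in range(1, 13)]
CRAWLED.append(("GET", "https://shop.example/product?id=3&ref=home"))
CRAWLED.append(("POST", "https://shop.example/product"))

if __name__ == "__main__":
    sampler = crawl_with_limit(CRAWLED, max_signature=3)
    for sig, urls in sampler.kept.items():
        print(sig, "->", len(urls), "sample(s)")
    print("dropped:", sampler.dropped)
```

With the limit set to 3, the twelve `id` values yield three samples and nine discards, while the URL with the extra `ref` parameter and the POST each form their own signature. Raising the limit buys coverage of value-dependent behaviour at the cost of more attack requests; lowering it is what makes large catalogue sites scannable within the Crawling Page Limit.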
JavaScript
Configure how Invicti analyzes JavaScript and AJAX content to discover additional attack surfaces in modern web applications.
| Field | Description |
|---|---|
| Analyze JavaScript/AJAX | Check to enable Invicti to analyze JavaScript and AJAX to find relevant links and pages (default: Enabled) |
| Select / Load a Pre-defined Preset | Choose from Default, SPA (Single Page Application), or Large SPA configurations |
| DOM Load Timeout | Enter a number to set the amount of time (milliseconds) to wait for the page to load before analyzing JavaScript DOM simulation (default: 30000) |
| DOM Simulation Timeout | Enter a number to set the amount of time (milliseconds) to wait before JavaScript ends DOM simulation (default: 45000) |
| Interevent Timeout | Enter a number to set the amount of time (milliseconds) to wait after triggering a JavaScript event (default: 100) |
| Max Simulated Elements | Enter a number to set the maximum number of DOM elements the parser will simulate before terminating (default: 500) |
| Skip Threshold | Enter a number to set the number of elements to simulate before skipping elements. Enter '0' to disable sampling (default: 300) |
| Elements to Skip | Enter a number to set the number of elements to skip simulation after the Skip Threshold has been exceeded (default: 10) |
| Max Modified Element Depth | Enter a number to limit the simulation to a set number of nested elements (default: 4) |
| Pre-simulation Wait | Enter a number to set the amount of time (milliseconds) the scanner should wait before starting simulation (default: 0) |
| Exclude by CSS Selector | Exclude HTML elements such as logout buttons from event simulation by CSS selectors |
| Maximum Option Elements | Enter a number to set the maximum number of option elements, per select element, to simulate (default: 10) |
| Persistent JavaScript Cookies | Enter the names of cookies (separated by semicolons) that are set in JavaScript and should persist |
| Open Redirect Conf. Timeout | Enter a number to set the time (milliseconds) to wait before ending JavaScript DOM simulation for Open Redirection confirmation (Default: 45000) |
| XSS Confirmation Timeout | Enter a number to set the time (milliseconds) to wait before ending JavaScript DOM simulation for XSS confirmation (default: 45000) |
| Exclude by JavaScript Events | Enter the names of JavaScript events (comma separated) that should be excluded from DOM simulation |
| Cache by CSS Selector | Enter elements to be cached via CSS selectors (Invicti Standard only) |
| Maximum Cache Elements | Enter a number to set the maximum number of cache elements per host (default: 1000, Invicti Standard only) |
| Filter Document Events | Check to filter events that are attached to a document by name to a constant set (default: Disabled) |
| Ignore document events | Check to ignore the triggering events that are attached to the document object (default: Disabled) |
| Filter Colon Events | Check to filter events that contain a colon (:) in their name (default: Disabled) |
| Extract Static Resources | Check to extract static resources from DOM elements (default: Enabled) |
| Allow out-of-scope XML HTTP (AJAX) requests during simulation | Check if the target website fails to load when some requests cannot be loaded (default: Enabled) |
| Generate Debug Info | Check to enable the debugger to generate debug information during the scan (default: None) |
| Block navigation on SPAs | Check to enable Invicti to block extra navigation on single-page applications |
Attacking
Configure how Invicti performs security attacks against discovered parameters and endpoints.
| Field | Description |
|---|---|
| Maximum Number of Parameters to Attack on a Single Page | Enter a number to set the maximum number of parameters that Invicti should attack on a single page (default: 24) |
| Enable Proof Generation | Check to generate a Proof of Exploit after a vulnerability is confirmed (default: Enabled) |
| Attack Parameter Names | Enable to generate extra attacks which place attack payloads into the name of a request parameter (default: Enabled) |
| Attack Referer Header | Enable to generate extra attacks which place attack payloads into the Referer header (default: Disabled) |
| Attack User-Agent Header | Enable to generate extra attacks which place attack payloads into the User-Agent header (default: Disabled) |
| Attack Cookies | Enable to generate extra attacks which place payloads on cookie name and values (default: Disabled) |
| Optimize Header Attacks | Enable to issue header attacks on each unique link path (default: Enabled) |
| Override Version Vulnerability Severities | Invicti overrides the severity of out of date library findings according to the highest known issue (Default: Enabled) |
| Optimize Attacks to Recurring Parameters | Enable to detect recurring parameters in different URLs (default: Disabled) |
| Recurring Parameters Attack Limit | Enter a number to set the maximum number of pages to attack for recurring parameters (default: 10) |
| Anti-CSRF Token Field Names (Comma Separated) | Enter Anti-CSRF token field names that should be kept as they are |
| Attack CSRF Token | Check to enable CSRF attacks |
| Enable Random Parameter Attacks in Cross-site Scripting checks | Enable to attempt to add extra parameters to pages to detect XSS vulnerabilities (default: Enabled) |
Custom 404
Configure how Invicti handles and detects custom error pages.
| Field | Description |
|---|---|
| Auto Custom 404 | Check to select an automatic 404 Error page |
| Manual Custom 404 | Check to select a manual 404 Error page |
| Disabled | Check to disable the 404 Error page |
| Maximum 404 Signatures | Enter a number to set the maximum number of 404 Error page samples to collect (default: 1000) |
| Maximum 404 Pages to Attack | Enter a number to set the maximum number of 404 samples to crawl and attack (default: 10) |
(Scan) Scope
Define the boundaries and extent of your security scan.
Ensure scan scope settings comply with your authorization and testing agreements. Inappropriate scope configuration may lead to legal issues.
| Field | Description |
|---|---|
| Case Sensitive | Enable if you want to change the default behavior because your target uses case-sensitive URLs (Default: Disabled) |
| Bypass Scope for Static checks | When enabled, Invicti will make requests to resources that are out of scope for static vulnerability checks (Default: Disabled) |
| Ignore These Extensions | Enter the extensions of those test files you do not want Invicti to crawl or test (Invicti Standard only) |
| Enable Content-Type Checks | Enable to analyze pages that have a listed content-type header (Default: Disabled) |
| Ignore These Content Types | Enter the content types of those test files you do not want Invicti Enterprise to crawl or test |
| Block Ad Networks | Enable to stop sending requests to known ad networks during scanning (Default: Enabled) |
Ignored Parameters
Configure which parameters should be excluded from security testing.
| Field | Description |
|---|---|
| Name | This is a friendly name for your reference/the parameter (e.g. 'ASP Session ID (COOKIE)') |
| Pattern | This is the actual name of the parameter to be excluded from the scan (e.g. ASPSESSIONID*). Pattern matching is case-sensitive |
| Type | This is the parameter type (POST, GET, COOKIE, WEBSTORAGE, ALL) |
For more detailed information, refer to Excluding Parameters From a Scan external documentation.
Form Values
Configure predefined values for form fields during scanning.
| Field | Description |
|---|---|
| Name | This is a friendly name for your reference |
| Type | This is the form input type (hidden, text, textarea, submit, reset, button, image, file, radio, select, checkbox, password, color, date, datetime, datetime-local, email, month, number, range, search, tel, time, etc.) |
| Pattern | This is the value that the HTML attribute value will be matched against based on the selected Match |
| Target | This is the match target (Select All, Name, Label, Placeholder, Id) |
| Match | This is the match type for the Pattern field (RegEx, Exact, Contains, Starts, Ends) |
| Value | This is the value Invicti will submit to the input parameter when the match is successful |
| Force | When enabled, Invicti will submit the provided value even when the parameter is already populated |
For comprehensive guidance, see Configuring Pre-Defined Web Form Values external documentation.
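The interplay of Type, Target, Match and Force decides what the scanner types into each field, and a wrong rule order or a missing Force is a common reason a multi-step form never submits. The Python example below is added here and is not Invicti's implementation: it evaluates rules with the five Match types and four Targets the page lists and honours Force exactly as described (a value already on the page is kept unless Force is set). The `"*"` wildcard for "any input type", first-rule-wins ordering, case-sensitive comparison and the sample rules are this example's assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class FormValueRule:
    """One row of the Form Values tab. input_type "*" is this example's
    shorthand for 'any input type'; the tab itself lists concrete types."""
    name: str
    input_type: str
    pattern: str
    target: str      # All, Name, Label, Placeholder, Id
    match: str       # RegEx, Exact, Contains, Starts, Ends
    value: str
    force: bool = False


@dataclass
class FormInput:
    """Attributes of an <input> the crawler found (constructed sample data)."""
    name: str
    input_type: str = "text"
    id: str = ""
    label: str = ""
    placeholder: str = ""
    value: str = ""


def pattern_matches(match, pattern, candidate):
    """Apply one Match type to one candidate string. Comparison is
    case-sensitive here; the page does not state the case rule (assumption)."""
    if match == "RegEx":
        return re.search(pattern, candidate) is not None
    if match == "Exact":
        return candidate == pattern
    if match == "Contains":
        return pattern in candidate
    if match == "Starts":
        return candidate.startswith(pattern)
    if match == "Ends":
        return candidate.endswith(pattern)
    raise ValueError(f"unknown match type: {match!r}")


def target_strings(inp, target):
    """Attribute values the rule's Target selects; 'All' tries every one."""
    attrs = {"Name": inp.name, "Label": inp.label,
             "Placeholder": inp.placeholder, "Id": inp.id}
    if target == "All":
        return [v for v in attrs.values() if v]
    return [attrs[target]] if attrs[target] else []


def rule_applies(rule, inp):
    if rule.input_type != "*" and rule.input_type != inp.input_type:
        return False
    return any(pattern_matches(rule.match, rule.pattern, s)
               for s in target_strings(inp, rule.target))


def resolve_value(rules, inp):
    """Value submitted for inp. First applicable rule wins (ordering is this
    example's assumption). A value the page already supplied is kept unless
    the matching rule has Force enabled, as the Force field describes."""
    for rule in rules:
        if rule_applies(rule, inp):
            if inp.value and not rule.force:
                return inp.value
            return rule.value
    return inp.value


# Constructed rule set; the specific rule is placed before the catch-all.
RULES = [
    FormValueRule("Any e-mail field", "email", "mail", "All", "Contains", "qa@example.test"),
    FormValueRule("Postal code", "text", r"^(zip|postal)", "Name", "RegEx", "SW1A 1AA"),
    FormValueRule("Country (forced)", "select", "country", "Id", "Exact", "GB", force=True),
    FormValueRule("Catch-all text", "text", "", "All", "Contains", "invicti-test"),
]

if __name__ == "__main__":
    for inp in (FormInput("user_email", "email"),
                FormInput("zipcode", "text", value="00000"),
                FormInput("country_select", "select", id="country", value="US")):
        print(inp.name, "->", resolve_value(RULES, inp))
```

Note the `zipcode` case: because the page pre-fills it with `00000` and the rule is not forced, the pre-filled value survives; if that value is what breaks server-side validation, Force is the switch to flip.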
Invicti Hawk
This table lists and explains the fields in the Invicti Hawk tab. This tab is only displayed in Invicti Enterprise On-Premises and Invicti Standard.
| Field | Description |
|---|---|
| Invicti Hawk URL (Invicti Enterprise On-Premises) | Invicti Hawk server that will respond to Out-of-Band and SSRF-related attacks that were initiated by Netsparker. |
| Invicti Hawk URI (Invicti Standard) | Invicti Hawk server that will respond to Out-of-Band and SSRF-related attacks that were initiated by Netsparker. |
| Validate DNS Settings | Click to validate the DNS settings of Invicti Hawk server. |
| Validate Invicti Hawk | Click to validate whether Invicti Hawk server can report vulnerabilities. |
| Clear | Click to clear the logs shown below. |
Autocomplete
This table lists and explains the fields in the Autocomplete tab. Invicti Enterprise will only issue an alert if Autocomplete is enabled on a text input that matches one of these values.
| Field | Description |
|---|---|
| Input Name | Enter a value to be matched with the input name to detect whether autocomplete is enabled for the input. The Input Name can contain any valid wildcard characters, such as '?' '*' or '#'. |
Ignored Email Addresses
This table lists and explains the fields in the Ignored Email Addresses tab.
| Field | Description |
|---|---|
| Email Pattern | Enter any email address pattern you'd like the scan to ignore. Email Pattern can contain any valid wildcard characters (? * #). Invicti will ignore any Email Disclosure vulnerability if the address matches one of these patterns. Invicti will also ignore email addresses that start with the most common words (e.g. admin, billing, contact, support). You can amend this list, which is located at C:\Users\{USER}\Documents\Netsparker\Resources\Configuration\GenericEmails.txt. |
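The Ignored Parameters, Autocomplete and Ignored Email Addresses tabs all use the same `?`, `*`, `#` wildcard syntax, so one matcher serves all three. The Python example below is added here and is not Invicti's code; the `#`-matches-a-digit rule is an assumption (the page lists `#` as a wildcard without defining it), as are the case-insensitive comparison for autocomplete and email checks, the `ASPSESSIONID*`-style sample rows and the `example.test` addresses. The parameter check keeps the page's stated case-sensitive behaviour and honours the Type column (ALL matches every type).

```python
import re


def wildcard_to_regex(pattern, case_sensitive=True):
    """Compile a wildcard pattern into an anchored regex.
    '*' matches any run of characters and '?' exactly one character; '#' is
    taken here to match a single digit (assumption: the page lists '#' as a
    wildcard character without defining it)."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        elif ch == "#":
            parts.append(r"\d")
        else:
            parts.append(re.escape(ch))
    flags = 0 if case_sensitive else re.IGNORECASE
    return re.compile("^" + "".join(parts) + "$", flags)


# Ignored Parameters rows as (Name, Pattern, Type); constructed sample.
IGNORED_PARAMETERS = [
    ("ASP Session ID (COOKIE)", "ASPSESSIONID*", "COOKIE"),
    ("Request verification token", "__RequestVerificationToken", "ALL"),
    ("Build number", "build_##", "GET"),
]


def is_ignored_parameter(name, param_type):
    """Page rules: the Type must match (ALL matches every type) and the
    pattern comparison is case-sensitive."""
    for _, pattern, ptype in IGNORED_PARAMETERS:
        if ptype != "ALL" and ptype != param_type:
            continue
        if wildcard_to_regex(pattern, case_sensitive=True).match(name):
            return True
    return False


# Autocomplete tab Input Name entries; constructed sample.
AUTOCOMPLETE_INPUTS = ["*password*", "cc?num*", "ssn"]


def autocomplete_should_alert(input_name, autocomplete_attr=None):
    """Alert only if autocomplete is effectively on (browsers default to on
    when the attribute is absent) and the name matches a configured entry.
    Case-insensitive comparison is this example's choice."""
    if autocomplete_attr is not None and autocomplete_attr.lower() == "off":
        return False
    return any(wildcard_to_regex(p, case_sensitive=False).match(input_name)
               for p in AUTOCOMPLETE_INPUTS)


# The page's own examples of generic local parts (GenericEmails.txt), plus
# constructed patterns standing in for Ignored Email Addresses entries.
GENERIC_EMAIL_PREFIXES = ["admin", "billing", "contact", "support"]
IGNORED_EMAIL_PATTERNS = ["*@example.test", "noreply@*"]


def is_ignored_email(address):
    """Suppress an Email Disclosure finding for generic or listed addresses."""
    local = address.split("@", 1)[0].lower()
    if any(local.startswith(p) for p in GENERIC_EMAIL_PREFIXES):
        return True
    return any(wildcard_to_regex(p, case_sensitive=False).match(address)
               for p in IGNORED_EMAIL_PATTERNS)


if __name__ == "__main__":
    print(is_ignored_parameter("ASPSESSIONIDQABCDEF", "COOKIE"))   # session cookie
    print(is_ignored_parameter("ASPSESSIONIDQABCDEF", "GET"))      # wrong Type
    print(autocomplete_should_alert("new_password"))               # attribute absent
    print(is_ignored_email("support-eu@corp.example"))             # generic prefix
```

The `build_##` row shows why the wildcard choice matters: it ignores `build_42` but still lets `build_4` and `build_abc` be attacked, and the wrong Type (POST instead of GET) keeps the rule from firing at all.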
CSRF Settings
This table lists and explains the fields in the CSRF tab.
| Field | Description |
|---|---|
| Checkbox | Select if you want to enable CSRF checks for authenticated scans only. |
| User Name Inputs | Enter a list of strings to indicate a username input whose name includes one of these. |
| Login Form Values | Enter a list of strings to indicate a login form whose name or action includes one of these. |
| Non-CSRF Form Values | Enter a list of strings to indicate non-CSRF forms whose name or action includes one of these. Invicti won't report CSRF on these forms even if the form does not have a CSRF token. |
| Non-CSRF Input Values | Enter a list of strings to indicate non-CSRF inputs whose name or value includes one of these. If Invicti cannot deduce the purpose of the form from its name or action, it attempts to deduce it from the names of the inputs it contains. This list defines those values. |
| Captcha Indicators | Enter a list of strings that indicate forms protected by a Captcha against CSRF. |
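The CSRF lists are heuristics that decide which token-less forms are worth reporting, and the page is explicit that the form's name and action are inspected first and the input names only as a fallback. The Python example below is added here and is not Invicti's implementation: it combines the Anti-CSRF Token Field Names setting from the Attacking tab with the CSRF tab's lists in that order. Treating login and captcha-protected forms as not reportable is this example's reading of why those lists exist, and the policy strings and sample forms are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Form:
    """A form the crawler found; inputs maps input name to its value."""
    action: str
    method: str = "POST"
    name: str = ""
    inputs: dict = field(default_factory=dict)


# Constructed policy: Anti-CSRF Token Field Names (Attacking tab) plus the
# five lists of the CSRF tab and its authenticated-only switch.
CSRF_POLICY = {
    "authenticated_only": True,
    "anti_csrf_token_names": ["__RequestVerificationToken", "csrf_token", "_token"],
    "user_name_inputs": ["username", "user", "email", "login"],
    "login_form_values": ["login", "signin", "sign-in", "logon"],
    "non_csrf_form_values": ["search", "logout", "newsletter", "filter"],
    "non_csrf_input_values": ["query", "search", "page", "sort"],
    "captcha_indicators": ["captcha", "recaptcha"],
}


def _contains_any(text, needles):
    text = text.lower()
    return any(n.lower() in text for n in needles)


def classify_csrf(form, policy, authenticated):
    """Return (report, reason) for one form.

    Order follows the page: the form name/action is inspected first and the
    input names are consulted only when that did not settle the form's
    purpose. Exempting login and captcha forms is this example's assumption."""
    if policy["authenticated_only"] and not authenticated:
        return False, "CSRF checks restricted to authenticated scans"
    if any(name in form.inputs for name in policy["anti_csrf_token_names"]):
        return False, "anti-CSRF token field present"
    label = f"{form.name} {form.action}"
    if _contains_any(label, policy["captcha_indicators"]) or any(
            _contains_any(n, policy["captcha_indicators"]) for n in form.inputs):
        return False, "captcha-protected form"
    if _contains_any(label, policy["login_form_values"]):
        return False, "login form (by name/action)"
    if _contains_any(label, policy["non_csrf_form_values"]):
        return False, "non-CSRF form (by name/action)"
    # Name/action did not settle it: fall back to the input names.
    if any(_contains_any(n, policy["user_name_inputs"]) for n in form.inputs):
        return False, "login form (by input names)"
    if any(_contains_any(n, policy["non_csrf_input_values"]) for n in form.inputs):
        return False, "non-CSRF form (by input names)"
    return True, "state-changing form without an anti-CSRF token"


def report_csrf(forms, policy=CSRF_POLICY, authenticated=True):
    """Map each form action to its (report, reason) decision."""
    return {f.action: classify_csrf(f, policy, authenticated) for f in forms}


# Constructed forms covering each branch of the heuristic.
FORMS = [
    Form("/account/login", inputs={"username": "", "password": ""}),
    Form("/search", method="GET", inputs={"term": ""}),
    Form("/profile/update", inputs={"display_name": "", "__RequestVerificationToken": "abc"}),
    Form("/profile/update-bio", inputs={"bio": ""}),
    Form("/list", inputs={"page": "2"}),
    Form("/contact", inputs={"message": "", "g-recaptcha-response": ""}),
]

if __name__ == "__main__":
    for action, (report, reason) in report_csrf(FORMS).items():
        print(f"{action:22} report={report!s:5} {reason}")
```

Only `/profile/update-bio` is reported: it changes state, carries no recognised token and nothing in its name, action or inputs matches an exemption list. If a legitimate state-changing form on your target happens to contain `page` or `user` in an input name, the substring rules above will silently suppress the finding, which is the practical reason to keep these lists short and specific.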
Web Storage
This table lists and explains the fields in the Web Storage tab.
| Field | Description |
|---|---|
| Type | This is the type of Web Storage mechanism that will be used. From the dropdown, select an item. The options are: Local or Session |
| Key | This is the name of the key you want to create. |
| Value | This is the value you want to give the key you are creating. |
| Origin | Enter storage data for a specific origin. (Otherwise, leave it empty to allow the DOM parser to pass it for any origin.) |
Extensions
This table lists and explains the fields in the Extensions tab.
| Field | Description |
|---|---|
| Extension | This is a list of file extensions to which the specified Crawling and Attacking activity will be applied. |
| Crawl | Select the required Crawling activity for the file type (Extension). The options are: Do Not Crawl / Crawl / Crawl Only Parameter (default) |
| Attack | Select the required Attacking activity for the file type (Extension). The options are: Do Not Attack / Attack Parameters (default) / Attack Parameters and Query String |
HTTP Configuration
Request
This table lists and explains the fields in the Request tab. This tab is displayed in both editions. (In Invicti Standard, it is displayed once you click on the HTTP tab.)
| Field | Description |
|---|---|
| (Pre-defined) User Agent(s) | Select or Enter the User Agent string to be used in all HTTP requests during scans |
| Force this value | Enable to force Invicti to use the User Agent, even if the HTTP request has a User-Agent value |
| Connection Timeout (sec) | This is the number of seconds to wait before the HTTP Request times out |
| Read/Write Timeout (sec) | Time to wait when reading from response or writing to request stream (Invicti Standard only) |
| Request Timeout (sec) | Interval in seconds that Invicti Enterprise should wait for a response (Invicti Enterprise only) |
| Concurrent Connections | Enter the maximum number of simultaneous connections Invicti should open when scanning |
| Requests per second | Set the maximum number of requests initiated per second (recommendation: 30) |
| HTTP Keep Alive | Enable to reuse TCP connections across requests, which reduces connection setup overhead for both the scanner and the target server (default: Enabled) |
| Support Gzip/Deflate | Enable to complete the scan in less time, if the target web server supports compression (default: Enabled) |
| Support Cookies | Enable to support HTTP cookies (default: Enabled) |
| Capture HTTP Requests | Enable to save HTTP requests during scans using the Fiddler session file format (Invicti Enterprise only) |
Headers
This table lists and explains the fields in the Headers tab. (In Invicti Standard, it is displayed once you click on the HTTP tab.)
| Field | Description |
|---|---|
| Enabled | Enable so that the custom header is added to all HTTP requests |
| Name | The Name field in the HTTP Header should only contain ASCII characters |
| Value | A header value to be used in attacks with the corresponding header |
| Attack Mode | The options are: None (default), Optimized (only suitable attack payloads), Full (all attack payloads) |
SSL/TLS
This table lists and explains the fields in the HTTP SSL/TLS tab. (In Invicti Standard, it is displayed once you click on the HTTP tab.)
| Field | Description |
|---|---|
| Security Protocol | Select the security protocol(s) used while making requests (SSLv3, TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3) |
| Untrusted Certificates | Action taken when encountering untrusted certificates (Accept or Reject) |
Proxy
This table lists and explains the fields in the Proxy tab. This tab is only displayed in Invicti Enterprise On-Premises and Invicti Standard. (In Invicti Standard, it is displayed once you click on the HTTP tab.)
| Field | Description |
|---|---|
| Use Application (Global) Proxy | Enable to use the Application Proxy. The Applications Proxy can be defined at the Proxy tab in the Options dialog. |
| Use System (Internet Explorer) Proxy | Enable to use the System Proxy. This is the default. The System Proxy is the system-wide proxy that is used by every program by default. |
| Use Custom Proxy | Enable to use and configure a Custom Proxy. Unlike the System Proxy, a Custom Proxy must be configured explicitly. It is specific to this scan policy and only applies within its scope. |
| Don't use proxy server for local (intranet) addresses | Enable so that requests to local (intranet) addresses are sent directly, bypassing the proxy. |
| Use this proxy server for the requests other than the target website(s) | Enable so that this proxy is used instead of the proxy server in the agent configuration. |
Additional Configuration Tabs
IndexedDB (Invicti Standard Only)
Configure IndexedDB storage data for browser-based testing.
| Field | Description |
|---|---|
| Name | This is a friendly name for your reference |
| Origin | Enter storage data for a specific origin (leave empty for any origin) |
Browser Setting
This table lists and explains the fields in the Browser Settings tab.
| Field | Description |
|---|---|
| Default Browser Parameters | These are the default browser parameters that Invicti uses when it launches a Chromium instance to scan your website. You can deselect any parameter to disable it, or add a new parameter. |
| Headful Browser Parameters | These are the headful browser parameters that Invicti uses when it launches a Chromium instance to authenticate with your website. You can deselect any parameter to disable it, or add a new parameter. |
Send To Actions (Invicti Standard Only)
Configure automatic issue forwarding to integrated systems.
| Field | Description |
|---|---|
| Send To Action | Select integration target (Asana, Azure Boards, Bitbucket, Bugzilla, GitHub, JIRA, etc.) |
| Severities | Select vulnerability severity levels to trigger actions |
| Only Confirmed | Check to trigger actions only for confirmed vulnerabilities |
Brute Force
Configure authentication brute force testing.
| Field | Description |
|---|---|
| Authentication Brute Force (Basic, NTLM, Digest) | Check to enable Authentication Brute Force |
| Maximum Username/Password Combinations to Test | Enter a number to set the maximum combinations to test (default: 10) |
Knowledge Base
Configure sensitive keyword detection and knowledge base checks.
| Field | Description |
|---|---|
| Enable Knowledge Base | Check to enable Knowledge Base checks (default: Enabled) |
| Sensitive Keyword Pattern | Enter a valid regular expression to find sensitive keywords in code comments |