Secrets

This document is for:
Invicti Standard, Invicti Enterprise On-Premises, Invicti Enterprise On-Demand

The Secrets feature lets you store a sensitive value encrypted in the Invicti scanner and use it as a global variable that scripts and authentication settings can refer to dynamically during the scan. Referring to a secret by name rather than placing the value itself in a script or profile improves the security of your sensitive data.

This document explains how to create and use a secret.

Create a secret

Important: While creating a secret is possible in Invicti Enterprise On-Demand, using it with Pre-Request Script or Post-Request Script requires access to those features. Please refer to the linked documentation for information on how to enable them.

Create a secret in Invicti Enterprise

  1. Select Scans > New Scan from the left-side menu.
  2. In the Scan Settings section, click Secrets.
  3. Click + New Secret to add a new secret.
Add new secret in Invicti Enterprise
  4. Type the secret's Name and Value in the text fields.
Secret Name and Value fields
  5. You can now refer to the secret in a Pre-Request Script, Post-Request Script, or Header Authentication.
  6. Click Save Profile to save the settings of the scan for future use, or Launch to run the scan.

Create a secret in Invicti Standard

  1. Click New in the Home tab.
  2. In the Scan Settings section, click Secrets.
  3. Type the secret's Name and Value in the text fields.
Secret fields in Invicti Standard
  4. You can now refer to the secret in a Pre-Request Script, Post-Request Script, or Header Authentication.
  5. Click Start Scan to run a scan.

How to use a secret

Refer to the secret from a Pre-Request Script, a Post-Request Script, or Header Authentication.

Use a secret with a script

To dynamically refer to the secret, use the following example code in your script:

var myToken = invicti.getGlobalVariable("MySecret"); // resolves the secret named "MySecret" at scan time
Note: For more information regarding scripts, refer to the Pre-request scripts and Post-request scripts documents.

Use a secret with header authentication

To refer to the secret in Header Authentication, enter the name of your secret in curly braces as the Value, for example: {MySecret}.

Using secret in header authentication

The encrypted secret will be visible in the HTTP Request/Response > Raw tab in the Scan summary.

Secret visible in HTTP Request/Response
Note: For more information, refer to the Configuring header authentication document.
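The following is an added example, not Invicti's own code: it shows how a script can resolve the same {Name} placeholder form that Header Authentication accepts, using only the documented invicti.getGlobalVariable(name) call, and fail closed when a referenced secret does not exist. The invicti stand-in and the secret value are constructed so the example runs outside the scanner; how the resulting header is attached to the request is not covered here.

```javascript
// Added example (not Invicti's code). invicti.getGlobalVariable(name) is the
// documented call; the stand-in below is constructed so this runs offline.
if (typeof invicti === "undefined") {
  const constructedStore = { MySecret: "s3cr3t-token-value" }; // constructed sample value
  globalThis.invicti = {
    getGlobalVariable: (name) => constructedStore[name],
  };
}

// Resolve every {Name} placeholder in a template (the form the Header
// Authentication Value field accepts, e.g. "{MySecret}") by looking each name
// up as a secret. Fails closed: an unknown name throws instead of sending an
// empty or literal "{Name}" credential to the target.
function resolveSecretPlaceholders(template) {
  return template.replace(/\{([A-Za-z0-9_-]+)\}/g, (_, name) => {
    const value = invicti.getGlobalVariable(name);
    if (value === undefined || value === null || value === "") {
      throw new Error(`secret "${name}" is not defined in this scan profile`);
    }
    return value;
  });
}

// Build an Authorization header object from a secret name.
function bearerHeaderFromSecret(secretName) {
  const token = resolveSecretPlaceholders(`{${secretName}}`);
  return { name: "Authorization", value: `Bearer ${token}` };
}

// Redacted view for log or debug output: the header name and length only,
// never the value, so the secret does not leak through script logging.
function describeHeader(header) {
  return `${header.name}: <redacted, ${header.value.length} chars>`;
}

const authHeader = bearerHeaderFromSecret("MySecret");
console.log(describeHeader(authHeader));
```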
