Integrating Invicti Enterprise with HashiCorp Vault

HashiCorp Vault is a secret management system that provides access to (secret key values), such as password and API keys, in a secure way. Due to its centralized system, HashiCorp Vault also records an audit log to check who accessed different features, such as a database. In addition to these benefits, it also encrypts secrets at rest and in transit, and provides applications with access to these secrets for a limited time.  

Invicti Enterprise provides integration with HashiCorp Vault Key-Value (KV) to provide the following benefits:

• To eliminate the need to share sensitive credentials for vulnerability scanning on password-protected webpages.
• To automate credential retrieval to carry out vulnerability assessment on the target website.
• To manage credentials easily while also ensuring that vulnerability scanning is carried out.

For further information, refer to What Systems Does Invicti Integrate With? and Privileged Access Management and Invicti.

How to integrate Invicti Enterprise with HashiCorp Vault

1. Sign in to Invicti Enterprise.
2. In the main menu, select Integrations > New Integration.

3. From the Secrets and Encryption Management section, select HashiCorp Vault.

4. Enter a Name for the integration.
5. Enter your base HashiCorp Vault URL.
6. Select an authentication type:

• Token: Authentication is performed using access tokens provided by the Vault.
• TLS Certificate: Authentication is performed using a TLS certificate that you provide.

7. Continue by following the relevant instructions below depending on your choice of authentication.

Token Authentication

8. Under Agent Mode, select an option:

• Cloud: Invicti verifies the connection with a cloud agent available in the Invicti Enterprise environment.
• Internal: Invicti verifies the connection with an authentication verifier agent installed on your environment. For further information, refer to Configuring internal agents for secrets management services.

9. Click Verify and Save to test the connection and save it. (If you have more than one authentication verifier agent, there is a drop-down to select the verifier agent.)

TLS Certificate Authentication

8. Select Certificate File… and upload the required file.
9. If your certificate has a password configured, enter the password in the Certificate Password field. Leave this field blank if your certificate does not require a password.
10. If your certificate is installed using the default path, then you do not need to enter anything into the Path field. The default path is: cert 
    If your certificate is installed in a different location, enter the path in the Path field.
11. Under Agent Mode, select an option:

• Cloud: Invicti verifies the connection with a cloud agent available on the Invicti Enterprise environment.
• Internal: Invicti verifies the connection with an authentication verifier agent installed on your environment. For further information, refer to Configuring internal agents for secrets management services.

12. Click Verify and Save to test the connection and save it. (If you have more than one authentication verifier agent, there is a drop-down to select the verifier agent.)

Verifying form authentication with HashiCorp Vault

After successfully integrating HashiCorp Vault, you can use this integration to verify a form authentication before launching a new scan.

This table lists and explains the fields in the HashiCorp Vault Settings dialog.

How to use the Vault integration to verify form authentication

1. Sign in to Invicti Enterprise.
2. In the main menu, select Scans > New Scan.
3. Enter the Target URL.
4. From the Authentication settings, select the Form tab.
5. Select Form Authentication.
6. Click the New Persona drop-down, and select Hashicorp Vault.

7. Complete the fields in the HashiCorp Vault Settings dialog box. 
8. Select Test Vault Settings to test the connection.
9. Select Save.

10. From the Personas' section, select Verify Login & Logout to test the new Persona.