Shark for PHP

Deploying Invicti Shark for PHP

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

Invicti Shark enables you to carry out interactive security testing (IAST) in your web application in order to confirm more vulnerabilities and further minimize false positives. For Invicti Shark to operate, you need to download an agent and deploy it on your server.

Please note that this agent is generated uniquely for each target website for security reasons. To deploy Shark, you need to keep in mind that the mechanism you need to use is to invoke the PHP directive “auto_prepend_file” and point this directive to the Shark PHP file.

This topic explains how to download and copy the Shark files to your hard disk and configure your web server to use these files.

PHP Versions supported are from 5.6 to 8.

Deploying Invicti Shark in PHP consists of 3 steps:

1. Downloading the Shark agent

You can find the required instructions to download the Shark agent in Deploying Invicti Shark.

2. Copying the Shark agent

You need to create a dedicated folder inside the root folder of your operating system to hold the Shark agent.

  • For Windows:
    • Create a file in C: and name it Shark
    • Copy the Shark.php file into “C:\Shark”
  • For Linux: (Execute the following commands by using terminal)
  • Run mkdir /shark/
  • Locate the folder that contains the Shark agent file by using cd
  • Then, run cp Shark.php /Shark

3. Configuring your web server

Invoking auto_prepend_file changes for different web servers. Instructions for each web server are provided below.

In order to invoke auto_prepend_file, you need to identify the INI file and make changes as instructed below.

  • If your website has its own INI file (typically a “.user.ini” file in your website’s root folder), you need to add the specified line below to that website’s specific INI file.
  • Otherwise, you will need to add the specified line to the general php.ini file. Note that this operation affects all websites on the web server.

For further information, see Locating php.ini in your web server

  • Internet Information Services (IIS):

  • Locate the php.ini file that contains the PHP directives for your website.
  • Add auto_prepend_file=”c:\Shark\Shark.php” to the website’s INI file.
  • Apache:

  • There are two options in Apache.
    • Option 1: Add php_value auto_prepend_file c:\Shark\Shark.php to the .htaccess file in the root folder of your website.
    • Option 2: Add auto_prepend_file=”c:\Shark\Shark.php” to the website’s INI file.
  • NGINX:

  • There are two options in Nginx
    • Option 1:
  • Identify Nginx config file
  • Add fastcgi_param PHP_VALUE “auto_prepend_file = /Shark/Shark.php”;  in the section for “location ~ \.php$”,
  • Add auto_prepend_file=”c:\Shark\Shark.php” to the website’s INI file

Locating php.ini in your web server

Temporarily create a simple PHP file with phpinfo(); – the “Loaded Configuration File” is the general php.ini file you will need to change.

You should always remove any phpinfo() pages from your web application. The information disclosed by such a file is itself a vulnerability and provides attackers with essential information.
This information may allow attackers to potentially craft an exploit targeting your web application

  • Docker

The simple Docker example below is applicable for Apache + PHP + Shark.

1. Prepare an example website. For this single-page example, here are the contents of /home/myuser/www/index.php:

<?php echo "Hello World!"; ?>
<?php phpinfo(); ?>

2. Configure loading of Shark agent for the website; contents of /home/myuser/www/.htaccess:

php_value auto_prepend_file /var/www/mysite/Shark.php

3. Then, Configure Apache configuration for the website: contents of /home/myuser/mysite-apache.conf:

<VirtualHost *:80>


  DocumentRoot /var/www/mysite

  <Directory /var/www/mysite/>

      Options Indexes FollowSymLinks MultiViews

      AllowOverride All

      Order deny,allow

      Allow from all


  ErrorLog ${APACHE_LOG_DIR}/error.log

  CustomLog ${APACHE_LOG_DIR}/access.log combined


4. Copy the Shark.php file in /home/myuser/www

5. Configure the Docker file for building the container: contents of /home/myuser/Dockerfile:

FROM ubuntu:latest
# Install apache, PHP
RUN apt-get update
RUN apt-get -y upgrade
RUN DEBIAN_FRONTEND=noninteractive apt-get -y install apache2 php libapache2-mod-php
# Expose apache
# Copy website and Shark agent into place
COPY www /var/www/mysite
# Update the default apache site with the website config
COPY mysite-apache.conf /etc/apache2/sites-enabled/000-default.conf
# Start up apache in the foreground
CMD /usr/sbin/apache2ctl -D FOREGROUND

6. Build the container, then run the following commands from the docker machine:

cd /home/myuser
docker build -t mysite

Uninstalling Shark

You may choose to uninstall the Shark files from your server. You can take the following steps below to uninstall.

  1. Reverse changes in the configuration file to invoke the auto_prepend_file directive
  2. Next, Remove the Shark agent file as follows
  • For Windows:
    • Remove the C:\Shark\Shark.php file
    • Then, Remove the C:\Shark folder
  • For Linux: (Write the following commands by using terminal)
  • rm -rf /shark/

Although the Invicti Shark agent is secured with a unique strong built-in password, it is recommended that the Shark client files are uninstalled and removed from the web application if they are no longer in use

Invicti Help Center

Our Support team is ready to provide you with technical help.

Go to Help Center This will redirect you to the ticketing system.