2021-05-14

AWVS扫描器IAST使用

× 文章目录

1. 0x00 前言
2. 0x01 扫描器部署
3. 0x02 开启IAST插装模式
4. 0x03 测试
5. 0x04 测试结果
1. 5.1. 4.1 常规漏洞项测试
2. 5.2. 4.2 脏数据测试

0x00 前言

很久没有更新blog了，这次把几个笔记分享一下，AWVS自带的IAST功能，很多人都不知道，这里记录一下IAST如何使用

0x01 扫描器部署

这里笔记写的较早，版本还是awvs13

# pull 拉取下载镜像
docker pull secfa/docker-awvs

# 将Docker的3443端口映射到物理机的 13443端口
docker run -it -d -p 13443:3443 secfa/docker-awvs

# 容器的相关信息
awvs13 username: [email protected]
awvs13 password: Admin123
AWVS版本：13.0.201006145

浏览器访问

https://192.168.244.130:13443/#/login

0x02 开启IAST插装模式

2.1 新建目标

2.2 开启AcuSensor

AcuSensor 允许扫描程序从您的 PHP、.NET 或 Java web 应用程序收集更多信息，用于改善扫描结果，并减少误报。请于运行 Web 扫描前，下载并安装与目标对应的 AcuSensor。

注意：避免在生产系统中使用 AcuSensor。

使用介绍：https://www.acunetix.com/support/docs/installing-acusensor/

针对JAVA程序使用：https://www.acunetix.com/support/docs/installing-acusensor-java/

传感器是针对每个网站唯一生成的

Acunetix JAVA Acusensor需要Tomcat（7+）和Java（1.7+）

2.3 安装切面和传感器

Java AcuSensor要求：

将Aspectjweaver.jar部署到您的Web服务器中-提供AcuSensor与您的应用程序一起使用所需的集成
将Acunetix Java AcuSensor部署到Web服务器中-这对于每个Target都是唯一的，可以使用“下载JAVA AcuSensor”按钮进行下载
配置您的Web服务器以使用加载时间编织（AspectJWeaver）

https://www.acunetix.com/support/docs/wvs/deploying-acusensor-java-centos-rhel/

2.3.1 Deploying AspectJWeaver into your web application

To download and deploy AspectJWeaver, run the following commands:

wget -c https://repo1.maven.org/maven2/org/aspectj/aspectjweaver/1.9.5/aspectjweaver-1.9.5.jar
sudo mv aspectjweaver-1.9.5.jar /opt/tomcat9/lib
sudo ln -s /opt/tomcat9/lib/aspectjweaver-1.9.5.jar /opt/tomcat9/lib/aspectjweaver.jar
2.3.2  Deploying AcuSensor into your web application

Download the Acunetix JAVA AcuSensor from the Acunetix UI
Copy the Acunetix JAVA AcuSensor (AcuSensor.jar) to %TOMCAT-HOME%\lib - based on the assumptions above, you would copy the AcuSensor.jar file to /opt/tomcat9/lib
2.3.3 Configure Tomcat to use AspectJWeaver and AcuSensor

Launch Tomcat with Load Time Weaving enabled. This can be done by adding a -javaagent parameter with the path to aspectjweaver.jar when launching Tomcat, and optionally a parameter to enable AcuSensor debug logging
For Centos 8.1 and RHEL 8.1, you will need to add 2 parameters into the Tomcat setenv.sh script (normally you will be creating a new file):
run the command: sudo nano /opt/tomcat9/bin/setenv.sh
at the end of the file, add the line: JAVA_OPTS="$JAVA_OPTS -javaagent:$CATALINA_HOME/lib/aspectjweaver.jar -Dacusensor.debug.log=ON"
save the file
run the command: sudo systemctl restart tomcat9


Note: The parameter "-Dacusensor.debug.log=ON" is optional, and can be omitted. If this parameter is retained, this will output AcuSensor logging as additional lines in the Tomcat logs starting with "[Acunetix-debug]".



2.3.4 Disabling and Removing AcuSensor for JAVA

To remove and disable the sensor from your website you need to revert the changes done during the deployment of the Agent. Based on the assumptions above:

Remove the Acunetix JAVA AcuSensor (AcuSensor.jar) from the folder where it was deployed with:
rm /opt/tomcat9/lib/AcuSensor.jar
Remove aspectjweaver.jar with:
sudo rm /opt/tomcat9/lib/aspectjweaver.jar
sudo rm /opt/tomcat9/lib/aspectjweaver-1.9.5.jar
Reconfigure Tomcat with Load Time Weaving disabled:
remove the "JAVA_OPTS" line added earlier in the setenv.sh file
run the command: sudo systemctl restart tomcat9


Note: Although the Acunetix AcuSensor agent is secured with a strong password, it is recommended that the AcuSensor client files are uninstalled and removed from the web application if they are no longer in use.

注：官方案例中使用tomcat9 ，本地tomcat8中未找到改sh文件

这里在catalina.sh中cygwin=false这行上面加入以下代码

JAVA_OPTS="$JAVA_OPTS -javaagent:/www/server/tomcat/lib/aspectjweaver.jar -Dacusensor.debug.log=ON"

这里重启tomcat即可开始iast插装扫描

0x03 测试

对比awvs扫描，开启AcuSensor，开启后扫描目标会有AcuSensor图标

为了确保漏洞覆盖，这里使用BURP录制一份测试靶场的流量，导入到AWVS中

新建目标，导入文件

0x04 测试结果

4.1 常规漏洞项测试

默认配置，结果不准确

常规漏洞测试项	扫描结果	IAST检测
目录遍历	√	√
任意文件读取	√	√
命令执行	×	×
XXE	×	×
文件上传	√	×
反序列化漏洞	×	×
ssrf	×	×
sql注入	√	√
xss	√	×
struts命令执行	√	×
fastjson反序列化	×	×
逻辑漏洞（越权）	×	×