Netsparker扫描器IAST使用

0x00 前言

之前测试了AWVS扫描器的IAST功能，使用上不是很方便，需要对每个服务启动一个扫描任务才可以进行扫描，比较主动，无法作为独立的被动式扫描器使用，脏数据也是比较多

对比awvs和netsparker，在前后端分离场景下，awvs扫描器可以分析swagger文件进行全接口自动化安全扫描，开发人员可以使用该功能增加后端系统的安全测试效率。在多人协作的测试场景下，netsparker扫描器可以开启代理端口，充分导入有效流量进行自动化安全测试，发现隐蔽的安全漏洞

0x01 扫描器安装

x版下载https://pan.baidu.com/s/18lY8xIXoQDcfLRqKFah9kQ 提取码：6cvp

Netsparker Professional Edition v6.0.0.29750 [ Licensed ]

Windows双击安装，打开

image.png

0x02 IAST使用

Netsparker Shark使您可以在Web应用程序中进行交互式安全测试（IAST），以确认更多漏洞并进一步减少误报。为了使Netsparker Shark能够运行，您需要下载一个代理并将其部署在您的服务器上。请注意，出于安全原因，该代理是为每个目标网站唯一生成的。

参考官方文档进行安装 https://www.netsparker.com/support/deploying-netsparker-shark-for-java-windows/

2.1 生成iast agent

添加扫描目标 - http://192.168.244.129:8080/

选择扫描设置 - Shark - 勾上enable shark，选择服务平台 java，保存为shark.jar

image.png

2.2 使用iast

这里使用和awvs类似

1
2
3
4
5
6
7
8
9
10

1. Deploying AspectJWeaver into your web application

Download AspectJWeaver: https://repo1.maven.org/maven2/org/aspectj/aspectjweaver/1.9.5/aspectjweaver-1.9.5.jar
From the download folder, select aspectjweaver-1.9.5.jar and rename it aspectjweaver.jar
Copy aspectjweaver and paste it intoC:Program Files (x86)Apache Software FoundationTomcat 9.0/lib
2. Deploying Shark into your web server

Download the Netsparker Shark JAVA from Netsparker
Copy the Netsparker Shark JAVA (Shark.jar) to %TOMCAT-HOME%lib
If installing on Windows where Tomcat 9 was installed using the official "32-bit/64-bit Windows Service Installer", copy the Shark.jar file to C:Program Files (x86)Apache Software FoundationTomcat 9.0lib

image.png

1
2
3
4
5
6

3. Configuring Tomcat to use AspectJWeaver and Shark

Launch Tomcat with Load Time Weaving enabled. This can be done by adding a -javaagent parameter with the path to aspectjweaver.jar when launching Tomcat, and optionally a parameter to enable the Shark debug logging.
Add two parameters into the Apache Tomcat Configuration > Java options tab
-javaagent: C:Program Files (x86)Apache Software FoundationTomcat 9.0libaspectjweaver.jar (mandatory; adjust path depending on where you deployed the aspectjweaver.jar file)
-Dacusensor.debug.log=ON (optional; enables debug logging)

image.png

这里也在配置awvs时配置过了，跳过

Restart the Tomcat service

The parameter “-Dacusensor.debug.log=ON” is optional and can be omitted. If this parameter is retained, this will output the Shark logging as additional lines in the Tomcat logs starting with “[Netsparker-debug]”.

2.3 删除agent

Disabling and Removing Netsparker Shark for Java

To remove and disable the sensor from your website, you need to revert the changes done during the deployment of the Agent.

• Remove the Netsparker Shark (Shark.jar) from the folder where it was deployed

• Remove aspectjweaver.jar from the folder where it was copied to

• Reconfigure Tomcat with Load Time Weaving disabled, as follows:

• Remove the -javaagent and -Dacusensor.debug.log parameters in the Apache Tomcat Configuration > Java options tab

• Restart the Tomcat service

  Although the Netsparker Shark agent is secured with a strong password, it is recommended that the Shark client files are uninstalled and removed from the web application if they are no longer in use.

0x03 测试

image.png

配置完成之后如果直接点击start scan ，会类似AWVS的iast一样，先通过dast，然后再通过iast增加漏洞的准确性，这里依然会产生大量请求和脏数据

这里有一个代理模式，选择

image.png

首次打开会弹出安装证书

image.png

image.png

打开浏览器，设置代理， 10010端口，访问待测系统

image.png

流量抓取完成，开始扫描

image.png

image.png

这里单独使用iast的sql注入规则，产生8条脏数据

image.png

IAST相关规则

 还在等什么？赶紧点击下方名片关注学习吧！

原文始发于微信公众号（渗透测试网络安全）：Netsparker扫描器IAST使用