AWVS进阶 之 IAST插装深度扫描

1
2
3
4
5
6
7
8
9
10

# pull 拉取下载镜像
docker pull secfa/docker-awvs

# 将Docker的3443端口映射到物理机的 13443端口
docker run -it -d -p 13443:3443 secfa/docker-awvs

# 容器的相关信息
awvs13 username: [email protected]
awvs13 password: Admin123
AWVS版本：13.0.201006145

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

2.3.1 Deploying AspectJWeaver into your web application

To download and deploy AspectJWeaver, run the following commands:

wget -c https://repo1.maven.org/maven2/org/aspectj/aspectjweaver/1.9.5/aspectjweaver-1.9.5.jar
sudo mv aspectjweaver-1.9.5.jar /opt/tomcat9/lib
sudo ln -s /opt/tomcat9/lib/aspectjweaver-1.9.5.jar /opt/tomcat9/lib/aspectjweaver.jar
2.3.2  Deploying AcuSensor into your web application

Download the Acunetix JAVA AcuSensor from the Acunetix UI
Copy the Acunetix JAVA AcuSensor (AcuSensor.jar) to %TOMCAT-HOME%lib - based on the assumptions above, you would copy the AcuSensor.jar file to /opt/tomcat9/lib
2.3.3 Configure Tomcat to use AspectJWeaver and AcuSensor

Launch Tomcat with Load Time Weaving enabled. This can be done by adding a -javaagent parameter with the path to aspectjweaver.jar when launching Tomcat, and optionally a parameter to enable AcuSensor debug logging
For Centos 8.1 and RHEL 8.1, you will need to add 2 parameters into the Tomcat setenv.sh script (normally you will be creating a new file):
run the command: sudo nano /opt/tomcat9/bin/setenv.sh
at the end of the file, add the line: JAVA_OPTS="$JAVA_OPTS -javaagent:$CATALINA_HOME/lib/aspectjweaver.jar -Dacusensor.debug.log=ON"
save the file
run the command: sudo systemctl restart tomcat9


Note: The parameter "-Dacusensor.debug.log=ON" is optional, and can be omitted. If this parameter is retained, this will output AcuSensor logging as additional lines in the Tomcat logs starting with "[Acunetix-debug]".



2.3.4 Disabling and Removing AcuSensor for JAVA

To remove and disable the sensor from your website you need to revert the changes done during the deployment of the Agent. Based on the assumptions above:

Remove the Acunetix JAVA AcuSensor (AcuSensor.jar) from the folder where it was deployed with:
rm /opt/tomcat9/lib/AcuSensor.jar
Remove aspectjweaver.jar with:
sudo rm /opt/tomcat9/lib/aspectjweaver.jar
sudo rm /opt/tomcat9/lib/aspectjweaver-1.9.5.jar
Reconfigure Tomcat with Load Time Weaving disabled:
remove the "JAVA_OPTS" line added earlier in the setenv.sh file
run the command: sudo systemctl restart tomcat9


Note: Although the Acunetix AcuSensor agent is secured with a strong password, it is recommended that the AcuSensor client files are uninstalled and removed from the web application if they are no longer in use.