WAF integration: Acunetix and F5 BigIP ASM

The Acunetix API gives you the opportunity to automate tasks to increase efficiency – especially when you can accelerate the integration of functionality with other components of your workflow. In this example, we will build on a previous article, where we’ve shown you how to use the Acunetix API in a Bash script: Managing Scans using Bash and the Acunetix API. We will add code to that Bash script to achieve the following automation:

  • In Acunetix:
    • Trigger the creation of an export file for subsequent import into a WAF
    • Monitor the status of the export until it is completed
    • Download the export file
  • In BigIP ASM:
    • Define a target
    • Define a security policy
    • Upload the export

Anatomy of the script additions

The script additions follow this structure:

  • Acunetix API tasks
    • The generation of the export file is triggered
    • A loop is created that checks the status of the export file generation every 10 seconds and waits for the status to become completed
    • The export file is downloaded
  • WAF API tasks
    • A virtual server is created for the target
    • The ID of the vulnerability assessment baseline is retrieved from the WAF
    • A security policy for Acunetix scans is created
    • The ID of the security policy is retrieved from the WAF
    • The scanner type for the security policy is set to Generic Scanner
    • The size of the export file is calculated
    • The export file is uploaded to the WAF
    • The export file is imported into the security policy

Bash script additions


# ... previous script above this line
 
# Declare variables for Acunetix
MyTargetIP=`getent hosts testphp.vulnweb.com | awk '{ print $1 }'`
ExportTypeID="21111111-1111-1111-1111-111111111113" # F5 BigIP
 
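# Declare variables for F5 BigIp
# (example lab values; keep real credentials out of the script, for example
# by reading them from the environment or a secrets store)
MyTargetDomain=`echo "$MyTargetURL" | sed -e 's|^[^/]*//||' -e 's|/.*$||'`
MyBigIpUser="admin"
MyBigIpPass="adminpass123%"
MyBigIpHost="192.168.72.128"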
 
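# Trigger generation of the export file
# (-k disables TLS certificate verification for every curl call in this script;
# where the Acunetix and BIG-IP certificates can be validated, use --cacert instead)
MyExportResult=`curl -i -sS -k -X POST $MyAXURL/exports -H "Content-Type: application/json" -H "X-Auth: $MyAPIKEY" --data "{\"export_id\":\"$ExportTypeID\",\"source\":{\"list_type\":\"scan_result\",\"id_list\":[\"$MyScanResultID\"]}}"`

# Extract the export element from the Location header and the export ID from the response body
MyExportElement=`echo "$MyExportResult" | grep "Location: " | sed "s/Location: \/api\/v1\/exports\///" | sed "s/\r//g" | sed -z "s/\n//g"`
MyExportURL=`echo "$MyAXURL/exports/$MyExportElement"`
MyExportID=`echo "$MyExportResult" | grep -Po '"report_id": *\K"[^"]*"' | tr -d '"'`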
 
while true; do
  MyExportStatus=`curl -sS -k -X GET "$MyAXURL/exports/$MyExportID" -H "Accept: application/json" -H "X-Auth: $MyAPIKEY"`

  if [[ "$MyExportStatus" == *"\"status\": \"processing\""* ]]; then
    echo "Export status: Processing - waiting 10 seconds"
  elif [[ "$MyExportStatus" == *"\"status\": \"queued\""* ]]; then
    echo "Export status: Queued - waiting 10 seconds"
  elif [[ "$MyExportStatus" == *"\"status\": \"completed\""* ]]; then
    echo "Export status: Completed"
    # Break out of loop
    break
  else
    echo "Invalid export status - aborting"
    # Clean up and exit script
    cleanup
    exit 1
  fi
  sleep 10
done
 
# Extract the export file name from the download link in the status response
MyExportFile=`echo $MyExportStatus | sed 's/.*\[ "\/api\/v1\/reports\/download\/\([^]]*\)" \].*/\1/g'`
echo "Export file: $MyExportFile"
 
# Download export file from Acunetix
Dummy=`curl -sS -k "$MyAXURL/reports/download/$MyExportFile" -o $MyExportFile`
 
# Create a virtual server for your target
Dummy=`curl -sS -k -u $MyBigIpUser:$MyBigIpPass -X POST "https://$MyBigIpHost/mgmt/tm/ltm/virtual" -H "Content-type: application/json" --data '{"name":"MyWebApplication","destination":"'"$MyTargetIP"':80","ipProtocol":"tcp"}'`
echo "Created a virtual server"
 
# Get the ID of the vulnerability assessment baseline policy
MyBigIpVulnBaselineID=`curl -sS -k -u $MyBigIpUser:$MyBigIpPass -X GET "https://$MyBigIpHost/mgmt/tm/asm/policy-templates" -H "Content-type: application/json" | jq -r '.items[] | select(.title == "Vulnerability Assessment Baseline") | .id'`
 
# Create a security policy for Acunetix scans
MyBigIpPolicyResponse=`curl -sS -k -u $MyBigIpUser:$MyBigIpPass -X POST "https://$MyBigIpHost/mgmt/tm/asm/policies" -H "Content-type: application/json" --data '{"name":"AcunetixPolicy","description":"Import from Acunetix Scan Results","virtualServers":["/Common/MyWebApplication"],"type":"security","enforcementMode":"blocking","templateReference":{"link":"https://'"$MyBigIpHost"'/mgmt/tm/asm/policy-templates/'"$MyBigIpVulnBaselineID"'"}}'`
MyBigIpPolicyID=`echo $MyBigIpPolicyResponse | jq -r '.id'`
echo "Security policy ID: $MyBigIpPolicyID"
 
# Set scanner type to Generic scanner
Dummy=`curl -sS -k -u $MyBigIpUser:$MyBigIpPass -X PATCH "https://$MyBigIpHost/mgmt/tm/asm/policies/$MyBigIpPolicyID/vulnerability-assessment" -H "Content-type: application/json" --data '{"scannerType":"generic"}'`
echo "Scanner type set to Generic scanner"
 
# Get file size
MyExportFileSize=`stat --printf="%s" $MyExportFile`
 
# Upload the file to the WAF
Dummy=`curl -sS -k -u $MyBigIpUser:$MyBigIpPass -X POST "https://$MyBigIpHost/mgmt/tm/asm/file-transfer/uploads/$MyExportFile" -H "Content-type: application/octet-stream" -H "Content-Range: 0-$((MyExportFileSize-1))/$MyExportFileSize" --data-binary @$MyExportFile`
echo "Acunetix export file uploaded to the WAF"
 
# Import the file into the security policy
Dummy=`curl -sS -k -u $MyBigIpUser:$MyBigIpPass -X POST "https://$MyBigIpHost/mgmt/tm/asm/tasks/import-vulnerabilities" -H "Content-type: application/json" --data '{"policyReference":{"link":"https://'"$MyBigIpHost"'/mgmt/tm/asm/policies/'"$MyBigIpPolicyID"'"},"filename":"'"$MyExportFile"'","importAllDomainNames":false,"domainNames":["'"$MyTargetDomain"'"]}'`
echo "Acunetix export file imported to the security policy"
 
# Get the vulnerabilities collection object
MyVulnerabilities=`curl -sS -k -u $MyBigIpUser:$MyBigIpPass -X GET "https://$MyBigIpHost/mgmt/tm/asm/policies/$MyBigIpPolicyID/vulnerabilities"`
MyVulnerabilitiesItems=`echo $MyVulnerabilities | jq '.totalItems'`
echo "Number of vulnerabilities imported: $MyVulnerabilitiesItems"
if [[ $MyVulnerabilitiesItems -eq 0 ]]; then
  echo "No vulnerabilities imported; exiting"
  exit 1;
fi
 
echo "$MyVulnerabilitiesItems vulnerabilities imported. You now need to configure resolution parameters for each vulnerability."
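
A bounded, validated variant of the export polling step, added here as an example and not part of the original script: it gives up after a maximum number of attempts instead of looping indefinitely, and it checks the download file name before that name is used as a local path and in the BIG-IP upload URL. The function names, the attempt limit, the file-name allowlist and the sample responses are assumptions.

```bash
# Added example, not from the original article; sample responses are constructed.
# Print the "status" value from an export status response body.
export_status() {
  printf '%s\n' "$1" | sed -n 's/.*"status": *"\([^"]*\)".*/\1/p'
}

# Print the file name from the /api/v1/reports/download/ link in the body.
export_file() {
  printf '%s\n' "$1" | sed -n 's|.*"/api/v1/reports/download/\([^"]*\)".*|\1|p'
}

# Accept only a plain file name: not empty, no leading dot or dash, and only
# characters from an assumed allowlist (so no "/" and no shell metacharacters).
safe_filename() {
  case "$1" in
    ''|.*|-*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
}

# Poll until the export completes. $1 = command printing the status JSON (it is
# passed the attempt number), $2 = max attempts, $3 = delay in seconds.
# Prints the validated file name. Returns 1 on error, 2 on timeout.
wait_for_export() {
  i=1
  while [ "$i" -le "$2" ]; do
    body=$("$1" "$i") || return 1
    case "$(export_status "$body")" in
      queued|processing) sleep "$3" ;;
      completed)
        file=$(export_file "$body")
        safe_filename "$file" || return 1
        printf '%s\n' "$file"
        return 0 ;;
      *) return 1 ;;
    esac
    i=$((i + 1))
  done
  return 2
}

# Constructed stand-in for the curl status call: queued, processing, completed.
sample_fetch() {
  case "$1" in
    1) echo '{"status": "queued", "download": []}' ;;
    2) echo '{"status": "processing", "download": []}' ;;
    *) echo '{"status": "completed", "download": [ "/api/v1/reports/download/constructed-export.xml" ]}' ;;
  esac
}

wait_for_export sample_fetch 5 0   # prints constructed-export.xml
```

In the script above, the first argument would be a function wrapping the status curl call, with a delay of 10 seconds to match the original loop.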
THE AUTHOR
Kevin Attard Compagno
Technical Writer

Kevin Attard Compagno is a Technical Writer working for Acunetix. A technical writer, translator, and general IT buff for over 30 years, Kevin used to run Technical Support teams and create training documents and other material for in-house technical staff.

*** This is a Security Bloggers Network syndicated blog from Web Security Blog – Acunetix authored by Kevin Attard Compagno. Read the original post at: http://feedproxy.google.com/~r/acunetixwebapplicationsecurityblog/~3/2wcOZYGqbNM/