0x00 Preface
I previously tested the IAST feature of the AWVS scanner. It was not very convenient to use: a separate scan task has to be started for each service before anything is scanned, which is quite active, so it cannot be used as a standalone passive scanner, and it also produces a lot of dirty data.
Comparing AWVS and Netsparker: in a front-end/back-end separated setup, AWVS can parse a Swagger file and run an automated security scan over every interface, which developers can use to make security testing of the back-end more efficient. In a multi-person collaborative testing scenario, Netsparker can open a proxy port and import plenty of real traffic for automated security testing, which helps surface hidden vulnerabilities.
0x01 Installing the scanner
Cracked version download: https://pan.baidu.com/s/18lY8xIXoQDcfLRqKFah9kQ extraction code: 6cvp
Netsparker Professional Edition v6.0.0.29750 [ Licensed ]
On Windows, double-click the installer, then open the program.
0x02 Using IAST
Netsparker Shark lets you perform interactive application security testing (IAST) inside your web application, to confirm more vulnerabilities and further reduce false positives. For Netsparker Shark to run, you need to download an agent and deploy it on your server. Note that, for security reasons, the agent is generated uniquely for each target website.
Install it by following the official documentation: https://www.netsparker.com/support/deploying-netsparker-shark-for-java-windows/
2.1 Generating the IAST agent
Add a scan target - http://192.168.244.129:8080/
Choose the scan settings - Shark - tick Enable Shark, select the Java platform, and save the agent as shark.jar
2.2 Using IAST
Usage here is similar to AWVS.
1. Deploying AspectJWeaver into your web application
- Download AspectJWeaver: https://repo1.maven.org/maven2/org/aspectj/aspectjweaver/1.9.5/aspectjweaver-1.9.5.jar
- From the download folder, select aspectjweaver-1.9.5.jar and rename it aspectjweaver.jar
- Copy aspectjweaver.jar and paste it into C:\Program Files (x86)\Apache Software Foundation\Tomcat 9.0\lib
2. Deploying Shark into your web server
- Download the Netsparker Shark JAVA agent from Netsparker
- Copy the Netsparker Shark JAVA agent (Shark.jar) to %TOMCAT-HOME%\lib
- If installing on Windows where Tomcat 9 was installed using the official "32-bit/64-bit Windows Service Installer", copy the Shark.jar file to C:\Program Files (x86)\Apache Software Foundation\Tomcat 9.0\lib
3. Configuring Tomcat to use AspectJWeaver and Shark
Launch Tomcat with Load Time Weaving enabled. This can be done by adding a -javaagent parameter with the path to aspectjweaver.jar when launching Tomcat, and optionally a parameter to enable the Shark debug logging. Add two parameters in the Apache Tomcat Configuration > Java options tab:
- -javaagent:C:\Program Files (x86)\Apache Software Foundation\Tomcat 9.0\lib\aspectjweaver.jar (mandatory; adjust the path depending on where you deployed the aspectjweaver.jar file)
- -Dacusensor.debug.log=ON (optional; enables debug logging)
This was already configured when setting up AWVS, so it is skipped here.
Restart the Tomcat service
The parameter “-Dacusensor.debug.log=ON” is optional and can be omitted. If this parameter is retained, this will output the Shark logging as additional lines in the Tomcat logs starting with “[Netsparker-debug]”.
2.3 Removing the agent
Disabling and Removing Netsparker Shark for Java
To remove and disable the sensor from your website, you need to revert the changes done during the deployment of the Agent.
- Remove the Netsparker Shark (Shark.jar) from the folder where it was deployed
- Remove aspectjweaver.jar from the folder where it was copied to
- Reconfigure Tomcat with Load Time Weaving disabled, as follows:
  - Remove the -javaagent and -Dacusensor.debug.log parameters in the Apache Tomcat Configuration > Java options tab
  - Restart the Tomcat service
Although the Netsparker Shark agent is secured with a strong password, it is recommended that the Shark client files are uninstalled and removed from the web application if they are no longer in use.
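As an added example (not code from the post or from Netsparker), the check below reads the three artefacts that sections 2.2 and 2.3 touch, namely the Tomcat lib listing, the Java options tab and the Tomcat log, and reports whether the Shark agent is wired in and what still has to be removed once testing is over. The jar names, option strings and log prefix come from the steps above; the lib listing, options and log lines are constructed sample input.

```python
from pathlib import PureWindowsPath

AGENT_JAR = "aspectjweaver.jar"          # AspectJ load-time weaver
SHARK_JAR = "shark.jar"                  # per-target Netsparker Shark agent
DEBUG_FLAG = "-Dacusensor.debug.log=ON"  # optional Shark debug logging
LOG_PREFIX = "[Netsparker-debug]"        # marks Shark lines in the Tomcat log


def parse_java_options(options):
    """The Tomcat service 'Java options' tab holds one option per line."""
    javaagent, debug = None, False
    for raw in options:
        opt = raw.strip()
        if opt.startswith("-javaagent:"):
            javaagent = opt[len("-javaagent:"):].strip()
        elif opt == DEBUG_FLAG:
            debug = True
    return javaagent, debug


def check_deployment(lib_files, options, log_lines):
    """Report whether the Shark agent is active, from lib listing, options and log."""
    names = {PureWindowsPath(p).name.lower() for p in lib_files}
    javaagent, debug = parse_java_options(options)
    status = {
        "weaver_in_lib": AGENT_JAR in names,
        "shark_in_lib": SHARK_JAR in names,
        "javaagent_ok": bool(javaagent) and PureWindowsPath(javaagent).name.lower() == AGENT_JAR,
        "debug_logging": debug,
        "debug_lines": sum(LOG_PREFIX in line for line in log_lines),  # evidence it loaded
    }
    status["active"] = status["weaver_in_lib"] and status["shark_in_lib"] and status["javaagent_ok"]
    return status


def leftovers(lib_files, options):
    """What section 2.3 still has to remove: the two jars and the agent/debug options."""
    s = check_deployment(lib_files, options, [])
    todo = [jar for jar, present in ((SHARK_JAR, s["shark_in_lib"]), (AGENT_JAR, s["weaver_in_lib"])) if present]
    todo += [o.strip() for o in options if o.strip().startswith("-javaagent:") or o.strip() == DEBUG_FLAG]
    return todo


# Constructed sample input mirroring a completed deployment (not a real capture).
TOMCAT_LIB = r"C:\Program Files (x86)\Apache Software Foundation\Tomcat 9.0\lib"
LIB = [TOMCAT_LIB + r"\aspectjweaver.jar", TOMCAT_LIB + r"\Shark.jar", TOMCAT_LIB + r"\catalina.jar"]
OPTS = ["-javaagent:" + TOMCAT_LIB + r"\aspectjweaver.jar", DEBUG_FLAG]
LOG = ["[Netsparker-debug] agent loaded (constructed line)", "INFO Server startup in 1234 ms"]

if __name__ == "__main__":
    print(check_deployment(LIB, OPTS, LOG))
    print("still to remove:", leftovers(LIB, OPTS))
```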
0x03 Testing
Once configuration is complete, clicking Start Scan directly behaves like the AWVS IAST: DAST runs first and IAST is then used to improve the accuracy of the findings, which still generates a large number of requests and dirty data.
There is also a proxy mode; select it.
On first launch a prompt to install the certificate pops up.
Open the browser, set the proxy to port 10010, and visit the system under test.
Once traffic capture is complete, start the scan.
Here, using only the IAST SQL injection rules, 8 rows of dirty data were produced.
IAST-related rules
Published by: 常山赵子龙. Please credit the source when reposting: https://www.qztxs.com/archives/science/technology/12106