Deploying Invicti PHP IAST sensor
Before deploying the Invicti PHP IAST sensor, note the list of supported servers and frameworks.
🔍 Supported Servers and Frameworks
- PHP Language
- Application Frameworks
- Web Servers
- Database Engines
- Package Manager
Invicti IAST is deployed by setting the PHP directive "auto_prepend_file" so that it points at the Invicti PHP IAST sensor file; PHP then loads the sensor before every script it executes.
Deploying the Invicti IAST agent is a three-step process.
Step 1: Download Invicti IAST for your Target
The instructions to download the Invicti IAST agent file can be found here: https://www.invicti.com/support/application-security-platform/introduction-to-invicti-iast/.
Step 2: Copy the Invicti IAST agent to the Target
For the purposes of this document, we assume that a dedicated folder directly under the root of your operating system's filesystem will hold the Invicti IAST agent.
- Under Windows:
  - Create a folder "C:\iastsensor\"
  - Copy the iastsensor.php file into "C:\iastsensor\"
- Under Linux:
  - Run the following command: mkdir /iastsensor/
  - Use "cd" to navigate to the folder which contains your downloaded Invicti IAST agent file and run the following command: cp iastsensor.php /iastsensor/
Step 3: Configure your web server to invoke the "auto_prepend_file" directive
- Under Windows with IIS:
  - Identify the php.ini file which contains the PHP directives for your website. If your website has its own INI file (typically a ".user.ini" file in your website's root folder), add the line to that website's specific INI file. Otherwise, add it to the general php.ini file, keeping in mind that this affects all websites on the web server. The line to be added is:
    auto_prepend_file="c:\iastsensor\iastsensor.php"
- Under Windows with Apache:
  - Option 1: add this line to the .htaccess file in the root folder of your website:
    php_value auto_prepend_file C:\iastsensor\iastsensor.php
  - Option 2: Identify the php.ini file which contains the PHP directives for your website. In a 64-bit "wampserver" installation, the file to be edited is typically "C:\wamp64\bin\php\php7.3.12\phpForApache.ini". Add this line to the file:
    auto_prepend_file="c:\iastsensor\iastsensor.php"
- Under Linux with Apache:
  - Option 1: add this line to the .htaccess file in the root folder of your website:
    php_value auto_prepend_file /iastsensor/iastsensor.php
  - Option 2: Identify the php.ini file which contains the PHP directives for your website. If your website has its own INI file (typically a ".user.ini" file in your website's root folder), add the line to that website's specific INI file. Otherwise, add it to the general php.ini file, keeping in mind that this affects all websites on the web server. The line to be added is:
    auto_prepend_file = /iastsensor/iastsensor.php
- Under Linux with NGINX:
  - Option 1: Identify your NGINX conf file (e.g. /etc/nginx/sites-enabled/mysite.conf), and in the section for "location ~ \.php$", add a line as follows:
    fastcgi_param PHP_VALUE "auto_prepend_file = /iastsensor/iastsensor.php";
  - Option 2: Identify the php.ini file which contains the PHP directives for your website. If your website has its own INI file (typically a ".user.ini" file in your website's root folder), add the line to that website's specific INI file. Otherwise, add it to the general php.ini file, keeping in mind that this affects all websites on the web server. The line to be added is:
    auto_prepend_file = /iastsensor/iastsensor.php
Where is my general php.ini file?
Temporarily create a simple PHP file that calls phpinfo(); the "Loaded Configuration File" entry it reports is the general php.ini file you need to change.
Remember: You should ALWAYS remove any phpinfo() pages from your web application - the information disclosed by such a file is in itself a vulnerability, and provides malicious hackers with essential information with which to potentially craft an exploit targeting your web application.
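Every option in Step 3 sets the same PHP directive in one of three syntaxes (php.ini/.user.ini, Apache php_value, NGINX fastcgi_param PHP_VALUE), so it is easy to end up with the sensor wired in at more than one layer, or pointed at a path where no sensor file exists. The following Python script is an added example, not part of this page or of Invicti's own tooling: it scans configuration text for auto_prepend_file settings in all three syntaxes, reports each with its file and line, and checks whether the referenced sensor file is actually present. The contents and paths in SAMPLE_CONFIGS are constructed for illustration, and the file_exists callback is an assumption that lets the check run against captured text without touching the real filesystem. Run it after Step 3 to confirm the directive landed only where you intended, and again after the uninstall steps later on this page to confirm nothing was left behind.

```python
"""Audit PHP / web-server configuration text for auto_prepend_file directives.

Added example (not Invicti's own tooling). Handles the three syntaxes used in
the deployment steps: php.ini/.user.ini lines, Apache php_value lines and
NGINX fastcgi_param PHP_VALUE "..." blocks.
"""
import re
from pathlib import Path

# php.ini / .user.ini:  auto_prepend_file = /path   or   auto_prepend_file="c:\path"
_INI_RE = re.compile(r'^\s*auto_prepend_file\s*=\s*["\']?([^"\';\s]+)', re.I)
# Apache .htaccess:  php_value auto_prepend_file /path
_HTACCESS_RE = re.compile(
    r'^\s*php_(?:admin_)?value\s+auto_prepend_file\s+["\']?([^"\'\s]+)', re.I)
# NGINX:  fastcgi_param PHP_VALUE "...";  (the quoted value may span lines)
_NGINX_RE = re.compile(
    r'fastcgi_param\s+PHP_(?:ADMIN_)?VALUE\s+"([^"]*)"\s*;', re.I)


def find_auto_prepend(text):
    """Return a sorted list of (line_no, path) for every active auto_prepend_file setting."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", ";")):   # commented out in ini/htaccess/nginx
            continue
        m = _HTACCESS_RE.match(line) or _INI_RE.match(line)
        if m:
            hits.append((no, m.group(1)))
    for m in _NGINX_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        line_start = text.rfind("\n", 0, m.start()) + 1
        if text[line_start:m.start()].lstrip().startswith("#"):   # commented nginx line
            continue
        # Several directives may share one PHP_VALUE, separated by a real newline
        # or by a literal "\n" inside the quotes; apply the ini pattern to each.
        for directive in re.split(r"\\n|\n", m.group(1)):
            d = _INI_RE.match(directive)
            if d:
                hits.append((line_no, d.group(1)))
    return sorted(hits)


def audit(configs, file_exists=lambda p: Path(p).is_file()):
    """configs: {config_path: text}. One finding per directive found.

    `file_exists` is injectable (assumption for this example) so the audit can
    run over captured config text without touching the real filesystem.
    """
    findings = []
    for cfg, text in configs.items():
        for line_no, path in find_auto_prepend(text):
            findings.append({
                "config": cfg,
                "line": line_no,
                "prepend": path,
                "sensor_present": bool(file_exists(path)),
            })
    return findings


# Constructed sample configs that mirror the snippets on this page (not real files).
SAMPLE_CONFIGS = {
    "/etc/php/7.4/apache2/php.ini": (
        ";auto_prepend_file = /old/sensor.php\n"
        "auto_prepend_file = /iastsensor/iastsensor.php\n"),
    "/var/www/mysite/.htaccess":
        "php_value auto_prepend_file /var/www/mysite/iastsensor.php\n",
    "/etc/nginx/sites-enabled/mysite.conf": (
        "location ~ \\.php$ {\n"
        '    fastcgi_param PHP_VALUE "auto_prepend_file = /iastsensor/iastsensor.php";\n'
        "}\n"),
    "C:\\inetpub\\mysite\\.user.ini":
        'auto_prepend_file="c:\\iastsensor\\iastsensor.php"\n',
}

if __name__ == "__main__":
    # Pretend only the /iastsensor/ copy exists, as the page's Linux layout would have it.
    for f in audit(SAMPLE_CONFIGS, file_exists=lambda p: p.startswith("/iastsensor")):
        flag = "" if f["sensor_present"] else "   <-- referenced sensor file missing"
        print(f'{f["config"]}:{f["line"]}: auto_prepend_file={f["prepend"]}{flag}')
```

A directive that points at a missing file is worth chasing either way: after deployment it means the sensor is silently not loading (PHP logs a warning and continues), and after an uninstall it means a stale directive is still being evaluated on every request. The per-site .user.ini and .htaccess findings are the ones most easily overlooked when only the general php.ini is checked.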
Simple Docker Example for Apache + PHP + Invicti IAST
Step 1: Prepare example website. For this single-page example, here are the contents of /home/myuser/www/index.php:
Step 2: Configure loading of the Invicti IAST agent for the website; contents of /home/myuser/www/.htaccess:
php_value auto_prepend_file /var/www/mysite/iastsensor.php
Step 3: Configure the Apache virtual host for the website; contents of /home/myuser/mysite-apache.conf:
<VirtualHost *:80>
Step 4: Place the iastsensor.php file in /home/myuser/www
Step 5: Configure the Dockerfile for building the container; contents of /home/myuser/Dockerfile:
FROM ubuntu:latest
Step 6: Build the container. Run the following commands from the docker machine:
cd /home/myuser
Uninstall Invicti IAST
- First, reverse the changes made to your configuration files to invoke the "auto_prepend_file" directive.
- Next, remove the Invicti IAST sensor file as follows:
  - Under Windows, remove the "C:\iastsensor\iastsensor.php" file and then remove the "C:\iastsensor" folder.
  - Under Linux, run the following command:
    rm -rf /iastsensor/
Note: Although Invicti IAST files are secured with a unique strong built-in password, it is recommended that the Invicti IAST files be uninstalled and removed from the web application if they are no longer in use.