
Deploying Invicti PHP IAST sensor

This document is for:
Invicti Platform

Before deploying the Invicti PHP IAST sensor, note the list of supported servers and frameworks.

Supported Servers and Frameworks

PHP Language

  • 5.6.x
  • 7.x
  • 8.x

Application Frameworks

  • Laravel
  • Symfony
  • CodeIgniter
  • Yii
  • Zend v3
  • Slim v2, v3, v4
  • Smarty v3, v4

Web Servers

  • Apache
  • Nginx

Database Engines

  • MySQL
  • PostgreSQL
  • Microsoft SQL Server
  • DB2
  • Ingres
  • Oracle
  • FireBird/InterBase
  • Sybase
  • MongoDB v2.6 or later, using the MongoDB PHP extension 1.3 or later

Package Manager

  • Composer

Invicti IAST is loaded through the PHP directive "auto_prepend_file": you point this directive at the Invicti PHP IAST sensor file, and PHP then includes the sensor before the main script of every request.

Deploying the Invicti IAST agent is a 3-step process.

Step 1: Download Invicti IAST for your Target

The instructions to download the Invicti IAST agent file can be found here: https://www.invicti.com/support/application-security-platform/introduction-to-invicti-iast/.

Step 2: Copy the Invicti IAST agent to the Target

For the purposes of this document, we assume that a dedicated folder is created directly under the root of your operating system's filesystem to hold the Invicti IAST agent.

  • Under Windows:
      • Create a folder "C:\iastsensor\"
      • Copy the iastsensor.php file into "C:\iastsensor\"
  • Under Linux:
      • Run the following command: mkdir /iastsensor/
      • Use "cd" to navigate to the folder which contains your downloaded Invicti IAST agent file and run the following command: cp iastsensor.php /iastsensor/

Step 3: Configure your web server to invoke the "auto_prepend_file" directive

  • Under Windows with IIS:
      • Identify the php.ini file which contains the PHP directives for your website. If your website has its own INI file (typically a ".user.ini" file in your website's root folder), you need to add a line to that website's specific INI file. Otherwise, you will need to add a line to the general php.ini file - keeping in mind it will affect all websites on the web server. The line to be added is:

auto_prepend_file="c:\iastsensor\iastsensor.php"

  • Under Windows with Apache:
      • Option 1: add this line to the .htaccess file in the root folder of your website:

php_value auto_prepend_file C:\iastsensor\iastsensor.php

      • Option 2: Identify the php.ini file which contains the PHP directives for your website. In a 64-bit "wampserver" installation, the file to be edited would typically be "C:\wamp64\bin\php\php7.3.12\phpForApache.ini". Add this line to the file:

auto_prepend_file="c:\iastsensor\iastsensor.php"

  • Under Linux with Apache:
      • Option 1: add this line to the .htaccess file in the root folder of your website:

php_value auto_prepend_file /iastsensor/iastsensor.php

      • Option 2: Identify the php.ini file which contains the PHP directives for your website. If your website has its own INI file (typically a ".user.ini" file in your website's root folder), you need to add a line to that website's specific INI file. Otherwise, you will need to add a line to the general php.ini file - keeping in mind it will affect all websites on the web server. The line to be added is:

auto_prepend_file = /iastsensor/iastsensor.php

  • Under Linux with NGINX:
      • Option 1: Identify your NGINX conf file (e.g. /etc/nginx/sites-enabled/mysite.conf), and in the "location ~ \.php$" block, alongside the other fastcgi_param lines, add a line as follows:

fastcgi_param PHP_VALUE "auto_prepend_file = /iastsensor/iastsensor.php";

      • Option 2: Identify the php.ini file which contains the PHP directives for your website. If your website has its own INI file (typically a ".user.ini" file in your website's root folder), you need to add a line to that website's specific INI file. Otherwise, you will need to add a line to the general php.ini file - keeping in mind it will affect all websites on the web server. The line to be added is:

auto_prepend_file = /iastsensor/iastsensor.php

Where is my general php.ini file?

Temporarily create a simple PHP file containing phpinfo(); the "Loaded Configuration File" entry in its output is the general php.ini file you will need to change.

Remember: You should ALWAYS remove any phpinfo() pages from your web application - the information disclosed by such a file is in itself a vulnerability, and provides malicious hackers with essential information with which to potentially craft an exploit targeting your web application.

Simple Docker Example for Apache + PHP + Invicti IAST

Step 1: Prepare the example website. This single-page example consists of one file, /home/myuser/www/index.php.

Step 2: Configure loading of Invicti IAST agent for the website; contents of /home/myuser/www/.htaccess:

php_value auto_prepend_file /var/www/mysite/iastsensor.php

Step 3: Configure the Apache virtual host for the website; contents of /home/myuser/mysite-apache.conf:

<VirtualHost *:80>
 ServerAdmin me@mydomain.com
 DocumentRoot /var/www/mysite
 <Directory /var/www/mysite/>
     Options Indexes FollowSymLinks MultiViews
     AllowOverride All
     Order deny,allow
     Allow from all
 </Directory>
 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Step 4: Place the iastsensor.php file in /home/myuser/www

Step 5: Configure the Dockerfile for building the container: contents of /home/myuser/Dockerfile:

FROM ubuntu:latest

# Install apache, PHP
RUN apt-get update
RUN apt-get -y upgrade
RUN DEBIAN_FRONTEND=noninteractive apt-get -y install apache2 php libapache2-mod-php

# Expose apache
EXPOSE 80

# Copy website and Invicti IAST agent into place
COPY www /var/www/mysite

# Update the default apache site with the website config
COPY mysite-apache.conf /etc/apache2/sites-enabled/000-default.conf

# Start up apache in the foreground
CMD /usr/sbin/apache2ctl -D FOREGROUND

Step 6: Build the container. Run the following commands on the Docker host:

cd /home/myuser
docker build -t mysite .
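The following shell script is an added example and not part of the Invicti documentation: it lays out the Docker example above (www/, .htaccess, the Apache virtual host and the Dockerfile) in a directory you name, and runs a pre-flight check that the path in .htaccess maps to a file the Dockerfile's COPY line actually places in the image, since a mismatch between the sensor's location and the directive is a common reason the sensor fails to load (PHP then reports that it could not open the prepended file on every request). The build directory and the contents of index.php are constructed placeholders; the other file contents follow the page.

```shell
#!/bin/sh
# Added example, not part of the Invicti documentation: assemble the Docker
# example's build directory and check that the .htaccess directive points at a
# file that will exist inside the image. The build directory and index.php
# contents are constructed; .htaccess, the vhost and the Dockerfile follow the page.
set -e

# Lay out <base>/www (site, .htaccess, sensor), the vhost and the Dockerfile.
# <sensor_src> is the downloaded iastsensor.php.
make_layout() {
  base="$1"; sensor_src="$2"
  mkdir -p "$base/www"
  # Constructed placeholder page; the documentation does not reproduce index.php.
  printf '%s\n' '<?php echo "Example site";' > "$base/www/index.php"
  # The sensor ships next to the site and is referenced by its in-image path.
  cp "$sensor_src" "$base/www/iastsensor.php"
  printf '%s\n' 'php_value auto_prepend_file /var/www/mysite/iastsensor.php' > "$base/www/.htaccess"
  cat > "$base/mysite-apache.conf" <<'EOF'
<VirtualHost *:80>
 ServerAdmin me@mydomain.com
 DocumentRoot /var/www/mysite
 <Directory /var/www/mysite/>
     Options Indexes FollowSymLinks MultiViews
     AllowOverride All
     Order deny,allow
     Allow from all
 </Directory>
 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
EOF
  cat > "$base/Dockerfile" <<'EOF'
FROM ubuntu:latest
RUN apt-get update && apt-get -y upgrade
RUN DEBIAN_FRONTEND=noninteractive apt-get -y install apache2 php libapache2-mod-php
EXPOSE 80
COPY www /var/www/mysite
COPY mysite-apache.conf /etc/apache2/sites-enabled/000-default.conf
CMD /usr/sbin/apache2ctl -D FOREGROUND
EOF
}

# Pre-flight: read the "COPY www <dest>" destination from the Dockerfile and the
# auto_prepend_file path from .htaccess, then confirm the latter lies under
# <dest> and names a real file in www/. Returns 0 when consistent, 1 otherwise.
check_prepend_path() {
  base="$1"
  dest="$(awk '$1 == "COPY" && $2 == "www" { print $3 }' "$base/Dockerfile")"
  prepend="$(awk '$1 == "php_value" && $2 == "auto_prepend_file" { print $3 }' "$base/www/.htaccess")"
  case "$prepend" in
    "$dest"/*) rel="${prepend#"$dest"/}" ;;
    *) return 1 ;;
  esac
  [ -f "$base/www/$rel" ]
}

# Build the image once the check passes (needs Docker; not exercised by the test).
build_image() {
  base="$1"
  check_prepend_path "$base"
  docker build -t mysite "$base"
}

# Typical use:
#   make_layout /home/myuser ./iastsensor.php && build_image /home/myuser
```

AllowOverride All in the virtual host is what lets the php_value line in .htaccess take effect; without it the sensor is never prepended. The Order/Allow lines are Apache 2.2 syntax that Apache 2.4 accepts only through mod_access_compat (enabled by default on Ubuntu); the native 2.4 equivalent is Require all granted.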

Uninstall Invicti IAST

  • First you will need to reverse the changes made to your configuration files to invoke the "auto_prepend_file" directive
  • Next, remove the Invicti IAST sensor file as follows:
      • Under Windows, remove the "C:\iastsensor\iastsensor.php" file and then remove the "C:\iastsensor" folder
      • Under Linux, run the following command: rm -rf /iastsensor/

Note: Although Invicti IAST files are secured with a unique strong built-in password, it is recommended that the Invicti IAST files be uninstalled and removed from the web application if they are no longer in use.
