Deploying Invicti Shark for .NET – AWS Elastic Beanstalk

The following article shows you how you can run a .NET application in AWS Elastic Beanstalk and then use Invicti Shark (IAST) to run an interactive application security testing (IAST) scan for that application.

Step 1. Creating your target in Invicti Enterprise

For this example, we assume that the URL for your target is http://eb.acunetixexample.com. Create a target with your URL, enable Invicti Shark, download the Shark agent file -Shark(IASTandSCA).zip-, and save this file to use later on.

Step 2. Creating your web application using Visual Studio

1. From the menu, select File > New > Project.

2. From the Create a new project window, search for “web application”.
3. Select ASP.NET Web Application (.NET Framework), then Next.

4. Enter a friendly name for your project. (For this illustration, we use axexample-dotnet.)
5. Select Create.

6. From the Create a new ASP.NET Web Application window, select Empty, unselect Configure for HTTPS, then select Create.

7. Right-click on the axexample-dotnet project name.
8. Select Add > HTML Page.

9. On the Specify Name for Item dialog, enter index to the Item name field and select OK.
10. Edit your index.html file to read as follows:

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8" />
    <title></title>
</head>
<body>
    <h1>Test dotNET Site Example for AWS Elastic Beanstalk</h1>
    <br>
    Hello World! - Main Page
    <br>
    <a href="/page1.html">Goto Page 1</a>
</body>
</html>

11. Do the same to create a page1.html file; edit your page1.html file to read as follows:

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8" />
    <title></title>
</head>
<body>
    <h1>Test dotNET Site Example for AWS Elastic Beanstalk</h1>
    <br>
    Hello World! - Page 1
    <br>
    <a href="/">Goto Main Page</a>
</body>
</html>

12. Save your changes to index.html and page1.html files.
13. Right-click on the axexample-dotnet project name and select Publish.

14. From the Publish window, select Web Server (IIS), then Next.

15. Select Web Deploy Package.
16. Select Next.

17. Now, set your Package location to C:\axexample-dotnet\axexample-dotnet.zip, set your site name to axexample-dotnet.
18. Select Finish. (If necessary, create the C:\axexample-dotnet folder to hold your files)

19. Select Publish.

20. Using Windows Explorer, navigate to the C:\axexample-dotnet folder and remove the following files:
    • axexample-dotnet.deploy.cmd
    • axexample-dotnet.deploy-readme.txt
    • axexample-dotnet.SourceManifest.xml
21. At this stage, the C:\axexample-dotnet folder should contain the following two files:
    • axexample-dotnet.zip
    • axexample-dotnet.SetParameters.xml

Step 3. Completing your application source code bundle

This simple web application will be defined through the following file structure:

C:\axexample-dotnet\.ebextensions
C:\axexample-dotnet\.ebextensions\acesensor.config
C:\axexample-dotnet\aws-windows-deployment-manifest.json
C:\axexample-dotnet\axexample-dotnet.SetParameters.xml
C:\axexample-dotnet\axexample-dotnet.zip
C:\axexample-dotnet\Shark(IASTandSCA).zip

1. Build the source code bundle from the command line with:

files:
  "C:\\Program Files\\Amazon\\ElasticBeanstalk\\hooks\\appdeploy\\post\\90create_folder.bat":
    content: mkdir C:\shark
  "C:\\Program Files\\Amazon\\ElasticBeanstalk\\hooks\\appdeploy\\post\\91extract_shark.bat":
    content: powershell Expand-Archive -force C:\staging-previous\Shark(IASTandSCA).zip -DestinationPath C:\shark
  "C:\\Program Files\\Amazon\\ElasticBeanstalk\\hooks\\appdeploy\\post\\92inject_shark.bat":
    content: "C:\shark\.NET Framework\injector.exe" -m inject -t http://localhost:80/

2. Create your C:\axexample-dotnet\aws-windows-deployment-manifest.json file to read as follows:

{
  "manifestVersion": 1,
  "deployments": {
    "msDeploy": [
      {
        "name": "axexample-dotnet",
        "parameters": {
          "appBundle": "axexample-dotnet.zip",
          "iisPath": "/"
        }
      }
    ]
  }
}

3. Copy the Shark(IASTandSCA).zip file you created earlier into C:\axexample-dotnet\Shark(IASTandSCA).zip
4. Build the source code bundle from the command line with:

powershell Compress-Archive -Path C:\axexample-dotnet\* -DestinationPath %USERPROFILE%\Desktop\axexample-dotnet-aws.zip

5. Retain your zip file for the deployment steps as specified in the following section.

Step 4. Deploying your web application to AWS Elastic Beanstalk

1. From your AWS Dashboard, navigate to Elastic Beanstalk > Environments.
2. Select Create a new environment.

3. Set your environment tier to the Web server environment.

4. Click Select. 
5. In the Elastic Beanstalk > Create environment page:
   1. Set the Application name field to the name for your web application. (For this illustration, we use axexample-dotnet.)
   2. From the Platform drop-down, choose .NET on Windows Server.
   3. Enable Upload your code.
   4. Select Choose file.
   5. Select your axexample-dotnet.zip source code bundle for upload.
   6. Select Create environment.
6. AWS Elastic Beanstalk will now create your environment; this can take a few minutes. When the process is complete, you are redirected to your environment’s dashboard.

7. Take note of your environment’s new URL created by AWS Elastic Beanstalk:
   1. You need this to create a CNAME to point to this URL.
   2. In this example, we would create a CNAME for eb.acunetixexample.com to point to axexampledotnet-env.eba-phzhexiv.us-east-1.elasticbeanstalk.com; here is an example using the Namecheap cPanel interface:
8. Once the CNAME record has been added (giving time for DNS records to propagate), you can see the web application you have created by browsing to your URL (in this example http://eb.acunetixexample.com):

Step 5. Testing and scanning your web application

Point your browser to your web application – in this example http://eb.acunetixexample.com – to confirm it is running as intended; you will get the following:

You can run a scan on your target.