
Installing AcuSensor in your web application

This document has been updated for version 12.

If you need to scan a .NET, PHP or Java (new in v12) web application, you should install Acunetix AcuSensor on your web application to improve the detection of vulnerabilities, get the line in the source code where vulnerabilities are located, and decrease false positives. In other words, AcuSensor turns Acunetix from a Dynamic Application Security Testing (DAST) / black-box testing tool into a grey-box testing tool. This is one of the unique features of Acunetix: a black-box testing tool that can also be used for grey-box testing.

Installing AcuSensor

Acunetix AcuSensor increases the efficiency of an Acunetix scan by improving the crawling, detection and reporting of vulnerabilities, while decreasing false positives. Acunetix AcuSensor can be used on .NET, PHP and Java web applications.

Installing the AcuSensor Agent

NOTE: Installing the AcuSensor Agent is optional. Acunetix is still best in class as a black-box scanner, but the AcuSensor Agent improves accuracy and vulnerability results when scanning .NET, JAVA and PHP web applications.

The unique Acunetix AcuSensor Technology identifies more vulnerabilities than a black-box Web Application Scanner while generating fewer false positives. In addition, it indicates exactly where vulnerabilities are detected in your code and reports debug information.

Acunetix AcuSensor requires an agent to be installed on your website. This agent is generated uniquely for each website for security reasons. From the configuration of each Target, change to the General tab, and toggle the AcuSensor option. From here, you can download the AcuSensor generated for the Target. Choose between the .NET, JAVA or PHP AcuSensor agent, depending on the web technology used on your site, and proceed with the installation steps below.

 

Installing the AcuSensor agent for PHP websites

First, you need to download the AcuSensor agent for your Target.

This section describes how to install AcuSensor in a PHP web application.

  1. Locate the PHP AcuSensor file of the website you want to install AcuSensor on. Copy the acu_phpaspect.php file to the remote web server hosting the web application. The AcuSensor agent file should be in a location where it can be accessed by the web server software. Acunetix AcuSensor Technology works on websites using PHP version 5 and up.
  2. There are two methods to install the AcuSensor agent: one can be used for the Apache web server, and the other can be used for IIS, nginx and Apache web servers.

Method 1: Apache web Server – .htaccess file

Create a .htaccess file in the website directory and add the following directive:

php_value auto_prepend_file "[path to acu_phpaspect.php file]"

Note: For Windows use 'C:\sensor\acu_phpaspect.php' and for Linux use '/Sensor/acu_phpaspect.php' path declaration formats. If the Apache web server does not process .htaccess files, it must be configured to do so. Refer to the following configuration guide: http://httpd.apache.org/docs/2.0/howto/htaccess.html. The above directive can also be configured in the httpd.conf file.

Method 2: IIS, Apache and nginx  – php.ini

  1. Locate the php.ini file on the server by using the phpinfo() function.
  2. Search for the directive auto_prepend_file, and specify the path to the acu_phpaspect.php file. If the directive does not exist, add it in the php.ini file:
    auto_prepend_file="/path/to/acu_phpaspect.php"
  3. Save all changes and restart the web server for the above changes to take effect.

Disabling and uninstalling AcuSensor for PHP

To uninstall and disable the sensor from your web site:

  1. If method 1 (.htaccess file) was used to install the PHP AcuSensor, delete the directive php_value auto_prepend_file "/path/to/acu_phpaspect.php" from .htaccess.
  2. If method 2 was used to install the PHP AcuSensor, delete the directive auto_prepend_file="/path/to/acu_phpaspect.php" from php.ini.
  3. Finally, delete the Acunetix AcuSensor PHP file: acu_phpaspect.php.

Note: Although the Acunetix AcuSensor agent is secured with a strong password, it is recommended that the AcuSensor client files are uninstalled and removed from the web application if they are no longer in use.
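
One way to confirm that the uninstall steps above were completed is to search the server for leftover auto_prepend_file directives and copies of acu_phpaspect.php. The script below is an added example, not part of Acunetix; the function names and the sample directory tree built by demo() are constructed for illustration.

```python
import os
import re
import tempfile

AGENT = "acu_phpaspect.php"  # agent file name used on this page
# .htaccess form: php_value auto_prepend_file "<path>"
HTACCESS_RE = re.compile(r'^\s*php_value\s+auto_prepend_file\s+["\']?([^"\']+)', re.I)
# php.ini form: auto_prepend_file="<path>"
PHPINI_RE = re.compile(r'^\s*auto_prepend_file\s*=\s*["\']?([^"\'\s]+)', re.I)

def prepend_targets(text, pattern, comment):
    """Return paths set by active (non-comment) auto_prepend_file lines."""
    lines = (l for l in text.splitlines() if not l.lstrip().startswith(comment))
    return [m.group(1).strip() for m in map(pattern.match, lines) if m]

def audit(root):
    """Walk root; report leftover directives and agent files as (kind, path)."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            if name == AGENT:
                findings.append(("agent-file", full))
            elif name in (".htaccess", "php.ini"):
                pat, com = (HTACCESS_RE, "#") if name == ".htaccess" else (PHPINI_RE, ";")
                with open(full, encoding="utf-8", errors="replace") as fh:
                    for target in prepend_targets(fh.read(), pat, com):
                        # Accept both Windows and Linux path separators.
                        if os.path.basename(target.replace("\\", "/")) == AGENT:
                            findings.append(("directive", full))
    return sorted(findings)

def demo():
    """Constructed sample tree: one live directive, one commented out, one stray agent."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "site", "sensor"))
    samples = {
        "site/.htaccess": 'php_value auto_prepend_file "/Sensor/acu_phpaspect.php"\n',
        "php.ini": '; auto_prepend_file="/path/to/acu_phpaspect.php"\nauto_prepend_file=\n',
        "site/sensor/acu_phpaspect.php": "<?php // constructed placeholder\n",
    }
    for rel, body in samples.items():
        with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(body)
    return [(kind, os.path.relpath(p, root).replace(os.sep, "/")) for kind, p in audit(root)]

if __name__ == "__main__":
    for kind, path in demo():
        print(kind, path)
```

Call audit() on the web root and on the directory holding php.ini; an empty result means no active directive or agent file remains under that path.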

Installing the AcuSensor agent for ASP .NET Websites

First, you need to download the AcuSensor agent for your Target.

The AcuSensor agent will need to be installed in your web application. This section describes how to install AcuSensor in an ASP.NET web application.

  1. Install Prerequisites on the server hosting the website: The AcuSensor installer application requires Microsoft .NET Framework 3.5 or higher.
  2. Copy the AcuSensor installation files to the server hosting the .NET website.

  3. Double click AcuSensorInstaller.exe to install the Acunetix .NET AcuSensor agent and proceed through the installation wizard.
     [Screenshot – Acunetix .NET AcuSensor installation]
  4. You will be asked to insert the AcuSensor password. This should match the one that you used in the Acunetix settings.
  5. After the installation is complete, you will be prompted to launch the Acunetix .NET AcuSensor Manager.
  6. On start-up, the Acunetix .NET AcuSensor Manager will retrieve a list of .NET applications installed on your server. Select which applications you would like to enhance with the AcuSensor Technology and click Install Sensor to install the AcuSensor Technology sensor in the selected .NET applications. Once the sensor has been installed, close the confirmation window and also the AcuSensor manager.
     [Screenshot – Acunetix .NET AcuSensor Manager]

Disabling and uninstalling AcuSensor for ASP .NET websites

To uninstall and disable the sensor from your web site:

  1. Select the website where the AcuSensor agent is installed and click Remove Sensor to remove the AcuSensor Agent from the site.
     [Screenshot – Select website and click Remove Sensor]
  2. Close the Acunetix .NET AcuSensor Manager.
  3. If needed, you can also uninstall the Acunetix .NET AcuSensor Manager from the Add/Remove Programs Control Panel.

Note: Although the Acunetix AcuSensor agent is secured with a strong password, it is recommended that the AcuSensor client files are uninstalled and removed from the web application if they are no longer in use.

Installing the AcuSensor agent for JAVA websites

First, you need to download the AcuSensor agent for your Target.

The AcuSensor agent will need to be installed in your web application. This section describes how to install AcuSensor in a JAVA web application.

The Java AcuSensor requires the installation of 2 files:

  1. The Acunetix Java AcuSensor – This is unique for each Target, and can be downloaded by using the Download JAVA AcuSensor button.
  2. aspectjweaver.jar – provides the integration required for AcuSensor to work with your application. This can be downloaded from https://www.acunetix.com/download/aspectjweaver.zip.

Acunetix JAVA AcuSensor requires Tomcat (7+) and Java (1.7+).

  1. Download the Acunetix JAVA AcuSensor from the Acunetix UI.
  2. Copy the Acunetix JAVA AcuSensor (AcuSensor.jar) to %TOMCAT-HOME%\lib
  3. Copy aspectjweaver.jar to any folder on disk, e.g.: C:\aspectj1.8\lib
  4. Launch Tomcat with Load Time Weaving enabled. This can be done by adding a -javaagent parameter with the path to aspectjweaver.jar when launching Tomcat as shown below:

java -javaagent:C:\aspectj1.8\lib\aspectjweaver.jar -Djava.util.logging.config.file=C:\apache-tomcat-8.5.15\conf\logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager "-Djdk.tls.ephemeralDHKeySize=2048" "-Djava.protocol.handler.pkgs=org.apache.catalina.webresources" -classpath "C:\apache-tomcat-8.5.15\bin\bootstrap.jar;C:\apache-tomcat-8.5.15\bin\tomcat-juli.jar" -Dcatalina.base=C:\apache-tomcat-8.5.15 -Dcatalina.home=C:\apache-tomcat-8.5.15 -Djava.io.tmpdir=C:\apache-tomcat-8.5.15\temp org.apache.catalina.startup.Bootstrap start

  5. If Tomcat is started as a Windows service, you will need to specify the javaagent from Apache Tomcat Configuration > JAVA options tab.
  6. If Tomcat is used on Linux, the -javaagent parameter needs to be added to the Tomcat start shell script, which is usually located in /opt/tomcat/bin/startup.sh
  7. To enable extra debug logging, add the following parameter when running Tomcat: -Dacusensor.debug.log=ON
    This will output AcuSensor logging in the Tomcat logs starting with: [Acunetix-debug]

Disabling and uninstalling AcuSensor for JAVA

To uninstall and disable the sensor from your website, you need to revert the changes made during the installation of the Agent:

  1. Remove the Acunetix JAVA AcuSensor (AcuSensor.jar) from %TOMCAT-HOME%\lib
  2. Remove aspectjweaver.jar from the folder where it was copied to
  3. Stop launching Tomcat with Load Time Weaving enabled. This can be done by removing the -javaagent parameter with the path to aspectjweaver.jar
  4. If Tomcat is started as a Windows service, you will need to remove the javaagent parameter from Apache Tomcat Configuration > JAVA options tab

Note: Although the Acunetix AcuSensor agent is secured with a strong password, it is recommended that the AcuSensor client files are uninstalled and removed from the web application if they are no longer in use.