The Acunetix API gives you the opportunity to automate tasks to increase efficiency — especially when you can accelerate integration functionality with other components of your workflow. In this example, we will build on a previous article, where we’ve shown you how to use the Acunetix API in a Bash script: Managing Scans using Bash and the Acunetix API. We will add code to that Bash script to achieve the following automation:

  • In Acunetix:
    • Trigger the creation of an export file for subsequent import into a WAF
    • Monitor the status of the export until it is completed
    • Download the export file
  • In FortiWeb:
    • Upload the export while creating a rule

We’ve previously shown the same procedure for another WAF: F5 BigIP ASM.

Anatomy of the script additions

The script additions follow this structure:

  • Acunetix API tasks
    • The generation of the export file is triggered
    • A loop is created that checks the status of the export file generation every 10 seconds, and waits for the status to become “completed”
    • The export file is downloaded
  • WAF API tasks
    • The export file is uploaded and imported while FortiWeb simultaneously creates a rule

Bash script additions

# ... previous script above this line
 
# Declare Variables for Acunetix
ExportTypeID="21111111-1111-1111-1111-111111111118" # FortiWeb via ScanResultID
 
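# Declare Variables for FortiWeb
# Sample values for this walkthrough: in real use, load the password from the
# environment or a secrets store instead of hard-coding it in the script.
MyWAFUser="admin"
MyWAFPass="adminpass123%"
MyWAFADOM="root"
MyWAFURL="https://192.168.72.128:90/api/v1.0"
# The Authorization header carries the base64-encoded "user:password:ADOM" string
MyHdrWAFAuth="Authorization:$(echo "$MyWAFUser:$MyWAFPass:$MyWAFADOM" | base64)"
MyHdrForm="Content-Type: multipart/form-data"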
 
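# Trigger generation of the export file in Acunetix
# (-k makes curl skip TLS certificate verification; remove it once the server certificate can be validated)
MyExportResult=`curl -i -sS -k -X POST $MyAXURL/exports -H "Content-Type: application/json" -H "X-Auth: $MyAPIKEY" --data "{\"export_id\":\"$ExportTypeID\",\"source\":{\"list_type\":\"scan_result\",\"id_list\":[\"$MyScanResultID\"]}}"`
 
# Extract the export ID from the response
MyExportID=`echo "$MyExportResult" | grep -Po '"report_id": *\K"[^"]*"' | tr -d '"'`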
 
# Check the export status every 10 seconds until it is completed
while true; do
  MyExportStatus=`curl -sS -k -X GET "$MyAXURL/exports/$MyExportID" -H "Accept: application/json" -H "X-Auth: $MyAPIKEY"`
 
  if [[ "$MyExportStatus" == *"\"status\": \"processing\""* ]]; then
    echo "Export Status: Processing - waiting 10 seconds"
  elif [[ "$MyExportStatus" == *"\"status\": \"queued\""* ]]; then
    echo "Export Status: Queued - waiting 10 seconds"
  elif [[ "$MyExportStatus" == *"\"status\": \"completed\""* ]]; then
    echo "Export Status: Completed"
    # Break out of loop
    break
  else
    echo "Invalid Export Status: Aborting"
    # Clean Up and Exit script
    cleanup
    exit 1
  fi
  sleep 10
done
 
# Extract the export file name from the download link in the status response
MyExportFile=`echo $MyExportStatus | sed 's/.*\[ \"\/api\/v1\/reports\/download\/\([^]]*\)\" \].*/\1/g'`
echo "Export File: $MyExportFile"
 
# Download Export File from Acunetix
Dummy=`curl -sS -k "$MyAXURL/reports/download/$MyExportFile" -o "$MyExportFile"`
 
MyExportFilePath=`readlink -f "$MyExportFile"`
 
# Import Scan File to WAF
MyWAFResult=`curl -sS -k -X POST "$MyWAFURL/WebVulnerabilityScan/ScannerIntegration/ScannerIntegration?action=import" -H "$MyHdrWAFAuth" -H "$MyHdrForm" -F "fileName=@$MyExportFilePath" -F "autoGenerate=true" -F "profileType=inline" -F "mergetoRule=false" -F "inlineRuleName=AcunetixScanResults" -F "high=deny" -F "medium=alert" -F "low=alert" -F "scannerType=acunetix" -F "importMethod=xml" -F "adomName=$MyWAFADOM"`
 
echo "WAF Import Result"
echo "================="
echo "$MyWAFResult" | jq .
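
The polling and download steps above, reworked as an added example that is not part of the original script: it stops after a fixed number of polls instead of looping indefinitely, and it accepts the download file name only if it is a plain file name. The function names, the fetch-command hook and the sample responses are assumptions constructed for illustration.

```bash
#!/bin/sh
# Added example: bounded polling and stricter parsing for the export step.
# The JSON samples are constructed; "download" as a key name is an assumption.
SAMPLE_QUEUED='{"status": "queued", "download": []}'
SAMPLE_DONE='{"status": "completed", "download": [ "/api/v1/reports/download/abc123.xml" ]}'

# Print the value of the "status" field from an export-status response.
export_status() {
  printf '%s\n' "$1" | sed -n 's/.*"status": *"\([^"]*\)".*/\1/p' | head -n 1
}

# Print the export file name from the download path. Fails unless it is a
# plain name (letters, digits, dot, dash, underscore, no leading dot), so a
# server-supplied value cannot steer curl -o to another directory.
export_file_name() {
  name=$(printf '%s\n' "$1" |
    sed -n 's|.*"/api/v1/reports/download/\([^"]*\)".*|\1|p' | head -n 1)
  case "$name" in
    ''|.*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  printf '%s\n' "$name"
}

# Poll until the export is completed.
#   $1 = command that prints the status JSON (hypothetical hook; in the
#        article's script this is the curl GET against $MyAXURL/exports/...)
#   $2 = maximum number of polls, $3 = seconds to wait between polls
# Prints the final JSON and returns 0; returns 1 on a failed or unknown
# status, 2 if the export is still queued/processing after $2 polls.
wait_for_export() {
  tries=0
  while [ "$tries" -lt "$2" ]; do
    body=$("$1") || return 1
    case "$(export_status "$body")" in
      completed) printf '%s\n' "$body"; return 0 ;;
      queued|processing) ;;
      *) return 1 ;;
    esac
    tries=$((tries + 1))
    sleep "$3"
  done
  return 2
}
```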
THE AUTHOR
Kevin Attard Compagno
Technical Writer
Kevin Attard Compagno is a Technical Writer working for Acunetix. A technical writer, translator, and general IT buff for over 30 years, Kevin used to run Technical Support teams and create training documents and other material for in-house technical staff.