WAF integration: Acunetix and F5 BigIP ASM

The Acunetix API gives you the opportunity to automate tasks to increase efficiency – especially when you can accelerate the integration of functionality with other components of your workflow. In this example, we will build on a previous article, where we’ve shown you how to use the Acunetix API in a Bash script: Managing Scans using Bash and the Acunetix API. We will add code to that Bash script to achieve the following automation:

In Acunetix:
- Trigger the creation of an export file for subsequent import into a WAF
- Monitor the status of the export until it is completed
- Download the export file
In BigIP ASM
- Define a target
- Define a security policy
- Upload the export

Anatomy of the script additions

The script additions follow this structure:

Acunetix API tasks
- The generation of the export file is triggered
- A loop is created that checks the status of the export file generation every 10 seconds and waits for the status to become completed
- The export file is downloaded
WAF API tasks
- A virtual server is created for the target
- The ID of the vulnerability assessment baseline is retrieved from the WAF
- A security policy for Acunetix scans is created
- The ID of the security policy is retrieved from the WAF
- The scanner type for the security policy is set to Generic Scanner
- The size of the export file is calculated
- The export file is uploaded to the WAF
- The export file is imported into the security policy

Bash script additions


# ... previous script above this line
 
# Declare variables for Acunetix
MyTargetIP=`getent hosts testphp.vulnweb.com | awk '{ print $1 }`
ExportTypeID="21111111-1111-1111-1111-111111111113" # F5 BigIP
 
# Declare variables for F5 BigIp
MyTargetDomain=`echo "$MyTargetURL" | sed -e 's|^[^/]*//||' -e 's|/.*$||'`
MyBigIpUser="admin"
MyBigIpPass="adminpass123%"
MyBigIpHost="192.168.72.128"
 
MyExportResult=`curl -i -sS -k -X POST $MyAXURL/exports -H "Content-Type: application/json" -H "X-Auth: $MyAPIKEY" --data "{\"export_id\":\"$ExportTypeID\",\"source\":{\"list_type\":\"scan_result\",\"id_list\":[\"$MyScanResultID\"]}}"`
 
MyExportElement=`echo "$MyExportResult" | grep "Location: " | sed "s/Location: \/api\/v1\/exports\///" | sed "s/\r//g" | sed -z "s/\n//g"`
MyExportURL=`echo "$MyAXURL/exports/$MyExportElement"`
MyExportID=`echo "$MyExportResult" | grep -Po '"report_id": *\K"[^"]*"' | tr -d '"'`
 
while true; do
  MyExportStatus=`curl -sS -k -X GET "$MyAXURL/exports/{$MyExportID}" -H "Accept: application/json" -H "X-Auth: $MyAPIKEY"`
 
  if [[ "$MyExportStatus" == *"\"status\": \"processing\""* ]]; then
    echo "Export status: Processing - waiting 10 seconds"
  elif [[ "$MyExportStatus" == *"\"status\": \"queued\""* ]]; then
    echo "Export status: Queued - waiting 10 seconds"
  elif [[ "$MyExportStatus" == *"\"status\": \"completed\""* ]]; then
    echo "Export status: Completed"
    # Break out of loop
    break
  else
    echo "Invalid export status - aborting"
    # Clean up and exit script
    cleanup
    exit 1
  fi
  sleep 10
done
 
MyExportFile=`echo $MyExportStatus | sed 's/.*\[ \"\/api\/v1\/reports\/download\/\([^]]*\)\" \].*/\1/g'`
echo "Export file: $MyExportFile"
 
# Download export file from Acunetix
Dummy=`curl -sS -k "$MyAXURL/reports/download/$MyExportFile" -o $MyExportFile`
 
# Create a virtual server for your target
Dummy=`curl -sS -k -u $MyBigIpUser:$MyBigIpPass -X POST "https://$MyBigIpHost/mgmt/tm/ltm/virtual" -H "Content-type: application/json" --data '{"name":"MyWebApplication","destination":"'"$MyTargetIP"':80","ipProtocol":"tcp"}'`
echo "Created a virtual server"
 
# Get the ID of the vulnerability assessment baseline policy
MyBigIpVulnBaselineID=`curl -sS -k -u $MyBigIpUser:$MyBigIpPass -X GET "https://$MyBigIpHost/mgmt/tm/asm/policy-templates" -H "Content-type: application/json" | jq -r '.items[] | select(.title == "Vulnerability Assessment Baseline") | .id'`
 
# Create a security policy for Acunetix scans
MyBigIpPolicyResponse=`curl -sS -k -u $MyBigIpUser:$MyBigIpPass -X POST "https://$MyBigIpHost/mgmt/tm/asm/policies" -H "Content-type: application/json" --data '{"name":"AcunetixPolicy","description":"Import from Acunetix Scan Results","virtualServers":["/Common/MyWebApplication"],"type":"security","enforcementMode":"blocking","templateReference":{"link":"https://$MyBigIpHost/mgmt/tm/asm/policy-templates/'"$MyBigIpVulnBaselineID"'"}}'`
MyBigIpPolicyID=`echo $MyBigIpPolicyResponse | jq -r '.id'`
echo "Security policy ID: $MyBigIpPolicyID"
 
# Set scanner type to Generic scanner
Dummy=`curl -sS -k -u $MyBigIpUser:$MyBigIpPass -X PATCH "https://$MyBigIpHost/mgmt/tm/asm/policies/$MyBigIpPolicyID/vulnerability-assessment" -H "Content-type: application/json" --data '{"scannerType":"generic"}'`
echo "Scanner type set to Generic scanner"
 
# Get file size
MyExportFileSize=`stat --printf="%s" $MyExportFile`
 
# Upload the file to the WAF
Dummy=`curl -sS -k -u $MyBigIpUser:$MyBigIpPass -X POST "https://$MyBigIpHost/mgmt/tm/asm/file-transfer/uploads/$MyExportFile" -H "Content-type: application/octet-stream" -H "Content-Range: 0-$((MyExportFileSize-1))/$MyExportFileSize" --data-binary @$MyExportFile`
echo "Acunetix export file uploaded to the WAF"
 
# Import the file into the security policy
Dummy=`curl -sS -k -u $MyBigIpUser:$MyBigIpPass -X POST "https://$MyBigIpHost/mgmt/tm/asm/tasks/import-vulnerabilities" -H "Content-type: application/json" --data '{"policyReference":{"link":"https://'"$MyBigIpHost"'/mgmt/tm/asm/policies/'"$MyBigIpPolicyID"'"},"filename":"'"$MyExportFile"'","importAllDomainNames":false,"domainNames":["'"$MyTargetDomain"'"]}'`
echo "Acunetix export file imported to the security policy"
 
# Get the vulnerabilities collection object
MyVulnerabilities=`curl -sS -k -u $MyBigIpUser:$MyBigIpPass -X GET "https://$MyBigIpHost/mgmt/tm/asm/policies/$MyBigIpPolicyID/vulnerabilities"`
MyVulnerabilitiesItems=`echo $MyVulnerabilities | jq '.totalItems'`
echo "Number of vulnerabilities imported: $MyVulnerabilitiesItems"
if [[ $MyVulnerabilitiesItems -eq 0 ]]; then
  echo "No vulnerabilities imported; exiting"
  exit 1;
fi
 
echo "$MyVulnerabilitiesItems vulnerabilities imported. You now need to configure resolution parameters for each vulnerability."

Get the latest content on web security
in your inbox each week.

THE AUTHOR

Kevin Attard Compagno
Technical Writer

Kevin Attard Compagno is a Technical Writer working for Acunetix. A technical writer, translator, and general IT buff for over 30 years, Kevin used to run Technical Support teams and create training documents and other material for in-house technical staff.