The Acunetix API gives you the opportunity to automate tasks and thereby work more efficiently, especially when you integrate it with the capabilities of other components that speed up your workflow. In this example we build on the previous article, Managing scans with Bash and the Acunetix API, which showed how to use the Acunetix API from a Bash script. We add code to that Bash script to automate the following:

In Acunetix:
- trigger creation of an export file for subsequent import into the WAF
- monitor the export status until it completes
- download the export file

In BIG-IP ASM:
- define the target
- define the security policy
- upload the export

Anatomy of the script additions

The script additions follow this structure:

Acunetix API tasks:
- generation of the export file is triggered
- a loop is created that checks the status of the export file generation every 10 seconds and waits for it to reach the completed state
- the export file is downloaded

WAF API tasks:
- a virtual server is created for the target
- the ID of the Vulnerability Assessment Baseline is retrieved from the WAF
- a security policy for Acunetix scans is created
- the ID of the security policy is retrieved from the WAF
- the scanner type of the security policy is set to "Generic scanner"
- the size of the export file is computed
- the export file is uploaded to the WAF
- the export file is imported into the security policy

Bash script additions

```bash
# ... previous script above this line

# Declare variables for Acunetix
MyTargetIP=$(getent hosts testphp.vulnweb.com | awk '{ print $1 }')
ExportTypeID="21111111-1111-1111-1111-111111111113"   # F5 BigIP export type

# Declare variables for F5 BigIp
MyTargetDomain=$(echo "$MyTargetURL" | sed -e 's|^[^/]*//||' -e 's|/.*$||')
MyBigIpUser="admin"
MyBigIpPass="adminpass123%"
MyBigIpHost="192.168.72.128"
# Note: -k on the curl calls below skips TLS certificate verification for the lab
# appliance; drop it once the BIG-IP presents a certificate your host trusts.

# Trigger generation of the export file (the Location header carries the export id)
MyExportResult=$(curl -i -sS -k -X POST "$MyAXURL/exports" -H "Content-Type: application/json" -H "X-Auth: $MyAPIKEY" \
  --data "{\"export_id\":\"$ExportTypeID\",\"source\":{\"list_type\":\"scan_result\",\"id_list\":[\"$MyScanResultID\"]}}")

MyExportElement=$(echo "$MyExportResult" | grep "Location: " | sed "s/Location: \/api\/v1\/exports\///" | sed "s/\r//g" | sed -z "s/\n//g")
MyExportURL="$MyAXURL/exports/$MyExportElement"
MyExportID=$(echo "$MyExportResult" | grep -Po '"report_id": *\K"[^"]*"' | tr -d '"')

# Poll the export status every 10 seconds until it completes
while true; do
  MyExportStatus=$(curl -sS -k -X GET "$MyAXURL/exports/$MyExportID" -H "Accept: application/json" -H "X-Auth: $MyAPIKEY")

  if [[ "$MyExportStatus" == *'"status": "processing"'* ]]; then
    echo "Export status: Processing - waiting 10 seconds"
  elif [[ "$MyExportStatus" == *'"status": "queued"'* ]]; then
    echo "Export status: Queued - waiting 10 seconds"
  elif [[ "$MyExportStatus" == *'"status": "completed"'* ]]; then
    echo "Export status: Completed"
    # Break out of loop
    break
  else
    echo "Invalid export status - aborting"
    # Clean up and exit script
    cleanup
    exit 1
  fi
  sleep 10
done

# The completed export lists its file under "download": [ "/api/v1/reports/download/<file>" ].
# $MyExportStatus is deliberately unquoted so word splitting flattens the JSON onto one line.
MyExportFile=$(echo $MyExportStatus | sed 's/.*\[ "\/api\/v1\/reports\/download\/\([^"]*\)" \].*/\1/g')
echo "Export file: $MyExportFile"

# Download export file from Acunetix
Dummy=$(curl -sS -k "$MyAXURL/reports/download/$MyExportFile" -o "$MyExportFile")

# Create a virtual server for your target
Dummy=$(curl -sS -k -u "$MyBigIpUser:$MyBigIpPass" -X POST "https://$MyBigIpHost/mgmt/tm/ltm/virtual" -H "Content-type: application/json" \
  --data '{"name":"MyWebApplication","destination":"'"$MyTargetIP"':80","ipProtocol":"tcp"}')
echo "Created a virtual server"

# Get the ID of the vulnerability assessment baseline policy
MyBigIpVulnBaselineID=$(curl -sS -k -u "$MyBigIpUser:$MyBigIpPass" -X GET "https://$MyBigIpHost/mgmt/tm/asm/policy-templates" -H "Content-type: application/json" \
  | jq -r '.items[] | select(.title == "Vulnerability Assessment Baseline") | .id')

# Create a security policy for Acunetix scans
MyBigIpPolicyResponse=$(curl -sS -k -u "$MyBigIpUser:$MyBigIpPass" -X POST "https://$MyBigIpHost/mgmt/tm/asm/policies" -H "Content-type: application/json" \
  --data '{"name":"AcunetixPolicy","description":"Import from Acunetix Scan Results","virtualServers":["/Common/MyWebApplication"],"type":"security","enforcementMode":"blocking","templateReference":{"link":"https://'"$MyBigIpHost"'/mgmt/tm/asm/policy-templates/'"$MyBigIpVulnBaselineID"'"}}')
MyBigIpPolicyID=$(echo "$MyBigIpPolicyResponse" | jq -r '.id')
echo "Security policy ID: $MyBigIpPolicyID"

# Set scanner type to Generic scanner
Dummy=$(curl -sS -k -u "$MyBigIpUser:$MyBigIpPass" -X PATCH "https://$MyBigIpHost/mgmt/tm/asm/policies/$MyBigIpPolicyID/vulnerability-assessment" -H "Content-type: application/json" \
  --data '{"scannerType":"generic"}')
echo "Scanner type set to Generic scanner"

# Get file size (needed for the Content-Range header of the upload)
MyExportFileSize=$(stat --printf="%s" "$MyExportFile")

# Upload the file to the WAF
Dummy=$(curl -sS -k -u "$MyBigIpUser:$MyBigIpPass" -X POST "https://$MyBigIpHost/mgmt/tm/asm/file-transfer/uploads/$MyExportFile" -H "Content-type: application/octet-stream" \
  -H "Content-Range: 0-$((MyExportFileSize-1))/$MyExportFileSize" --data-binary "@$MyExportFile")
echo "Acunetix export file uploaded to the WAF"

# Import the file into the security policy
Dummy=$(curl -sS -k -u "$MyBigIpUser:$MyBigIpPass" -X POST "https://$MyBigIpHost/mgmt/tm/asm/tasks/import-vulnerabilities" -H "Content-type: application/json" \
  --data '{"policyReference":{"link":"https://'"$MyBigIpHost"'/mgmt/tm/asm/policies/'"$MyBigIpPolicyID"'"},"filename":"'"$MyExportFile"'","importAllDomainNames":false,"domainNames":["'"$MyTargetDomain"'"]}')
echo "Acunetix export file imported to the security policy"

# Get the vulnerabilities collection object
MyVulnerabilities=$(curl -sS -k -u "$MyBigIpUser:$MyBigIpPass" -X GET "https://$MyBigIpHost/mgmt/tm/asm/policies/$MyBigIpPolicyID/vulnerabilities")
MyVulnerabilitiesItems=$(echo "$MyVulnerabilities" | jq '.totalItems')
echo "Number of vulnerabilities imported: $MyVulnerabilitiesItems"
if [[ $MyVulnerabilitiesItems -eq 0 ]]; then
  echo "No vulnerabilities imported; exiting"
  exit 1
fi

echo "$MyVulnerabilitiesItems vulnerabilities imported. You now need to configure resolution parameters for each vulnerability."
```
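The polling loop and the Content-Range computation are the two places where the script above can misbehave quietly: an unexpected status is the only way out of the loop, and an empty export file would yield an invalid range. The helpers below are an added example, not part of the original script, that isolate those steps into POSIX-sh functions with a bounded wait; the function names, the pluggable status-fetch command and the attempt limit are assumptions.

```shell
#!/bin/sh
# Added helper functions (not from the original script) for the export/upload steps.

# Extract the export id from the Location header of the `curl -i` response to POST /exports.
# Input: full response text on stdin. Output: the id, or nothing if no Location header.
ax_export_id() {
  tr -d '\r' | sed -n 's|^[Ll]ocation: */api/v1/exports/||p' | head -n 1
}

# Classify the JSON body of GET /exports/{id}: prints wait, done or abort.
# Mirrors the `"status": "..."` spacing the script relies on; anything unknown is abort,
# never "still running", so a malformed or error response cannot stall the loop.
ax_export_decision() {
  case "$1" in
    *'"status": "processing"'*|*'"status": "queued"'*) echo wait ;;
    *'"status": "completed"'*) echo done ;;
    *) echo abort ;;
  esac
}

# Pull the file name out of the completed export's "download" list (works line by line,
# so it does not depend on the JSON being flattened first).
ax_download_name() {
  printf '%s' "$1" | sed -n 's|.*"/api/v1/reports/download/\([^"]*\)".*|\1|p' | head -n 1
}

# Content-Range header value for the BIG-IP file-transfer upload: "0-(size-1)/size".
# Refuses an empty file, which would otherwise produce the invalid range "0--1/0".
bigip_content_range() {
  [ "$1" -gt 0 ] 2>/dev/null || return 1
  echo "0-$(($1 - 1))/$1"
}

# Poll until the export completes. $1 = command printing the status JSON (assumed to wrap
# the curl GET), $2 = max attempts, $3 = seconds between attempts. Prints the export file
# name on success; returns 1 on abort and 2 on timeout so the caller can clean up.
ax_wait_for_export() {
  attempt=0
  while [ "$attempt" -lt "$2" ]; do
    attempt=$((attempt + 1))
    body=$("$1") || return 1
    case "$(ax_export_decision "$body")" in
      done)  ax_download_name "$body"; return 0 ;;
      abort) echo "Invalid export status - aborting" >&2; return 1 ;;
      wait)  echo "Export still running (attempt $attempt/$2)" >&2; sleep "$3" ;;
    esac
  done
  echo "Export did not complete after $2 attempts" >&2
  return 2
}
```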
————————————————
Copyright notice: this is an original article by CSDN blogger "kevin20182019", published under the CC 4.0 BY-SA license; when reproducing it, include a link to the original source and this notice.
Original link: https://blog.csdn.net/kevin20182019/article/details/117121273
