Usage

Introduction

Hdiv .NET Agent is an Interactive Application Security Testing (IAST) tool that monitors the activity of .NET web applications deployed under IIS Server.

Client Deployment

To allow Hdiv .NET Agent to report the specific lines of code in which vulnerabilities are detected, web applications must be deployed together with their synchronized .pdb files.

By default, Debug builds include these files, but this is not the case for Release.

However, it is possible to include .pdb files in Release builds by following these steps:

  • In the Visual Studio IDE, select the application's project and click on the Properties option
  • Go to Package/Publish Web
  • In the Configuration drop-down list, select Release
  • Uncheck the Exclude generated debug symbols option and save the settings
  • Rebuild the web application project

Release with pdbs

All .pdb files should match their corresponding assemblies.

Agent Configuration

Windows

Remark

Windows users can make use of the Configuration Wizard to monitor and configure the Hdiv Agent.

Enable agent

To enable the agent in the following scenarios, run these commands:

Scenario                                                 | Command                       | Requires Admin Privileges
IIS server                                               | HdivAgentConfig.exe /ip       | Yes
IIS Express and Kestrel exe servers (for current user)   | HdivAgentConfig.exe /ipu      | No
IIS Express and Kestrel exe servers (for specified user) | HdivAgentConfig.exe /ipu:user | Yes

Remark

For the IIS Express and Kestrel exe agent to work, it might be necessary to log out and log back in, or to reboot the machine.

Disable agent

To disable the agent in the following scenarios, run these commands:

Scenario                                                 | Command                       | Requires Admin Privileges
Complete uninstallation                                  | HdivAgentConfig.exe /u        | Yes
IIS server                                               | HdivAgentConfig.exe /up       | Yes
IIS Express and Kestrel exe servers (for current user)   | HdivAgentConfig.exe /upu      | No
IIS Express and Kestrel exe servers (for specified user) | HdivAgentConfig.exe /upu:user | Yes
IIS Express and Kestrel exe servers (for all users)      | HdivAgentConfig.exe /upu:*    | Yes

Linux

Linux only supports Kestrel standalone .NET Core applications. For the Hdiv Agent to work, certain environment variables must be set in the process that is going to execute the application.

The information on how to enable the agent for the current process can be found here.

.NET Profiler chaining

The Hdiv agent makes use of CLR Profiling. The CLR allows only one active profiler at a time. To overcome this limitation, Hdiv has implemented a chaining feature.

On Windows, the Hdiv agent detects the presence of another profiler and configures itself automatically to chain it.

On Linux, set the chained profiler values in these environment variables:

export HDIV_AGENT_CORECLR_PROFILER_CHAINED={fc6e913a-c39f-4393-8aaa-bcf5d097786c}
export HDIV_AGENT_CORECLR_PROFILER_CHAINED_PATH_64=/opt/APM/Other.APM.so

Important

This behavior can be overridden by specifying this setting in the env.properties file:

hdiv.net.ast.profiler.chaining.disabled=true
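A pre-flight check for the Linux chaining setup above, added here as an example and not part of Hdiv's own tooling: it validates the two HDIV_AGENT_* variables, detects the case where the other profiler is also registered directly with the runtime, and warns when env.properties has chaining disabled so the variables would be ignored. It assumes that CORECLR_PROFILER is the standard CoreCLR variable naming the profiler the runtime loads directly.

```shell
#!/bin/sh
# Added example (not Hdiv's code): sanity-check the profiler-chaining
# environment before launching a Kestrel application on Linux.
# Assumption: CORECLR_PROFILER is the standard CoreCLR variable that selects
# the profiler the runtime loads directly (the Hdiv agent in a chained setup).

# True when the value is a braced CLSID such as {fc6e913a-c39f-4393-8aaa-bcf5d097786c}.
is_braced_guid() {
    printf '%s' "$1" | grep -Eiq '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'
}

# True when the given env.properties sets hdiv.net.ast.profiler.chaining.disabled=true
# (surrounding whitespace tolerated); the chained variables are then ignored.
chaining_disabled_in() {
    [ -f "$1" ] && grep -Eq \
        '^[[:space:]]*hdiv\.net\.ast\.profiler\.chaining\.disabled[[:space:]]*=[[:space:]]*true[[:space:]]*$' "$1"
}

# Validate the chaining configuration. Arguments: chained CLSID, chained .so path,
# path to env.properties. Prints one line per problem and returns the problem count.
check_profiler_chain() {
    clsid=$1; sofile=$2; props=$3; problems=0
    if ! is_braced_guid "$clsid"; then
        echo "HDIV_AGENT_CORECLR_PROFILER_CHAINED is not a braced GUID: $clsid"
        problems=$((problems + 1))
    fi
    if [ ! -f "$sofile" ]; then
        echo "HDIV_AGENT_CORECLR_PROFILER_CHAINED_PATH_64 not found: $sofile"
        problems=$((problems + 1))
    fi
    # Only one profiler is loaded by the CLR: if the other APM is registered
    # directly, the Hdiv agent never runs and nothing is chained.
    if [ -n "$CORECLR_PROFILER" ] && [ "$CORECLR_PROFILER" = "$clsid" ]; then
        echo "CORECLR_PROFILER already points at the chained profiler; the Hdiv agent would not load"
        problems=$((problems + 1))
    fi
    if chaining_disabled_in "$props"; then
        echo "chaining is disabled in $props; HDIV_AGENT_CORECLR_PROFILER_CHAINED* is ignored"
        problems=$((problems + 1))
    fi
    return $problems
}
```

Run it as `check_profiler_chain "$HDIV_AGENT_CORECLR_PROFILER_CHAINED" "$HDIV_AGENT_CORECLR_PROFILER_CHAINED_PATH_64" /path/to/env.properties` in the same shell that will start the application.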

.NET Agent in DEV Environment

The Hdiv agent works on any application running in an IIS server, IIS Express server or standalone Kestrel, allowing the code to be debugged. The only limitation in this scenario is that Edit and Continue is not available for .NET code.

Remark

Users should be aware that some breakpoints may appear displaced in the code while debugging monitored applications.