Usage

Introduction

Hdiv .NET Agent is an Interactive Application Security Testing (IAST) tool that monitors the activity of .NET web applications deployed under IIS Server.

Client Deployment

To allow Hdiv .NET Agent to report the specific lines of code in which vulnerabilities are raised, web applications must be deployed together with their matching .pdb files. By default, Debug builds include these files, but Release builds do not. It is still possible to include .pdb files in Release compilations by setting a specific project property. Follow these steps to include .pdb files in a Release build:

  • In the Visual Studio IDE, select the application's project and click the Properties option
  • Go to Package/Publish Web
  • In the Configuration drop-down list select Release
  • Uncheck the Exclude generated debug symbols option and save the settings
  • Rebuild the web application project

[Screenshot: Release with pdbs]

All .pdb files must match their corresponding assemblies, i.e. they must come from the same build as the deployed assemblies.
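As an added example (not part of the Hdiv documentation or tooling), the following PowerShell script checks a deployed application's bin folder for assemblies that ship without a .pdb, or whose .pdb is older than the assembly and therefore cannot come from the same build. The function name Test-PdbCoverage and the bin path are assumptions; point $BinPath at your own deployment.

```powershell
# Added example: verify that every assembly in a deployed web application's
# bin folder has a .pdb next to it and that the .pdb is not older than the
# assembly. A missing or stale .pdb means the agent cannot map a finding to
# the right source line. The default path is a placeholder.
param(
    [string]$BinPath = 'C:\inetpub\wwwroot\MyWebApp\bin'   # placeholder path
)

function Test-PdbCoverage {
    param([Parameter(Mandatory)][string]$Path)

    # Only .dll and .exe files carry a debug directory that references a .pdb
    $assemblies = Get-ChildItem -Path $Path -File -Include *.dll, *.exe -Recurse

    foreach ($asm in $assemblies) {
        $pdb    = [System.IO.Path]::ChangeExtension($asm.FullName, '.pdb')
        $hasPdb = Test-Path -LiteralPath $pdb
        $stale  = $false
        if ($hasPdb) {
            # A .pdb written before its assembly was not produced by the same build
            $stale = (Get-Item -LiteralPath $pdb).LastWriteTimeUtc -lt $asm.LastWriteTimeUtc
        }
        $status = 'OK'
        if (-not $hasPdb) { $status = 'MISSING' } elseif ($stale) { $status = 'STALE' }

        [pscustomobject]@{
            Assembly = $asm.Name
            HasPdb   = $hasPdb
            Stale    = $stale
            Status   = $status
        }
    }
}

$results = Test-PdbCoverage -Path $BinPath
$results | Format-Table -AutoSize

$problems = @($results | Where-Object { $_.Status -ne 'OK' })
if ($problems.Count -gt 0) {
    Write-Warning ("{0} assembly(ies) lack a matching .pdb; rebuild in Release with " +
                   "'Exclude generated debug symbols' unchecked and redeploy.") -f $problems.Count
    exit 1
}
```

Run it against the bin folder of the deployed site after each Release deployment; a non-zero exit code flags assemblies the agent will not be able to attribute findings to by source line. The timestamp comparison is a cheap heuristic, not a check of the PDB signature embedded in the assembly, so a same-named .pdb from a different build with a newer timestamp would still pass.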

Starting

Once the configuration settings have been defined, users can run HdivAgentConfig.exe in a command-line or PowerShell window with elevated permissions. With this tool users can inspect the Hdiv .NET Agent configuration and status.

Remark

Hdiv .NET Agent becomes active as soon as the installation process ends; no additional user action is needed.

  • Run cmd or PowerShell as administrator
  • IIS resets must be allowed on the server machine

Navigate to the root folder of the HdivAgentConfig.exe application, %Program Files%\Hdiv Security\Agent, and open a command window there. Issuing the command

    HdivAgentConfig.exe /d

will show a diagnostics report like this:

[Screenshot: Status Report]

HdivAgentConfig.exe options

From here you can inspect all the options of the Hdiv agent tool by typing HdivAgentConfig.exe /? or by reading the Readme.txt file.

Agent Configuration

Disable agent

To disable the agent in the following scenarios, run the corresponding command:

Scenario                  Command
Complete uninstallation   HdivAgentConfig.exe /u
IIS server                HdivAgentConfig.exe /up
IIS Express server        HdivAgentConfig.exe /upe

Enable agent

To enable the agent in the following scenarios, run the corresponding command:

Scenario                  Command
IIS server                HdivAgentConfig.exe /ip
IIS Express server        HdivAgentConfig.exe /ipe
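The following PowerShell wrapper is an added example, not part of the Hdiv tool, covering both the diagnostics run described under Starting (/d) and the disable/enable commands in the two tables above. It refuses to run unless the session is elevated, which the documentation requires, and resolves the executable from the installation folder given above. The function names Test-IsElevated and Invoke-HdivAgentConfig, and the Action names, are assumptions of this example; the switches are the ones documented on this page.

```powershell
# Added example (not the Hdiv tool's own code): run HdivAgentConfig.exe with
# the documented switches from an elevated PowerShell session. Disable/enable
# actions may reset IIS, which the documentation says must be allowed.
$AgentDir = Join-Path $env:ProgramFiles 'Hdiv Security\Agent'
$AgentExe = Join-Path $AgentDir 'HdivAgentConfig.exe'

function Test-IsElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Invoke-HdivAgentConfig {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Diagnostics', 'Uninstall', 'DisableIIS', 'DisableIISExpress',
                     'EnableIIS', 'EnableIISExpress')]
        [string]$Action
    )

    if (-not (Test-IsElevated)) {
        throw 'HdivAgentConfig.exe must be run from an elevated (administrator) session.'
    }
    if (-not (Test-Path -LiteralPath $AgentExe)) {
        throw "HdivAgentConfig.exe not found at $AgentExe"
    }

    # Switches as listed in the documentation tables
    $flag = switch ($Action) {
        'Diagnostics'       { '/d' }
        'Uninstall'         { '/u' }
        'DisableIIS'        { '/up' }
        'DisableIISExpress' { '/upe' }
        'EnableIIS'         { '/ip' }
        'EnableIISExpress'  { '/ipe' }
    }

    Write-Host "Running: HdivAgentConfig.exe $flag"
    # Merge stderr into stdout so the whole report can be kept with change records
    $output = & $AgentExe $flag 2>&1
    $output | Out-String | Write-Host
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "HdivAgentConfig.exe exited with code $LASTEXITCODE"
    }
    return $LASTEXITCODE
}

# Example usage: print the diagnostics report (/d)
$exitCode = Invoke-HdivAgentConfig -Action Diagnostics
```

Run the script from an elevated PowerShell window; Invoke-HdivAgentConfig -Action DisableIIS and -Action EnableIIS map to /up and /ip respectively, and the return value is the tool's exit code so the wrapper can be used from deployment scripts.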

Remark

For the IIS Express agent to work it might be necessary to reboot the machine.

.NET Profiler chaining

Hdiv agent makes use of CLR Profiling. This technology allows only one active profiler at a time. To overcome this limitation, Hdiv has implemented a chaining feature: Hdiv agent detects the presence of another profiler and automatically configures itself to chain it.

Remark

This behavior can be overridden by specifying the following setting in the env.properties file:

hdiv.net.ast.profiling.chaining.disabled=true
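As an added example (not Hdiv's own code), the PowerShell script below first shows which CLR profiler is registered at machine scope, which is useful for confirming whether another profiler is present before relying on chaining, and then, only when asked to, writes the chaining setting above into env.properties. The CLR attaches profilers through the COR_ENABLE_PROFILING and COR_PROFILER environment variables (plus the optional COR_PROFILER_PATH), and resolves the CLSID through COM registration when no path is given. The function names Get-MachineClrProfiler and Set-PropertiesValue are assumptions, and the env.properties location is a placeholder because the documentation does not state it.

```powershell
# Added example (not Hdiv's own code): inspect the machine-scope CLR profiler
# registration and optionally set hdiv.net.ast.profiling.chaining.disabled=true
# in env.properties. Pass -DisableChaining to actually modify the file.
param(
    [switch]$DisableChaining,
    # Placeholder: the documentation does not give the env.properties location
    [string]$EnvProperties = (Join-Path $env:ProgramFiles 'Hdiv Security\Agent\env.properties')
)

function Get-MachineClrProfiler {
    # Machine-scope environment variables are stored here and inherited by w3wp.exe
    $envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $vars   = Get-ItemProperty -Path $envKey

    $result = [ordered]@{
        Enabled     = ($vars.COR_ENABLE_PROFILING -eq '1')
        Clsid       = $vars.COR_PROFILER
        ProfilerDll = $vars.COR_PROFILER_PATH
    }
    # Without an explicit path the runtime resolves the CLSID via COM registration
    if ($result.Clsid -and -not $result.ProfilerDll) {
        $com = "Registry::HKEY_CLASSES_ROOT\CLSID\$($result.Clsid)\InprocServer32"
        if (Test-Path $com) {
            $result.ProfilerDll = (Get-ItemProperty -Path $com).'(default)'
        }
    }
    return [pscustomobject]$result
}

function Set-PropertiesValue {
    # Idempotently set key=value in a .properties file: replace an existing
    # line for the key, otherwise append one; all other lines are preserved.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Value
    )
    $lines = @()
    if (Test-Path -LiteralPath $Path) { $lines = @(Get-Content -LiteralPath $Path) }

    $pattern  = '^\s*' + [regex]::Escape($Key) + '\s*='
    $found    = $false
    $newLines = New-Object System.Collections.Generic.List[string]
    foreach ($line in $lines) {
        if ($line -match $pattern) { $newLines.Add("$Key=$Value"); $found = $true }
        else                       { $newLines.Add($line) }
    }
    if (-not $found) { $newLines.Add("$Key=$Value") }
    Set-Content -LiteralPath $Path -Value $newLines.ToArray()
}

Get-MachineClrProfiler | Format-List

if ($DisableChaining) {
    Set-PropertiesValue -Path $EnvProperties `
        -Key 'hdiv.net.ast.profiling.chaining.disabled' -Value 'true'
    Write-Host "Chaining disabled in $EnvProperties"
}
```

Note that this only reads machine-scope variables; IIS can also set COR_PROFILER per application pool in applicationHost.config (environmentVariables), so a profiler registered there will not show up in this listing. Run the script as administrator, since the registry key and the Program Files folder are not writable otherwise.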

.NET Agent at DEV Environment

Hdiv agent works with any application running in an IIS server or IIS Express server, and still allows the code to be debugged. The only limitation in this scenario is the inability to use Edit and Continue on .NET code.

Remark

If you are using an old version of the agent that uses the legacy approach (not the CLR Profiling agent), you can find usage instructions here for versions up to V2.1 or here for older versions.