Installation

Installation requirements

The first step is to check the supported server versions, technologies and installation requirements.

Working modes

The Hdiv .NET agent supports two working modes:

  • Dev Agent/Standalone: The agent works offline, presenting all the vulnerabilities in the Hdiv Toolbar.
  • EE Agent/Connected: The agent sends the vulnerabilities to the web console.

Installation

To install the .NET Agent, use the MSI file HdivAgentSetup.msi provided by the Hdiv support team. This setup installs the files that the Hdiv .NET Agent requires on the server system.

It's advisable to run the installer with an administrator account.

Accept the terms and conditions.

The Typical option is selected by default.

The installation will be completed.

After Installation

After the Hdiv .NET Agent is installed, the following changes will have been made on the server machine:

  • All Hdiv files and HdivAgentService.exe are placed in %Program Files%\Hdiv Security\Agent (commonly C:\Program Files\Hdiv Security\Agent).
  • This folder also contains the default agent configuration file, system.properties.
  • A log folder is created in %Program Files%\Hdiv Security\Agent for storing logs and traces, according to the log severity defined in the configuration file.

Configuration

The Hdiv agent can be used in two ways:

  1. Per-app use: attaching the Agent to each website individually.
  2. Global use: attaching the Agent to all .NET sites configured in IIS.

For more information about Agent usage, see Use Hdiv .Net Agent.

Before using the Hdiv .NET Agent, some settings should be adjusted in the system.properties file.

You may need to define some config parameters:

| Parameter | Description |
| --- | --- |
| hdiv.console.url | Defines the URL of the Web Console, by default http://localhost:8089/hdiv-console-service |
| hdiv.console.token | Authentication token for the environment in the Web Console |
| hdiv.server.name | The name that will identify this server in the Web Console |
| hdiv.net.ast.assemblies | By default, the Hdiv .NET Agent automatically retrieves the target assemblies whenever the application was deployed with its pdb files. It is also possible to explicitly define the custom client .NET libraries that belong to an individual web application's scope, as a semicolon-separated list |
| hdiv.net.ast.excluded.assemblies | List of blacklisted assemblies to explicitly exclude from the scanning process |
| hdiv.net.ast.global.excluded.apps | List of web applications to explicitly exclude from the scanning process |
| hdiv.toolbar.enabled | Whether to show the Developer Toolbar even if the console is configured |

  • The hdiv.net.ast.assemblies attribute is useful when we want to bypass the standard assembly retrieval process, because it lets us define the specific assemblies we want Agent inspection attached to. The definition allows wildcards for simplicity.

  • The hdiv.net.ast.global.excluded.apps attribute only applies to global Agent actions.

Here is a sample configuration:

{
  "hdiv.config.dir": "C:\\hdiv\\",
  "hdiv.console.url": "http://localhost:8089/hdiv-console-services",
  "hdiv.console.token": "[console-token]",
  "hdiv.server.name": "[server-name]",
  "hdiv.net.ast.global.excluded.apps": "MusicStore*",
  "hdiv.toolbar.enabled": "true"
}

Assemblies with Digital Signatures

If digitally signed assemblies are part of your application's deployment, it's advisable to place the corresponding .snk files in the hdiv.config.dir folder (the C:\Hdiv directory by default).

License

Hdiv provides a license file named license.hdiv. The folder containing this file should be passed to the application server as a system property:

-hdiv.config.dir={path-to-hdiv-folder}/license/

As noted earlier, this parameter defaults to the C:\Hdiv directory. When running the .NET Agent, you will see this banner in the server console if hdiv.config.dir correctly points to the folder where your license.hdiv is installed:

#############################################################
Hdiv Enterprise X.X.X
(c) Copyright hdivsecurity.com

This product is licensed to Your Company

Valid until: 2019-01-15 07:28:44
Offline mode valid until: 2017-01-15 07:28:44
#############################################################

Hdiv requires write permissions on the license folder.

Connect to the Hdiv Console

Applications and servers using Hdiv can communicate with the Hdiv Console to send detected vulnerabilities and attacks to it and retrieve configuration options.

It is necessary to add some properties to enable communication between the applications and the console.

Add the following entries to the system.properties file, in the same place where the Hdiv .NET Agent is configured.

  "hdiv.config.dir": "C:\\hdiv\\",
  "hdiv.console.url": "https://${console-host}:8098/hdiv-console-services",
  "hdiv.console.token": "[console-token]",
  "hdiv.server.name": "[server-name]",
  • hdiv.console.url: The location of the Hdiv Console REST API. Replace the ${console-host} variable with the hostname or IP address where the Hdiv Console is installed.
  • hdiv.server.name: Unique name that identifies the server where the agent is installed.

    Only alphanumeric, '-' and '_' characters are allowed in the server name property

  • hdiv.console.token: Authentication token used to invoke the REST API in the console. The actual value of the token for your console installation is in the Settings section of the console. Access the console and copy the value of the token to this property.
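
A pre-deployment check for system.properties, as an added example (not Hdiv's own code). It assumes the file is JSON shaped like the sample configuration above; check_agent_config, the key allow-list (only the keys named on this page) and the sample host name are illustrative.

```python
import json
import re
from urllib.parse import urlsplit

# Keys documented on this page; anything else is flagged as a possible typo.
KNOWN_KEYS = {
    "hdiv.config.dir", "hdiv.console.url", "hdiv.console.token",
    "hdiv.server.name", "hdiv.net.ast.assemblies",
    "hdiv.net.ast.excluded.assemblies",
    "hdiv.net.ast.global.excluded.apps", "hdiv.toolbar.enabled",
}
SERVER_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")      # rule stated on the page
PLACEHOLDER_RE = re.compile(r"^\[.*\]$|\$\{.*\}")   # [console-token], ${console-host}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def check_agent_config(text):
    """Return sorted findings for a system.properties document (JSON assumed)."""
    cfg = json.loads(text)
    findings = [f"unknown key: {k}" for k in cfg if k not in KNOWN_KEYS]
    for key in ("hdiv.console.url", "hdiv.console.token", "hdiv.server.name"):
        value = str(cfg.get(key, ""))
        if not value:
            findings.append(f"missing: {key}")
        elif PLACEHOLDER_RE.search(value):
            findings.append(f"placeholder not replaced: {key}")
    name = str(cfg.get("hdiv.server.name", ""))
    if name and not PLACEHOLDER_RE.search(name) and not SERVER_NAME_RE.fullmatch(name):
        findings.append("hdiv.server.name: only alphanumeric, '-' and '_' allowed")
    url = urlsplit(str(cfg.get("hdiv.console.url", "")))
    # Plain http to a remote console exposes the token and findings in transit.
    if url.scheme == "http" and url.hostname not in LOCAL_HOSTS:
        findings.append("hdiv.console.url: plain http to a remote console")
    return sorted(findings)


# Constructed sample: remote console over http, bad server name, mistyped key.
SAMPLE = r"""{
  "hdiv.config.dir": "C:\\hdiv\\",
  "hdiv.console.url": "http://console.example.internal:8089/hdiv-console-services",
  "hdiv.console.token": "[console-token]",
  "hdiv.server.name": "web 01.prod",
  "hdiv.toolbar.enable": "true"
}"""

if __name__ == "__main__":
    for finding in check_agent_config(SAMPLE):
        print(finding)
```

An empty list means the connected-mode entries are filled in and the server name satisfies the character rule.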

Usage

Once the .NET Agent is attached to every application, you can try the vulnerability detection feature of Hdiv Enterprise. You only need to browse the application and all detected vulnerabilities will be submitted to the Console Application and/or shown in the Developer toolbar.