Installation

Installation requirements

The first step is to check the supported server versions, technologies and installation requirements.

Working modes

Hdiv .NET agent supports two working modes:

  • Dev Agent/Standalone: The agent works offline presenting all the vulnerabilities using Hdiv Toolbar
  • EE Agent/Connected: The agent sends the vulnerabilities to the web console.

Installation

In order to install .NET Agent, use the msi file HdivAgentSetup.msi provided by the Hdiv support team. This setup will install the required files in the server system for the Hdiv .NET Agent to work.

  1. It is advisable to run the installer with an administrator account.
  2. Accept the terms and conditions.
  3. The typical option is selected by default.
  4. The installation completes.

After Installation

After the Hdiv .NET Agent is installed, the following changes are made on the server machine:

  • All Hdiv files and HdivAgentService.exe will be placed in %Program Files%\Hdiv Security\Agent (commonly C:\Program Files\Hdiv Security\Agent)
  • This folder will also contain the default agent configuration file system.properties
  • The log folder will be created in %Program Files%\Hdiv Security\Agent for storing logs and traces according to the configuration of log severity defined in the configuration file

Configuration

The Hdiv agent tool can be used in two ways:

  1. Per-app use: attaching the Agent to each website individually.
  2. Global use: attaching the Agent to all .NET sites configured in IIS.

For more information about Agent usage, consult Use Hdiv .NET Agent.

Before using the Hdiv .NET Agent, some tweaking should be performed in the system.properties file.

You may need to define some config parameters:

| Parameter | Description |
|---|---|
| hdiv.console.url | URL of the Web Console. Default: http://localhost:8089/hdiv-console-service |
| hdiv.console.token | Authentication token for the environment in the Web Console |
| hdiv.server.name | Name that identifies this server in the Web Console |
| hdiv.net.ast.assemblies | By default, the Hdiv .NET Agent automatically retrieves the target assemblies whenever the application was deployed with its pdb files. Custom client .NET libraries belonging to an individual web application's scope can also be defined explicitly, as a semicolon-separated list |
| hdiv.net.ast.excluded.assemblies | List of assemblies to explicitly exclude from the scanning process |
| hdiv.net.ast.global.excluded.apps | List of web applications to explicitly exclude from the scanning process |
| hdiv.toolbar.enabled | Whether or not to show the Developer Toolbar, even if the console is configured |

  • hdiv.net.ast.assemblies: useful when you want to bypass the standard assembly retrieval process and name the specific assemblies the Agent should inspect. Wildcards are allowed for simplicity.

  • hdiv.net.ast.global.excluded.apps: applies only to global Agent actions.

Here is a sample configuration:

{
  "hdiv.config.dir": "C:\\hdiv\\",
  "hdiv.console.url": "http://localhost:8089/hdiv-console-services",
  "hdiv.console.token": "[console-token]",
  "hdiv.server.name": "[server-name]",
  "hdiv.net.ast.global.excluded.apps": "MusicStore*",
  "hdiv.toolbar.enabled": "true"
}

Assemblies with Digital Signatures

If digitally signed assemblies are part of your application's deployment, it is advisable to place the corresponding .snk files in the hdiv.config.dir folder (C:\Hdiv directory by default).

License

Hdiv provides a license file named license.hdiv. The folder containing this file should be set in the application server as a system property:

hdiv.config.dir={path-to-hdiv-configuration-files-folder}

As noted earlier, this parameter defaults to the C:\Hdiv directory. When running the .NET Agent, you will see this banner in the server console if hdiv.config.dir correctly points to the folder where your license.hdiv is installed:

#############################################################
Hdiv Enterprise X.X.X
(c) Copyright hdivsecurity.com

This product is licensed to Your Company

Valid until: 2019-01-15 07:28:44
Offline mode valid until: 2017-01-15 07:28:44
#############################################################

Hdiv requires write permissions on the configuration folder.
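Because the configuration folder must be writable and may also hold license.hdiv and .snk strong-name key files, it is worth checking who else can reach it. The following is an added example, not part of Hdiv's tooling; the function name Get-HdivConfigDirExposure is hypothetical and the path defaults to the C:\Hdiv location named on this page.

```powershell
# Added example, not Hdiv tooling. Get-HdivConfigDirExposure is a hypothetical name.
# Lists allow-ACEs that give broad built-in groups access to hdiv.config.dir.
function Get-HdivConfigDirExposure {
    param([string]$Path = 'C:\Hdiv')   # default hdiv.config.dir per this page

    # Matched by SID so the check also works on localized Windows installs.
    $broad = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    # FileSystemRights.Write (0x116), GENERIC_WRITE, GENERIC_ALL
    $writeMask = 0x116 -bor 0x40000000 -bor 0x10000000
    $sidType   = [System.Security.Principal.SecurityIdentifier]

    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -ne 'Allow' -or -not $broad.ContainsKey($sid)) {
            continue
        }
        # Write access lets the group replace license.hdiv or other files;
        # read access exposes any .snk key files placed in the folder.
        $canWrite = (([int]$ace.FileSystemRights) -band $writeMask) -ne 0
        [pscustomobject]@{
            Identity  = $broad[$sid]
            Access    = if ($canWrite) { 'write' } else { 'read' }
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Run against the configuration folder if it exists on this machine.
if (Test-Path -LiteralPath 'C:\Hdiv') {
    Get-HdivConfigDirExposure -Path 'C:\Hdiv' | Format-Table -AutoSize
}
```

An empty result means none of the three broad groups has an allow entry on the folder; the identity that runs the application still needs its own write entry.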

Connect to the Hdiv Console

Applications and servers using Hdiv can communicate with the Hdiv Console to send detected vulnerabilities and attacks to it and retrieve configuration options.

It is necessary to add some properties to enable communication between the applications and the console.

Add the following system properties (or environment variables) to the server in the same place the Hdiv Agent is configured.

hdiv.console.url=http://${console-host}:8089/hdiv-console-services
hdiv.server.name={server-name}
hdiv.console.token={console-token}

  • hdiv.console.url: The location of the Hdiv Console REST API. Replace the ${console-host} variable with the hostname or IP address where the Hdiv Console is installed.
  • hdiv.server.name: Unique name that identifies the server where the agent is installed.

    Only alphanumeric, '-' and '_' characters are allowed in the server name property

  • hdiv.console.token: Authentication token used to invoke the REST API in the console. The actual value of the token for your console installation is in the System Settings / Environments section of the Hdiv console. Access the console and copy the value of the token to this property.
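
A pre-deployment check for the three console properties described above, as an added example that is not part of Hdiv's tooling. It assumes Connected mode and the JSON layout of the sample configuration on this page; the function name Test-HdivAgentConfig and the sample values are constructed for illustration.

```powershell
# Added example, not Hdiv tooling. Test-HdivAgentConfig is a hypothetical name.
# Assumes Connected mode and the JSON layout of the sample configuration.
function Test-HdivAgentConfig {
    param([Parameter(Mandatory)][string]$Json)

    # Property names contain dots, so copy them into a hashtable for lookup.
    $cfg = @{}
    foreach ($p in ($Json | ConvertFrom-Json).PSObject.Properties) {
        $cfg[$p.Name] = [string]$p.Value
    }

    # hdiv.console.url must parse as an absolute http(s) URL.
    $uri = $null
    $url = [string]$cfg['hdiv.console.url']
    if (-not ([Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) -or
        $uri.Scheme -notin @('http', 'https')) {
        "hdiv.console.url is not an absolute http(s) URL: '$url'"
    }
    elseif ($uri.Scheme -eq 'http' -and -not $uri.IsLoopback) {
        "hdiv.console.url is plain http to $($uri.Host): the token is sent unencrypted"
    }

    # Server name rule from this page: alphanumeric, '-' and '_' only.
    $name = $cfg['hdiv.server.name']
    if ($name -notmatch '^[A-Za-z0-9_-]+$') {
        "hdiv.server.name '$name' may only contain alphanumeric, '-' and '_' characters"
    }

    # Catch an empty token or an unreplaced [console-token] / {console-token}.
    $token = $cfg['hdiv.console.token']
    if ([string]::IsNullOrWhiteSpace($token) -or $token -match '^[\[{].*[\]}]$') {
        'hdiv.console.token is empty or still a placeholder'
    }
}

# Constructed sample: remote console over http, placeholder token, bad name.
$sample = @'
{
  "hdiv.console.url": "http://console.example.internal:8089/hdiv-console-services",
  "hdiv.console.token": "[console-token]",
  "hdiv.server.name": "web 01"
}
'@
Test-HdivAgentConfig -Json $sample
```

The constructed sample produces three findings, one per property; the token value itself is never echoed.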

No Data Loss. Connectivity Fault Recovery

The Hdiv agent is designed to tolerate connectivity errors without losing any data when the console connection is not available. Hdiv stores pending information in the filesystem (with a maximum size limit) and sends that information when the console is available again.

Usage

Once the .NET Agent is attached to every application, you can try out the Hdiv Enterprise vulnerability detection feature. You only need to browse the application and all detected vulnerabilities will be submitted to the Console Application and/or shown in the Developer toolbar.