Installation
Installation requirements
The first step is to check the supported server versions, technologies and installation requirements.
Working modes
The Hdiv .NET Agent supports two working modes:
- Dev Agent/Standalone: The agent works offline and presents all the vulnerabilities in the Hdiv Toolbar.
- EE Agent/Connected: The agent sends the vulnerabilities to the web console.
Installation
In order to install .NET Agent, use the msi file HdivAgentSetup.msi provided by the Hdiv support team. This setup will install the required files in the server system for the Hdiv .NET Agent to work.
It is advisable to run the installer with an administrator account.
Accept the terms and conditions.
The typical option is selected by default.
The installation then completes.
After Installation
After the Hdiv .NET Agent is installed, the following changes will have been made on the server machine:
- All Hdiv files and HdivAgentService.exe are placed in %Program Files%\Hdiv Security\Agent (commonly C:\Program Files\Hdiv Security\Agent).
- This folder also contains the default agent configuration file, system.properties.
- The log folder is created in %Program Files%\Hdiv Security\Agent. It stores logs and traces according to the log severity defined in the configuration file.
Configuration
The Hdiv agent tool can be used in two ways:
- Per-app use: Attaching the Agent to each website individually.
- Global use: Attaching the Agent to all .NET sites configured in IIS.
For more information about Agent usage, see Use Hdiv .NET Agent.
Before using the Hdiv .NET Agent, adjust the system.properties file.
You may need to define some configuration parameters:
Parameter | Description |
---|---|
hdiv.console.url | Defines the URL of the Web Console, by default http://localhost:8089/hdiv-console-service |
hdiv.console.token | Authentication token for the environment in the Web Console |
hdiv.server.name | The name that will identify this server in the Web Console |
hdiv.net.ast.assemblies | By default, the Hdiv .NET Agent automatically picks up the target assemblies whenever the application was deployed with its pdb files. It is also possible to explicitly define the custom client .NET libraries that belong to an individual web application, as a semicolon-separated list |
hdiv.net.ast.excluded.assemblies | List of blacklisted assemblies to explicitly exclude from the scanning process |
hdiv.net.ast.global.excluded.apps | List of web applications to explicitly exclude from the scanning process |
hdiv.toolbar.enabled | Whether or not to show the Developer Toolbar, even if the console is configured |
- hdiv.net.ast.assemblies: this attribute is useful when you want to bypass the standard automatic assembly pick-up, because it lets you name the specific assemblies that Agent inspection should attach to. The definition allows wildcards for simplicity.
- hdiv.net.ast.global.excluded.apps: this attribute only applies to global Agent actions.
Here is a sample configuration:

```
{
  "hdiv.config.dir": "C:\\hdiv\\",
  "hdiv.console.url": "http://localhost:8089/hdiv-console-services",
  "hdiv.console.token": "[console-token]",
  "hdiv.server.name": "[server-name]",
  "hdiv.net.ast.global.excluded.apps": "MusicStore*",
  "hdiv.toolbar.enabled": "true"
}
```
Assemblies with Digital Signatures
If digitally signed assemblies are part of your application's deployment, it is advisable to place the corresponding .snk files in the hdiv.config.dir folder (C:\Hdiv directory by default).
License
Hdiv provides a license file named license.hdiv. The folder containing this file should be made known to the application server as a system property:
hdiv.config.dir={path-to-hdiv-configuration-files-folder}
As noted earlier, this parameter defaults to the C:\Hdiv directory.
When running the .NET Agent, you will see this banner in the server console if hdiv.config.dir correctly points to the folder where your license.hdiv is installed:

```
#############################################################
Hdiv Enterprise X.X.X
(c) Copyright hdivsecurity.com
This product is licensed to Your Company
Valid until: 2019-01-15 07:28:44
Offline mode valid until: 2017-01-15 07:28:44
#############################################################
```

Hdiv requires write permissions on the configuration folder.
Connect to the Hdiv Console
Applications and servers using Hdiv can communicate with the Hdiv Console to send detected vulnerabilities and attacks to it and retrieve configuration options.
It is necessary to add some properties to enable communication between the applications and the console.
Add the following system properties (or environment variables) to the server in the same place the Hdiv Agent is configured.
```
hdiv.console.url=http://${console-host}:8089/hdiv-console-services
hdiv.server.name={server-name}
hdiv.console.token={console-token}
```
- hdiv.console.url: The location of the Hdiv Console REST API. Replace the ${console-host} variable with the hostname or IP address where the Hdiv Console is installed.
- hdiv.server.name: Unique name that identifies the server where the agent is installed. Only alphanumeric, '-' and '_' characters are allowed in the server name property.
- hdiv.console.token: Authentication token used to invoke the REST API in the console. The actual value of the token for your console installation is in the System Settings / Environments section of the Hdiv console. Access the console and copy the value of the token to this property.
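The constraints stated in the configuration table and in the property descriptions above can be checked before the agent is started. The following PowerShell function is an added example, not part of the Hdiv documentation or product; the function name Test-HdivAgentConfig, the sample host name, the placeholder pattern and the plain-HTTP warning are assumptions of this example.

```powershell
# Added example: pre-flight check of agent settings; not Hdiv's own tooling.
function Test-HdivAgentConfig {
    param([Parameter(Mandatory)][string]$Json)

    try { $cfg = $Json | ConvertFrom-Json -ErrorAction Stop }
    catch { return @("not valid JSON: $($_.Exception.Message)") }
    $findings = @()

    # Page rule: only alphanumeric, '-' and '_' are allowed in the server name.
    $name = [string]$cfg.'hdiv.server.name'
    if ($name -notmatch '^[A-Za-z0-9_-]+\z') {
        $findings += "hdiv.server.name '$name' is empty or has disallowed characters"
    }

    # A [..] or {..} value is a documentation placeholder that was never replaced.
    $token = [string]$cfg.'hdiv.console.token'
    if (-not $token -or $token -match '^[\[{].*[\]}]\z') {
        $findings += 'hdiv.console.token is missing or still a placeholder'
    }

    $uri = $null
    $url = [string]$cfg.'hdiv.console.url'
    if (-not [System.Uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$uri) -or
        $uri.Scheme -notin 'http', 'https') {
        $findings += "hdiv.console.url '$url' is not an absolute http(s) URL"
    } elseif ($uri.Scheme -eq 'http' -and -not $uri.IsLoopback) {
        # Assumption of this example: flag plain HTTP to a remote console,
        # because hdiv.console.token then crosses the network unencrypted.
        $findings += "hdiv.console.url sends the token over plain HTTP to $($uri.Host)"
    }

    # license.hdiv must sit in hdiv.config.dir (C:\Hdiv when the key is absent).
    $dir = [string]$cfg.'hdiv.config.dir'
    if (-not $dir) { $dir = 'C:\Hdiv' }
    $license = [System.IO.Path]::Combine($dir, 'license.hdiv')
    if (-not (Test-Path -LiteralPath $license -PathType Leaf)) {
        $findings += "license.hdiv not found in $dir"
    }
    return $findings
}

# Constructed sample input; host name and values are made up for the example.
$sample = @'
{ "hdiv.config.dir": "C:\\hdiv\\",
  "hdiv.console.url": "http://hdiv-console.example.com:8089/hdiv-console-services",
  "hdiv.console.token": "[console-token]",
  "hdiv.server.name": "web 01" }
'@
Test-HdivAgentConfig -Json $sample | ForEach-Object { "FINDING: $_" }
```

To check a real installation, pass the file content instead of the sample, for example with `Get-Content -Raw` on the agent's system.properties.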
No Data Loss. Connectivity Fault Recovery
The Hdiv agent is designed to tolerate connectivity errors without losing any data when the console connection is not available. Hdiv stores pending information in the filesystem (with a maximum size limit) and sends that information when the console is available again.
Usage
Once the .NET Agent is attached to every application, you can try out the Hdiv Enterprise vulnerability detection feature. You only need to browse the application and all detected vulnerabilities will be submitted to the Console Application and/or shown in the Developer toolbar.