The Acunetix API gives you the opportunity to automate tasks to increase efficiency, especially when you can accelerate integration with other components of your workflow. In this article, we build on a previous one, where we showed you how to use the Acunetix API in a Bash script: Managing Scans using Bash and the Acunetix API. We will add code to that Bash script to achieve the following automation procedure:
- In Acunetix:
  - Trigger the creation of an export file for subsequent import into a WAF
  - Monitor the status of the export until it is completed
  - Download the export file
- In FortiWeb:
  - Upload the export while creating a rule
We’ve previously shown the same procedure for another WAF: F5 BigIP ASM.
Anatomy of the script additions
The script additions follow this structure:
- Acunetix API tasks
  - The generation of the export file is triggered
  - A loop is created that checks the status of the export file generation every 10 seconds, and waits for the status to become “completed”
  - The export file is downloaded
- WAF API tasks
  - The export file is uploaded and imported while FortiWeb simultaneously creates a rule
Bash script additions
```bash
# ... previous script above this line

# Declare Variables for Acunetix
ExportTypeID="21111111-1111-1111-1111-111111111118" # FortiWeb via ScanResultID

# Declare Variables for FortiWeb
MyWAFUser="admin"
MyWAFPass="adminpass123%"
MyWAFADOM="root"
MyWAFURL="https://192.168.72.128:90/api/v1.0"
# FortiWeb expects the base64 of "user:password:adom"; printf keeps a trailing newline out of the encoded value
MyHdrWAFAuth="Authorization: $(printf '%s' "$MyWAFUser:$MyWAFPass:$MyWAFADOM" | base64)"
MyHdrForm="Content-Type: multipart/form-data"

# Trigger the creation of the export file for the scan result
MyExportResult=$(curl -i -sS -k -X POST "$MyAXURL/exports" \
  -H "Content-Type: application/json" -H "X-Auth: $MyAPIKEY" \
  --data "{\"export_id\":\"$ExportTypeID\",\"source\":{\"list_type\":\"scan_result\",\"id_list\":[\"$MyScanResultID\"]}}")
MyExportID=$(echo "$MyExportResult" | grep -Po '"report_id": *\K"[^"]*"' | tr -d '"')

# Check the export status every 10 seconds until it becomes "completed"
while true; do
  MyExportStatus=$(curl -sS -k -X GET "$MyAXURL/exports/$MyExportID" -H "Accept: application/json" -H "X-Auth: $MyAPIKEY")
  if [[ "$MyExportStatus" == *"\"status\": \"processing\""* ]]; then
    echo "Export Status: Processing - waiting 10 seconds"
  elif [[ "$MyExportStatus" == *"\"status\": \"queued\""* ]]; then
    echo "Export Status: Queued - waiting 10 seconds"
  elif [[ "$MyExportStatus" == *"\"status\": \"completed\""* ]]; then
    echo "Export Status: Completed"
    # Break out of loop
    break
  else
    echo "Invalid Export Status: Aborting"
    # Clean Up and Exit script
    cleanup
    exit 1
  fi
  sleep 10
done

# Extract the file name from the "download" list in the status response
MyExportFile=$(echo "$MyExportStatus" | sed 's/.*\[ \"\/api\/v1\/reports\/download\/\([^]]*\)\" \].*/\1/g')
echo "Export File: $MyExportFile"

# Download Export File from Acunetix
curl -sS -k "$MyAXURL/reports/download/$MyExportFile" -o "$MyExportFile"
MyExportFilePath=$(readlink -f "$MyExportFile")

# Import Scan File to WAF: upload the export and let FortiWeb generate an inline rule from it
MyWAFResult=$(curl -sS -k -X POST "$MyWAFURL/WebVulnerabilityScan/ScannerIntegration/ScannerIntegration?action=import" \
  -H "$MyHdrWAFAuth" -H "$MyHdrForm" \
  -F "fileName=@$MyExportFilePath" -F "autoGenerate=true" -F "profileType=inline" -F "mergetoRule=false" \
  -F "inlineRuleName=AcunetixScanResults" -F "high=deny" -F "medium=alert" -F "low=alert" \
  -F "scannerType=acunetix" -F "importMethod=xml" -F "adomName=$MyWAFADOM")
echo "WAF Import Result"
echo "================="
echo "$MyWAFResult" | jq
```
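The polling loop above runs forever if an export never leaves "queued", and it matches the status by exact string. The following is an added example, not part of the article's script, of a bounded version: the HTTP call is isolated in one function, the JSON fields are parsed with whitespace-tolerant sed expressions, any status other than queued/processing/completed ends the wait, and the loop gives up after a fixed number of attempts. It assumes the MyAXURL and MyAPIKEY variables from the article's script and the same status document layout the sed expression above parses.

```shell
#!/bin/sh
# Added example (not from the article): bounded polling of the Acunetix export status.
# Assumes MyAXURL and MyAPIKEY are set as in the article's script.

# The only network call: fetch the JSON status document of one export.
ax_export_status() {
  curl -sS -k -X GET "$MyAXURL/exports/$1" \
    -H "Accept: application/json" -H "X-Auth: $MyAPIKEY"
}

# Extract the "status" value; tolerates any whitespace around the colon.
ax_status_field() {
  printf '%s' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Extract the file name from "download": ["/api/v1/reports/download/<file>"].
ax_download_file() {
  printf '%s' "$1" | sed -n \
    's/.*"download"[[:space:]]*:[[:space:]]*\[[[:space:]]*"\/api\/v1\/reports\/download\/\([^"]*\)".*/\1/p'
}

# ax_wait_for_export <export_id> [interval_seconds] [max_attempts]
# Prints the export file name and returns 0 once the export is completed,
# 1 on a failed/unknown status or HTTP error, 2 when max_attempts is exceeded.
ax_wait_for_export() {
  export_id=$1; interval=${2:-10}; max_attempts=${3:-60}; attempt=0
  while [ "$attempt" -lt "$max_attempts" ]; do
    body=$(ax_export_status "$export_id") || return 1
    case $(ax_status_field "$body") in
      queued|processing)
        attempt=$((attempt + 1))
        sleep "$interval" ;;
      completed)
        ax_download_file "$body"
        return 0 ;;
      *)
        # "failed" or an unexpected document: do not keep waiting
        return 1 ;;
    esac
  done
  return 2
}
```

In the article's script, `MyExportFile=$(ax_wait_for_export "$MyExportID" 10 60) || { cleanup; exit 1; }` replaces the while loop and the sed line.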