The Acunetix API gives you the opportunity to automate tasks to increase efficiency – especially when you can accelerate the integration of functionality with other components of your workflow. In this example, we will build on a previous article, where we’ve shown you how to use the Acunetix API in a Bash script: Managing Scans using Bash and the Acunetix API. We will add code to that Bash script to achieve the following automation:
- In Acunetix:
  - Trigger the creation of an export file for subsequent import into a WAF
  - Monitor the status of the export until it is completed
  - Download the export file
- In BigIP ASM:
  - Define a target
  - Define a security policy
  - Upload the export
Anatomy of the script additions
The script additions follow this structure:
- Acunetix API tasks
  - The generation of the export file is triggered
  - A loop is created that checks the status of the export file generation every 10 seconds and waits for the status to become completed
  - The export file is downloaded
- WAF API tasks
  - A virtual server is created for the target
  - The ID of the vulnerability assessment baseline is retrieved from the WAF
  - A security policy for Acunetix scans is created
  - The ID of the security policy is retrieved from the WAF
  - The scanner type for the security policy is set to Generic Scanner
  - The size of the export file is calculated
  - The export file is uploaded to the WAF
  - The export file is imported into the security policy
Bash script additions
```bash
# ... previous script above this line

# Declare variables for Acunetix
MyTargetIP=$(getent hosts testphp.vulnweb.com | awk '{ print $1 }')
ExportTypeID="21111111-1111-1111-1111-111111111113" # Export type: F5 BigIP

# Declare variables for F5 BigIp
MyTargetDomain=$(echo "$MyTargetURL" | sed -e 's|^[^/]*//||' -e 's|/.*$||')
MyBigIpUser="admin"
MyBigIpPass="adminpass123%"
MyBigIpHost="192.168.72.128"

# Trigger the generation of the export file from the scan result
MyExportResult=$(curl -i -sS -k -X POST "$MyAXURL/exports" -H "Content-Type: application/json" -H "X-Auth: $MyAPIKEY" --data "{\"export_id\":\"$ExportTypeID\",\"source\":{\"list_type\":\"scan_result\",\"id_list\":[\"$MyScanResultID\"]}}")
# The Location header points at the new export resource
MyExportElement=$(echo "$MyExportResult" | grep "Location: " | sed "s/Location: \/api\/v1\/exports\///" | sed "s/\r//g" | sed -z "s/\n//g")
MyExportURL="$MyAXURL/exports/$MyExportElement"
# The response body carries the report ID used to poll the export status
MyExportID=$(echo "$MyExportResult" | grep -Po '"report_id": *\K"[^"]*"' | tr -d '"')

# Check the export status every 10 seconds until it is completed
while true; do
    MyExportStatus=$(curl -sS -k -X GET "$MyAXURL/exports/$MyExportID" -H "Accept: application/json" -H "X-Auth: $MyAPIKEY")
    if [[ "$MyExportStatus" == *"\"status\": \"processing\""* ]]; then
        echo "Export status: Processing - waiting 10 seconds"
    elif [[ "$MyExportStatus" == *"\"status\": \"queued\""* ]]; then
        echo "Export status: Queued - waiting 10 seconds"
    elif [[ "$MyExportStatus" == *"\"status\": \"completed\""* ]]; then
        echo "Export status: Completed"
        # Break out of loop
        break
    else
        echo "Invalid export status - aborting"
        # Clean up and exit script
        cleanup
        exit 1
    fi
    sleep 10
done

# Extract the file name from the download link in the export status
MyExportFile=$(echo "$MyExportStatus" | sed 's/.*\[ \"\/api\/v1\/reports\/download\/\([^]]*\)\" \].*/\1/g')
echo "Export file: $MyExportFile"

# Download export file from Acunetix
Dummy=$(curl -sS -k "$MyAXURL/reports/download/$MyExportFile" -o "$MyExportFile")

# Create a virtual server for your target
Dummy=$(curl -sS -k -u "$MyBigIpUser:$MyBigIpPass" -X POST "https://$MyBigIpHost/mgmt/tm/ltm/virtual" -H "Content-type: application/json" --data '{"name":"MyWebApplication","destination":"'"$MyTargetIP"':80","ipProtocol":"tcp"}')
echo "Created a virtual server"

# Get the ID of the vulnerability assessment baseline policy template
MyBigIpVulnBaselineID=$(curl -sS -k -u "$MyBigIpUser:$MyBigIpPass" -X GET "https://$MyBigIpHost/mgmt/tm/asm/policy-templates" -H "Content-type: application/json" | jq -r '.items[] | select(.title == "Vulnerability Assessment Baseline") | .id')

# Create a security policy for Acunetix scans, attached to the virtual server and based on the baseline template
MyBigIpPolicyResponse=$(curl -sS -k -u "$MyBigIpUser:$MyBigIpPass" -X POST "https://$MyBigIpHost/mgmt/tm/asm/policies" -H "Content-type: application/json" --data '{"name":"AcunetixPolicy","description":"Import from Acunetix Scan Results","virtualServers":["/Common/MyWebApplication"],"type":"security","enforcementMode":"blocking","templateReference":{"link":"https://'"$MyBigIpHost"'/mgmt/tm/asm/policy-templates/'"$MyBigIpVulnBaselineID"'"}}')
MyBigIpPolicyID=$(echo "$MyBigIpPolicyResponse" | jq -r '.id')
echo "Security policy ID: $MyBigIpPolicyID"

# Set scanner type to Generic scanner
Dummy=$(curl -sS -k -u "$MyBigIpUser:$MyBigIpPass" -X PATCH "https://$MyBigIpHost/mgmt/tm/asm/policies/$MyBigIpPolicyID/vulnerability-assessment" -H "Content-type: application/json" --data '{"scannerType":"generic"}')
echo "Scanner type set to Generic scanner"

# Get file size (needed for the Content-Range header of the upload)
MyExportFileSize=$(stat --printf="%s" "$MyExportFile")

# Upload the file to the WAF
Dummy=$(curl -sS -k -u "$MyBigIpUser:$MyBigIpPass" -X POST "https://$MyBigIpHost/mgmt/tm/asm/file-transfer/uploads/$MyExportFile" -H "Content-type: application/octet-stream" -H "Content-Range: 0-$((MyExportFileSize-1))/$MyExportFileSize" --data-binary "@$MyExportFile")
echo "Acunetix export file uploaded to the WAF"

# Import the file into the security policy
Dummy=$(curl -sS -k -u "$MyBigIpUser:$MyBigIpPass" -X POST "https://$MyBigIpHost/mgmt/tm/asm/tasks/import-vulnerabilities" -H "Content-type: application/json" --data '{"policyReference":{"link":"https://'"$MyBigIpHost"'/mgmt/tm/asm/policies/'"$MyBigIpPolicyID"'"},"filename":"'"$MyExportFile"'","importAllDomainNames":false,"domainNames":["'"$MyTargetDomain"'"]}')
echo "Acunetix export file imported to the security policy"

# Get the vulnerabilities collection object
MyVulnerabilities=$(curl -sS -k -u "$MyBigIpUser:$MyBigIpPass" -X GET "https://$MyBigIpHost/mgmt/tm/asm/policies/$MyBigIpPolicyID/vulnerabilities")
MyVulnerabilitiesItems=$(echo "$MyVulnerabilities" | jq '.totalItems')
echo "Number of vulnerabilities imported: $MyVulnerabilitiesItems"
if [[ $MyVulnerabilitiesItems -eq 0 ]]; then
    echo "No vulnerabilities imported; exiting"
    exit 1
fi
echo "$MyVulnerabilitiesItems vulnerabilities imported. You now need to configure resolution parameters for each vulnerability."
```
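The polling loop above runs until the status changes and matches the JSON by exact substring, so a stuck export is never detected and a change in the server's whitespace breaks the match. The following bounded version is an added example, not code from the article; it assumes MyAXURL and MyAPIKEY are set as in the earlier script, and takes the fetch command as a parameter so it can be exercised with a stub.

```shell
# Added example, not the article's own code: a bounded version of the
# export polling loop that tolerates JSON whitespace and gives up
# after a fixed number of attempts instead of looping forever.
# Assumes MyAXURL and MyAPIKEY are set as in the earlier script.

# Print the value of "status" from an export JSON body (empty if absent).
export_status() {
  printf '%s\n' "$1" | sed -n 's/.*"status"[[:space:]]*:[[:space:]]*"\([a-z_]*\)".*/\1/p'
}

# Print the file name from the "download" list, relative to /api/v1/reports/download/.
export_download_file() {
  printf '%s\n' "$1" | sed -n 's|.*"/api/v1/reports/download/\([^"]*\)".*|\1|p'
}

# Live fetcher: GET one export resource with the API key header.
fetch_export_live() {
  curl -sS -k "$MyAXURL/exports/$1" -H "Accept: application/json" -H "X-Auth: $MyAPIKEY"
}

# wait_for_export EXPORT_ID FETCH_FUNC [MAX_ATTEMPTS] [DELAY_SECONDS]
# FETCH_FUNC is any command that prints the export JSON for the given id.
# Prints the download file name and returns 0 on completion; returns 1 on
# timeout, fetch error, unexpected status, or a completed export with no file.
wait_for_export() {
  local export_id="$1" fetch="$2" max_attempts="${3:-30}" delay="${4:-10}"
  local attempt=1 body status file
  while [ "$attempt" -le "$max_attempts" ]; do
    body=$("$fetch" "$export_id") || return 1
    status=$(export_status "$body")
    case "$status" in
      queued|processing)
        echo "Export status: $status (attempt $attempt/$max_attempts) - waiting $delay seconds" >&2
        sleep "$delay" ;;
      completed)
        file=$(export_download_file "$body")
        [ -n "$file" ] || return 1
        printf '%s\n' "$file"; return 0 ;;
      *)
        echo "Unexpected export status '${status:-missing}' - aborting" >&2; return 1 ;;
    esac
    attempt=$((attempt + 1))
  done
  echo "Export not completed after $max_attempts attempts - aborting" >&2
  return 1
}

# In the article's script this replaces the while-true loop:
#   MyExportFile=$(wait_for_export "$MyExportID" fetch_export_live 30 10) || { cleanup; exit 1; }
```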