Deploying AcuSensor for PHP

You can use AcuSensor to carry out interactive security testing (IAST) in your web application to confirm more vulnerabilities and further minimize false positives.

Before deploying AcuSensor, note the list of supported servers and frameworks.

Supported Servers and Frameworks

PHP Language

  • 5.6.x
  • 7.x
  • 8.x

Application Frameworks

  • Laravel
  • Symfony
  • CodeIgniter
  • Yii
  • Zend v3
  • Slim v2, v3, v4
  • Smarty v3, v4

Web Servers

  • Apache
  • Nginx

Database Engines

  • MySQL
  • PostgreSQL
  • Microsoft SQL Server
  • DB2
  • Ingres
  • Oracle
  • FireBird/InterBase
  • Sybase
  • MongoDB v2.6 or later, using the MongoDB PHP extension 1.3 or later

Package Manager

  • Composer

For AcuSensor to operate, you need to download an agent and deploy it on your server. Please note that this agent is generated uniquely for each target website for security reasons.

AcuSensor is deployed by setting the PHP directive auto_prepend_file to the path of the AcuSensor PHP file, so that the agent is loaded before every script in the application.

This topic explains how to download and copy the AcuSensor files to your hard disk and configure your web server to use these files.

Deploying the AcuSensor agent is a three-step process.

Downloading the AcuSensor agent

You can find the required instructions to download the AcuSensor agent in Deploying Acunetix AcuSensor.

Copying the AcuSensor agent

You need to create a dedicated folder inside the root folder of your operating system to hold the AcuSensor agent.

  • For Windows:
      • Create a folder in C: and name it acusensor
      • Copy the acusensor.php file into "C:\acusensor"
  • For Linux (run the following commands in a terminal; Linux paths are case-sensitive, so use exactly the same casing here and in the auto_prepend_file directive):
      • Run the following command: mkdir /acusensor/
      • Use cd to change to the folder that contains the AcuSensor agent file
      • Then, run the following command: cp acusensor.php /acusensor

Configuring your web server

The way auto_prepend_file is invoked differs between web servers. Instructions for each web server are provided below.

Information

In order to invoke auto_prepend_file, you need to identify the INI file and make changes as instructed below.

If your website has its own INI file (typically a ".user.ini" file in your website's root folder), add the line specified below to that website's INI file. Note that .user.ini files are read only when PHP runs under the CGI/FastCGI SAPI (for example PHP-FPM); they are ignored by mod_php.

Otherwise, you will need to add the specified line to the general php.ini file. Note that this operation affects all websites on the web server.

For further information, see Identifying php.ini in your web server.


Internet Information Services (IIS)

  • Identify the php.ini file that contains the PHP directives for your website
  • Add auto_prepend_file="c:\acusensor\acusensor.php" to the website's INI file

Apache

There are two options in Apache.

  • Option 1: Add php_value auto_prepend_file c:\acusensor\acusensor.php to the .htaccess file in the root folder of your website. This works only when PHP runs as an Apache module (mod_php) and AllowOverride permits .htaccess for that directory; with PHP-FPM, use Option 2.
  • Option 2: Add auto_prepend_file="c:\acusensor\acusensor.php" to the website's INI file

NGINX

There are two options in Nginx.

  • Option 1: Identify the Nginx config file and add fastcgi_param PHP_VALUE "auto_prepend_file = /acusensor/acusensor.php"; inside the "location ~ \.php$" block that passes requests to PHP-FPM
  • Option 2: Add auto_prepend_file="c:\acusensor\acusensor.php" to the website's INI file

Identifying php.ini in your web server

Temporarily create a simple PHP file containing phpinfo(); and open it through the web server: the "Loaded Configuration File" entry shows the general php.ini file you need to change. Do not rely on php --ini from the command line for this, because the CLI SAPI may load a different php.ini from the one the web server uses.

Information

  • You should always remove any phpinfo() pages from your web application
  • The information disclosed by such a file is itself a vulnerability and provides attackers with essential information
  • This information may allow attackers to potentially craft an exploit targeting your web application
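As an added check (example code written for this page, not part of the Acunetix documentation or the AcuSensor agent), the following script reports which INI file the web SAPI actually loaded and whether auto_prepend_file points at a readable agent, without the full phpinfo() disclosure; the file name check_acusensor.php is an assumption. Request it through the web server, not the CLI, and delete it once the deployment is verified.

```php
<?php
// check_acusensor.php (constructed example, not part of the AcuSensor agent).
// Reports only the facts needed to verify an auto_prepend_file deployment:
// the SAPI in use, the INI files it loaded, and whether the agent is readable.
declare(strict_types=1);

/** Collect deployment facts for this request; nothing else is disclosed. */
function acusensor_status(): array
{
    $prepend = (string) ini_get('auto_prepend_file');
    $status = [
        'sapi'           => PHP_SAPI,                          // e.g. apache2handler, fpm-fcgi
        'loaded_ini'     => php_ini_loaded_file() ?: '(none)', // the general php.ini
        'scanned_ini'    => php_ini_scanned_files() ?: '(none)',
        'auto_prepend'   => $prepend === '' ? '(not set)' : $prepend,
        'agent_readable' => $prepend !== '' && is_readable($prepend),
    ];
    // .user.ini is honoured only by CGI/FastCGI SAPIs (e.g. PHP-FPM); under mod_php
    // the equivalent mechanism is php_value in .htaccess, so report which one applies.
    $status['user_ini_honoured'] = in_array(PHP_SAPI, ['cgi-fcgi', 'fpm-fcgi'], true);
    return $status;
}

header('Content-Type: text/plain');
foreach (acusensor_status() as $key => $value) {
    printf("%-18s %s\n", $key, is_bool($value) ? ($value ? 'yes' : 'no') : $value);
}
```

If agent_readable reports no while auto_prepend is set, the path casing or file permissions are the usual cause; if auto_prepend reports (not set), the directive was placed in an INI file or .htaccess that this SAPI does not read.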

Docker

The simple Docker example below is applicable for Apache + PHP + AcuSensor.

  • Prepare an example website. For this single-page example, here are the contents of /home/myuser/www/index.php

<?php echo "Hello World!"; ?>
<?php phpinfo(); ?>

  • Configure loading of the AcuSensor agent for the website; here are the contents of /home/myuser/www/.htaccess (the file name must match the agent file copied below exactly, since Linux paths are case-sensitive)

php_value auto_prepend_file /var/www/mysite/acusensor.php

  • Configure Apache for the website; here are the contents of /home/myuser/mysite-apache.conf

<VirtualHost *:80>
  ServerAdmin me@mydomain.com
  DocumentRoot /var/www/mysite
  <Directory /var/www/mysite/>
      Options Indexes FollowSymLinks MultiViews
      AllowOverride All
      Order deny,allow
      Allow from all
  </Directory>
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

  • Copy the acusensor.php file into /home/myuser/www
  • Configure the Dockerfile for building the container; here are the contents of /home/myuser/Dockerfile

FROM ubuntu:latest
LABEL maintainer="Acunetix <support@acunetix.com>"

# Install apache, PHP
RUN apt-get update
RUN apt-get -y upgrade
RUN DEBIAN_FRONTEND=noninteractive apt-get -y install apache2 php libapache2-mod-php

# Expose apache
EXPOSE 80

# Copy website and AcuSensor agent into place
COPY www /var/www/mysite

# Update the default apache site with the website config
COPY mysite-apache.conf /etc/apache2/sites-enabled/000-default.conf

# Start up apache in the foreground
CMD ["/usr/sbin/apache2ctl", "-D", "FOREGROUND"]

  • Build the image by running the following commands on the Docker host (the trailing dot is the build context):

cd /home/myuser
docker build -t mysite .

Uninstalling AcuSensor

You may choose to uninstall the AcuSensor agent from your server. Take the following steps to uninstall it.

  • Revert the configuration change that invokes the auto_prepend_file directive
  • Next, remove the AcuSensor agent file as follows:
      • For Windows:
          • Remove the C:\acusensor\acusensor.php file
          • Then, remove the C:\acusensor folder
      • For Linux (run the following command in a terminal):
          • rm -rf /acusensor/

Information

Although the AcuSensor agent is secured with a unique, strong built-in password, it is recommended that the AcuSensor files are uninstalled and removed from the web application if they are no longer in use.
