
Invicti IAST for ASP.NET

Invicti IAST Network Prerequisites

IAST makes use of the IAST Bridge. The IAST sensor must be able to communicate with iast.invicti.com to transmit data to the DAST scanning engine.

This document explains how to deploy the Invicti IAST sensor for ASP.NET, how to remove it, and how to deploy it manually.

How to deploy Invicti IAST for ASP.NET websites

This section describes how to deploy Invicti IAST to an ASP.NET (including .NET Core) web application.

  1. Download the Invicti IAST sensor for your Target.
  2. Install the prerequisites on the server hosting the website. (The Invicti IAST Injector.exe application requires Microsoft .NET Framework 3.5 or higher.)
  3. Copy the Invicti IAST installation file dotnet-iastsensor.zip to the server hosting the .NET website.
  4. Extract the dotnet-iastsensor.zip file, navigate to the .NET Framework subfolder, and launch the Injector.exe file.
     [Figure: Launching the Injector.exe file.]
  5. On start-up, the Injector retrieves a list of .NET applications installed on your server. Select the applications you would like to enhance with the Invicti IAST Technology and click Install .NET IAST Sensor to install the Invicti IAST sensor in the selected .NET applications.
  6. Once the sensor has been installed, close the confirmation window and the Invicti IAST manager.

How to turn off and remove Invicti IAST for ASP.NET websites

To turn off and remove Invicti IAST from your website:

  1. Launch Injector.exe.
  2. Select the website where Invicti IAST is deployed and click Remove .NET IAST Sensor.
  3. Close the Injector.exe application.

How to deploy and remove Invicti IAST using the command line

After copying and extracting the dotnet-iastsensor.zip file to the server hosting the .NET website, you can deploy Invicti IAST to your web application, remove it from the application, and list the available web applications, as follows:

    C:\Users\Administrator\Desktop\dotnet-iastsensor>injector -m inject -t http://localhost:80/

    C:\Users\Administrator\Desktop\dotnet-iastsensor>injector -m uninject -t http://localhost:80/

    C:\Users\Administrator\Desktop\dotnet-iastsensor>injector -m list
    http://localhost:80/

  • The -m switch can be:
    • inject - to inject Invicti IAST into a web application
    • uninject - to remove Invicti IAST from a web application
    • list - to list the web applications on the web server
  • The -t switch should specify the URL for which you wish to inject or remove the Invicti IAST sensor.
Warning
  • If the web application is at the root of a URL path, you MUST include a forward slash at the end of the URL (in this example, http://localhost:80/).
  • If the web application is in a subfolder, you MUST NOT include a forward slash at the end of the URL (in this example, http://localhost:80/yaf_forums).
  • Although the Invicti IAST sensor is secured with a strong password, you should uninstall and remove its files from the web application when it's no longer needed.

How to deploy Invicti .NET IAST Sensor manually

  1. Download the Invicti IAST sensor for your Target.
  2. Extract the downloaded ZIP file to any directory. For this illustration, we used the following folder: C:\ProgramData\InvictiPlatform\iastsensor
  3. Open PowerShell or CMD with administrator privileges.
  4. Navigate to the .NET Framework folder.
  5. Run the following command: .\Injector.exe -m extract
     [Figure: Extracting Invicti IAST .NET sensor.]
  6. Copy the newly created DLLs and settings.ini to the target application's bin folder, similar to the following:
     [Figure: Copying DLL and settings.ini files.]
  7. Open settings.ini and edit the log.path entry to read: log.path=C:\inetpub\temp\IIS Temporary Compressed Files\logs
  8. To install the IIS HTTP Module, add the following to the web application's web.config:

     <configuration>
       <system.webServer>
         <modules>
           <add name="InvictiSensorModule" type="SensorModule.RequestsHandlerModule, SensorModule, version=5.0.0.0, culture=neutral, publicKeyToken=068f0ac6f5c4405b" />
         </modules>
       </system.webServer>
     </configuration>

     [Figure: Installing IIS HTTP Module.]
  9. To load the SensorModule.dll .NET profiler, add the following environment variable by editing the IIS application-host config file, %windir%\System32\inetsrv\config\applicationHost.config:

     SENSOR_SETTINGS_PATH=<SensorRoot>/settings.ini

     [Figure: Adding SENSOR_SETTINGS_PATH.]
  10. Restart the test application in IIS. You might need to restart the W3SVC service for the changes to take effect.
  11. Run a scan on your Target. The Vulnerability detail confirms that Invicti IAST was detected and used for the scan.

Tip

Invicti IAST should generate logs inside the directory you entered in the settings.ini file.


[Figure: Invicti IAST Sensor Module logs.]
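
The manual deployment above touches four places: the web.config module entry, the files in the bin folder, the log directory and applicationHost.config. The page also advises removing the sensor's files when it is no longer needed. The following PowerShell check is an added example, not Invicti's own tooling, and reports which of those artifacts are still present for one application. The function name Get-IastSensorResidue and its AppRoot parameter are hypothetical, and it assumes the only DLL to look for is SensorModule.dll, the one named on this page.

```powershell
# Added example; the function and parameter names are hypothetical.
# The artifact names it looks for are the ones shown on this page.
function Get-IastSensorResidue {
    param(
        # Physical folder of the web application (where web.config lives)
        [Parameter(Mandatory = $true)][string]$AppRoot
    )
    $findings = @()

    # 1. HTTP module registration left in web.config
    $webConfig = Join-Path $AppRoot 'web.config'
    if (Test-Path -LiteralPath $webConfig) {
        $xml = [xml](Get-Content -LiteralPath $webConfig -Raw)
        # local-name() also matches entries nested under <location> elements
        $adds = $xml.SelectNodes("//*[local-name()='modules']/*[local-name()='add']")
        foreach ($add in $adds) {
            $name = $add.GetAttribute('name')
            $type = $add.GetAttribute('type')
            if ($name -eq 'InvictiSensorModule' -or $type -like 'SensorModule.*') {
                $findings += "web.config registers module '$name'"
            }
        }
    }

    # 2. Sensor files copied into the bin folder
    $bin = Join-Path $AppRoot 'bin'
    foreach ($file in 'SensorModule.dll', 'settings.ini') {
        $path = Join-Path $bin $file
        if (Test-Path -LiteralPath $path) { $findings += "file present: $path" }
    }

    # 3. Log directory named by log.path in settings.ini
    $ini = Join-Path $bin 'settings.ini'
    if (Test-Path -LiteralPath $ini) {
        $line = Get-Content -LiteralPath $ini |
            Where-Object { $_ -match '^\s*log\.path\s*=' } | Select-Object -First 1
        $logDir = if ($line) { ($line -split '=', 2)[1].Trim() } else { '' }
        if ($logDir -and (Test-Path -LiteralPath $logDir)) { $findings += "log directory present: $logDir" }
    }

    # 4. Profiler environment variable in applicationHost.config (server-wide file)
    $hostConfig = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
    if ((Test-Path -LiteralPath $hostConfig) -and
        (Select-String -LiteralPath $hostConfig -Pattern 'SENSOR_SETTINGS_PATH' -SimpleMatch -Quiet)) {
        $findings += 'applicationHost.config sets SENSOR_SETTINGS_PATH'
    }

    [pscustomobject]@{ AppRoot = $AppRoot; Clean = ($findings.Count -eq 0); Findings = $findings }
}
```

Run it from an elevated prompt with the application's physical path, for example Get-IastSensorResidue -AppRoot <path> | Format-List. Check 4 reads a server-wide file, so a hit there can belong to a different application on the same server.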
