As we reach the end of September 2024, ThreadFix version 3.x on-premises has officially reached its End-of-Life. Therefore, there is no longer support or updates for this version of the product. We have fully transitioned our product and development teams to focus on ThreadFix SaaS and on migrating all customers over from the on-premises versions. Our Customer Success and Support teams are here to help you migrate to ThreadFix SaaS and maximize the value you see from this improved offering from Coalfire. This is the next phase of ThreadFix, and our team is looking forward to continuing to support you on this journey.
Scan Agent 3.X
You will learn
How to get started with the ThreadFix Scan Agent.
Prerequisites
Audience: IT Professional, or End User
Difficulty: Intermediate
Time needed: Approximately 10 minutes
Tools required: Please see Requirements list
Requirements
Running instance of ThreadFix
Application with URL set
API key generated
ThreadFix Scan Agent jar
Supported scanner
Config file for scanner
Supported Scanners
Downloading the Scan Agent
To download a copy of the Scan Agent, click on the Help icon and select Download Tools, then click on the 'Jar File' link for the Scan Agent item in the list. This will download the scanagent.jar file.
ThreadFix Support recommends using the Scan Agent that corresponds with the user’s current version of ThreadFix. After upgrading a ThreadFix deployment, download the current .jar file from the Download Tools page and replace any deployed version with the new one.
The existing configuration can be used, but if it no longer works, it will be necessary to step through the config once again.
Deploying the Scan Agent
Deploy scanagent.jar wherever it can access the scanning tool's executable, which would typically be on the server running the scanning tool. Additionally, the Scan Agent needs to be able to access the ThreadFix server, so it can poll it for tasks and upload scan results to it.
Usage
Configure ThreadFix
java -jar scanagent.jar -s
ThreadFix base Url: enter the URL that the agent will use to connect to ThreadFix.
Be sure to include at least /rest so the agent can use ThreadFix's API. ThreadFix recommends including /latest at the end so the scan upload is queued (e.g., http://my.tf.server:8080/threadfix/rest/latest).
ThreadFix API Key: enter an API key generated in ThreadFix.
"Input working directory" refers to the directory in which the scan agent saves scan output (e.g., an XML file); the results are then sent to the ThreadFix server via a REST API call.
This process will update the scanagent.properties file in the working directory to include the entered configuration information. If the file does not exist, it will be generated. There are additional properties which can be set or altered. For further information, consult the comments in the scanagent.properties file, or see the Settings section of this guide.
Configure Scanners
Creating config file
This file is created in order for the scanner to have access to an appropriate login sequence, and other relevant data for scanning an application.
Base Setup for Each Scanner
Connect scanner to application URL (ZAP and Burp require proxy setup).
Configure login sequence for URL if necessary.
Crawl/Spider the site. Allow the process to finish and review the endpoints.
If the scanner automatically kicks off crawling/scanning, pause/stop the scanner once the scanning process has begun.
Save the state of the scanner and name the config file <scanner>.scanagtcfg (e.g., zap.scanagtcfg). The name must be all lower-case or ThreadFix will not recognize the file.
This is required for AppScan but is optional for ZAP. Note: in ZAP, save the scanner state via the File > Persist Session... option or the ZAP startup menu. ZAP will output a series of files. Compress the file with the .session extension into a zip file, then rename the zip to zap.scanagtcfg.
For an Acunetix configuration file, choose the 'Save Scan Results' option and rename the resulting file to acunetix.scanagtcfg.
Upload the config file under the Files tab on the application page in the active ThreadFix instance.
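The two rules above that most often trip up a first deployment are the base URL (it must include /rest and should end in /latest) and the config filename (<scanner>.scanagtcfg, all lower-case, and for ZAP a zip containing the .session file). The following pre-flight checker is an added example, not ThreadFix's own code; it assumes the scanner names listed in this guide (zap, acunetix, appscan, burp, webinspect) and builds a constructed placeholder zip in place of a real ZAP session archive.

```python
"""Pre-flight checks for a ThreadFix Scan Agent setup (added example, not ThreadFix code)."""
from __future__ import annotations

import io
import zipfile
from urllib.parse import urlparse

# Scanner names this guide lists for `java -jar scanagent.jar -cs <Scanner Name>`.
SUPPORTED_SCANNERS = {"zap", "acunetix", "appscan", "burp", "webinspect"}
CONFIG_SUFFIX = ".scanagtcfg"


def check_base_url(url: str) -> list[str]:
    """Return problems with the ThreadFix base URL the agent will connect to."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        problems.append("URL must be absolute, e.g. http://host:8080/threadfix/rest/latest")
        return problems
    segments = [s for s in parsed.path.split("/") if s]
    if "rest" not in segments:
        problems.append("path must include /rest so the agent can reach the ThreadFix API")
    elif segments[-1] != "latest":
        problems.append("path should end in /latest so the scan upload is queued")
    return problems


def check_config_filename(filename: str) -> list[str]:
    """Return problems with a scanner config filename (<scanner>.scanagtcfg, all lower-case)."""
    problems = []
    if not filename.endswith(CONFIG_SUFFIX):
        problems.append(f"filename must end with {CONFIG_SUFFIX}")
        return problems
    if filename != filename.lower():
        problems.append("filename must be all lower-case or ThreadFix will not recognize it")
    scanner = filename[: -len(CONFIG_SUFFIX)].lower()
    if scanner not in SUPPORTED_SCANNERS:
        problems.append(f"unknown scanner '{scanner}'; expected one of {sorted(SUPPORTED_SCANNERS)}")
    return problems


def check_zap_config_bytes(data: bytes) -> list[str]:
    """A zap.scanagtcfg should be a zip archive containing the persisted ZAP .session file."""
    problems = []
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        problems.append("zap.scanagtcfg must be a zip archive of the persisted session")
        return problems
    with zipfile.ZipFile(buf) as zf:
        names = zf.namelist()
    if not any(name.endswith(".session") for name in names):
        problems.append("zip does not contain a .session file")
    return problems


def build_sample_zap_config(with_session: bool = True) -> bytes:
    """Constructed placeholder archive standing in for a real persisted ZAP session."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_session:
            zf.writestr("target.session", b"constructed placeholder, not a real session")
        zf.writestr("target.session.properties", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for url in ("http://my.tf.server:8080/threadfix/rest/latest",
                "http://my.tf.server:8080/threadfix"):
        print(url, check_base_url(url) or "ok")
    for name in ("zap.scanagtcfg", "ZAP.scanagtcfg", "nessus.scanagtcfg"):
        print(name, check_config_filename(name) or "ok")
    print("zap archive", check_zap_config_bytes(build_sample_zap_config()) or "ok")
```

Run the checks against the real values before uploading the file under the Files tab; an upper-case letter in the filename or a missing /rest segment is silent on the ThreadFix side and only shows up later as a task that never picks up its config.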
Configuring Scanner
There are two ways to setup scanners:
`java -jar scanagent.jar -cs`, then Scan Agent will display a dialog to choose a scanner.
`java -jar scanagent.jar -cs <Scanner Name>`. Below are details for each scanner.
OWASP Zed Attack Proxy
java -jar scanagent.jar -cs zap
When prompted "Input OWASP Zed Attack Proxy port" enter the port that is located at Tools->Options->Local Proxy.
Acunetix
java -jar scanagent.jar -cs acunetix
AppScan Standard
java -jar scanagent.jar -cs appscan
Burp Suite
java -jar scanagent.jar -cs burp
WebInspect
java -jar scanagent.jar -cs webinspect
Running Scan Agent on Mac
On macOS, users will also need to configure hosts, proxies and license keys, and gather the necessary API keys, by launching the scanner directly from its .jar/.sh file (the one the Scan Agent is being configured to use). Note: gathering these from the .app bundle instead yields a different set of API keys and may produce messages about invalid licenses, unauthorized access or refused connections when a job runs. Run the following, referring to the OWASP Zed Attack Proxy Scan Agent and/or Burp Suite Scan Agent as needed (the paths contain spaces, so quote them):
1. OWASP ZAP: sh "/Path To/Applications/OWASP ZAP.app/Contents/Java/zap.sh"
2. BURP: java -jar "/Path To/Applications/Burp Suite Professional.app/Contents/Resources/app/burpsuite_pro.jar"
Queue Scan
Navigate to the application in ThreadFix for which a scan should be queued up.
Click the Scan Agent Tasks tab and click the Add New Task button. Choose the scanner type, enter the Target URL to scan and choose or upload the scanner config file, if needed*. Click the Add Scan Queue Task button.
* not necessary if a config file was uploaded with the name format of scanner.scanagtcfg as ThreadFix will automatically attach this config file.
The task will be listed in the Scan Agent Task tab with a "QUEUED" status.
Schedule Scan
Navigate to the application in ThreadFix for which a scan should be scheduled. A scheduled scan tells ThreadFix to create a new Scan Queue Task every day or every week. Click the Scheduled Scans tab and click the Schedule New Scan button.
In the New Scheduled Scan modal, select the frequency, time and scanner type, enter the Target URL to scan and choose or upload the scanner config file, if needed*. Click the Add Scheduled Scan button.
* not necessary if a config file was uploaded with the name format of scanner.scanagtcfg as ThreadFix will automatically attach this config file.
The task will be listed in the Scheduled Scans tab.
Run Scan Agent
java -jar scanagent.jar -r
Settings
In addition to the properties set during configuration, there are other fields in scanagent.properties that can be modified by manually editing the file.
Additional Scan Agent Properties
scanagent.pollInterval: time in seconds to wait between polling for new tasks
scanagent.maxTasks: max number of tasks that can be executed each time the scan agent is run
Additional ZAP properties
zap.maxSpiderWaitInSeconds: time in seconds to wait for the ZAP spider to complete
zap.maxScanWaitInSeconds: time in seconds to wait for ZAP scans to complete
zap.spiderPollWaitInSeconds: time in seconds between checks for the ZAP spider's progress
zap.scanPollWaitInSeconds: time in seconds between checks for the ZAP scan's progress
zap.zapStartupWaitTime: time in seconds to wait for ZAP to start
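Because these properties are edited by hand, a typo (a non-numeric value, or a poll interval longer than the overall wait it polls against) is easy to introduce and only surfaces when a queued task stalls. The script below is an added example, not part of the Scan Agent: it parses the key=value lines of scanagent.properties with a minimal Java-properties reader and sanity-checks the keys listed above. The sample file content is constructed; the key names come from this guide, the values are illustrative, and the poll-versus-limit rule is this example's own assumption about sensible settings, not documented agent behaviour.

```python
"""Sanity-check the timing properties in scanagent.properties (added example, not ThreadFix code)."""
from __future__ import annotations

# Keys this guide lists; each is a count or a number of seconds and must be a positive integer.
INTEGER_KEYS = (
    "scanagent.pollInterval",
    "scanagent.maxTasks",
    "zap.maxSpiderWaitInSeconds",
    "zap.maxScanWaitInSeconds",
    "zap.spiderPollWaitInSeconds",
    "zap.scanPollWaitInSeconds",
    "zap.zapStartupWaitTime",
)

# Each poll interval should not exceed the overall wait it polls against (example's own rule).
POLL_LIMIT_PAIRS = (
    ("zap.spiderPollWaitInSeconds", "zap.maxSpiderWaitInSeconds"),
    ("zap.scanPollWaitInSeconds", "zap.maxScanWaitInSeconds"),
)

# Constructed sample file: key names from the guide, values illustrative (two are deliberately bad).
SAMPLE_PROPERTIES = """\
# ThreadFix Scan Agent settings (constructed sample)
scanagent.pollInterval=30
scanagent.maxTasks=1
zap.maxSpiderWaitInSeconds=600
zap.maxScanWaitInSeconds=60
zap.spiderPollWaitInSeconds=10
zap.scanPollWaitInSeconds=120
zap.zapStartupWaitTime=abc
"""


def parse_properties(text: str) -> dict[str, str]:
    """Minimal reader for Java .properties: skips blanks and comments, splits on the first = or :."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        separators = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not separators:
            continue
        sep = min(separators)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def check_properties(props: dict[str, str]) -> list[str]:
    """Return a list of problems found in the parsed properties (empty means all good)."""
    problems: list[str] = []
    values: dict[str, int] = {}
    for key in INTEGER_KEYS:
        if key not in props:
            continue  # absent keys fall back to the agent's built-in defaults
        try:
            value = int(props[key])
        except ValueError:
            problems.append(f"{key}: '{props[key]}' is not an integer")
            continue
        if value <= 0:
            problems.append(f"{key}: must be positive, got {value}")
        values[key] = value
    for poll, limit in POLL_LIMIT_PAIRS:
        if poll in values and limit in values and values[poll] > values[limit]:
            problems.append(f"{poll} ({values[poll]}) exceeds {limit} ({values[limit]})")
    return problems


def check_properties_file(path: str) -> list[str]:
    """Convenience wrapper: read a real scanagent.properties from disk and check it."""
    with open(path, encoding="utf-8") as fh:
        return check_properties(parse_properties(fh.read()))


if __name__ == "__main__":
    for problem in check_properties(parse_properties(SAMPLE_PROPERTIES)):
        print("problem:", problem)
```

Point check_properties_file at the working directory's scanagent.properties after editing it; on the constructed sample it reports the non-numeric zap.zapStartupWaitTime and a scan poll interval that exceeds the scan wait limit.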
Optional - Home Directory File Loading
As of 3.3, the ESAPI.properties and validation.properties files can load from the home directory. For this, within the home directory, create an additional directory named "esapi" and store the esapi.properties and validation.properties files provided below.
NOTE: This is an optional step; if the files are not placed there, the scan agent tool will load them using the default options.
www.threadfix.it | www.coalfire.com
Copyright © 2024 Coalfire. All rights reserved.
This Information Security Policy is CoalFire - Public: Distribution of this material is not limited.