As of December 31st, 2023 ThreadFix 2.X has reached End of Life and is no longer supported. For any further information please contact the Success and Implementation team.
Scan Agent
This page walks you through getting started with the ThreadFix Scan Agent.
Requirements
Running instance of ThreadFix
Application with URL set
API key generated
ThreadFix Scan Agent jar
Supported scanner
Config file for scanner
Supported Scanners
Downloading the Scan Agent
To download a copy of the Scan Agent, click Help → Download Tools, then click on the 'Jar File' link for the Scan Agent item in the list. This will download the scanagent.jar file.
We recommend using the Scan Agent that corresponds with your current version of ThreadFix. After you upgrade your ThreadFix deployment, you should download the current .jar file from the Download Tools page and replace any deployed version with the new one.
You may be able to use the existing configuration, but if it no longer works, you will need to step through the config once again.
Deploying the Scan Agent
You should deploy scanagent.jar wherever it can access the scanning tool's executable, which would typically be on the server running the scanning tool. Additionally, the Scan Agent needs to be able to access your ThreadFix server, so it can poll it for tasks and upload scan results to it.
Usage
Configure ThreadFix
java -jar scanagent.jar -s
ThreadFix base Url: enter the URL that the agent will use to connect to ThreadFix. Be sure to include at least /rest so the agent can use ThreadFix's API. ThreadFix recommends including /latest at the end so the scan upload is queued (e.g., http://my.tf.server:8080/threadfix/rest/latest).
ThreadFix API Key: enter an API key generated in ThreadFix.
Input working directory: the directory where the scan agent saves its scan output (e.g., an XML file); the results are then sent to the ThreadFix server via a REST API call.
This process will update the 'scanagent.properties' file in your working directory to include the entered configuration information. If the file does not exist, it will be generated. There are additional properties which can be set or altered. For further information, consult the comments in the 'scanagent.properties' file, or see the bottom of this page under 'Settings'.
Configure Scanners
Creating config file
This file is created in order for the scanner to have access to an appropriate login sequence, and other relevant data for scanning an application.
Base Setup for Each Scanner
Connect scanner to application URL (ZAP and Burp require proxy setup).
Configure login sequence for URL if necessary.
Crawl/Spider the site. Let this process finish. Make sure that the endpoints look correct.
If scanner automatically kicks off crawling/scanning, pause/stop the scanner once the scanning process has begun.
Save the state of the scanner and name the config file <scanner>.scanagtcfg (e.g., zap.scanagtcfg). The name must be all lower-case or ThreadFix will not recognize the file.
This is required for AppScan but is optional for ZAP.
Note: In ZAP, save the scanner state via the File > Persist Session... option or the ZAP startup menu. ZAP will output a series of files. Compress the file with the .session extension into a zip file, then rename it to zap.scanagtcfg.
For an Acunetix configuration file, choose the 'Save Scan Results' option and rename the resulting file to acunetix.scanagtcfg.
Upload the config file under the 'Files' tab on the application page in your active ThreadFix instance.
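As an added example (not part of the ThreadFix documentation or the Scan Agent's own code), this Python script enforces the naming rule above and packages a persisted ZAP session the way the note describes. The session file names and the temporary directory are constructed stand-ins.

```python
import os
import tempfile
import zipfile

# Scanners the page lists; the config file must be named "<scanner>.scanagtcfg", all lower-case.
SUPPORTED_SCANNERS = {"zap", "acunetix", "appscan", "burp", "webinspect"}

def config_file_name(scanner):
    """Return the file name ThreadFix expects for a scanner config file,
    or raise ValueError so an unknown scanner is caught before upload."""
    name = scanner.strip().lower()
    if name not in SUPPORTED_SCANNERS:
        raise ValueError("unsupported scanner: %r" % scanner)
    return name + ".scanagtcfg"

def is_valid_config_name(file_name):
    """True only for exactly '<scanner>.scanagtcfg' in lower case (as ThreadFix requires)."""
    base, dot, ext = file_name.rpartition(".")
    return dot == "." and ext == "scanagtcfg" and base in SUPPORTED_SCANNERS

def package_zap_session(session_dir, out_dir):
    """Zip the single .session file from a persisted ZAP session into zap.scanagtcfg.

    ZAP 'Persist Session' writes several files; only the .session file goes
    into the zip, and the zip is named as the page describes."""
    sessions = [f for f in os.listdir(session_dir) if f.endswith(".session")]
    if len(sessions) != 1:
        raise FileNotFoundError("expected exactly one .session file, found %d" % len(sessions))
    out_path = os.path.join(out_dir, config_file_name("zap"))
    with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.write(os.path.join(session_dir, sessions[0]), arcname=sessions[0])
    return out_path

def demo():
    """Build a constructed ZAP session directory, package it, and return
    (output file name, archive members) so the result can be checked."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed stand-ins for the files ZAP writes when persisting a session.
        for name in ("myapp.session", "myapp.session.data", "myapp.session.properties"):
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write("constructed sample content\n")
        out = package_zap_session(tmp, tmp)
        with zipfile.ZipFile(out) as zf:
            members = zf.namelist()
        return os.path.basename(out), members

if __name__ == "__main__":
    print(demo())
```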
Configuring Scanner
There are two ways to set up scanners:
java -jar scanagent.jar -cs
The Scan Agent will then display a menu from which to choose the scanner.
java -jar scanagent.jar -cs <Scanner Name>
This bypasses the menu and goes straight to the setup for the specified scanner.
Below are details for each scanner.
OWASP Zed Attack Proxy
java -jar scanagent.jar -cs zap
When prompted "Input OWASP Zed Attack Proxy port" enter the port that is located at Tools->Options->Local Proxy.
Acunetix
java -jar scanagent.jar -cs acunetix
AppScan Standard
java -jar scanagent.jar -cs appscan
Burp Suite
java -jar scanagent.jar -cs burp
WebInspect
java -jar scanagent.jar -cs webinspect
Running Scan Agent on Mac
On a Mac, users also need to configure hosts, proxies and license keys, and gather the necessary API keys, by launching the scanner directly from the .jar/.sh file the Scan Agent is being configured to use. Note: gathering these from the .app bundle will yield a different set of API keys and may produce messages about invalid licenses, unauthorized access or refused connections when trying to run a job. Run the following, referring to the OWASP Zed Attack Proxy Scan Agent and/or Burp Suite Scan Agent sections as needed:
1. OWASP ZAP: sh /Path To/Applications/OWASP ZAP.app/Contents/Java/zap.sh
2. BURP: java -jar /Path To/Applications/Burp Suite Professional.app/Contents/Resources/app/burpsuite_pro.jar
Queue Scan
Navigate to the application in ThreadFix for which a scan should be queued up.
Click the Scan Agent Tasks tab and click the Add New Task button.
Choose the scanner type, enter the Target URL you wish to scan and choose or upload the scanner config file if needed (not necessary if you uploaded a config file named in the <scanner>.scanagtcfg format; ThreadFix will attach that config file automatically), then click the Add Scan Queue Task button.
The task will be listed in the Scan Agent Task tab with "QUEUED" status.
Schedule Scan
Navigate to the application in ThreadFix for which a scan should be scheduled. A scheduled scan tells ThreadFix to create a new Scan Queue Task every day or every week.
Click the scheduled scan tab and click the Schedule New Scan button.
In the New Scheduled Scan modal, select the frequency, time and scanner type, enter the Target URL you wish to scan and choose or upload the scanner config file if needed (not necessary if you uploaded a config file named in the <scanner>.scanagtcfg format; ThreadFix will attach that config file automatically), then click the Add Scheduled Scan button.
The task will be listed in the Scheduled Scans tab.
Run Scan Agent
java -jar scanagent.jar -r
Settings
In addition to the properties set during configuration, there are other fields in scanagent.properties that can be modified by manually editing the file.
Additional Scan Agent Properties
scanagent.pollInterval: time in seconds to wait between polling for new tasks
scanagent.maxTasks: max number of tasks that can be executed each time the scan agent is run
Additional ZAP properties
zap.maxSpiderWaitInSeconds: time in seconds to wait for the ZAP spider to complete
zap.maxScanWaitInSeconds: time in seconds to wait for ZAP scans to complete
zap.spiderPollWaitInSeconds: time in seconds between checks of the ZAP spider's progress
zap.scanPollWaitInSeconds: time in seconds between checks of the ZAP scan's progress
zap.zapStartupWaitTime: time in seconds to wait for ZAP to start
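The following Python check is an added example, not ThreadFix's own code. It validates a scanagent.properties body against the rules from the Configure ThreadFix section (the base URL must contain /rest and should end in /latest) and the whole-number properties listed under Settings, and flags a plain-http URL because the API key is sent on every poll and upload. The key names threadfix.url and threadfix.apikey and the sample file contents are assumptions; the real key names are in the comments of the generated scanagent.properties file.

```python
import re
from urllib.parse import urlsplit

# Keys the page documents under 'Settings'; each holds a whole number (seconds or a task count).
INTEGER_KEYS = ("scanagent.pollInterval", "scanagent.maxTasks", "zap.maxSpiderWaitInSeconds",
                "zap.maxScanWaitInSeconds", "zap.spiderPollWaitInSeconds",
                "zap.scanPollWaitInSeconds", "zap.zapStartupWaitTime")
# Assumed key name for the 'ThreadFix base Url' prompt; the generated file's comments give the real one.
URL_KEY = "threadfix.url"

SAMPLE_PROPERTIES = """# constructed sample, not a real deployment (key names are assumed)
threadfix.url=http://my.tf.server:8080/threadfix/rest
threadfix.apikey=REPLACE-WITH-YOUR-KEY
scanagent.pollInterval=30
scanagent.maxTasks=two
"""

def parse_properties(text):
    """Java-properties reader: key=value / key:value, '#' or '!' comments, '\\:' escapes undone."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if line and line[0] not in "#!" and m:
            props[m.group(1)] = m.group(2).replace("\\:", ":")
    return props

def check_base_url(url):
    """Findings for the URL the agent polls: absolute, contains /rest, ideally ends in /latest, https."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return ["ERROR: base URL must be an absolute http(s) URL"]
    findings = []
    if "/rest" not in parts.path:
        findings.append("ERROR: base URL must include /rest so the agent can use the API")
    elif not parts.path.rstrip("/").endswith("/latest"):
        findings.append("WARN: append /latest so the scan upload is queued")
    if parts.scheme == "http":   # the API key rides on every poll and result upload
        findings.append("WARN: the API key travels over plain http; use https")
    return findings

def check_properties_text(text):
    """Validate a scanagent.properties body before starting the agent with -r."""
    props = parse_properties(text)
    findings = check_base_url(props.get(URL_KEY, ""))
    for key in INTEGER_KEYS:
        if key in props and not props[key].isdigit():
            findings.append("ERROR: %s must be a whole number, got %r" % (key, props[key]))
    return findings
```

Run check_properties_text on the contents of your working directory's scanagent.properties; an empty list means the file passed every check.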
Copyright © 2024 Coalfire. All rights reserved.