Deploying Invicti Shark for PHP

This document is for:

Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

You can use Invicti Shark to carry out interactive security testing (IAST) in your web application to confirm more vulnerabilities and further minimize false positives.

Before deploying Shark, note the list of supported servers and frameworks.

Supported Servers and Frameworks
PHP Language	5.6.x 7.x 8.x
Application Frameworks	Laravel Symfony CodeIgniter Yii Zend v3 Slim v2, v3, v4 Smarty v3, v4
Web Servers	Apache Nginx
Database Engines	MySQL PostgreSQL Microsoft SQL Server DB2 Ingres Oracle FireBird/InterBase Sybase Mongo DB v2.6 or later, using Mongodb PHP Extension 1.3 or later
Package Manager	Composer

For Shark to operate, you need to download an agent and deploy it on your server. Please note that this agent is generated uniquely for each target website for security reasons.

To deploy Shark, you need to keep in mind that the mechanism you need to use is to invoke the PHP directive auto_prepend_file and point this directive to the Shark PHP file.

This topic explains how to download and copy the Shark files to your hard disk and configure your web server to use these files.

Deploying the Shark agent is a 3 step process.

Downloading the Shark agent

You can find the required instructions to download the Shark agent in Deploying Invicti Shark.

Copying the Shark agent

You need to create a dedicated folder inside the root folder of your operating system to hold the Shark agent.

For Windows:

Create a file in C: and name it shark
Copy the shark.php file into "C:\shark"

For Linux: (Execute the following commands by using terminal)

Run the following command: mkdir /shark/
Use cd to locate the folder that contains the Shark agent file
Then, run the following command: cp shark.php /shark

Configuring your web server

Invoking auto_prepend_file changes for different web servers. Instructions for each web server are provided below.

Information

In order to invoke auto_prepend_file, you need to identify the INI file and make changes as instructed below.

If your website has its own INI file (typically a ".user.ini" file in your website's root folder), you need to add the specified line below to that website's specific INI file.
Otherwise, you will need to add the specified line to the general php.ini file. Note that this operation affects all websites on the web server.

For further information, see Identifying php.ini in your web server.

Internet Information Services (IIS)

Identify the php.ini file that contains the PHP directives for your website
Add auto_prepend_file="c:\shark\shark.php" to the website's INI file

Apache

There are two options in Apache.

Option 1

Add php_value auto_prepend_file c:\shark\shark.php to the .htaccess file in the root folder of your website

Option 2

Add auto_prepend_file="c:\shark\shark.php" to the website's INI file

NGINX

There are two options in Nginx

Option 1

Identify Nginx config file
Add fastcgi_param PHP_VALUE "auto_prepend_file = /shark/shark.php"; in the section for "location ~ \.php$",

Option 2

Add auto_prepend_file="c:\shark\shark.php" to the website's INI file

Identifying php.ini in your web server

Temporarily create a simple PHP file with phpinfo(); - the "Loaded Configuration File" is the general php.ini file you will need to change.

Information

You should always remove any phpinfo() pages from your web application
The information disclosed by such a file is itself a vulnerability and provides attackers with essential information
This information may allow attackers to potentially craft an exploit targeting your web application

Docker

The simple Docker example below is applicable for Apache + PHP + Shark.

Prepare an example website. For this single-page example, here are the contents of /home/myuser/www/index.php

<?php echo "Hello World!"; ?>

<?php phpinfo(); ?>

Configure loading of Shark agent for the website; here are the contents of /home/myuser/www/.htaccess

php_value auto_prepend_file /var/www/mysite/shark.php

Configure Apache configuration for the website: here are the contents of /home/myuser/mysite-apache.conf

ServerAdmin me@mydomain.com

DocumentRoot /var/www/mysite

Options Indexes FollowSymLinks MultiViews

AllowOverride All

Order deny,allow

Allow from all

</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log

CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

Copy the shark.php file in /home/myuser/www
Configure the Docker file for building the container; here are the contents of /home/myuser/Dockerfile

FROM ubuntu: latest

MAINTAINER Acunetix

# Install apache, PHP

RUN apt-get update

RUN apt-get -y upgrade

RUN DEBIAN_FRONTEND=noninteractive apt-get -y install apache2 php libapache2-mod-php

# Expose apache

EXPOSE 80

# Copy website and Shark agent into place

COPY www /var/www/mysite

# Update the default apache site with the website config

COPY mysite-apache.conf /etc/apache2/sites-enabled/000-default.conf

# Start up apache in the foreground

CMD /usr/sbin/apache2ctl -D FOREGROUND

Build the container, then run the following commands from the docker machine:

cd /home/myuser

docker build -t mysite

Uninstalling Shark

You may choose to uninstall the Shark agent from your server. You can take the following steps to uninstall.

Reverse changes in the configuration file to invoke the auto_prepend_file directive
Next, remove the Shark agent file as follows

For Windows:

Remove the C:\shark\shark.php file
Then, Remove the C:\shark folder

For Linux: (Write the following commands by using terminal)

rm -rf /shark/

Information

Although the Invicti Shark agent is secured with a unique strong built-in password, it is recommended that the Shark agent files are uninstalled and removed from the web application if they are no longer in use.

Deploying Invicti Shark for PHP

Downloading the Shark agent

Copying the Shark agent

Configuring your web server

Internet Information Services (IIS)

Apache

NGINX

Identifying php.ini in your web server

Docker

Uninstalling Shark

Invicti Help Center