Invicti IAST for Java – Windows/Linux (JBOSS 7.4 Standalone + WAR File)

This document is for:
Invicti Platform

This document explains how you can run a Java application in JBOSS and then use Invicti IAST to run an interactive application security testing (IAST) scan for that application.

Step 1: Prepare Invicti IAST for Java

In this example, the test application is deployed to the following URL: http://127.0.0.1:8080/axexample-java/ (in a production environment, you will need to change this to the hostname you will use for your deployment).

  1. Create a new Target for your URL.
  2. Download Invicti IAST for Java from the Invicti Platform UI and retain the iastsensor.jar file for the next step (iastsensor.jar is saved to C:\iastsensor\ in our example). Change the paths accordingly if you are using the Java IAST Sensor on Linux.

Step 2: Deploy Invicti IAST and the required components

  • Windows: Edit the contents of the %JBOSS_HOME%\bin\standalone.conf.bat file and add the following to the bottom of the file:

rem *** iastsensor settings
set "JAVA_OPTS=%JAVA_OPTS% -Diastsensor.debug.log=ON"
set "MODULE_OPTS=-javaagent:C:\iastsensor\iastsensor.jar"

  • Linux: Edit the contents of the $JBOSS_HOME/bin/standalone.conf file and add the following to the bottom of the file:

# *** iastsensor settings
JAVA_OPTS="$JAVA_OPTS -Diastsensor.debug.log=ON"
MODULE_OPTS="-javaagent:/iastsensor/iastsensor.jar"
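
Before starting the server, the Linux settings above can be checked with a script like the following. This is an added example, not Invicti's or JBoss's own tooling; `check_iast_conf` is a hypothetical helper name, and the temporary directory is a constructed stand-in for /iastsensor and the JBoss bin folder.

```bash
#!/usr/bin/env bash
# Added example: check a standalone.conf for the IAST sensor settings.
# check_iast_conf is a hypothetical helper, not part of Invicti or JBoss.
# Return codes: 0 ok, 1 no -javaagent in MODULE_OPTS, 2 sensor jar not
# readable, 3 the JAVA_OPTS line discards options set earlier in the file.
check_iast_conf() {
    conf=$1
    # The last uncommented MODULE_OPTS assignment wins when the file is sourced.
    line=$(grep -E '^[[:space:]]*MODULE_OPTS=' "$conf" | tail -n 1)
    jar=$(printf '%s\n' "$line" | sed -n 's/.*-javaagent:\([^" ]*\).*/\1/p')
    if [ -z "$jar" ]; then
        echo "FAIL: MODULE_OPTS has no -javaagent entry" >&2
        return 1
    fi
    if [ ! -r "$jar" ]; then
        echo "FAIL: sensor jar not readable: $jar" >&2
        return 2
    fi
    # The debug flag must be appended to $JAVA_OPTS, not replace it.
    dbg=$(grep -E '^[[:space:]]*JAVA_OPTS=.*-Diastsensor\.debug\.log=' "$conf" | tail -n 1)
    debug="not set"
    if [ -n "$dbg" ]; then
        debug="set"
        if ! printf '%s\n' "$dbg" | grep -Eq '\$\{?JAVA_OPTS'; then
            echo "FAIL: JAVA_OPTS is overwritten instead of extended" >&2
            return 3
        fi
    fi
    echo "OK: agent=$jar debug_log=$debug"
    return 0
}

# Constructed sample: an empty file stands in for the downloaded iastsensor.jar.
demo_dir=$(mktemp -d)
: > "$demo_dir/iastsensor.jar"
cat > "$demo_dir/standalone.conf" <<EOF
# *** iastsensor settings
JAVA_OPTS="\$JAVA_OPTS -Diastsensor.debug.log=ON"
MODULE_OPTS="-javaagent:$demo_dir/iastsensor.jar"
EOF
check_iast_conf "$demo_dir/standalone.conf"
```

On a real server, pass the path to your own standalone.conf as the argument instead of the sample file.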

Step 3: Deploy your application and start your JBOSS server

  1. Ensure that your web application is deployed.
  2. From the command line, navigate to your %JBOSS_HOME%\bin folder, and launch JBOSS.

Step 4: Test and scan your web application

  1. Point your browser to your web application to confirm it is running as intended.
  2. Run a scan on your Target. The Vulnerability detail will confirm that Invicti IAST was detected and used for the scan.
