Invicti IAST for Java – Windows/Linux (JBOSS 7.4 Standalone + WAR File)

This document is for:

Invicti Platform

This document explains how you can run a Java application in JBOSS and then use Invicti IAST to run an interactive application security testing (IAST) scan for that application.

Step 1: Prepare Invicti IAST for Java

In this example, the test application is deployed to the following URL: http://127.0.0.1:8080/axexample-java/ (in a production environment, you will need to change this to the hostname you will use for your deployment).

Create a new Target for your URL.
Download Invicti IAST for Java from the Invicti Platform UI and retain the iastsensor.jar file for the next step (iastsensor.jar is saved to C:\iastsensor\ in our example). Change the paths accordingly if you are using the Java IAST Sensor on Linux.

Step 2: Deploy Invicti IAST and the required components

Windows: Edit the contents of the %JBOSS_HOME%\bin\standalone.conf.bat file and add the following to the bottom of the file:

rem *** iastsensor settings
set "JAVA_OPTS=%JAVA_OPTS% -Diastsensor.debug.log=ON"
set "MODULE_OPTS=-javaagent:C:\iastsensor\iastsensor.jar

Linux: Edit the contents of the %JBOSS_HOME%/bin/standalone.conf file and add the following to the bottom of the file:

# *** iastsensor settings
JAVA_OPTS="$JAVA_OPTS -Diastsensor.debug.log=ON"
MODULE_OPTS="-javaagent:/iastsensor/iastsensor.jar"

Step 3: Deploy your application and start your JBOSS server

Ensure that your web application is deployed.
From the command line, navigate to your %JBOSS_HOME%\bin folder, and launch JBOSS.

Step 4: Test and scan your web application

Point your browser to your web application to confirm it is running as intended.
Run a scan on your Target. The Vulnerability detail will confirm that Invicti IAST was detected and used for the scan.