Invicti IAST for Java – Windows/Linux (Jetty 10.0.10 + WAR File)
This guide explains how you can run a Java application in Jetty and then use Invicti IAST to run an interactive application security testing (IAST) scan for that application.
This document assumes that you have Jetty installed in C:\jetty. Change the paths accordingly.
Step 1: Prepare Invicti IAST for Java
In this example, the test application is deployed to the following URL: http://127.0.0.1:8080/axexample-java/ (in a production environment, you will need to change this to the hostname you will use for your deployment).
- Create a new target for your URL.
- Download Invicti IAST for Java from the Invicti Platform UI and retain the iastsensor.jar file for the next step (in our example, iastsensor.jar is saved to C:\iastsensor\). Change the paths accordingly if you are using the Invicti IAST for Java sensor on Linux.
Step 2: Prepare your Jetty deployment by installing prerequisites
- Launch Jetty from the C:\jetty folder with the parameters required:
--add-modules=annotations,deploy,ext,http,jsp,logging-jul-capture,resources,server --approve-all-licenses
The list of modules might be different for your web application. However, you will need to explicitly add logging-jul-capture if you need logging from the IAST sensor.
C:\jetty>java -jar start.jar --add-modules=annotations,deploy,ext,http,jsp,logging-jul-capture,resources,server --approve-all-licenses
Step 3: Deploy Invicti IAST and the required components
- Using a text editor, edit the contents of the C:\jetty\resources\jetty-logging.properties file to read as follows:
## Set logging levels from: ALL, TRACE, DEBUG, INFO, WARN, ERROR, OFF
- Using a text editor, edit the contents of the C:\jetty\resources\java-util-logging.properties file to read as follows:
.level=INFO
- Using a text editor, create a file C:\jetty\start.d\start.ini
- Edit the contents of the C:\jetty\start.d\start.ini file to read as follows:
--exec
Step 4: Deploy your application and start the Jetty server
- Once you are ready, from the command line, navigate to your C:\jetty folder, and launch Jetty:
C:\jetty> java -jar start.jar
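Before starting Jetty with the sensor attached, it is worth confirming that every file Steps 1 to 3 touch is actually in place, because a missing module or a start.ini without --exec silently leaves you with a scan that never detects the sensor. The POSIX shell script below is an added preflight check written for this guide; it is not Invicti's or Jetty's own tooling. It uses Linux-style paths (you pass your own Jetty base and jar location instead of C:\jetty and C:\iastsensor\), and it assumes that Jetty recorded each module enabled with --add-modules as a start.d/<module>.ini file, which is Jetty 10's default for a start.d-based base; if your base keeps modules in a single start.ini, adapt that one test. The sample base it builds is constructed from the lines this guide shows and nothing more.

```shell
#!/bin/sh
# Added preflight check, not part of the guide and not Invicti's or Jetty's own tooling.
# Verifies that the files the guide edits in Steps 1-3 are in place before Jetty is
# started with the IAST sensor. Paths are Linux-style here (the guide uses C:\jetty);
# pass your own Jetty base and sensor jar location as arguments.

# check_iast_layout <jetty_base> <sensor_jar>
# Prints one line per problem found and returns 0 only when everything is present.
check_iast_layout() {
    base="$1"
    sensor_jar="$2"
    status=0

    # Step 1: iastsensor.jar must be where start.ini will reference it.
    [ -f "$sensor_jar" ] || { echo "missing sensor jar: $sensor_jar"; status=1; }

    # Step 2 (assumption): Jetty records each module enabled with --add-modules as
    # start.d/<module>.ini; logging-jul-capture is needed to see sensor log output.
    [ -f "$base/start.d/logging-jul-capture.ini" ] \
        || { echo "logging-jul-capture module not enabled in $base/start.d"; status=1; }

    # Step 3: both logging property files must exist under resources/.
    for f in jetty-logging.properties java-util-logging.properties; do
        [ -f "$base/resources/$f" ] || { echo "missing $base/resources/$f"; status=1; }
    done

    # The java.util.logging root level must be set (the guide uses INFO).
    jul="$base/resources/java-util-logging.properties"
    if [ -f "$jul" ] && ! grep -q '^\.level=INFO' "$jul"; then
        echo "$jul does not set .level=INFO"; status=1
    fi

    # start.d/start.ini must exist and contain --exec on its own line; --exec makes
    # start.jar fork a JVM so that JVM options placed after it in the file take effect.
    ini="$base/start.d/start.ini"
    if [ ! -f "$ini" ]; then
        echo "missing $ini"; status=1
    elif ! grep -qx -- '--exec' "$ini"; then
        echo "$ini does not contain --exec"; status=1
    fi

    return "$status"
}

# make_sample_base <dir>
# Builds a constructed Jetty base matching the guide's layout, for trying the check
# offline; the file contents are exactly the lines the guide shows, nothing more.
make_sample_base() {
    dir="$1"
    mkdir -p "$dir/jetty/resources" "$dir/jetty/start.d" "$dir/iastsensor"
    : > "$dir/iastsensor/iastsensor.jar"            # placeholder for the downloaded jar
    : > "$dir/jetty/start.d/logging-jul-capture.ini" # what --add-modules leaves behind
    echo '## Set logging levels from: ALL, TRACE, DEBUG, INFO, WARN, ERROR, OFF' \
        > "$dir/jetty/resources/jetty-logging.properties"
    echo '.level=INFO' > "$dir/jetty/resources/java-util-logging.properties"
    echo '--exec' > "$dir/jetty/start.d/start.ini"
}

# Stand-alone demo: the complete constructed base passes, then fails once --exec is removed.
demo_dir=$(mktemp -d)
make_sample_base "$demo_dir"
check_iast_layout "$demo_dir/jetty" "$demo_dir/iastsensor/iastsensor.jar" && echo "layout ok"
: > "$demo_dir/jetty/start.d/start.ini"
check_iast_layout "$demo_dir/jetty" "$demo_dir/iastsensor/iastsensor.jar" || echo "layout incomplete"
rm -rf "$demo_dir"
```

Run it against a real base as `check_iast_layout /opt/jetty /opt/iastsensor/iastsensor.jar` (hypothetical Linux paths) before `java -jar start.jar`; each reported line maps back to the step of this guide that produces the missing piece.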
Step 5: Test and scan your web application
- Point your browser to your web application to confirm it is running as intended.
- Run a scan on your target. The vulnerability details will confirm that Invicti IAST was detected and used for the scan.