Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
Application Security Platform
Invicti IAST for JAVA

Invicti IAST for Java – Windows/Linux (Jetty 10.0.10 + WAR File)

This document is for:
Invicti Platform

This guide explains how you can run a Java application in Jetty and then use Invicti IAST to run an interactive application security testing (IAST) scan for that application.

This document assumes that you have Jetty installed in C:\jetty. Change the paths accordingly.

Step 1: Prepare Invicti IAST for Java

In this example, the test application is deployed to the following URL: http://127.0.0.1:8080/axexample-java/ (in a production environment, you will need to change this to the hostname you will use for your deployment).

  1. Create a new target for your URL.
  2. Download Invicti IAST for Java from the Invicti Platform UI and retain the iastsensor.jar file for the next step (iastsensor.jar is saved to C:\iastsensor\ in our example). Change the paths accordingly if you are using the JAVA IAST Sensor on Linux.

Step 2: Prepare your Jetty deployment by installing prerequisites

  1. Launch Jetty from the C:\jetty folder with the parameters required.

--add-modules=annotations,deploy,ext,http,jsp,logging-jul-capture,resources,server --approve-all-licenses

The list of modules might be different for your web application. However, you will need to explicitly add logging-jul-capture if you need logging from the IAST sensor.

C:\jetty>java -jar start.jar --add-modules=annotations,deploy,ext,http,jsp,logging-jul-capture,resources,server --approve-all-licenses
INFO  : All Licenses Approved via Command Line Option
WARN  : creating start.d in ${jetty.home} is not recommended!

Proceed (y/N)? y
INFO  : mkdir ${jetty.base}\start.d
INFO  : webapp          transitively enabled, ini template available with --add-module=webapp
INFO  : ext             initialized in ${jetty.base}\start.d\ext.ini
INFO  : server          initialized in ${jetty.base}\start.d\server.ini
INFO  : logging-jul-capture initialized in ${jetty.base}\start.d\logging-jul-capture.ini
INFO  : servlet         transitively enabled
INFO  : jsp             initialized in ${jetty.base}\start.d\jsp.ini
INFO  : annotations     initialized in ${jetty.base}\start.d\annotations.ini
INFO  : resources       initialized in ${jetty.base}\start.d\resources.ini
INFO  : threadpool      transitively enabled, ini template available with --add-module=threadpool
INFO  : plus            transitively enabled
INFO  : deploy          initialized in ${jetty.base}\start.d\deploy.ini
INFO  : logging-jetty   transitively enabled
INFO  : security        transitively enabled
INFO  : apache-jsp      transitively enabled
INFO  : jndi            transitively enabled
INFO  : http            initialized in ${jetty.base}\start.d\http.ini
INFO  : logging/slf4j   transitive provider of logging/slf4j for logging-jetty
INFO  : logging/slf4j   transitive provider of logging/slf4j for logging-jul-capture
INFO  : logging/slf4j   dynamic dependency of logging-jetty
INFO  : bytebufferpool  transitively enabled, ini template available with --add-module=bytebufferpool
INFO  : mkdir ${jetty.base}\lib\ext
INFO  : download https://repo1.maven.org/maven2/org/slf4j/jul-to-slf4j/2.0.0-alpha6/jul-to-slf4j-2.0.0-alpha6.jar to ${jetty.base}\lib\logging\jul-to-slf4j-2.0.0-alpha6.jar
INFO  : mkdir ${jetty.base}\resources
INFO  : copy ${jetty.base}\modules\logging\jul\resources\java-util-logging-bridge.properties to ${jetty.base}\resources\java-util-logging.properties
INFO  : mkdir ${jetty.base}\webapps
INFO  : copy ${jetty.base}\modules\logging\jetty\resources\jetty-logging.properties to ${jetty.base}\resources\jetty-logging.properties
INFO  : Base directory was modified

C:\jetty>

Step 3: Deploy Invicti IAST and the required components

  1. Using a text editor, edit the contents of the C:\jetty\resources\jetty-logging.properties file to read as follows:

## Set logging levels from: ALL, TRACE, DEBUG, INFO, WARN, ERROR, OFF
org.eclipse.jetty.LEVEL=INFO
com.invicti.LEVEL=TRACE
context.LEVEL=TRACE

  1. Using a text editor, edit the contents of the C:\jetty\resources\java-util-logging.properties file to read as follows:

.level=INFO
handlers=org.slf4j.bridge.SLF4JBridgeHandler

com.invicti.useParentHandlers=false
com.invicti.handlers = org.slf4j.bridge.SLF4JBridgeHandler
com.invicti.level = FINEST

java.util.logging.SimpleFormatter.format=%4$s: %5$s [%1$tc]%n

  1. Using a text editor, create a file C:\jetty\start.d\start.ini
  2. Edit the contents of the C:\jetty\start.d\start.ini file to read as follows:

--exec
-javaagent:C:\iastsensor\iastsensor.jar
-Diastsensor.debug.log=ON

Step 4: Deploy your application and start the Jetty server

  1. Once you are ready, from the command line, navigate to your C:\jetty folder, and launch Jetty:

C:\jetty> java -jar start.jar

Step 5: Test and scan your web application

  1. Point your browser to your web application to confirm it is running as intended.
  2. Run a scan on your target. The Vulnerability detail will confirm that Invicti IAST was detected and used for the scan.

Top Articles

What is Invicti?

Overview of Scan Policies

Scheduling Scans

Managing Integrations

Built-In Reports

Share This Article