
Invicti IAST for Java – Windows/Linux (Jetty 10.0.10 + WAR File)

This document is for:
Invicti Platform

This guide explains how you can run a Java application in Jetty and then use Invicti IAST to run an interactive application security testing (IAST) scan for that application.

This document assumes that you have Jetty installed in C:\jetty. Change the paths accordingly.

Step 1: Prepare Invicti IAST for Java

In this example, the test application is deployed to the following URL: http://127.0.0.1:8080/axexample-java/ (in a production environment, you will need to change this to the hostname you will use for your deployment).

  1. Create a new target for your URL.
  2. Download Invicti IAST for Java from the Invicti Platform UI and retain the iastsensor.jar file for the next step (iastsensor.jar is saved to C:\iastsensor\ in our example). Change the paths accordingly if you are running the Invicti IAST for Java sensor on Linux.

Step 2: Prepare your Jetty deployment by installing prerequisites

  1. Run start.jar from the C:\jetty folder with the following parameters:

--add-modules=annotations,deploy,ext,http,jsp,logging-jul-capture,resources,server --approve-all-licenses

The list of modules might be different for your web application. However, you must explicitly add logging-jul-capture if you want logging from the IAST sensor: the sensor logs through java.util.logging, and this module bridges that output into the Jetty log. Note that enabling it makes start.jar download jul-to-slf4j from Maven Central (see the output below), so the host needs outbound HTTPS access to repo1.maven.org during this step.

C:\jetty>java -jar start.jar --add-modules=annotations,deploy,ext,http,jsp,logging-jul-capture,resources,server --approve-all-licenses
INFO  : All Licenses Approved via Command Line Option
WARN  : creating start.d in ${jetty.home} is not recommended!

Proceed (y/N)? y
INFO  : mkdir ${jetty.base}\start.d
INFO  : webapp          transitively enabled, ini template available with --add-module=webapp
INFO  : ext             initialized in ${jetty.base}\start.d\ext.ini
INFO  : server          initialized in ${jetty.base}\start.d\server.ini
INFO  : logging-jul-capture initialized in ${jetty.base}\start.d\logging-jul-capture.ini
INFO  : servlet         transitively enabled
INFO  : jsp             initialized in ${jetty.base}\start.d\jsp.ini
INFO  : annotations     initialized in ${jetty.base}\start.d\annotations.ini
INFO  : resources       initialized in ${jetty.base}\start.d\resources.ini
INFO  : threadpool      transitively enabled, ini template available with --add-module=threadpool
INFO  : plus            transitively enabled
INFO  : deploy          initialized in ${jetty.base}\start.d\deploy.ini
INFO  : logging-jetty   transitively enabled
INFO  : security        transitively enabled
INFO  : apache-jsp      transitively enabled
INFO  : jndi            transitively enabled
INFO  : http            initialized in ${jetty.base}\start.d\http.ini
INFO  : logging/slf4j   transitive provider of logging/slf4j for logging-jetty
INFO  : logging/slf4j   transitive provider of logging/slf4j for logging-jul-capture
INFO  : logging/slf4j   dynamic dependency of logging-jetty
INFO  : bytebufferpool  transitively enabled, ini template available with --add-module=bytebufferpool
INFO  : mkdir ${jetty.base}\lib\ext
INFO  : download https://repo1.maven.org/maven2/org/slf4j/jul-to-slf4j/2.0.0-alpha6/jul-to-slf4j-2.0.0-alpha6.jar to ${jetty.base}\lib\logging\jul-to-slf4j-2.0.0-alpha6.jar
INFO  : mkdir ${jetty.base}\resources
INFO  : copy ${jetty.base}\modules\logging\jul\resources\java-util-logging-bridge.properties to ${jetty.base}\resources\java-util-logging.properties
INFO  : mkdir ${jetty.base}\webapps
INFO  : copy ${jetty.base}\modules\logging\jetty\resources\jetty-logging.properties to ${jetty.base}\resources\jetty-logging.properties
INFO  : Base directory was modified

C:\jetty>

Step 3: Deploy Invicti IAST and the required components

  1. Using a text editor, edit the contents of the C:\jetty\resources\jetty-logging.properties file to read as follows:

## Set logging levels from: ALL, TRACE, DEBUG, INFO, WARN, ERROR, OFF
org.eclipse.jetty.LEVEL=INFO
com.invicti.LEVEL=TRACE
context.LEVEL=TRACE

  2. Using a text editor, edit the contents of the C:\jetty\resources\java-util-logging.properties file to read as follows:

.level=INFO
handlers=org.slf4j.bridge.SLF4JBridgeHandler

com.invicti.useParentHandlers=false
com.invicti.handlers = org.slf4j.bridge.SLF4JBridgeHandler
com.invicti.level = FINEST

java.util.logging.SimpleFormatter.format=%4$s: %5$s [%1$tc]%n

  3. Using a text editor, create the file C:\jetty\start.d\start.ini.
  4. Edit the contents of the C:\jetty\start.d\start.ini file to read as follows:

--exec
-javaagent:C:\iastsensor\iastsensor.jar
-Diastsensor.debug.log=ON

The --exec line makes start.jar fork a new JVM with the JVM options found in the ini files; without it, the -javaagent line is not applied and the sensor never loads. -Diastsensor.debug.log=ON turns on the sensor's debug logging, which is useful while validating the setup.

Step 4: Deploy your application and start the Jetty server

  1. Once you are ready, from the command line, navigate to your C:\jetty folder, and launch Jetty:

C:\jetty> java -jar start.jar
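Steps 2 to 4 collected into one script, as an added example that is not code from the Invicti page or product. It assumes a Linux host, takes the Jetty base directory and the sensor jar path as arguments (the page uses C:\jetty and C:\iastsensor\iastsensor.jar), and adds a pre-flight check the page does not have: that the ini contains --exec, that the jar named in -javaagent exists, and that the jar is not world-writable, since an agent jar is code loaded into the server JVM and any local user who can write it can run code as the application.

```shell
#!/bin/sh
# Added example, not from the Invicti page. Paths and the OFF value for
# iastsensor.debug.log are assumptions; the page only shows ON.

# Step 2 on the page: enable the modules (needs Java and a Jetty 10 base dir).
add_jetty_modules() {
  jetty_base="$1"
  (cd "$jetty_base" && java -jar start.jar \
     --add-modules=annotations,deploy,ext,http,jsp,logging-jul-capture,resources,server \
     --approve-all-licenses)
}

# Step 3, items 1 and 2: route sensor (java.util.logging) output into the Jetty log.
write_logging_config() {
  jetty_base="$1"
  mkdir -p "$jetty_base/resources"
  cat > "$jetty_base/resources/jetty-logging.properties" <<'EOF'
## Set logging levels from: ALL, TRACE, DEBUG, INFO, WARN, ERROR, OFF
org.eclipse.jetty.LEVEL=INFO
com.invicti.LEVEL=TRACE
context.LEVEL=TRACE
EOF
  cat > "$jetty_base/resources/java-util-logging.properties" <<'EOF'
.level=INFO
handlers=org.slf4j.bridge.SLF4JBridgeHandler

com.invicti.useParentHandlers=false
com.invicti.handlers = org.slf4j.bridge.SLF4JBridgeHandler
com.invicti.level = FINEST

java.util.logging.SimpleFormatter.format=%4$s: %5$s [%1$tc]%n
EOF
}

# Step 3, items 3 and 4: the ini that attaches the sensor as a -javaagent.
# debug_log defaults to ON as on the page; pass OFF once the setup is confirmed.
write_iast_ini() {
  jetty_base="$1"; sensor_jar="$2"; debug_log="${3:-ON}"
  mkdir -p "$jetty_base/start.d"
  printf '%s\n' "--exec" "-javaagent:$sensor_jar" "-Diastsensor.debug.log=$debug_log" \
    > "$jetty_base/start.d/start.ini"
}

# Pre-flight check: returns 0 only if start.jar would actually load the agent.
check_iast_ini() {
  ini="$1/start.d/start.ini"
  [ -f "$ini" ] || { echo "missing $ini"; return 1; }
  # Without --exec, start.jar does not fork a JVM and JVM options in ini files are not applied.
  grep -q '^--exec$' "$ini" || { echo "--exec missing: -javaagent would be ignored"; return 1; }
  jar=$(sed -n 's/^-javaagent:\([^=]*\).*/\1/p' "$ini")
  [ -n "$jar" ] && [ -f "$jar" ] || { echo "agent jar not found: $jar"; return 1; }
  # The agent runs inside the server JVM: a world-writable jar lets any local user inject code.
  if find "$jar" -perm -o=w | grep -q .; then
    echo "agent jar is world-writable: $jar"; return 1
  fi
  return 0
}

# Usage: sh iast_setup.sh /opt/jetty /opt/iastsensor/iastsensor.jar [ON|OFF]
if [ $# -ge 2 ]; then
  add_jetty_modules "$1"
  write_logging_config "$1"
  write_iast_ini "$1" "$2" "${3:-ON}"
  check_iast_ini "$1" && (cd "$1" && java -jar start.jar)
fi
```

Run it once with the two paths and Jetty starts with the sensor attached only if the check passes; the check alone can be re-run after any later change to start.d to confirm the agent wiring is still intact.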

Step 5: Test and scan your web application

  1. Point your browser to your web application to confirm it is running as intended.
  2. Run a scan on your target. The vulnerability details for the findings will show that Invicti IAST was detected and used during the scan.
