Invicti IAST for JAVA – Linux (WebSphere Liberty 19.0.0.9+ with WAR file)

This guide explains how you can run a Java application in WebSphere Liberty and then use Invicti IAST to run an interactive application security testing (IAST) scan for that application.

Step 1: Prepare Invicti IAST for Java

In this example, the test application is deployed to the following URL: http://websphere-backend-proto.invicti.site:9080/axexample-java/ (in a production environment, you will need to change this to the hostname you will use for your deployment).

1. Create a new target for your URL.
2. Download Invicti IAST for Java from the Invicti Platform UI and retain the iastsensor.jar file for the next step.
3. On the WebSphere machine:

• Create a root folder /iastsensor
• Copy the iastsensor.jar file to /iastsensor/iastsensor.jar

Step 2: Deploy Invicti IAST and required components

1. On the WebSphere machine:

• Create a file /opt/wlp/usr/servers/defaultServer/jvm.options, and set the contents as follows:

Step 3: Deploy your application

1. Copy your axexample-java.war file into the /opt/wlp/usr/servers/defaultServer/dropins folder.
2. From the terminal, restart WebSphere with:

Step 4: Test and scan your web application

1. Point your browser to your web application to confirm it is running as intended.
2. Run a scan on your target. The Vulnerability detail will confirm that Invicti IAST was detected and used for the scan.