Application Security Platform
Invicti IAST

Invicti IAST for PHP – Docker

This document is for:
Invicti Platform

The most principled way of deploying Invicti IAST in a Docker scenario is to simply layer the Invicti IAST modifications onto your already existing container definition. This simple example will demonstrate how you can deploy Invicti IAST together with your web application.

Create your Target in Invicti Platform

For this example, we will assume that the URL for your target is http://invictiexample.com:60000.

  1. Create a Target with your URL
  2. Enable Invicti IAST. 
  3. Download the Invicti IAST agent file iastsensor.php and save this file for use later on.

Define the Web Application image

This simple web application will be defined through the following file structure:

  • /testphp-docker/
  • /testphp-docker/Dockerfile
  • /testphp-docker/websrc/
  • /testphp-docker/websrc/index.php
  • /testphp-docker/websrc/test.php

  1. Create your /testphp-docker/Dockerfile file to read as follows:

FROM php:7.3.28-apache

#setup the web pages
COPY --chown=www-data:www-data websrc/ /var/www/html

  1. Create your /testphp-docker/websrc/index.php file to read as follows:

<?php
   echo
"<h1>Test PHP Site Example for Docker Deployment</h1>";
   echo
"<br>";
   echo
"Welcome to the main page.";
   echo
"<br>";
   echo
"<a href='test.php'>Go to the test page.</a>";
?>

  1. Create your /testphp-docker/websrc/test.php file to read as follows:

<?php
   echo
"<h1>Test PHP Site Example for Docker Deployment</h1>";
   echo
"<br>";
   echo
"Welcome to the test page.";
   echo
"<br>";
?>

  1. Finally, build the image with:

cd /testphp-docker
docker build -t testphp-docker .

Define the Invicti IAST layer image

The Invicti IAST layer will be defined through the following file structure:

  • /testphp-docker-iastsensor/
  • /testphp-docker-iastsensor/Dockerfile
  • /testphp-docker-iastsensor/iastsensor.php

  1. Copy the iastsensor.php file you previously downloaded and paste it to your docker host into the /testphp-docker-iastsensor directory.

  1. Create your /testphp-docker-iastsensor/Dockerfile file to read as follows:

FROM testphp-docker

# assumes the web application is in /var/www/html

# setup Invicti IAST
RUN mkdir /iastsensor
WORKDIR /iastsensor
COPY iastsensor.php .

# add .htaccess file for Invicti IAST
RUN printf
"\nphp_value auto_prepend_file /iastsensor/iastsensor.php\n" > /var/www/html/.htaccess \
 && chown www-data:www-data /var/www/html/.htaccess

  1. Build and run your image with:

cd /testphp-docker-iastsensor
docker build -t testphp-docker-iastsensor .
docker run -d -p
60000:80 --name mytestphp testphp-docker-iastsensor

Test and scan your web application

  1. Point your browser to your web application - in this example, http://invictiexample.com:6000 to confirm it is running as intended; you will get the following:

  1. Run a scan on your Target. The Vulnerability detail will confirm that Invicti IAST was detected and used for the scan.

Share This Article