Invicti Shark enables you to carry out interactive security testing (IAST) in your web application in order to confirm more vulnerabilities and further minimize false positives. For Invicti Shark to operate, you need to download an agent and deploy it on your server. Please note that this agent is generated uniquely for each target website for security reasons.
This topic explains how to download and deploy Invicti Shark to a Java web application.
Invicti Shark for Java requires Tomcat (7+) and Java (1.7+). Current testing is with Tomcat 9 and Java 1.8.
This topic assumes the following:
- The Tomcat 9 zip file was installed directly into /opt/apache-tomcat-9.0.31 with a symlink /opt/tomcat9 pointing to this installation folder.
- The official RPM file jre-8u241-linux-x64.rpm from Oracle was used to install the JRE using command line: dnf install jre-8u241-linux-x64.rpm
- You are using version 1.9.5 (latest at time of writing) of AspectJWeaver.
Deploying Invicti Shark in Java consists of 3 steps:
1. Deploying AspectJWeaver into your web application
- Open terminal
- Run the following commands to download and deploy AspectJWeaver:
wget -c https://repo1.maven.org/maven2/org/aspectj/aspectjweaver/1.9.5/aspectjweaver-1.9.5.jar
sudo mv aspectjweaver-1.9.5.jar /opt/tomcat9/lib
sudo ln -s /opt/tomcat9/lib/aspectjweaver-1.9.5.jar /opt/tomcat9/lib/aspectjweaver.jar
2. Deploying Invicti Shark into your web application
- Download the Invicti Shark for JAVA
- Copy Invicti Shark (Shark.jar) to %TOMCAT-HOME%\lib - based on the assumptions above, you would copy the Shark.jar file to /opt/tomcat9/lib
3. Configure Tomcat to use AspectJWeaver and Invicti Shark
- Launch Tomcat with Load Time Weaving enabled. This can be done by adding a -javaagent parameter with the path to aspectjweaver.jar when launching Tomcat, and optionally a parameter to enable Shark debug logging
- For Centos 8.1 and RHEL 8.1, add two parameters into the Tomcat setenv.sh script (normally you will be creating a new file):
sudo nano /opt/tomcat9/bin/setenv.sh
- At the end of the file, add the line JAVA_OPTS="$JAVA_OPTS -javaagent:$CATALINA_HOME/lib/aspectjweaver.jar -Dacusensor.debug.log=ON"
- Save the file
sudo systemctl restart tomcat9
The parameter "-Dacusensor.debug.log=ON" is optional and should ONLY be used for troubleshooting purposes. If this parameter is retained, this will output Shark logging as additional lines in the Tomcat logs starting with "[Netsparker-debug]".
Disabling and Removing Invicti Shark for Java
To remove and disable the sensor from your website, you need to revert the changes done during the deployment of the Agent. Based on the assumptions above:
- Remove the Invicti Shark (Shark.jar) from the folder where it was deployed with:
- Remove aspectjweaver.jar with:
sudo rm /opt/tomcat9/lib/aspectjweaver.jar
sudo rm /opt/tomcat9/lib/aspectjweaver-1.9.5.jar
- Reconfigure Tomcat with Load Time Weaving disabled:
- remove the "JAVA_OPTS" line added earlier in the setenv.sh file
sudo systemctl restart tomcat9
Although the Invicti Shark agent is secured with a strong password, it is recommended that the Shark client files are uninstalled and removed from the web application if they are no longer in use.