
Deploying Invicti Shark (IAST) for JAVA – Windows (Jetty 10.0.10 + WAR file)

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

The following article shows you how you can run a Java application in Jetty and then use Invicti Shark (IAST) to run an interactive application security testing (IAST) scan for that application.

This document assumes you have Jetty installed in C:\jetty.
This document was tested on Windows 10 using Amazon Corretto OpenJDK 11 installed in the folder C:\Program Files\Amazon Corretto\jdk11.0.15_9.
You will also need to set your JAVA_HOME environment variable to that JDK folder.

Prerequisites

  • Install JAVA
  • Install Eclipse IDE for Enterprise JAVA and Web Developers
  • Install Eclipse Extensions from “Web, XML, Java EE, and OSGI Enterprise Development”:
    • Eclipse Java EE Developer Tools
    • Eclipse Java Web Developer Tools
    • Eclipse Web Developer Tools
    • JST Server Adapters Extensions (Apache Tomcat)

Step 1: Preparing an example application using Eclipse IDE

Creating your application

  1. Launch Eclipse IDE.
  2. From the menu, go to File > New > Project.
  3. On the New Project wizard, search for and select Dynamic Web Project.
  4. Select Next.
  5. On the Dynamic Web Project page, do the following:
    1. Set the Project name field to axexample-java.
    2. Set the Target runtime field to Apache Tomcat v8.5.
    3. Set the Dynamic web module version field to 3.1.
    4. Set the Configuration field to Default Configuration for Apache Tomcat v8.5.
  6. Select Next.
  7. On the Java window, leave the default settings as they are.
  8. Select Next.
  9. On the Web Module step, enable Generate web.xml deployment descriptor.
  10. Select Finish.
  11. On the Open Associated Perspective? dialog, select No.
  12. Expand the axexample-java project.
  13. Right-click on the src folder.
  14. Select New > Other.
  15. Highlight Servlet.
  16. Select Next.
  17. On the Create Servlet window, do the following:
    • Set the Java package field to com.mytest.axexample.
    • Set the Class name field to axExampleJavaServlet.
  18. Select Finish.
  19. Edit the contents of the axExampleJavaServlet.java file to read as follows:
package com.mytest.axexample;

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet implementation class axExampleJavaServlet
 */
@WebServlet("/axExampleJavaServlet")
public class axExampleJavaServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /**
     * @see HttpServlet#HttpServlet()
     */
    public axExampleJavaServlet() {
        super();
    }

    /**
     * Responds to GET requests with a static HTML page.
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        response.setContentType("text/html");
        PrintWriter out = response.getWriter();
        out.print("<html><body><h1>Test JAVA Site Example for AWS Elastic Beanstalk</h1><br>Welcome to the main page.<br></body></html>");
    }

    /**
     * POST requests are handled exactly like GET requests.
     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        doGet(request, response);
    }
}
  20. Expand the axexample-java project, right-click on the axexample-java/src/main/webapp folder, and select New > File.
  21. Set the filename to index.html and select Finish.
  22. Edit the contents of the index.html file to read as follows:
<html>
<head>
<title>Test JAVA Site Example for AWS Elastic Beanstalk</title>
</head>
<body>
<h1>Test JAVA Site Example for AWS Elastic Beanstalk</h1><br/><br/>
<a href="axExampleJavaServlet">Click here to invoke servlet</a>
</body>
</html>
  23. Make sure that the changes to both new files are saved.
  24. Right-click on the axexample-java project, select Export…, search for the WAR file option and select it.
  25. Select Next, then choose a destination for your exported WAR file.
  26. Ensure that the filename for your export file is axexample-java.war.
  27. Select Finish.

Step 2: Preparing Invicti Shark for Java

We deploy the test application to the following URL: http://127.0.0.1:8080/axexample-java/ (In a production environment, change this to the hostname you will use for your deployment.)

  1. Create a new target for your URL.
  2. Download Invicti Shark for Java.
  3. Retain the Shark(IASTandSCA).jar file for the next step.

Step 3: Preparing a folder for the AspectJWeaver component

  1. Create a folder C:\aspectjweaver.
  2. Download AspectJWeaver.
  3. Copy the downloaded file to C:\aspectjweaver\aspectjweaver-1.9.7.jar.

Step 4: Preparing your Jetty deployment by installing prerequisites

  1. Using a text editor, edit the contents of the C:\jetty\resources\jetty-logging.properties file to read as follows:
## Set logging levels from: ALL, TRACE, DEBUG, INFO, WARN, ERROR, OFF
org.eclipse.jetty.LEVEL=INFO
com.invicti.LEVEL=TRACE
context.LEVEL=TRACE
  1. Using a text editor, edit the contents of the C:\jetty\resources\java-util-logging.properties file to read as follows:
.level=INFO
handlers=org.slf4j.bridge.SLF4JBridgeHandler

com.invicti.useParentHandlers=false
com.invicti.handlers = org.slf4j.bridge.SLF4JBridgeHandler
com.invicti.level = FINEST

context.useParentHandlers=false
context.handlers = org.slf4j.bridge.SLF4JBridgeHandler
context.level = FINEST

java.util.logging.SimpleFormatter.format=%4$s: %5$s [%1$tc]%n
  1. Launch Jetty from the C:\jetty folder with the parameters:
--add-modules=annotations,deploy,ext,http,jsp,logging-jul-capture,resources,server --approve-all-licenses

The output will be similar to the following:

C:\jetty>java -jar start.jar --add-modules=annotations,deploy,ext,http,jsp,logging-jul-capture,resources,server --approve-all-licenses
INFO  : All Licenses Approved via Command Line Option
WARN  : creating start.d in ${jetty.home} is not recommended!

Proceed (y/N)? y
INFO  : mkdir ${jetty.base}\start.d
INFO  : webapp          transitively enabled, ini template available with --add-module=webapp
INFO  : ext             initialized in ${jetty.base}\start.d\ext.ini
INFO  : server          initialized in ${jetty.base}\start.d\server.ini
INFO  : logging-jul-capture initialized in ${jetty.base}\start.d\logging-jul-capture.ini
INFO  : servlet         transitively enabled
INFO  : jsp             initialized in ${jetty.base}\start.d\jsp.ini
INFO  : annotations     initialized in ${jetty.base}\start.d\annotations.ini
INFO  : resources       initialized in ${jetty.base}\start.d\resources.ini
INFO  : threadpool      transitively enabled, ini template available with --add-module=threadpool
INFO  : plus            transitively enabled
INFO  : deploy          initialized in ${jetty.base}\start.d\deploy.ini
INFO  : logging-jetty   transitively enabled
INFO  : security        transitively enabled
INFO  : apache-jsp      transitively enabled
INFO  : jndi            transitively enabled
INFO  : http            initialized in ${jetty.base}\start.d\http.ini
INFO  : logging/slf4j   transitive provider of logging/slf4j for logging-jetty
INFO  : logging/slf4j   transitive provider of logging/slf4j for logging-jul-capture
INFO  : logging/slf4j   dynamic dependency of logging-jetty
INFO  : bytebufferpool  transitively enabled, ini template available with --add-module=bytebufferpool
INFO  : mkdir ${jetty.base}\lib\ext
INFO  : download https://repo1.maven.org/maven2/org/slf4j/jul-to-slf4j/2.0.0-alpha6/jul-to-slf4j-2.0.0-alpha6.jar to ${jetty.base}\lib\logging\jul-to-slf4j-2.0.0-alpha6.jar
INFO  : mkdir ${jetty.base}\resources
INFO  : copy ${jetty.base}\modules\logging\jul\resources\java-util-logging-bridge.properties to ${jetty.base}\resources\java-util-logging.properties
INFO  : mkdir ${jetty.base}\webapps
INFO  : copy ${jetty.base}\modules\logging\jetty\resources\jetty-logging.properties to ${jetty.base}\resources\jetty-logging.properties
INFO  : Base directory was modified

C:\jetty>

Step 5: Deploying Shark (IAST) and required components

  1. Copy your Shark(IASTandSCA).jar file into C:\jetty\lib\ext\Shark(IASTandSCA).jar.
  2. Using a text editor, create a file C:\jetty\start.d\start.ini.
  3. Edit the contents of the C:\jetty\start.d\start.ini file to read as follows (the -javaagent path must point to wherever you placed aspectjweaver-1.9.7.jar in Step 3; if the file is not found at that path, the JVM will refuse to start):
--exec
-javaagent:C:\jetty\lib\aspectjweaver-1.9.7.jar
-Dacusensor.debug.log=ON

Step 6: Deploying your application

Copy your axexample-java.war file into the C:\jetty\webapps folder.

Step 7: Starting your Jetty server

From the command line, navigate to your C:\jetty folder and launch Jetty:

C:\jetty> java -jar start.jar
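The Jetty-side steps above (Steps 3, 5 and 6) can be scripted so that every path is checked before Jetty is launched; the most common failure in this procedure is a -javaagent entry in start.ini that does not match where aspectjweaver-1.9.7.jar actually is. The following PowerShell script is an added example, not part of the Invicti article, and assumes the two downloaded jars are in the current user's Downloads folder and the exported WAR is in the user's profile folder; adjust the variables at the top if your locations differ.

```powershell
# Added example (not from the Invicti article): automates Steps 3, 5 and 6 and
# verifies the JAVA_HOME, jar and folder prerequisites before Jetty is started.
# Assumed input locations (change as needed):
$JettyHome = 'C:\jetty'
$SharkJar  = Join-Path $env:USERPROFILE 'Downloads\Shark(IASTandSCA).jar'   # from Step 2
$WeaverJar = Join-Path $env:USERPROFILE 'Downloads\aspectjweaver-1.9.7.jar' # from Step 3
$WarFile   = Join-Path $env:USERPROFILE 'axexample-java.war'                # from Step 1

# JAVA_HOME must point at a JDK (the article uses Amazon Corretto 11).
if (-not $env:JAVA_HOME -or -not (Test-Path -LiteralPath (Join-Path $env:JAVA_HOME 'bin\java.exe'))) {
    throw "JAVA_HOME is not set or does not contain bin\java.exe: '$env:JAVA_HOME'"
}

# Every input the later steps depend on must exist before anything is copied.
foreach ($f in @($SharkJar, $WeaverJar, $WarFile)) {
    if (-not (Test-Path -LiteralPath $f)) { throw "Missing required file: $f" }
}
# lib\ext, start.d and webapps are created by the --add-modules run in Step 4.
foreach ($d in @("$JettyHome\lib\ext", "$JettyHome\start.d", "$JettyHome\webapps")) {
    if (-not (Test-Path -LiteralPath $d)) { throw "Run Step 4 first; folder not found: $d" }
}

# Step 5: the Shark sensor goes into lib\ext. The weaver is copied to the exact
# path that start.ini will reference, and the -javaagent line is derived from
# the same variable, so the two cannot drift apart.
$WeaverTarget = Join-Path $JettyHome 'lib\aspectjweaver-1.9.7.jar'
Copy-Item -LiteralPath $SharkJar  -Destination (Join-Path $JettyHome 'lib\ext') -Force
Copy-Item -LiteralPath $WeaverJar -Destination $WeaverTarget -Force

$StartIniPath = Join-Path $JettyHome 'start.d\start.ini'
$StartIni = @(
    '--exec',
    "-javaagent:$WeaverTarget",
    '-Dacusensor.debug.log=ON'
)
Set-Content -LiteralPath $StartIniPath -Value $StartIni -Encoding ASCII

# Step 6: deploy the WAR.
Copy-Item -LiteralPath $WarFile -Destination (Join-Path $JettyHome 'webapps') -Force

# Final check: re-read start.ini and confirm the agent jar it references exists;
# a missing -javaagent jar makes the JVM exit immediately at startup.
$agentLine = Get-Content -LiteralPath $StartIniPath | Where-Object { $_ -like '-javaagent:*' } | Select-Object -First 1
$agentPath = $agentLine -replace '^-javaagent:', ''
if (-not (Test-Path -LiteralPath $agentPath)) { throw "Agent jar referenced by start.ini is missing: $agentPath" }

Write-Host "Deployment files in place. Start Jetty with: cd $JettyHome; java -jar start.jar"
```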

Step 8: Testing and scanning your web application

Point your browser to your web application (http://127.0.0.1:8080/axexample-java/) to confirm it is running as intended; you should see the index page and be able to invoke the servlet from its link.

Finally, run a scan on your target.
