Deploying Invicti Shark (IAST) for JAVA – Windows (Wildfly 26.1.1.Final Standalone + WAR file)

The following article shows you how you can run a Java application in Wildfly and then use Invicti Shark (IAST) to run an interactive application security testing (IAST) scan for that application.

This document was tested on Windows 10 using Java SE Development Kit 8 Update 241 (64-bit) installed in the folder C:\Program Files\Java\jdk1.8.0_241.

You will also need to set your JAVA_HOME environment variable to the folder in question:

Prerequisites

• Install JAVA
• Install Eclipse IDE for Enterprise JAVA and Web Developers
• Install Eclipse Extensions from “Web, XML, Java EE, and OSGI Enterprise Development”:
  • Eclipse Java EE Developer Tools
  • Eclipse Java Web Developer Tools
  • Eclipse Web Developer Tools
  • JST Server Adapters Extensions (Apache Tomcat)

Step 1: Preparing an example application using Eclipse IDE

Creating your application

1. Launch Eclipse IDE.
2. From the menu, go to File > New > Project.

3. On the New Project wizard, search for and select Dynamic Web Project.
4. Select Next.
5. On the Dynamic Web Project, do the following:
   1. Set the Project name field to axexample-java
   2. Set the Target runtime field to Apache Tomcat v8.5 
   3. Set the Dynamic web module version field to 3.1 
   4. Set the Configuration field to Default Configuration for Apache Tomcat v8.5

6. Select Next.
7. On the Java window, leave the default settings as they are.
8. Select Next.
9. On the Web Module step, enable Generate web.xml deployment descriptor.

10. Select Finish.
11. On the Open Associated Perspective? dialog, select No.
12. Expand the axexample-java project 
13. Right-click on the src folder 
14. Select New > Other.
15. Highlight Servlet.

16. Select Next.
17. On the Create Servlet window, do the following:
    • Set the Java package field to com.mytest.axexample.
    • Set the Class name field to axExampleJavaServlet.

18. Select Finish.
19. Edit the contents of the axExampleJavaServlet.java file to read as follows:

package com.mytest.axexample;

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet implementation class HelloWorldServlet
 */
@WebServlet("/axExampleJavaServlet")
public class axExampleJavaServlet extends HttpServlet {
	private static final long serialVersionUID = 1L;
       
    /**
     * @see HttpServlet#HttpServlet()
     */
    public axExampleJavaServlet() {
        super();
        // TODO Auto-generated constructor stub
    }

	/**
	 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
	 */
	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
		PrintWriter out = response.getWriter();
		out.print("<html><body><h1>Test JAVA Site Example for Wildfly</h1><br>Welcome to the main page.<br></body></html>");
	}

	/**
	 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
	 */
	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
		// TODO Auto-generated method stub
		doGet(request, response);
	}
}

20. Expand the axexample-java project, right-click on the axexample-java/src/main/webapp folder, and select New > File.

21. Set the filename to index.html and select Finish. 
22. Edit the contents of the index.html file to read as follows:

<html>
  <head>
    <title>Test JAVA Site Example for Wildfly</title>
  </head>
  <body>
    <h1>Test JAVA Site Example for Wildfly</h1><br/><br/>
    <a href="axExampleJavaServlet">Click here to invoke servlet</a> 
  </body>
</html>

23. Make sure that the changes to both new files are saved.
24. Right-click on the axexample-java project, select Export…, search for the WAR file option and select it.

25. Select Next, then choose a destination for your exported WAR file.

26. Ensure that the filename for your export file is axexample-java.war 
27. Select Finish.

Step 2: Preparing Invicti Shark for Java

We deploy the test application to the following URL: http://wildfly-backend-proto.invicti.site:8080/axexample-java/ (In a production environment, you need to change this to the hostname you will use for your deployment.) 

1. Create a new target for your URL.
2. Download Invicti Shark for Java. 
3. Retain the Shark(IASTandSCA).jar file for the next step.

Step 3: Preparing a folder for the AspectJWeaver component

1. Create a root folder /aspectjweaver
2. Download AspectJWeaver from https://repo1.maven.org/maven2/org/aspectj/aspectjweaver/1.9.7/aspectjweaver-1.9.7.jar
3. Copy the downloaded file into /aspectjweaver/aspectjweaver-1.9.7.jar

Step 4: Deploying Invicti Shark and required components

1. Create a folder %JBOSS_HOME%\modules\system\layers\base\com\invicti
2. Create a folder %JBOSS_HOME%\modules\system\layers\base\com\invicti\sensor
3. Create a folder %JBOSS_HOME%\modules\system\layers\base\com\invicti\sensor\main
4. Copy your AcuSensor.jar file into %JBOSS_HOME%\modules\system\layers\base\com\invicti\sensor\main
5. Using a text editor, create a file %JBOSS_HOME%\modules\system\layers\base\com\invicti\sensor\main\module.xml
6. Edit the contents of the %JBOSS_HOME%\modules\system\layers\base\com\invicti\sensor\main\module.xml file to read as follows:

<?xml version="1.0" encoding="UTF-8"?>
<module name="com.invicti.sensor" xmlns="urn:jboss:module:1.9">
  <resources>
    <resource-root path="Shark(IASTandSCA).jar"/>
    <resource-root path="aspectjrt-1.9.7.jar"/>
  </resources>
  <dependencies>
    <module name="javax.api"/>
    <module name="javax.servlet.api"/>
    <module name="java.logging"/>
    <module name="org.jboss.modules"/>
  </dependencies>
</module>

7. Download AspectJRT from https://repo1.maven.org/maven2/org/aspectj/aspectjrt/1.9.7/aspectjrt-1.9.7.jar
8. Copy the aspectjrt-1.9.7.jar file into %JBOSS_HOME%\modules\system\layers\base\com\invicti\sensor\main
9. Prepare a custom configuration for the Shark (IAST) integration:

C:\Users\default.user> cd C:\jboss\standalone\configuration
C:\jboss\standalone\configuration> copy standalone.xml standalone-invicti.xml
        1 file(s) copied.
C:\jboss\standalone\configuration>

10. Using a text editor, edit the contents of the %JBOSS_HOME%\standalone\configuration\standalone-invicti.xml file by adding the highlighted lines below immediately below the line <subsystem xmlns=”urn:jboss:domain:ee:6.0″>:

...
...
        </subsystem>
        <subsystem xmlns="urn:jboss:domain:ee:6.0">
            <global-modules>
                <module name="com.invicti.sensor" slot="main"/>
            </global-modules>
            <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>
            <concurrent>
...
...

11. Edit the contents of the %JBOSS_HOME%\bin\standalone.conf.bat file and add the following to the bottom of the file:

rem *** Shark settings
set "JAVA_OPTS=%JAVA_OPTS% -Dacusensor.debug.log=ON"
set "MODULE_OPTS=-javaagent:C:\aspectjweaver\aspectjweaver-1.9.7.jar"

Step 5: Deploying your application

Copy your axexample-java.war file into the %JBOSS_HOME%\standalone\deployments folder.

Step 6: Starting your Wildfly server

From the command line, navigate to your %JBOSS_HOME%\bin folder, and launch Wildfly specifying the custom config file created earlier:

C:\Users\default.user> cd C:\wildfly\bin
C:\wildfly\bin> standalone --server-config=standalone-invicti.xml
Config file not found "C:\wildfly\bin\common.conf.bat"
Calling "C:\wildfly\bin\standalone.conf.bat"
Setting JAVA property to "C:\Program Files\Java\jdk1.8.0_241\\bin\java"
===============================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: "C:\wildfly"

  JAVA: "C:\Program Files\Java\jdk1.8.0_241\\bin\java"

  JAVA_OPTS: "-javaagent:"C:\wildfly\jboss-modules.jar" -server -Dprogram.name=standalone.bat -Xms64M -Xmx512M -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Dacusensor.debug.log=ON  "

===============================================================================

...

Step 7. Testing and scanning your web application

Point your browser to your web application to confirm it is running as intended; you will get the following:

Finally, run a scan on your target.