
Scanning an application in AWS Elastic Beanstalk using Invicti Shark for Java

Invicti Shark enables you to carry out interactive application security testing (IAST) of your web application: an agent running inside the application confirms more of the vulnerabilities the scanner finds and further reduces false positives.

For Invicti Shark to operate, you need to download an agent and deploy it on the server that runs the application. The agent is generated uniquely for each target website for security reasons, so use the agent generated for the target you are going to scan.

This article shows how to run a Java application in AWS Elastic Beanstalk and then use Invicti Shark for Java to run an interactive application security testing (IAST) scan against it.

Prerequisites

  • Install a Java JDK
  • Install Eclipse IDE for Enterprise Java and Web Developers
  • Install the following Eclipse extensions from "Web, XML, Java EE and OSGi Enterprise Development":
    • Eclipse Java EE Developer Tools
    • Eclipse Java Web Developer Tools
    • Eclipse Web Developer Tools
    • JST Server Adapters Extensions (Apache Tomcat)

Step 1: Preparing an example application using Eclipse IDE

  • Go to File > New > Project.

  • In the New Project wizard, search for and select the Dynamic Web Project, then select Next. 

  • Set the Project name field to axexample-java
  • Set the Target runtime field to Apache Tomcat v8.5
  • Set the Dynamic web module version field to 3.1
  • Set the Configuration field to Default Configuration for Apache Tomcat v8.5
  • Select Next 

  • In the Java window, leave default settings and select Next 

  • In the Web Module window, enable the Generate web.xml option and select Finish 

  • In the Open Associated Perspective? dialog, select No 
  • Expand the axexample-java project
  • Right-click on the src folder
  • Select New > Other 

  • Highlight the Servlet option
  • Select Next

  • Set the Java package field to com.mytest.axexample
  • Set the Class name field to axExampleJavaServlet
  • Select Finish 
  • Edit the contents of the axExampleJavaServlet.java file to read as follows:
package com.mytest.axexample;

import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet implementation class axExampleJavaServlet.
 * Mapped to /axExampleJavaServlet, which index.html links to.
 */
@WebServlet("/axExampleJavaServlet")
public class axExampleJavaServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    public axExampleJavaServlet() {
        super();
    }

    /**
     * Writes a fixed HTML page. Nothing from the request is echoed back,
     * so no output encoding is needed here.
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.print("<html><body><h1>Test JAVA Site Example for AWS Elastic Beanstalk</h1><br>Welcome to the main page.<br></body></html>");
    }

    /** POST is handled exactly like GET. */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }
}
  • Expand the axexample-java project, right-click on the axexample-java/src/main/webapp folder, and select the New > File option

  • Set the filename to index.html and select Finish 
  • Edit the contents of the index.html file to read as follows:
<!DOCTYPE html>
<html>
<head>
<title>Test JAVA Site Example for AWS Elastic Beanstalk</title>
</head>
<body>
<h1>Test JAVA Site Example for AWS Elastic Beanstalk</h1><br/><br/>
<a href="axExampleJavaServlet">Click here to invoke servlet</a>
</body>
</html>
  • Make sure that the changes to both new files are saved
  • Right-click on the axexample-java project, select Export… option, search for the WAR file option, and select it

  • Select Next and then a Destination for your exported WAR file

  • Ensure that the filename for your export file is ROOT.war
  • Select Finish 

Step 2. Preparing Invicti Shark for Java

For this example, we will assume that the URL for your target is http://eb.acunetixexample.com. Add this URL as a target in Invicti and download the Shark agent generated for it; for Java the agent is delivered as a file named Shark (IAST and SCA).jar, which is used in the next step. Because the agent is generated for this specific target, keep the file out of shared source repositories and treat it like any other deployment secret.

Step 3. Preparing a folder for your source code bundle

  • Create a folder C:\axexample-java
  • Create a folder C:\axexample-java\.ebextensions
  • Copy your exported ROOT.war file into C:\axexample-java
  • Copy your Shark (IAST and SCA).jar file into C:\axexample-java\.ebextensions
  • Using a text editor, create a file C:\axexample-java\.ebextensions\invictishark.config
  • Edit the contents of the C:\axexample-java\.ebextensions\invictishark.config file to read as follows:
commands:
  01_create_shark_directory:
    command: "mkdir -p /home/shark"
  02_get_aspectjweaver:
    command: "wget https://repo1.maven.org/maven2/org/aspectj/aspectjweaver/1.9.7/aspectjweaver-1.9.7.jar -O /home/shark/aspectjweaver.jar"

option_settings:
  aws:elasticbeanstalk:container:tomcat:jvmoptions:
    JVM Options: '-javaagent:/usr/share/tomcat/lib/aspectjweaver.jar -Dacusensor.debug.log=ON'

container_commands:
  01_copy_shark:
    command: 'cp ".ebextensions/Shark (IAST and SCA).jar" "/home/shark/Shark (IAST and SCA).jar"'
  02_change_shark_dir_permissions:
    command: "chown -R root:root /home/shark"
  03_link_aspectjweaver_library:
    command: "ln -sf /home/shark/aspectjweaver.jar /usr/share/tomcat/lib/aspectjweaver.jar"
  04_link_shark_library:
    command: 'ln -sf "/home/shark/Shark (IAST and SCA).jar" "/usr/share/tomcat/lib/Shark (IAST and SCA).jar"'
A few points about this configuration:
  • The agent file name contains spaces and parentheses, so every path that refers to it must be quoted; an unquoted path is split into several arguments by the shell on the instance and the copy and link commands fail. The agent is copied into /home/shark, the same directory the later link command reads from.
  • ln -sf replaces an existing link, so the configuration also works on redeployments. Commands in .ebextensions already run as root, so no sudo is needed.
  • aspectjweaver.jar is downloaded from Maven Central at deployment time and loaded with -javaagent, which lets it rewrite any class in the Tomcat JVM. Keep the version pinned as shown, and verify the downloaded file against the .sha1 sidecar that Maven Central publishes next to every artifact (or ship the jar inside .ebextensions instead of downloading it) before trusting it in an environment you care about.
  • The parameter -Dacusensor.debug.log=ON is optional and should ONLY be used for troubleshooting. If it is retained, Shark writes additional lines starting with "[Acunetix-debug]" into the Tomcat logs; remove it before a production deployment.
  • Use Windows Explorer to navigate to C:\axexample-java; press CTRL+A to select both .ebextensions and ROOT.war
  • Right-click on the selected items and click the Send to > Compressed (zipped) folder menu option:

  • Rename your zip file to axexample-java.zip and retain your zip file for deployment steps below
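Before zipping, it is worth checking the staged bundle locally. The script below is an added example (not Invicti's or AWS's code) for a Linux or macOS shell: it verifies the layout from this step, insists that the agent path in invictishark.config is quoted, checks that ROOT.war and the agent jar are real zip archives rather than a saved error page, and verifies a downloaded aspectjweaver.jar against the .sha1 sidecar file that Maven Central publishes beside each artifact. The bundle directory argument and the expected.sha1 file name are assumptions; stage_sample_bundle writes constructed placeholder files (not deployable) so the checks can be exercised offline.

```sh
#!/bin/sh
# Pre-flight check for the Invicti Shark source bundle described in step 3.
# Added example, not Invicti's or AWS's code. The bundle directory argument and
# expected.sha1 are hypothetical names chosen for this script.
set -eu

# sha1_of FILE -> hex digest, using coreutils sha1sum or BSD/perl shasum.
sha1_of() {
  if command -v sha1sum >/dev/null 2>&1; then
    sha1sum "$1" | cut -d' ' -f1
  else
    shasum -a 1 "$1" | cut -d' ' -f1
  fi
}

# verify_sha1 FILE EXPECTED -> 0 when the digest matches. EXPECTED may be the raw
# contents of the .jar.sha1 sidecar from Maven Central (hex digest, optionally
# followed by a file name). Run this on aspectjweaver.jar: it is loaded with
# -javaagent and can rewrite every class in the Tomcat JVM.
verify_sha1() {
  actual=$(sha1_of "$1")
  expected=$(printf '%s' "$2" | cut -d' ' -f1 | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# is_jar FILE -> 0 when FILE starts with the zip local-file header PK\003\004,
# which catches an HTML error page saved under a .jar or .war name.
is_jar() {
  [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "504b0304" ]
}

# check_bundle DIR -> 0 when DIR holds ROOT.war, the agent jar and
# .ebextensions/invictishark.config, both archives look like archives, and the
# config quotes the agent path (its name contains spaces and parentheses, so an
# unquoted path is split into three arguments on the instance).
check_bundle() {
  dir=$1
  agent="$dir/.ebextensions/Shark (IAST and SCA).jar"
  cfg="$dir/.ebextensions/invictishark.config"
  [ -f "$dir/ROOT.war" ] || { echo "missing ROOT.war" >&2; return 1; }
  [ -f "$agent" ] || { echo "missing Shark (IAST and SCA).jar" >&2; return 1; }
  [ -f "$cfg" ] || { echo "missing invictishark.config" >&2; return 1; }
  is_jar "$dir/ROOT.war" || { echo "ROOT.war is not a zip archive" >&2; return 1; }
  is_jar "$agent" || { echo "agent jar is not a zip archive" >&2; return 1; }
  grep -q '"/home/shark/Shark (IAST and SCA).jar"' "$cfg" \
    || { echo "agent path in invictishark.config is not quoted" >&2; return 1; }
  if grep -q 'acusensor.debug.log=ON' "$cfg"; then
    echo "warning: debug logging is on; remove it before a production deployment" >&2
  fi
  return 0
}

# stage_sample_bundle DIR -> writes a constructed bundle: placeholder archives
# carrying a real zip header plus the step 3 config with quoted paths. These
# placeholders exist only so the checks above can run offline.
stage_sample_bundle() {
  dir=$1
  mkdir -p "$dir/.ebextensions"
  printf 'PK\003\004placeholder' > "$dir/ROOT.war"
  printf 'PK\003\004placeholder' > "$dir/.ebextensions/Shark (IAST and SCA).jar"
  cat > "$dir/.ebextensions/invictishark.config" <<'EOF'
commands:
  01_create_shark_directory:
    command: "mkdir -p /home/shark"
  02_get_aspectjweaver:
    command: "wget https://repo1.maven.org/maven2/org/aspectj/aspectjweaver/1.9.7/aspectjweaver-1.9.7.jar -O /home/shark/aspectjweaver.jar"

option_settings:
  aws:elasticbeanstalk:container:tomcat:jvmoptions:
    JVM Options: '-javaagent:/usr/share/tomcat/lib/aspectjweaver.jar'

container_commands:
  01_copy_shark:
    command: 'cp ".ebextensions/Shark (IAST and SCA).jar" "/home/shark/Shark (IAST and SCA).jar"'
  02_change_shark_dir_permissions:
    command: "chown -R root:root /home/shark"
  03_link_aspectjweaver_library:
    command: "ln -sf /home/shark/aspectjweaver.jar /usr/share/tomcat/lib/aspectjweaver.jar"
  04_link_shark_library:
    command: 'ln -sf "/home/shark/Shark (IAST and SCA).jar" "/usr/share/tomcat/lib/Shark (IAST and SCA).jar"'
EOF
}

# Usage: sh preflight.sh BUNDLE_DIR [aspectjweaver.jar expected.sha1]
if [ "${1:-}" ]; then
  check_bundle "$1"
  if [ $# -ge 3 ]; then
    verify_sha1 "$2" "$(cat "$3")" || { echo "aspectjweaver.jar checksum mismatch" >&2; exit 1; }
  fi
  echo "bundle OK: zip the contents of $1 (not the directory itself) as axexample-java.zip"
fi
```

The script treats a non-zip ROOT.war or agent jar and an unquoted agent path as hard failures, and the debug flag only as a warning, because the first two break the deployment silently while the third merely makes the Tomcat logs noisier.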

Step 4. Deploying your web application to AWS Elastic Beanstalk

  • From your AWS Dashboard, navigate to Elastic Beanstalk > Environments
  • Select Create a new environment 

  • Set your environment tier to Web server environment

  • Click Select
  • On the Elastic Beanstalk > Create environment page:
    • Set the Application name field to the name for your web application; in this example, you will use the name axexample-java

    • Set the Platform drop-down to Tomcat, and choose a platform branch running Tomcat 8.5, the runtime the WAR was built for in Step 1. Platform branches on Tomcat 10 use the jakarta.servlet namespace and will not load this javax.servlet servlet.

    • Choose Upload your code, and then select Choose file 

    • Select your axexample-java.zip source code bundle for upload and select Create environment
  • AWS Elastic Beanstalk will now create your environment; this can take a few minutes
  • When the process is complete, you will be sent to your environment's dashboard

  • Take note of your environment's new URL, which AWS Elastic Beanstalk created automatically:
    • You need it to create a CNAME record pointing to this URL
    • In this example, we create a CNAME for eb.acunetixexample.com pointing to axexamplejava-env.eba-y3m5stqv.us-east-1.elasticbeanstalk.com (done here through the Namecheap cPanel interface)

  • Once the CNAME record has been added and the DNS change has propagated, you can reach the web application by browsing to your URL (in this example http://eb.acunetixexample.com)

Step 5. Testing and scanning your web application

  1. Point your browser to your web application - in this example http://eb.acunetixexample.com to confirm it is running as intended.
  2. Run a scan on your URL. The scan summary shows whether Invicti Shark was used for the scan. If it was not, check the Tomcat logs for the "[Acunetix-debug]" lines produced when -Dacusensor.debug.log=ON is set, and confirm that the agent and aspectjweaver links exist under /usr/share/tomcat/lib on the instance.
