Deploying AcuSensor agent for Java - Windows in Acunetix 360
You can use AcuSensor to carry out interactive security testing (IAST) in your web application to confirm more vulnerabilities and further minimize false positives.
For AcuSensor to operate, you need to download an agent and deploy it on your server. Please note that this agent is generated uniquely for each target website for security reasons.
This topic explains how to download and install AcuSensor to a Java web application.
AcuSensor for Java requires Tomcat (7+) and Java (1.7+). Current testing is with Tomcat 9 and Java 1.8.
This document assumes that you will be using version 1.9.5 of AspectJWeaver (the latest at the time of writing). You also need to configure your web server to use Load Time Weaving (AspectJWeaver).
Deploying AcuSensor in Java consists of 3 steps:
Deploying AspectJWeaver into your web application
- Download AspectJWeaver: https://repo1.maven.org/maven2/org/aspectj/aspectjweaver/1.9.5/aspectjweaver-1.9.5.jar
- From the download folder, select aspectjweaver-1.9.5.jar and rename it aspectjweaver.jar
- Copy aspectjweaver.jar and paste it into C:\Program Files (x86)\Apache Software Foundation\Tomcat 9.0\lib
Deploying AcuSensor into your web server
- Download the AcuSensor Java agent from Acunetix 360
- Copy the AcuSensor Java agent (acusensor.jar) to %TOMCAT-HOME%\lib
- If installing on Windows where Tomcat 9 was installed using the official "32-bit/64-bit Windows Service Installer", copy the acusensor.jar file to C:\Program Files (x86)\Apache Software Foundation\Tomcat 9.0\lib
Configuring Tomcat to use AspectJWeaver and AcuSensor
- Start Tomcat with Load Time Weaving enabled. This can be done by adding a -javaagent parameter with the path to aspectjweaver.jar when starting Tomcat, and optionally a parameter to enable the AcuSensor debug logging.
- Add two parameters into the Apache Tomcat Configuration > Java options tab
- -javaagent:C:\Program Files (x86)\Apache Software Foundation\Tomcat 9.0\lib\aspectjweaver.jar (mandatory; no space after the colon; adjust path depending on where you deployed the aspectjweaver.jar file)
- -Dacusensor.debug.log=ON (optional; enables debug logging and should only be used for troubleshooting)
- Restart the Tomcat service
The parameter "-Dacusensor.debug.log=ON" is optional and can be omitted. If it is retained, AcuSensor writes its logging to the Tomcat logs as additional lines starting with "[Acunetix-debug]".
Disabling and Removing AcuSensor for Java
To disable and remove the sensor from your website, you need to revert the changes made during the deployment of the agent.
- Remove the AcuSensor agent (acusensor.jar) from the folder where it was deployed
- Remove aspectjweaver.jar from the folder where it was copied to
- Reconfigure Tomcat with Load Time Weaving disabled, as follows:
- Remove the -javaagent and -Dacusensor.debug.log parameters in the Apache Tomcat Configuration > Java options tab
- Restart the Tomcat service
Although the AcuSensor agent is secured with a strong password, it is recommended that the AcuSensor client files are uninstalled and removed from the web application if they are no longer in use.
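The following PowerShell check is an added example, not part of the original procedure and not Acunetix code. It audits the deployment and removal steps above by confirming that the two jars, the -javaagent option and the debug logging match the state you expect. The function name Test-AcuSensorState and its parameters are hypothetical; the Java options and log lines are supplied as text, and the scratch folder and sample lines in the demo are constructed.

```powershell
# Added example, not Acunetix code. Function and parameter names are hypothetical.
# Java options and log lines are passed in as text copied from the Tomcat
# Java options tab and the Tomcat logs.
function Test-AcuSensorState {
    param(
        [Parameter(Mandatory)][ValidateSet('Deployed', 'Removed')][string]$Expect,
        [Parameter(Mandatory)][string]$LibDir,
        [string[]]$JavaOptions = @(),
        [string[]]$LogLines = @()
    )
    $issues = New-Object System.Collections.Generic.List[string]
    $opts = @($JavaOptions | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # Both jars belong in lib when deployed; neither should remain after removal.
    foreach ($jar in 'aspectjweaver.jar', 'acusensor.jar') {
        $present = Test-Path -LiteralPath (Join-Path $LibDir $jar) -PathType Leaf
        if ($Expect -eq 'Deployed' -and -not $present) { $issues.Add("missing $jar in $LibDir") }
        if ($Expect -eq 'Removed' -and $present) { $issues.Add("leftover $jar in $LibDir") }
    }

    # The weaver option must read -javaagent:<path> with no space after the colon.
    $agents = @($opts | Where-Object { $_ -like '-javaagent:*aspectjweaver*' })
    if ($Expect -eq 'Removed' -and $agents.Count -gt 0) { $issues.Add('-javaagent option for aspectjweaver still set') }
    if ($Expect -eq 'Deployed' -and $agents.Count -eq 0) { $issues.Add('-javaagent option for aspectjweaver not set') }
    if ($Expect -eq 'Deployed') {
        foreach ($a in $agents) {
            $p = $a.Substring('-javaagent:'.Length)
            if ($p -ne $p.TrimStart()) { $issues.Add("space after '-javaagent:' in: $a") }
            elseif (-not (Test-Path -LiteralPath $p -PathType Leaf)) { $issues.Add("agent jar not found: $p") }
        }
    }

    # Debug logging is for troubleshooting only, so report it in either state.
    if (@($opts | Where-Object { $_ -like '-Dacusensor.debug.log*' }).Count -gt 0) {
        $issues.Add('-Dacusensor.debug.log option is set')
    }
    $dbg = @($LogLines | Where-Object { $_.StartsWith('[Acunetix-debug]') }).Count
    if ($dbg -gt 0) { $issues.Add("$dbg log line(s) start with [Acunetix-debug]") }

    [pscustomobject]@{ Expect = $Expect; Ok = ($issues.Count -eq 0); Issues = $issues.ToArray() }
}

# Constructed demo: a scratch folder stands in for the Tomcat lib folder.
$lib = Join-Path ([IO.Path]::GetTempPath()) 'acusensor-demo-lib'
New-Item -ItemType Directory -Force -Path $lib | Out-Null
Set-Content -LiteralPath (Join-Path $lib 'acusensor.jar') -Value 'placeholder'
$options = @("-javaagent: $lib\aspectjweaver.jar", '-Dacusensor.debug.log=ON')  # stray space on purpose
$log = @('[Acunetix-debug] constructed sample line', 'INFO constructed sample line')
(Test-AcuSensorState -Expect Deployed -LibDir $lib -JavaOptions $options -LogLines $log).Issues
```

On a real server, pass the Tomcat lib folder as -LibDir and run it with -Expect Removed after uninstalling to confirm nothing was left behind.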