Deploying AcuSensor for JAVA - Windows (JBOSS 7.4 Standalone + WAR File) in Acunetix 360

AcuSensor enables you to carry out interactive security testing (IAST) in your web application in order to confirm more vulnerabilities and further minimize false positives.  

For AcuSensor to operate, you need to download an agent and deploy it on your server. Please note that this agent is generated uniquely for each target website for security reasons.

The following article shows you how you can run a Java application in WebSphere and then use AcuSensor to run an interactive application security testing (IAST) scan for that application.

Information

  • This document was tested on Windows 10 using Java SE Development Kit 8 Update 241 (64-bit) installed in the folder C:\Program Files\Java\jdk1.8.0_241.
  • You will also need to set your JAVA_HOME environment variable to the folder in question:

Prerequisites

  • Install JAVA
  • Install Eclipse IDE for Enterprise JAVA and Web Developers
  • Install Eclipse Extensions from "Web, XML, Java EE, and OSGI Enterprise Development":
  • Eclipse Java EE Developer Tools
  • Eclipse Java Web Developer Tools
  • Eclipse Web Developer Tools
  • JST Server Adapters Extensions (Apache Tomcat)

Step 1: Preparing an example application using Eclipse IDE

Create your application

  1. Launch Eclipse IDE.
  2. From the menu, go to File > New > Project.

  1. On the New Project wizard, search for and select Dynamic Web Project.
  2. Select Next.
  3. On the Dynamic Web Project, do the following:
  1. Set the Project name field to axexample-java
  2. Set the Target runtime field to Apache Tomcat v8.5
  3. Set the Dynamic web module version field to 3.1
  4. Set the Configuration field to Default Configuration for Apache Tomcat v8.5

  1. Select Next.
  2. On the Java window, leave the default settings as they are.
  3. Select Next.
  4. On the Web Module step, enable Generate web.xml deployment descriptor.

  1. Select Finish.
  2. On the Open Associated Perspective? dialog, select No.
  3. Expand the axexample-java project
  4. Right-click on the src folder
  5. Select New > Other.
  6. Highlight Servlet.

  1. Select Next.
  2. On the Create Servlet window, do the following:
  1. Set the Java package field to com.mytest.axexample.
  2. Set the Class name field to axExampleJavaServlet.

  1. Select Finish.
  2. Edit the contents of the axExampleJavaServlet.java file to read as follows:

package com.mytest.axexample;

import java.io.IOException;

import java.io.PrintWriter;

import javax.servlet.ServletException;

import javax.servlet.annotation.WebServlet;

import javax.servlet.http.HttpServlet;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

/**

 * Servlet implementation class HelloWorldServlet

 */

@WebServlet("/axExampleJavaServlet")

public class axExampleJavaServlet extends HttpServlet {

        private static final long serialVersionUID = 1L;

       

    /**

     * @see HttpServlet#HttpServlet()

     */

    public axExampleJavaServlet() {

        super();

        // TODO Auto-generated constructor stub

    }

        /**

         * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)

         */

        protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

                PrintWriter out = response.getWriter();

                out.print("<html><body><h1>Test JAVA Site Example for AWS Elastic Beanstalk</h1><br>Welcome to the main page.<br></body></html>");

        }

        /**

         * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)

         */

        protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

                // TODO Auto-generated method stub

                doGet(request, response);

        }

}

  1. Expand the axexample-java project, right-click on the axexample-java/src/main/webapp folder, and select New > File.

  1. Set the filename to index.html and select Finish.
  2. Edit the contents of the index.html file to read as follows:

<head>

<title>Test JAVA Site Example for AWS Elastic Beanstalk</title>

</head>

<body>

<h1>Test JAVA Site Example for AWS Elastic Beanstalk</h1><br/><br/>

<a href="axExampleJavaServlet">Click here to invoke servlet</a>

</body>

</html>

  1. Make sure that the changes to both new files are saved.
  2. Right-click on the axexample-java project, select Export…, search for the WAR file option and select it.

  1. Select Next, then choose a destination for your exported WAR file.

  1. Ensure that the filename for your export file is axexample-java.war
  2. Select Finish.

Step 2: Preparing AcuSensor for Java

We will deploy the test application to the following URL: http://127.0.0.1:8080/axexample-java/ (In a production environment, you will need to change this to the hostname you will use for your deployment).

  1. Create a new target for your URL.
  2. Download AcuSensor for Java.
  3. Retain the AcuSensor (IAST and SCA) file for the next step.

Step 3: Preparing a folder for the AspectJWeaver component

On the WebSphere machine:

  1. Create a root folder /aspectjweaver
  2. Download AspectJWeaver from https://repo1.maven.org/maven2/org/aspectj/aspectjweaver/1.9.7/aspectjweaver-1.9.7.jar
  3. Copy the downloaded file into /aspectjweaver/aspectjweaver-1.9.7.jar

Step 4: Deploying AcuSensor and required components

  1. Create a folder %JBOSS_HOME%\modules\system\layers\base\com\invicti
  2. Create a folder %JBOSS_HOME%\modules\system\layers\base\com\invicti\sensor
  3. Create a folder %JBOSS_HOME%\modules\system\layers\base\com\invicti\sensor\main
  4. Copy your AcuSensor (IAST and SCA).jar file into %JBOSS_HOME%\modules\system\layers\base\com\invicti\sensor\main
  5. Using a text editor, create a file %JBOSS_HOME%\modules\system\layers\base\com\invicti\sensor\main\module.xml
  6. Edit the contents of the %JBOSS_HOME%\modules\system\layers\base\com\invicti\sensor\main\module.xml file to read as follows:

<?xml version="1.0" encoding="UTF-8"?>

<module name="com.invicti.sensor" xmlns="urn:jboss:module:1.9">

  <resources>

    <resource-root path="AcuSensor (IAST and SCA).jar"/>

    <resource-root path="aspectjrt-1.9.7.jar"/>

  </resources>

  <dependencies>

    <module name="javax.api"/>

    <module name="javax.servlet.api"/>

    <module name="java.logging"/>

    <module name="org.jboss.modules"/>

  </dependencies>

</module>

  1. Download AspectJRT from https://repo1.maven.org/maven2/org/aspectj/aspectjrt/1.9.7/aspectjrt-1.9.7.jar
  2. Copy the aspectjrt-1.9.7.jar file into %JBOSS_HOME%\modules\system\layers\base\com\invicti\sensor\main
  3. Prepare a custom configuration for AcuSensor integration:

C:\Users\default.user> cd C:\jboss\standalone\configuration

C:\jboss\standalone\configuration> copy standalone.xml standalone-invicti.xml

        1 file(s) copied.

C:\jboss\standalone\configuration>

  1. Using a text editor, edit the contents of the %JBOSS_HOME%\standalone\configuration\standalone-invicti.xml file by adding the highlighted lines below immediately below the line <subsystem xmlns="urn:jboss:domain:ee:6.0">:

...

...

        </subsystem>

        <subsystem xmlns="urn:jboss:domain:ee:6.0">

            <global-modules>

                <module name="com.invicti.sensor" slot="main"/>

            </global-modules>

            <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>

            <concurrent>

...

...

  1. Edit the contents of the %JBOSS_HOME%\bin\standalone.conf.bat file and add the following to the bottom of the file:

rem *** AcuSensor settings

set "JAVA_OPTS=%JAVA_OPTS% -Dacusensor.debug.log=ON"

set "MODULE_OPTS=-javaagent:C:\aspectjweaver\aspectjweaver-1.9.7.jar"

Step 5: Deploying your application

Copy your axexample-java.war file into the %JBOSS_HOME%\standalone\deployments folder.

Step 6: Starting your WebSphere server

From the command line, navigate to your %JBOSS_HOME%\bin folder, and launch JBOSS specifying the custom config file created earlier:

C:\Users\default.user> cd C:\jboss\bin

C:\jboss\bin>standalone --server-config=standalone-invicti.xml

Calling "C:\jboss\bin\standalone.conf.bat"

Setting JAVA property to "C:\Program Files\Java\jdk1.8.0_241\\bin\java"

===============================================================================

  JBoss Bootstrap Environment

  JBOSS_HOME: "C:\jboss"

  JAVA: "C:\Program Files\Java\jdk1.8.0_241\\bin\java"

  JAVA_OPTS: "-javaagent:"C:\jboss\jboss-modules.jar" -Dprogram.name=standalone.bat -Xms1G -Xmx1G -XX:MetaspaceSize=96M -XX:MaxMetaspaceSize=256m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Dacusensor.debug.log=ON -verbose:gc -Xloggc:"C:\jboss\standalone\log\gc.log" -XX:+PrintGCDetails -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=3M -XX:-TraceClassUnloading "

===============================================================================

...

Test and scan your web application

Point your browser to your web application to confirm it is running as intended; you will get the following:

Finally, run a scan on your target.

 

« Back to the Acunetix Support Page