
Deploying Invicti Shark for Java – Windows/Linux (Jetty 10.0.10 + WAR file)

This document is for:
Invicti Enterprise On-Demand, Invicti Enterprise On-Premises

This guide explains how you can run a Java application in Jetty and then use Invicti Shark to run an interactive application security testing (IAST) scan for that application.

NOTE: This document assumes that you have Jetty installed in C:\jetty. Change the paths accordingly.

Step 1: Prepare Invicti Shark for Java

In this example, the test application is deployed to the following URL: http://127.0.0.1:8080/axexample-java/ (in a production environment, you will need to change this to the hostname you will use for your deployment).

  1. Create a new target for your URL.
  2. Download Invicti Shark for Java from the Invicti UI and retain the Shark (IAST and SCA).jar file for the next step. (In our example, Shark (IAST and SCA).jar is saved to C:\shark\). Change the paths accordingly if you are using the Java IAST Sensor on Linux.

Step 2: Prepare your Jetty deployment by installing prerequisites

  1. From the C:\jetty folder, run start.jar with the parameters required to enable the modules your application needs:

 --add-modules=annotations,deploy,ext,http,jsp,logging-jul-capture,resources,server --approve-all-licenses

This run only configures the Jetty base directory (it creates start.d, downloads the java.util.logging bridge and copies the logging property templates) and then exits; it does not start the server.

NOTE: The list of modules might be different for your web application. However, you will need to explicitly add logging-jul-capture if you need logging from the IAST sensor. Because this guide uses C:\jetty as both ${jetty.home} and ${jetty.base}, start.jar warns that creating start.d in ${jetty.home} is not recommended; answer y to continue, or set up a separate jetty.base directory if you want to keep the Jetty distribution unmodified. The jul-to-slf4j bridge jar is downloaded from repo1.maven.org during this step, so the machine needs outbound access to Maven Central (or the jar must already be present in ${jetty.base}\lib\logging).

C:\jetty>java -jar start.jar --add-modules=annotations,deploy,ext,http,jsp,logging-jul-capture,resources,server --approve-all-licenses
INFO  : All Licenses Approved via Command Line Option
WARN  : creating start.d in ${jetty.home} is not recommended!
Proceed (y/N)? y
INFO  : mkdir ${jetty.base}\start.d
INFO  : webapp          transitively enabled, ini template available with --add-module=webapp
INFO  : ext             initialized in ${jetty.base}\start.d\ext.ini
INFO  : server          initialized in ${jetty.base}\start.d\server.ini
INFO  : logging-jul-capture initialized in ${jetty.base}\start.d\logging-jul-capture.ini
INFO  : servlet         transitively enabled
INFO  : jsp             initialized in ${jetty.base}\start.d\jsp.ini
INFO  : annotations     initialized in ${jetty.base}\start.d\annotations.ini
INFO  : resources       initialized in ${jetty.base}\start.d\resources.ini
INFO  : threadpool      transitively enabled, ini template available with --add-module=threadpool
INFO  : plus            transitively enabled
INFO  : deploy          initialized in ${jetty.base}\start.d\deploy.ini
INFO  : logging-jetty   transitively enabled
INFO  : security        transitively enabled
INFO  : apache-jsp      transitively enabled
INFO  : jndi            transitively enabled
INFO  : http            initialized in ${jetty.base}\start.d\http.ini
INFO  : logging/slf4j   transitive provider of logging/slf4j for logging-jetty
INFO  : logging/slf4j   transitive provider of logging/slf4j for logging-jul-capture
INFO  : logging/slf4j   dynamic dependency of logging-jetty
INFO  : bytebufferpool  transitively enabled, ini template available with --add-module=bytebufferpool
INFO  : mkdir ${jetty.base}\lib\ext
INFO  : download https://repo1.maven.org/maven2/org/slf4j/jul-to-slf4j/2.0.0-alpha6/jul-to-slf4j-2.0.0-alpha6.jar to ${jetty.base}\lib\logging\jul-to-slf4j-2.0.0-alpha6.jar
INFO  : mkdir ${jetty.base}\resources
INFO  : copy ${jetty.base}\modules\logging\jul\resources\java-util-logging-bridge.properties to ${jetty.base}\resources\java-util-logging.properties
INFO  : mkdir ${jetty.base}\webapps
INFO  : copy ${jetty.base}\modules\logging\jetty\resources\jetty-logging.properties to ${jetty.base}\resources\jetty-logging.properties
INFO  : Base directory was modified

C:\jetty>

Step 3: Deploy Invicti Shark and the required components

  1. Using a text editor, edit the contents of the C:\jetty\resources\jetty-logging.properties file to read as follows:

## Set logging levels from: ALL, TRACE, DEBUG, INFO, WARN, ERROR, OFF
org.eclipse.jetty.LEVEL=INFO
com.invicti.LEVEL=TRACE
context.LEVEL=TRACE

  2. Using a text editor, edit the contents of the C:\jetty\resources\java-util-logging.properties file to read as follows:

.level=INFO
handlers=org.slf4j.bridge.SLF4JBridgeHandler
com.invicti.useParentHandlers=false
com.invicti.handlers = org.slf4j.bridge.SLF4JBridgeHandler
com.invicti.level = FINEST
java.util.logging.SimpleFormatter.format=%4$s: %5$s [%1$tc]%n

  3. Using a text editor, create a file C:\jetty\start.d\start.ini
  4. Edit the contents of the C:\jetty\start.d\start.ini file to read as follows:

--exec
-javaagent:C:\shark\Shark (IAST and SCA).jar
-Dacusensor.debug.log=ON

Jetty reads each line of an ini file as one argument, so the spaces and parentheses in the jar name need no quoting. The --exec line is required: start.jar only passes JVM options such as -javaagent to a forked JVM. -Dacusensor.debug.log=ON switches on the sensor's debug log; remove that line once the deployment is verified if you do not want the extra output in production.
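Before starting the server, it is worth checking the base directory for the mistakes that most often make a sensor deployment silently fail (no --exec, a wrong agent path, the JUL capture module not enabled, the logging properties not edited). The script below is an added example written for this guide; it is not Invicti or Jetty code. It assumes the layout described in Steps 2 and 3 (start.d\*.ini, resources\jetty-logging.properties, resources\java-util-logging.properties) and the property keys shown above; the fixture it builds in build_example_base is constructed sample input, with an empty file standing in for the agent jar.

```python
"""Preflight check for a Jetty 10 jetty.base prepared for the Invicti Shark Java agent.
Added example, not Invicti or Jetty code. Assumes this guide's layout: --exec and
-javaagent:<jar> in start.d\\*.ini, com.invicti entries in resources\\*.properties."""
from __future__ import annotations
import tempfile
from pathlib import Path

SLF4J_BRIDGE = "org.slf4j.bridge.SLF4JBridgeHandler"
JUL_MODULE = "logging-jul-capture"


def read_ini_args(path: Path) -> list[str]:
    """One argument per line, as Jetty reads start.d; blank and # lines dropped, spaces in a path kept."""
    lines = (ln.strip() for ln in path.read_text(encoding="utf-8").splitlines())
    return [ln for ln in lines if ln and not ln.startswith("#")]


def read_properties(path: Path) -> dict[str, str]:
    """Minimal java.util.Properties reader (key=value or key:value, # and ! comments, no escapes)."""
    props: dict[str, str] = {}
    for ln in (ln.strip() for ln in path.read_text(encoding="utf-8").splitlines()):
        if not ln or ln[0] in "#!":
            continue
        cut = min(i for i in (ln.find("="), ln.find(":"), len(ln)) if i >= 0)
        props[ln[:cut].strip()] = ln[cut + 1:].strip()
    return props


def javaagent_jar(args: list[str]) -> Path | None:
    """Jar path from the first -javaagent:<jar>[=options] argument, or None."""
    for arg in args:
        if arg.startswith("-javaagent:"):
            return Path(arg[len("-javaagent:"):].split("=", 1)[0])
    return None


def enabled_modules(args: list[str]) -> set[str]:
    """Modules named by --module=a,b / --modules=a,b lines (what --add-modules writes into start.d)."""
    names: set[str] = set()
    for arg in args:
        if arg.startswith(("--module=", "--modules=")):
            names.update(m.strip() for m in arg.split("=", 1)[1].split(","))
    return names


def check_jetty_base(base: Path) -> list[str]:
    """Return the problems found; an empty list means the base is ready for Step 4."""
    inis = sorted((base / "start.d").glob("*.ini")) + [p for p in [base / "start.ini"] if p.is_file()]
    args = [arg for ini in inis for arg in read_ini_args(ini)]
    problems: list[str] = []
    if "--exec" not in args:
        problems.append("--exec missing: start.jar only applies -javaagent when it forks a JVM")
    jar = javaagent_jar(args)
    if jar is None:
        problems.append("no -javaagent:<jar> line in start.d")
    elif not jar.is_file():
        problems.append(f"agent jar not found: {jar}")
    if JUL_MODULE not in enabled_modules(args):
        problems.append(f"module {JUL_MODULE} not enabled: sensor log output will not be captured")
    jetty_log = base / "resources" / "jetty-logging.properties"
    if not jetty_log.is_file():
        problems.append(f"missing {jetty_log}")
    elif not read_properties(jetty_log).get("com.invicti.LEVEL"):
        problems.append("jetty-logging.properties has no com.invicti.LEVEL entry")
    jul = base / "resources" / "java-util-logging.properties"
    if not jul.is_file():
        problems.append(f"missing {jul}")
    else:
        props = read_properties(jul)
        if SLF4J_BRIDGE not in props.get("handlers", ""):
            problems.append("java-util-logging.properties does not route JUL through SLF4JBridgeHandler")
        if props.get("com.invicti.level", "").upper() != "FINEST":
            problems.append("com.invicti.level is not FINEST as in this guide")
    return problems


def build_example_base(root: Path, with_jar: bool = True) -> Path:
    """Constructed fixture with this guide's files; the agent jar is an empty placeholder file."""
    base, jar = root / "jetty", root / "shark" / "Shark (IAST and SCA).jar"
    for d in (base / "start.d", base / "resources", jar.parent):
        d.mkdir(parents=True)
    if with_jar:
        jar.write_bytes(b"")
    (base / "start.d" / f"{JUL_MODULE}.ini").write_text(f"--module={JUL_MODULE}\n")
    (base / "start.d" / "start.ini").write_text(f"--exec\n-javaagent:{jar}\n-Dacusensor.debug.log=ON\n")
    (base / "resources" / "jetty-logging.properties").write_text(
        "## Set logging levels\norg.eclipse.jetty.LEVEL=INFO\ncom.invicti.LEVEL=TRACE\ncontext.LEVEL=TRACE\n")
    (base / "resources" / "java-util-logging.properties").write_text(
        ".level=INFO\nhandlers=org.slf4j.bridge.SLF4JBridgeHandler\ncom.invicti.useParentHandlers=false\n"
        "com.invicti.handlers = org.slf4j.bridge.SLF4JBridgeHandler\ncom.invicti.level = FINEST\n"
        "java.util.logging.SimpleFormatter.format=%4$s: %5$s [%1$tc]%n\n")
    return base


def selfcheck() -> tuple[list[str], list[str]]:
    """Problems for a complete fixture (expect none) and for one whose agent jar is missing."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as broken:
        return (check_jetty_base(build_example_base(Path(good))),
                check_jetty_base(build_example_base(Path(broken), with_jar=False)))


if __name__ == "__main__":
    import sys
    for line in check_jetty_base(Path(sys.argv[1] if len(sys.argv) > 1 else r"C:\jetty")) or ["OK"]:
        print(line)
```

Run it as python check_shark_base.py C:\jetty (or the Linux jetty.base path); it prints OK when nothing is wrong, otherwise one line per problem. The properties reader deliberately does not handle backslash continuations or escapes, which the two files in this guide do not use.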

Step 4: Deploy your application and start the Jetty server

  1. Once you are ready, from the command line, navigate to your C:\jetty folder, and launch Jetty:

C:\jetty> java -jar start.jar

To confirm that the -javaagent option will be passed to the forked JVM, you can first run java -jar start.jar --list-config, which prints the resolved configuration, including the JVM arguments, without starting the server.

Step 5: Test and scan your web application

  1. Point your browser to your web application to confirm it is running as intended.
  2. Run a scan on your target website URL. The scan summary will confirm that Invicti Shark was detected and used for the scan.