
Invicti IAST for Java - AWS Elastic Beanstalk (Tomcat + WAR File)

This document explains how to run a Java application in AWS Elastic Beanstalk and then use Invicti IAST to run an interactive application security testing (IAST) scan against that application.

warning

The following installation instructions are for the newer version of the Invicti Java IAST sensor. If you are running the older, aspectjweaver-based Java sensor, you must remove the old sensor and any reference to aspectjweaver.jar from the JVM Options before proceeding with installing the newer version of the Invicti Java IAST sensor.

Prerequisites

  • Install Java.
  • Install Eclipse IDE for Enterprise Java and Web Developers.
  • Install Eclipse Extensions from "Web, XML, Java EE and OSGI Enterprise Development":
    • Eclipse Java EE Developer Tools
    • Eclipse Java Web Developer Tools
    • Eclipse Web Developer Tools
    • JST Server Adapters Extensions (Apache Tomcat)

Step 1: Prepare an example application using Eclipse IDE

  1. Go to File > New > Project.
  2. In the New Project wizard, search for and select Dynamic Web Project, then click Next.
  3. Set the Project name field to axexample-java.
  4. Set the Target runtime field to Apache Tomcat v8.5.
  5. Set the Dynamic web module version field to 3.1.
  6. Set the Configuration field to Default Configuration for Apache Tomcat v8.5.
  7. Click Next.
  8. In the Java window, leave the default settings and click Next.
  9. In the Web Module window, enable the Generate web.xml option and click Finish.
  10. In the Open Associated Perspective? dialog, click No.
  11. Expand the axexample-java project.
  12. Right-click src folder.
  13. Select New > Other.
  14. Highlight the Servlet option.
  15. Click Next.
  16. Set the Java package field to com.mytest.axexample.
  17. Set the Class name field to axExampleJavaServlet.
  18. Click Finish.
  19. Edit the contents of the axExampleJavaServlet.java file to read as follows:
    // Package matches the Java package entered in step 16.
    package com.mytest.axexample;

    import java.io.IOException;
    import java.io.PrintWriter;
    import javax.servlet.ServletException;
    import javax.servlet.annotation.WebServlet;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    /**
     * Servlet implementation class axExampleJavaServlet
     */
    @WebServlet("/axExampleJavaServlet")
    public class axExampleJavaServlet extends HttpServlet {
        private static final long serialVersionUID = 1L;

        /**
         * @see HttpServlet#HttpServlet()
         */
        public axExampleJavaServlet() {
            super();
        }

        /**
         * Writes a fixed HTML page; the content type is set explicitly so the browser renders it as HTML.
         * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
         */
        protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
            response.setContentType("text/html");
            PrintWriter out = response.getWriter();
            out.print("<html><body><h1>Test JAVA Site Example for AWS Elastic Beanstalk</h1><br>Welcome to the main page.<br></body></html>");
        }

        /**
         * POST requests are handled exactly like GET requests.
         * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
         */
        protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
            doGet(request, response);
        }
    }
  20. Expand the axexample-java project, right-click the axexample-java/src/main/webapp folder, and select New > File.
  21. Set the filename to index.html and click Finish.
  22. Edit the contents of the index.html file to read as follows:
    <!DOCTYPE html>
    <html>
    <head>
    <title>Test JAVA Site Example for AWS Elastic Beanstalk</title>
    </head>
    <body>
    <h1>Test JAVA Site Example for AWS Elastic Beanstalk</h1>
    <br/><br/>
    <a href="axExampleJavaServlet">Click here to invoke servlet</a>
    </body>
    </html>
  23. Make sure that the changes to both new files are saved.
  24. Right-click the axexample-java project, click the Export option, search for the WAR file option, and select it.
  25. Click Next and select a Destination for your exported WAR file.
  26. Ensure that the filename for your export file is ROOT.war.
  27. Click Finish.

Step 2: Prepare Invicti IAST for Java

In this guide the test application is deployed to http://eb.invictiexample.com; replace this with the hostname you use for your own test deployment.

  1. Create a new Target, replacing http://eb.invictiexample.com with the URL for your chosen hostname.
  2. Download Invicti IAST for Java from Invicti Platform and retain the iastsensor.jar file for the next step.

Step 3: Prepare a folder for your source code bundle

  1. Create a folder C:\axexample-java
  2. Create a folder C:\axexample-java\.ebextensions
  3. Copy your exported ROOT.war file into C:\axexample-java
  4. Copy your iastsensor.jar file into C:\axexample-java\.ebextensions
  5. Using a text editor, create a file C:\axexample-java\.ebextensions\iastsensor.config
  6. Edit the contents of the C:\axexample-java\.ebextensions\iastsensor.config file to read as follows:
    commands:
      01_create_iastsensor_directory:
        command: "mkdir -p /home/iastsensor"
    option_settings:
      aws:elasticbeanstalk:container:tomcat:jvmoptions:
        JVM Options: '-javaagent:/home/iastsensor/iastsensor.jar -Diastsensor.debug.log=ON'
    container_commands:
      01_copy_iastsensor:
        command: "cp .ebextensions/iastsensor.jar /home/iastsensor/iastsensor.jar"
      02_change_iastsensor_dir_permissions:
        command: "sudo chown -R root:root /home/iastsensor"
    info

    The parameter "-Diastsensor.debug.log=ON" is optional, and should ONLY be used for troubleshooting purposes. If this parameter is retained, this will output Invicti IAST logging as additional lines in the Tomcat logs starting with "[Invicti-debug]".

  7. Use Windows Explorer to navigate to C:\axexample-java; press CTRL+A to select both .ebextensions and ROOT.war.
  8. Right-click the selected items and click Send to > Compressed (zipped) folder.
  9. Rename your zip file to axexample-java.zip and retain your zip file for the deployment.
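As an added pre-deployment check (not part of the Invicti guide or product), the following Python script verifies that the three commands in iastsensor.config refer to the same sensor path and that the zip bundle has ROOT.war and .ebextensions at its top level rather than nested inside a wrapper folder; the embedded config is a constructed copy of the one in step 6, and the function and constant names are this example's own.

```python
import os
import re
import zipfile

# Constructed copy of the Step 3 iastsensor.config, embedded so the check runs offline.
SAMPLE_CONFIG = """\
commands:
  01_create_iastsensor_directory:
    command: "mkdir -p /home/iastsensor"
option_settings:
  aws:elasticbeanstalk:container:tomcat:jvmoptions:
    JVM Options: '-javaagent:/home/iastsensor/iastsensor.jar -Diastsensor.debug.log=ON'
container_commands:
  01_copy_iastsensor:
    command: "cp .ebextensions/iastsensor.jar /home/iastsensor/iastsensor.jar"
  02_change_iastsensor_dir_permissions:
    command: "sudo chown -R root:root /home/iastsensor"
"""

# Entries that must sit at the top level of the zip (Step 3, items 7-9).
REQUIRED = ("ROOT.war", ".ebextensions/iastsensor.jar", ".ebextensions/iastsensor.config")
TOKEN = r"([^\s'\"]+)"  # one unquoted path token inside a quoted YAML string


def check_config(text):
    """Return problems in iastsensor.config; an empty list means the mkdir, cp and
    -javaagent paths agree. Plain regexes are used so no YAML module is needed."""
    problems = []
    agent = re.search(r"-javaagent:" + TOKEN, text)
    mkdir = re.search(r"\bmkdir -p " + TOKEN, text)
    copy = re.search(r"\bcp " + TOKEN + " " + TOKEN, text)
    if not (agent and mkdir and copy):
        return ["config must contain -javaagent, mkdir -p and cp entries"]
    if agent.group(1) != copy.group(2):
        problems.append("-javaagent path differs from the cp destination")
    if os.path.dirname(agent.group(1)) != mkdir.group(1):
        problems.append("-javaagent path is not inside the directory mkdir creates")
    if not copy.group(1).startswith(".ebextensions/"):
        problems.append("cp source must be under .ebextensions/ in the bundle")
    return problems


def check_bundle(zip_path):
    """Return layout problems in the source bundle zip (empty list = OK)."""
    with zipfile.ZipFile(zip_path) as zf:
        names = set(zf.namelist())
    problems = [f"missing {name}" for name in REQUIRED if name not in names]
    # Zipping the folder itself instead of its contents nests everything one level down.
    if "ROOT.war" not in names and any(n.endswith("/ROOT.war") for n in names):
        problems.append("ROOT.war is nested in a folder; zip the folder contents instead")
    return problems
```

Run check_config on your edited iastsensor.config text and check_bundle on axexample-java.zip before uploading; both return an empty list when the bundle is consistent.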

Step 4: Deploy your web application to AWS Elastic Beanstalk

  1. From your AWS Dashboard, navigate to Elastic Beanstalk > Environments.
  2. Click Create a new environment.
  3. Set your environment tier to Web server environment, then click Select.
  4. Set the Application name field to the name of your web application. (In this example we used the name axexample-java).
  5. Set the Platform drop-down to Tomcat.
  6. Enable the Upload your code option and click Choose file.
  7. Select your axexample-java.zip source code bundle for upload and click Create environment. AWS Elastic Beanstalk now creates your environment; this can take a few minutes.
  8. When the process is complete, you are sent to your environment's dashboard.
  9. Take note of your environment's new URL which was created automatically by AWS Elastic Beanstalk:
    • You need this to create a CNAME to point to this URL.
    • In this example, we would create a CNAME for eb.invictiexample.com to point to axexamplejava-env.eba-y3m5stqv.us-east-1.elasticbeanstalk.com.
  10. Once the CNAME record has been added (giving time for DNS records to propagate), you can see the web application you have created by browsing to your URL (in this example http://eb.invictiexample.com).

Step 5: Test and scan your web application

  1. Point your browser to your web application - in this example, http://eb.invictiexample.com - to confirm it's running as intended.
  2. Finally, run a scan on your Target. The Vulnerability detail confirms that Invicti IAST was detected and used for the scan.
