Invicti IAST for Java - Windows/Linux (Jetty 10.0.10 + WAR File)
This guide explains how you can run a Java application in Jetty and then use Invicti IAST to run an interactive application security testing (IAST) scan for that application.
Info: This document assumes that you have Jetty installed in C:\jetty. Change the paths accordingly.
Step 1: Prepare Invicti IAST for Java
In this example, the test application is deployed to the following URL: http://127.0.0.1:8080/axexample-java/. In a production environment, you need to change this to the hostname you use for your deployment.
- Create a new Target for your URL.
- Download Invicti IAST for Java from Invicti Platform and retain the iastsensor.jar file for the next step (iastsensor.jar is saved to C:\iastsensor\ in this example). Change the paths accordingly if you are using the Java IAST Sensor on Linux.
Step 2: Prepare your Jetty deployment by installing prerequisites
- Launch Jetty from the C:\jetty folder with the parameters required: --add-modules=annotations,deploy,ext,http,jsp,logging-jul-capture,resources,server --approve-all-licenses
Info: The list of modules might be different for your web application. However, you need to explicitly add logging-jul-capture if you need logging from the IAST sensor: the sensor logs through java.util.logging (JUL), and this module is what routes JUL output into Jetty's own logging.
C:\jetty>java -jar start.jar --add-modules=annotations,deploy,ext,http,jsp,logging-jul-capture,resources,server --approve-all-licenses
INFO : All Licenses Approved via Command Line Option
WARN : creating start.d in ${jetty.home} is not recommended!
Proceed (y/N)? y
INFO : mkdir ${jetty.base}\start.d
INFO : webapp transitively enabled, ini template available with --add-module=webapp
INFO : ext initialized in ${jetty.base}\start.d\ext.ini
INFO : server initialized in ${jetty.base}\start.d\server.ini
INFO : logging-jul-capture initialized in ${jetty.base}\start.d\logging-jul-capture.ini
INFO : servlet transitively enabled
INFO : jsp initialized in ${jetty.base}\start.d\jsp.ini
INFO : annotations initialized in ${jetty.base}\start.d\annotations.ini
INFO : resources initialized in ${jetty.base}\start.d\resources.ini
INFO : threadpool transitively enabled, ini template available with --add-module=threadpool
INFO : plus transitively enabled
INFO : deploy initialized in ${jetty.base}\start.d\deploy.ini
INFO : logging-jetty transitively enabled
INFO : security transitively enabled
INFO : apache-jsp transitively enabled
INFO : jndi transitively enabled
INFO : http initialized in ${jetty.base}\start.d\http.ini
INFO : logging/slf4j transitive provider of logging/slf4j for logging-jetty
INFO : logging/slf4j transitive provider of logging/slf4j for logging-jul-capture
INFO : logging/slf4j dynamic dependency of logging-jetty
INFO : bytebufferpool transitively enabled, ini template available with --add-module=bytebufferpool
INFO : mkdir ${jetty.base}\lib\ext
INFO : download https://repo1.maven.org/maven2/org/slf4j/jul-to-slf4j/2.0.0-alpha6/jul-to-slf4j-2.0.0-alpha6.jar to ${jetty.base}\lib\logging\jul-to-slf4j-2.0.0-alpha6.jar
INFO : mkdir ${jetty.base}\resources
INFO : copy ${jetty.base}\modules\logging\jul\resources\java-util-logging-bridge.properties to ${jetty.base}\resources\java-util-logging.properties
INFO : mkdir ${jetty.base}\webapps
INFO : copy ${jetty.base}\modules\logging\jetty\resources\jetty-logging.properties to ${jetty.base}\resources\jetty-logging.properties
INFO : Base directory was modified
C:\jetty>
Step 3: Deploy Invicti IAST and the required components
- Using a text editor, edit the contents of the C:\jetty\resources\jetty-logging.properties file to read as follows:
# Set logging levels from: ALL, TRACE, DEBUG, INFO, WARN, ERROR, OFF
org.eclipse.jetty.LEVEL=INFO
com.invicti.LEVEL=TRACE
context.LEVEL=TRACE
- Using a text editor, edit the contents of the C:\jetty\resources\java-util-logging.properties file to read as follows:
.level=INFO
handlers=org.slf4j.bridge.SLF4JBridgeHandler
com.invicti.useParentHandlers=false
com.invicti.handlers = org.slf4j.bridge.SLF4JBridgeHandler
com.invicti.level = FINEST
java.util.logging.SimpleFormatter.format=%4$s: %5$s [%1$tc]%n
- Using a text editor, create the file C:\jetty\start.d\start.ini and edit its contents to read as follows. The --exec line makes start.jar fork a new JVM, which is required for the -javaagent and -D options to take effect. The -Diastsensor.debug.log=ON property and the TRACE/FINEST levels configured above are troubleshooting settings; lower them again once the sensor is confirmed to be working.
--exec
-javaagent:C:\iastsensor\iastsensor.jar
-Diastsensor.debug.log=ON
Step 4: Deploy your application and start the Jetty server
- Copy your application's WAR file into the C:\jetty\webapps folder. Once you are ready, from the command line, navigate to your C:\jetty folder and launch Jetty:
C:\jetty> java -jar start.jar
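The same procedure on Linux, as an added example that is not code from the Invicti guide: a bash script that builds a dedicated Jetty base directory (start.jar itself warns against creating start.d inside jetty.home), enables the guide's module list there, writes the two properties files and start.ini from Step 3 with the guide's contents, deploys the WAR, and verifies with start.jar --dry-run that the forked JVM command line actually carries the -javaagent option before the server is started. The paths /opt/jetty-home, /opt/iast-base and /opt/iastsensor/iastsensor.jar and the check_sensor_config helper are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example, not code from the Invicti guide: prepare a dedicated Jetty 10
# base directory on Linux with the Invicti IAST sensor attached as a -javaagent.
# Assumed inputs (use absolute paths; adjust for your environment): the unpacked
# jetty-home directory, a new base directory, the path to iastsensor.jar, and the WAR.
set -eu

# Module list from the guide; logging-jul-capture routes the sensor's
# java.util.logging output into Jetty's logging.
JETTY_MODULES="annotations,deploy,ext,http,jsp,logging-jul-capture,resources,server"

# resources/jetty-logging.properties: Jetty logger levels from the guide.
write_jetty_logging_properties() {
  local base="$1"
  mkdir -p "$base/resources"
  cat > "$base/resources/jetty-logging.properties" <<'EOF'
# Set logging levels from: ALL, TRACE, DEBUG, INFO, WARN, ERROR, OFF
org.eclipse.jetty.LEVEL=INFO
com.invicti.LEVEL=TRACE
context.LEVEL=TRACE
EOF
}

# resources/java-util-logging.properties: bridge the sensor's JUL records to SLF4J.
write_jul_properties() {
  local base="$1"
  mkdir -p "$base/resources"
  cat > "$base/resources/java-util-logging.properties" <<'EOF'
.level=INFO
handlers=org.slf4j.bridge.SLF4JBridgeHandler
com.invicti.useParentHandlers=false
com.invicti.handlers = org.slf4j.bridge.SLF4JBridgeHandler
com.invicti.level = FINEST
java.util.logging.SimpleFormatter.format=%4$s: %5$s [%1$tc]%n
EOF
}

# start.d/start.ini: --exec forks a JVM so the -javaagent and -D options apply.
write_start_ini() {
  local base="$1" sensor_jar="$2"
  mkdir -p "$base/start.d"
  printf -- '--exec\n-javaagent:%s\n-Diastsensor.debug.log=ON\n' "$sensor_jar" \
    > "$base/start.d/start.ini"
}

# Hypothetical helper: succeed only if start.ini names a readable sensor jar, so a
# wrong path fails here instead of silently starting an unmonitored application.
check_sensor_config() {
  local base="$1" jar
  jar=$(sed -n 's/^-javaagent://p' "$base/start.d/start.ini")
  [ -n "$jar" ] && [ -r "$jar" ]
}

# Full flow; needs a JDK and jetty-home on the machine.
setup_and_start() {
  local jetty_home="$1" base="$2" sensor_jar="$3" war="$4"
  mkdir -p "$base/webapps"
  cp "$war" "$base/webapps/"          # the deploy module picks it up from webapps/
  cd "$base"                          # start.jar uses the current directory as jetty.base
  # Enable the modules in the base directory, not in jetty.home.
  java -jar "$jetty_home/start.jar" --add-modules="$JETTY_MODULES" --approve-all-licenses
  # Overwrite the template properties files with the guide's contents.
  write_jetty_logging_properties "$base"
  write_jul_properties "$base"
  write_start_ini "$base" "$sensor_jar"
  check_sensor_config "$base" || { echo "sensor jar not readable: $sensor_jar" >&2; return 1; }
  # Verify the agent is on the forked JVM's command line before starting the server.
  java -jar "$jetty_home/start.jar" --dry-run | grep -qF -- "-javaagent:$sensor_jar" \
    || { echo "agent missing from JVM command line; check start.d/start.ini" >&2; return 1; }
  exec java -jar "$jetty_home/start.jar"
}

if [ "$#" -eq 4 ]; then
  setup_and_start "$@"
else
  echo "usage: $0 JETTY_HOME JETTY_BASE IASTSENSOR_JAR APP_WAR" >&2
fi
```

Run it as ./iast-jetty.sh /opt/jetty-home /opt/iast-base /opt/iastsensor/iastsensor.jar /path/to/axexample-java.war; with Jetty's deploy module the WAR's file name becomes its context path, so that WAR is served at /axexample-java/. The debug property and TRACE/FINEST levels the script writes are the guide's troubleshooting settings; lower them once the scan results confirm the sensor is active.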
Step 5: Test and scan your web application
- Point your browser to your web application to confirm it's running as intended.
- Run a scan on your target. The vulnerability details for each finding confirm that Invicti IAST was detected and used for the scan.