Scanning an Application in Docker Using AcuSensor for Java - Security Boulevard

The following article shows you how you can run a Java application in a Docker container and then use AcuSensor to run an interactive application security testing (IAST) scan for that application.

Step 1: Prepare an Example Application Using Eclipse IDE

  • Go to the menu item File → New → Project
  • In the New Project wizard, search for and select the Dynamic Web Project option and click on the Next > button
  • Perform the following steps:
    • Set the Project name field to HelloWorld
    • Set the Target runtime field to Apache Tomcat v9.0
    • Set the Dynamic web module version field to 4.0
    • Set the Configuration field to Default Configuration for Apache Tomcat v9.0
    • Click on the Finish button

  • In the Open Associated Perspective? dialog, click on the No button
  • Perform the following steps:
    • Expand the HelloWorld project
    • Right-click on the src folder
    • Select the New → Other option
    • Highlight the Servlet option
    • Click on the Next > button

  • Perform the following steps:
    • Set the Java package field to com.mytest.helloworld
    • Set the Class name field to HelloWorldServlet
    • Click on the Finish button

  • Edit the contents to read as follows:
    package com.mytest.helloworld;

    import java.io.IOException;
    import java.io.PrintWriter;
    import javax.servlet.ServletException;
    import javax.servlet.annotation.WebServlet;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    /**
     * Servlet implementation class HelloWorldServlet
     */
    @WebServlet("/HelloWorldServlet")
    public class HelloWorldServlet extends HttpServlet {
        private static final long serialVersionUID = 1L;

        /**
         * @see HttpServlet#HttpServlet()
         */
        public HelloWorldServlet() {
            super();
        }

        /**
         * Answers GET requests with a static HTML page confirming that the servlet ran.
         * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
         */
        protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
            PrintWriter out = response.getWriter();
            out.print("<html><body><h1>Servlet Invoked Successfully!</h1></body></html>");
        }

        /**
         * POST requests are handled exactly like GET requests.
         * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
         */
        protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
            doGet(request, response);
        }

    }

  • Expand the HelloWorld project, right-click on the WebContent folder, and select the New → File option
  • Set the filename to index.html, click on the Finish button, and edit the contents to read as follows:
    <html>
    <head>
    <title>Hello World!</title>
    </head>
    <body>
    <h1>Hello World!</h1><br/><br/>
    <a href="HelloWorldServlet">Click here to invoke servlet</a> 
    </body>
    </html>
    
  • Make sure that the changes to both new files are saved
  • Right-click on the HelloWorld project, click on the Export… option, search for the WAR file option and select it
  • Click on the Next > button and select a Destination for your exported WAR file
  • Click on the Finish button

Step 2: Prepare a Location on Your Docker Host

You must prepare a location on your Docker host that will hold all the resources needed to build your Docker image. To do this, run the following command on the Docker host:

mkdir ~/mynewapp

Step 3: Download and Prepare AspectJWeaver

Run the following commands on the Docker host:

cd ~/mynewapp
wget -c https://repo1.maven.org/maven2/org/aspectj/aspectjweaver/1.9.5/aspectjweaver-1.9.5.jar
mv aspectjweaver-1.9.5.jar aspectjweaver.jar

Step 4: Prepare AcuSensor for Java

We will deploy the test application to the following URL: http://mydockerhostipaddress:8080/helloworld

  • Create a new target for the above URL, replacing mydockerhostipaddress with the IP address of your Docker host
  • Download AcuSensor for Java from the Acunetix UI
  • Copy the AcuSensor.jar file into your Docker host folder ~/mynewapp

Step 5: Prepare the Environment Variables for Tomcat to Use AcuSensor

  • Run the following command on the Docker host; this creates a new setenv.sh file:
    nano ~/mynewapp/setenv.sh

  • Add the following line to the setenv.sh file:
    JAVA_OPTS="$JAVA_OPTS -javaagent:/usr/local/tomcat/lib/aspectjweaver.jar -Dacusensor.debug.log=ON"

  • Exit the Nano editor and save the changes to the setenv.sh file

Step 6: Prepare Your Web Application for Docker

Copy the HelloWorld.war file that you exported in Step 1 into your Docker host folder ~/mynewapp

Step 7: Prepare Your Dockerfile

  • Run the following command on the Docker host:
    nano ~/mynewapp/Dockerfile

  • Enter the following content into your Dockerfile. Note that the setenv.sh file from Step 5 must also be copied into Tomcat's bin directory; catalina.sh sources it from there at start-up, and without it the JAVA_OPTS that load the agent are never applied:
    FROM tomcat:9.0-alpine
    COPY AcuSensor.jar /usr/local/tomcat/lib/AcuSensor.jar
    COPY aspectjweaver.jar /usr/local/tomcat/lib/aspectjweaver.jar
    COPY setenv.sh /usr/local/tomcat/bin/setenv.sh
    COPY HelloWorld.war /usr/local/tomcat/webapps/helloworld.war
    EXPOSE 8080
    CMD ["catalina.sh", "run"]

Step 8: Build Your Image

Run the following commands on the Docker host:

cd ~/mynewapp
docker build -t mynewapp:test .

Step 9: Start a Container Based on Your New Image

Run the following command on the Docker host:

docker run --publish 8080:8080 --detach --name myapp mynewapp:test

Step 10: Confirm That Your New Web Application Works

To confirm that your new web application works, point your browser to your Docker container: http://mydockerhostipaddress:8080/helloworld

Step 11: Launch an Acunetix Scan Against the Target

Run an Acunetix scan using http://mydockerhostipaddress:8080/helloworld as the target.

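As an added example that is not part of the original post, the following POSIX shell script automates Steps 2 through 10: it writes the setenv.sh and Dockerfile from Steps 5 and 7 into a build context (also copying setenv.sh into Tomcat's bin directory, which catalina.sh sources at start-up), checks that every file the Dockerfile copies is present before building, then builds, starts and verifies the container. The function names, the start-up delay and the PID 1 check are assumptions of this example; the download URL, image tag, container name and paths are the post's own.

```shell
# Added example, not from the original post: builds the ~/mynewapp context from
# Steps 2-7, checks it before building, then runs Steps 8-10 and verifies them.
set -e

ASPECTJ_URL="https://repo1.maven.org/maven2/org/aspectj/aspectjweaver/1.9.5/aspectjweaver-1.9.5.jar"

# Write setenv.sh (Step 5) and the Dockerfile (Step 7) into build context $1.
write_build_context() {
  ctx="$1"
  mkdir -p "$ctx"
  cat > "$ctx/setenv.sh" <<'EOF'
JAVA_OPTS="$JAVA_OPTS -javaagent:/usr/local/tomcat/lib/aspectjweaver.jar -Dacusensor.debug.log=ON"
EOF
  cat > "$ctx/Dockerfile" <<'EOF'
FROM tomcat:9.0-alpine
COPY AcuSensor.jar /usr/local/tomcat/lib/AcuSensor.jar
COPY aspectjweaver.jar /usr/local/tomcat/lib/aspectjweaver.jar
COPY setenv.sh /usr/local/tomcat/bin/setenv.sh
COPY HelloWorld.war /usr/local/tomcat/webapps/helloworld.war
EXPOSE 8080
CMD ["catalina.sh", "run"]
EOF
}

# Fail early if any file the Dockerfile COPYs is absent, or if setenv.sh has
# lost the -javaagent flag: otherwise the image still builds and serves the
# app, but Tomcat starts without the sensor and the scan gets no IAST feedback.
check_build_context() {
  ctx="$1"
  for f in AcuSensor.jar aspectjweaver.jar HelloWorld.war setenv.sh; do
    [ -f "$ctx/$f" ] || { echo "missing $ctx/$f" >&2; return 1; }
  done
  grep -q -- '-javaagent:/usr/local/tomcat/lib/aspectjweaver.jar' "$ctx/setenv.sh"
}

# Steps 8-10: fetch the weaver if needed, build, start, wait for Tomcat, then
# confirm index.html is served and that -javaagent reached the JVM command line
# (assumes, as in the official image, that catalina.sh run execs java as PID 1).
build_and_run() {
  ctx="$1"; host="$2"
  [ -f "$ctx/aspectjweaver.jar" ] || wget -c -O "$ctx/aspectjweaver.jar" "$ASPECTJ_URL"
  check_build_context "$ctx"
  docker build -t mynewapp:test "$ctx"
  docker run --publish 8080:8080 --detach --name myapp mynewapp:test
  sleep 15
  curl -fsS "http://$host:8080/helloworld/" | grep -q 'Hello World!'
  docker exec myapp sh -c "tr '\0' ' ' < /proc/1/cmdline" | grep -q -- '-javaagent:'
}
```

Run `write_build_context ~/mynewapp`, copy AcuSensor.jar and HelloWorld.war into that folder, then `build_and_run ~/mynewapp mydockerhostipaddress`; a non-zero exit from the last function means the app or the agent did not come up.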

THE AUTHOR
Kevin Attard Compagno
Technical Writer

Kevin Attard Compagno is a Technical Writer working for Acunetix. A technical writer, translator, and general IT buff for over 30 years, Kevin used to run Technical Support teams and create training documents and other material for in-house technical staff.


*** This is a Security Bloggers Network syndicated blog from Web Security Blog – Acunetix authored by Kevin Attard Compagno. Read the original post at: http://feedproxy.google.com/~r/acunetixwebapplicationsecurityblog/~3/dI6HCZbMWXc/