Scanning an Application in Docker Using AcuSensor for Java

The following article shows you how you can run a Java application in a Docker container and then use AcuSensor to run an interactive application security testing (IAST) scan for that application.

Step 1: Prepare an Example Application Using Eclipse IDE

  • Go to the menu item File → New → Project
  • In the New Project wizard, search for and select the Dynamic Web Project option and click on the Next > button
  • Perform the following steps:
    • Set the Project name field to HelloWorld
    • Set the Target runtime field to Apache Tomcat v9.0
    • Set the Dynamic web module version field to 4.0
    • Set the Configuration field to Default Configuration for Apache Tomcat v9.0
    • Click on the Finish button

  • In the Open Associated Perspective? dialog, click on the No button
  • Perform the following steps:
    • Expand the HelloWorld project
    • Right-click on the src folder
    • Select the New → Other option
    • Highlight the Servlet option
    • Click on the Next > button

  • Perform the following steps:
    • Set the Java package field to com.mytest.helloworld
    • Set the Class name field to HelloWorldServlet
    • Click on the Finish button

  • Edit the contents to read as follows:

package com.mytest.helloworld;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet implementation class HelloWorldServlet
 */
@WebServlet("/HelloWorldServlet")
public class HelloWorldServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    /**
     * @see HttpServlet#HttpServlet()
     */
    public HelloWorldServlet() {
        super();
        // TODO Auto-generated constructor stub
    }

    /**
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Respond with a minimal HTML page so the scan has a request to instrument
        PrintWriter out = response.getWriter();
        out.print("<html><body><h1>Servlet Invoked Successfully!</h1></body></html>");
    }

    /**
     * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
     */
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // TODO Auto-generated method stub
        doGet(request, response);
    }
}
  • Expand the HelloWorld project, right-click on the WebContent folder, and select the New → File option
  • Set the filename to index.html, click on the Finish button, and edit the contents to read as follows:

<html>
  <head>
    <title>Hello World!</title>
  </head>
  <body>
    <h1>Hello World!</h1><br/><br/>
    <a href="HelloWorldServlet">Click here to invoke servlet</a>
  </body>
</html>
  • Make sure that the changes to both new files are saved
  • Right-click on the HelloWorld project, click on the Export… option, search for the WAR file option and select it
  • Click on the Next > button and select a Destination for your exported WAR file
  • Click on the Finish button

Step 2: Prepare a Location on Your Docker Host

You must prepare a location on your Docker host to hold all the resources needed to build your Docker container. To do this, run the following command on the Docker host:

mkdir ~/mynewapp

Step 3: Download and Prepare AspectJWeaver

Run the following commands on the Docker host:

cd ~/mynewapp
wget -c https://repo1.maven.org/maven2/org/aspectj/aspectjweaver/1.9.5/aspectjweaver-1.9.5.jar
mv aspectjweaver-1.9.5.jar aspectjweaver.jar

Step 4: Prepare AcuSensor for Java

We will deploy the test application to the following URL: http://mydockerhostipaddress:8080/helloworld

  • Create a new target for the above URL, replacing mydockerhostipaddress with the IP address of your Docker host
  • Download AcuSensor for Java from the Acunetix UI
  • Copy the AcuSensor.jar file into your Docker host folder ~/mynewapp

Step 5: Prepare the Environment Variables for Tomcat to Use AcuSensor

  • Run the following command on the Docker host; this creates a new setenv.sh file:

nano ~/mynewapp/setenv.sh

  • Add the following line to the setenv.sh file:

JAVA_OPTS="$JAVA_OPTS -javaagent:/usr/local/tomcat/lib/aspectjweaver.jar -Dacusensor.debug.log=ON"
  • Exit the Nano editor and save the changes to the setenv.sh file

Step 6: Prepare Your Web Application for Docker

Copy the HelloWorld.war file that you created into your Docker host folder ~/mynewapp

Step 7: Prepare Your Dockerfile

  • Run the following command on the Docker host:

nano ~/mynewapp/Dockerfile

  • Enter the following content into your Dockerfile (the setenv.sh line is required: Tomcat's catalina.sh reads JAVA_OPTS from bin/setenv.sh, so the file from Step 5 must be inside the image for the agent to load):

FROM tomcat:9.0-alpine
COPY AcuSensor.jar /usr/local/tomcat/lib/AcuSensor.jar
COPY aspectjweaver.jar /usr/local/tomcat/lib/aspectjweaver.jar
# Ship the JAVA_OPTS from Step 5 so catalina.sh loads the AspectJ weaver agent
COPY setenv.sh /usr/local/tomcat/bin/setenv.sh
COPY HelloWorld.war /usr/local/tomcat/webapps/helloworld.war
EXPOSE 8080
CMD ["catalina.sh", "run"]
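Tomcat's catalina.sh only applies the JAVA_OPTS from setenv.sh if that file sits in Tomcat's bin directory inside the image, and the -javaagent path it names must match a COPY destination in the Dockerfile; if either is missing, the container starts but AcuSensor is never loaded and the IAST scan silently degrades to a plain DAST scan. The script below is an added example (not code from the Acunetix article) that cross-checks a Dockerfile against a setenv.sh before the image is built. The function and file names are my own, and the two Dockerfiles and the setenv.sh it checks are constructed inline: one Dockerfile omits the setenv.sh COPY line, the other includes it.

```shell
#!/bin/sh
# Added example, not part of the Acunetix article: check that a Dockerfile
# actually wires up the agent configured in setenv.sh before building it.

# Print the destination path of every shell-form COPY instruction.
copy_destinations() {
  awk 'toupper($1) == "COPY" { print $NF }' "$1"
}

# Print each -javaagent:<path> found in setenv.sh, dropping any =<options>
# suffix and the surrounding JAVA_OPTS quoting.
javaagent_paths() {
  grep -o -e '-javaagent:[^ "]*' "$1" | sed 's/^-javaagent://; s/=.*$//'
}

# Return 0 when setenv.sh is copied into a Tomcat bin directory and every
# agent jar it references is a COPY destination; otherwise print what is
# missing and return 1.
check_agent_wiring() {
  dockerfile="$1"
  setenv="$2"
  rc=0
  dests=$(copy_destinations "$dockerfile")

  case "$dests" in
    */bin/setenv.sh*) ;;
    *) echo "missing: setenv.sh is never copied into a Tomcat bin directory"; rc=1 ;;
  esac

  for agent in $(javaagent_paths "$setenv"); do
    found=0
    for d in $dests; do
      [ "$d" = "$agent" ] && found=1
    done
    if [ "$found" -eq 0 ]; then
      echo "missing: agent jar $agent is not a COPY destination"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample inputs written to a temporary directory.
work=$(mktemp -d)
cat > "$work/setenv.sh" <<'EOF'
JAVA_OPTS="$JAVA_OPTS -javaagent:/usr/local/tomcat/lib/aspectjweaver.jar -Dacusensor.debug.log=ON"
EOF
# Dockerfile that copies the jars but forgets setenv.sh.
cat > "$work/Dockerfile.nosetenv" <<'EOF'
FROM tomcat:9.0-alpine
COPY AcuSensor.jar /usr/local/tomcat/lib/AcuSensor.jar
COPY aspectjweaver.jar /usr/local/tomcat/lib/aspectjweaver.jar
COPY HelloWorld.war /usr/local/tomcat/webapps/helloworld.war
EXPOSE 8080
CMD ["catalina.sh", "run"]
EOF
# Dockerfile that also ships setenv.sh into Tomcat's bin directory.
cat > "$work/Dockerfile.fixed" <<'EOF'
FROM tomcat:9.0-alpine
COPY AcuSensor.jar /usr/local/tomcat/lib/AcuSensor.jar
COPY aspectjweaver.jar /usr/local/tomcat/lib/aspectjweaver.jar
COPY setenv.sh /usr/local/tomcat/bin/setenv.sh
COPY HelloWorld.war /usr/local/tomcat/webapps/helloworld.war
EXPOSE 8080
CMD ["catalina.sh", "run"]
EOF

check_agent_wiring "$work/Dockerfile.nosetenv" "$work/setenv.sh" \
  && echo "Dockerfile.nosetenv: ok" || echo "Dockerfile.nosetenv: agent not wired up"
check_agent_wiring "$work/Dockerfile.fixed" "$work/setenv.sh" \
  && echo "Dockerfile.fixed: ok" || echo "Dockerfile.fixed: agent not wired up"
```

Run it as `sh check_agent_wiring.sh` (or source it and call `check_agent_wiring Dockerfile setenv.sh` from ~/mynewapp). It only understands the shell-form `COPY src dest` used in this article, not the JSON-array form, and it checks paths, not that the jars are real; the definitive confirmation is still Tomcat's startup output once the container runs.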

Step 8: Build Your Image

Run the following commands on the Docker host:

cd ~/mynewapp
docker build -t mynewapp:test .

Step 9: Start a Container Based on Your New Image

Run the following commands on the Docker host:

docker run --publish 8080:8080 --detach --name myapp mynewapp:test

Step 10: Confirm That Your New Web Application Works

To confirm that your new web application works, point your browser to your Docker container: http://mydockerhostipaddress:8080/helloworld

Step 11: Launch an Acunetix Scan Against the Target

Run an Acunetix scan using http://mydockerhostipaddress:8080/helloworld as the target.
Source: https://www.acunetix.com/blog/docs/docker-acusensor-java/