Downloading and deploying the Java IAST agent on the web server

You must download and deploy an IAST agent on the tested application's web server so that it can monitor the traffic the application receives at runtime and report the vulnerabilities it finds.

Before you begin

  • The tested application should be installed on the web server.
  • You must create an application in the Portfolio tab of the Monitor view in AppScan Enterprise. For more information on creating an application in AppScan Enterprise, see Creating an application.

About this task

This section helps you to download and deploy the Java IAST agent on the tested application's web server.

Procedure

  1. Log in to AppScan Enterprise Server.
  2. Go to the Monitor page > Portfolio tab to view the list of applications available.
  3. Click the application for which you want to download an IAST agent.
    The application page is displayed. For more information on creating an application, see Creating an application.
  4. In the left pane, click IAST Agents.
    The IAST agents page is displayed on the right pane.
  5. Click Create a new Agent.
    The Getting started with IAST page is displayed.
  6. Click Create a new Agent.
    The IAST agent creation page is displayed.
  7. From the Agent Type drop-down list, select the language in which the tested application is developed.
    Note: The IAST feature supports Java, .NET, and Node.js applications.
  8. In the Agent Name box, enter a unique name for the agent you are creating for the application. The agent name can contain alphanumeric and special characters and can be at most 30 characters long.
  9. Click Download Agent. The Check your downloads folder message is displayed and the AppScanIASTAgent file is downloaded to the system’s default download folder.
  10. Extract the AppScanIASTAgent file to a folder.
  11. You can deploy the Java IAST agent using either of the following types of files:
    1. Using a WAR file
    2. Using a JAR file
    Note: For the Java IAST agent, the JAR and WAR files carry the same communication token, so both report to the same IAST session. This is useful when some of your applications are deployed as WAR files and others run as standalone JARs.
  12. If both the compile-time and the runtime Java versions are 9 or later, add the following Java property to the Java run command: -Djava.lang.invoke.stringConcat=BC_SB
    Note: The option starts with an ASCII hyphen (-D...); a dash character copied from a formatted document is rejected by the JVM. From Java 9, javac compiles string concatenation to invokedynamic calls; this property makes the JDK implement them with StringBuilder bytecode that the agent can instrument. Classes compiled for Java 8 or earlier do not use invokedynamic concatenation, so the property is not needed for them, and setting it anyway is harmless.

Results

The IAST agent is deployed on the web server of the tested application. You can now view all the issues detected by IAST agents on the application's monitor page.

Deploying the Java IAST Agent using a WAR file

Procedure

  1. Deploy the Secagent.war file on the tested application's web server.
  2. Interact (run functional tests, run a Dynamic scan, or explore the application manually) with the tested application for the IAST agent to monitor the requests and report the security issues.
    Note: An IAST scan does not send any requests of its own. It can discover issues only in requests that reach the tested application from another source, such as system tests, manual exploring, or a DAST scan.
  3. Go to the application's page and click All Issues in the left pane to view the list of security vulnerabilities discovered.
    Note: Use the filter Discovery Method=IAST to view only the issues found by IAST.

Deploying the Java IAST Agent using a JAR file

Procedure

  1. In the jar_deployment folder, locate the Secagent.jar file.
  2. Copy the Secagent.jar file to the root directory of the application.
  3. Add the following flag to your application's command line: -javaagent:<path to Secagent.jar>
    Note: The flag is -javaagent (a JVM option), not a -D system property. The path must match the actual file name, including case, because file names are case-sensitive on Linux and other UNIX-like systems.
    Example:

    For a shopping website:

    java -javaagent:secagent.jar -jar ./shopping/target/shopping-0.9.0-SNAPSHOT.jar 
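The following launcher script is an added example and is not part of the AppScan product or its documentation. It combines steps 3 and 12 above: it verifies that the agent JAR is present, reads the runtime Java version, and adds -Djava.lang.invoke.stringConcat=BC_SB only when the runtime is Java 9 or later. The JAR paths, the application name (shopping-0.9.0-SNAPSHOT.jar) and the assumption that java is on PATH are placeholders for illustration; the script cannot see the compile-time Java version, so it relies on the harmless default of adding the property whenever the runtime is 9+.

```shell
#!/bin/sh
# Added example launcher for a JAR-based application instrumented with the
# AppScan Java IAST agent. Assumed layout: Secagent.jar copied next to the
# application JAR, `java` available on PATH.

# Extract the major version from a `java -version` string.
# "1.8.0_292" -> 8, "11.0.12" -> 11, "17.0.2" -> 17, "21-ea" -> 21
java_major() {
  v=${1%%.*}
  if [ "$v" = "1" ]; then
    rest=${1#1.}          # legacy 1.x scheme: the minor number is the major
    v=${rest%%.*}
  fi
  v=${v%%-*}              # drop early-access suffixes such as "-ea"
  printf '%s\n' "$v"
}

# Fail early if the agent JAR is missing; a wrong path or wrong case makes the
# JVM abort at startup with an error that is easy to miss in a service log.
check_agent_jar() {
  if [ ! -f "$1" ]; then
    echo "IAST agent JAR not found: $1 (check the path and its case)" >&2
    return 1
  fi
}

# Build the JVM options for the agent: always -javaagent, plus the string
# concatenation property when the runtime is Java 9 or later (step 12).
agent_jvm_opts() {
  major=$(java_major "$1")
  opts="-javaagent:$2"
  if [ "$major" -ge 9 ]; then
    opts="$opts -Djava.lang.invoke.stringConcat=BC_SB"
  fi
  printf '%s\n' "$opts"
}

# Usage: ./run-with-iast.sh ./shopping/target/shopping-0.9.0-SNAPSHOT.jar [path/to/Secagent.jar]
main() {
  app_jar=$1
  agent_jar=${2:-./Secagent.jar}
  check_agent_jar "$agent_jar" || return 1
  # `java -version` prints to stderr, e.g. openjdk version "17.0.2" 2022-01-18
  ver=$(java -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p' | head -n 1)
  [ -n "$ver" ] || { echo "could not determine the Java version" >&2; return 1; }
  # Intentional word splitting: the options string holds two separate arguments.
  exec java $(agent_jvm_opts "$ver" "$agent_jar") -jar "$app_jar"
}

if [ $# -ge 1 ]; then main "$@"; fi
```

Run the script with the application JAR as its first argument; with no arguments it only defines the functions, which makes it easy to source and test. The constructed version strings in the comments cover the two version schemes the JDK has used, so the same check works for Java 8 and for any later release.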

Results

As you use or test your application (run functional tests, run a Dynamic Scan, or explore the application manually), the IAST agent monitors the requests and reports the security issues.

Running a Java agent with security manager

About this task

You can run the Java agent with security manager:

  • As a war file on Tomcat or
  • As a jar file on servers other than Tomcat. Contact the AppScan support team for guidance.

To run the Java agent with security manager as war on Tomcat:

Procedure

  1. Locate the catalina.policy file.
    The catalina.policy file is usually located in the Tomcat installation configuration directory. The exact path might vary depending on your operating system and Tomcat version.
  2. Open the catalina.policy file in a text editor.
  3. Locate the general "grant" block.
    Look for a block that starts with the bare keyword "grant" (not "grant codeBase ...") followed by one or more "permission" statements; the permissions in this block apply to every web application.
  4. Add the required permissions as follows:
    1. Inside the "grant" block, add the following permission:
      permission java.lang.RuntimePermission "net.bytebuddy.*";
    2. At the end of the file, add the following permission:
      grant codeBase "file:${catalina.base}/webapps/Secagent/-" {
         permission java.security.AllPermission;
      };
  5. Save the catalina.policy file.
  6. Restart the Tomcat server to apply the changes.
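The following script is an added example and is not AppScan or Tomcat code. It applies the two policy additions from step 4 in a repeatable way and checks the result, which is useful when Tomcat is provisioned by automation rather than edited by hand. It assumes the general "grant" block is the one that begins with the bare keyword grant on its own line, and that the agent is deployed under webapps/Secagent as in the grant codeBase entry above; the sample policy text it works on is constructed for the test and is not the real catalina.policy.

```shell
#!/bin/sh
# Added example: add the IAST agent permissions to a Tomcat catalina.policy
# idempotently and verify that both entries are present.

# Constructed stand-in for the web-application grant block of catalina.policy
# (the real file contains many more blocks; this is only test input).
sample_policy() {
  cat <<'EOF'
grant {
        permission java.util.PropertyPermission "java.home", "read";
        permission java.util.PropertyPermission "java.vm.version", "read";
};
EOF
}

# Return 0 only when both permissions from step 4 are present.
agent_policy_ok() {
  grep -q 'RuntimePermission "net.bytebuddy' "$1" &&
  grep -q 'webapps/Secagent/-' "$1"
}

# Insert the Byte Buddy RuntimePermission right after the first bare
# "grant {" line, and append the AllPermission grant for the agent's codeBase.
# Each edit is skipped when its entry already exists, so re-running is safe.
add_agent_permissions() {
  policy=$1
  if ! grep -q 'RuntimePermission "net.bytebuddy' "$policy"; then
    awk '
      { print }
      !done && /^grant[[:space:]]*[{]/ {
        print "        permission java.lang.RuntimePermission \"net.bytebuddy.*\";"
        done = 1
      }' "$policy" > "$policy.tmp" && mv "$policy.tmp" "$policy"
  fi
  if ! grep -q 'webapps/Secagent/-' "$policy"; then
    # Quoted heredoc: ${catalina.base} must reach the file unexpanded,
    # because Tomcat's policy loader resolves it, not the shell.
    cat >> "$policy" <<'EOF'

grant codeBase "file:${catalina.base}/webapps/Secagent/-" {
   permission java.security.AllPermission;
};
EOF
  fi
}

# Usage: ./iast-policy.sh /opt/tomcat/conf/catalina.policy
# Afterwards restart Tomcat with the security manager enabled, for example
#   $CATALINA_HOME/bin/catalina.sh start -security
if [ $# -ge 1 ]; then
  add_agent_permissions "$1"
  agent_policy_ok "$1" && echo "IAST agent permissions present in $1"
fi
```

The AllPermission grant is scoped by codeBase to the agent's own deployment directory, so it does not widen what other web applications on the same Tomcat instance may do; keep that path in sync with the context name you actually deploy the WAR under.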