The following article shows you how you can run a Java application in a Docker container and then use AcuSensor to run an interactive application security testing (IAST) scan for that application.

Step 1: Prepare an Example Application Using Eclipse IDE

  • Go to the menu item File → New → Project
  • In the New Project wizard, search for and select the Dynamic Web Project option and click on the Next > button
  • Perform the following steps:
    • Set the Project name field to HelloWorld
    • Set the Target runtime field to Apache Tomcat v9.0
    • Set the Dynamic web module version field to 4.0
    • Set the Configuration field to Default Configuration for Apache Tomcat v9.0
    • Click on the Finish button

  • In the Open Associated Perspective? dialog, click on the No button
  • Perform the following steps:
    • Expand the HelloWorld project
    • Right-click on the src folder
    • Select the New → Other option
    • Highlight the Servlet option
    • Click on the Next > button

  • Perform the following steps:
    • Set the Java package field to com.mytest.helloworld
    • Set the Class name field to HelloWorldServlet
    • Click on the Finish button

  • Edit the contents to read as follows:

package com.mytest.helloworld;

import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Servlet implementation class HelloWorldServlet.
 * Mapped to /HelloWorldServlet, relative to the web application's context path.
 */
@WebServlet("/HelloWorldServlet")
public class HelloWorldServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;

    public HelloWorldServlet() {
        super();
    }

    /**
     * Handles GET requests by returning a fixed HTML page.
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/html;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.print("<html><body><h1>Servlet Invoked Successfully!</h1></body></html>");
    }

    /**
     * POST requests are handled exactly like GET requests.
     */
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        doGet(request, response);
    }
}
  • Expand the HelloWorld project, right-click on the WebContent folder, and select the New → File option
  • Set the filename to index.html, click on the Finish button, and edit the contents to read as follows:

<html>
<head>
<title>Hello World!</title>
</head>
<body>
<h1>Hello World!</h1><br/><br/>
<a href="HelloWorldServlet">Click here to invoke servlet</a>
</body>
</html>
  • Make sure that the changes to both new files are saved
  • Right-click on the HelloWorld project, click on the Export… option, search for the WAR file option and select it
  • Click on the Next > button and select a Destination for your exported WAR file
  • Click on the Finish button

Step 2: Prepare a Location on Your Docker Host

You must prepare a location on your Docker host to hold all the resources needed to build your Docker image. To do this, run the following command on the Docker host:

mkdir ~/mynewapp

Step 3: Download and Prepare AspectJWeaver

Run the following commands on the Docker host:

cd ~/mynewapp
wget -c https://repo1.maven.org/maven2/org/aspectj/aspectjweaver/1.9.5/aspectjweaver-1.9.5.jar
mv aspectjweaver-1.9.5.jar aspectjweaver.jar

Step 4: Prepare AcuSensor for Java

We will deploy the test application to the following URL: http://mydockerhostipaddress:8080/helloworld

  • In Acunetix, create a new target for the above URL, replacing mydockerhostipaddress with the IP address of your Docker host
  • Download AcuSensor for Java from the Acunetix UI
  • Copy the AcuSensor.jar file into your Docker host folder ~/mynewapp

Step 5: Prepare the Environment Variables for Tomcat to Use AcuSensor

  • Run the following command on the Docker host to create a new setenv.sh file:

nano ~/mynewapp/setenv.sh

  • Add the following line to the setenv.sh file. Tomcat's startup script sources this file from /usr/local/tomcat/bin/setenv.sh inside the container, so the -javaagent path must match the location the Dockerfile copies aspectjweaver.jar to:

JAVA_OPTS="$JAVA_OPTS -javaagent:/usr/local/tomcat/lib/aspectjweaver.jar -Dacusensor.debug.log=ON"

  • Exit the Nano editor and save the changes to the setenv.sh file

Step 6: Prepare Your Web Application for Docker

Copy the HelloWorld.war file that you exported in Step 1 into your Docker host folder ~/mynewapp

Step 7: Prepare Your Dockerfile

  • Run the following command on the Docker host:

nano ~/mynewapp/Dockerfile

  • Enter the following content into your Dockerfile. The COPY of setenv.sh is required: Tomcat only reads /usr/local/tomcat/bin/setenv.sh from inside the container, so if the file stays on the host the -javaagent option from Step 5 is never applied and AcuSensor is not loaded, even though the application itself still works:

FROM tomcat:9.0-alpine
COPY AcuSensor.jar /usr/local/tomcat/lib/AcuSensor.jar
COPY aspectjweaver.jar /usr/local/tomcat/lib/aspectjweaver.jar
COPY setenv.sh /usr/local/tomcat/bin/setenv.sh
COPY HelloWorld.war /usr/local/tomcat/webapps/helloworld.war
EXPOSE 8080
CMD ["catalina.sh", "run"]

Step 8: Build Your Image

Run the following commands on the Docker host:

cd ~/mynewapp
docker build -t mynewapp:test .

Step 9: Start a Container Based on Your New Image

Run the following command on the Docker host:

docker run --publish 8080:8080 --detach --name myapp mynewapp:test

Step 10: Confirm That Your New Web Application Works

To confirm that your new web application works, point your browser to your Docker container: http://mydockerhostipaddress:8080/helloworld
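The following script is an added example and is not part of the original article. It performs Steps 2 to 10 in one go and adds the two checks the procedure above leaves out: that the build context is internally consistent before docker build runs (the -javaagent path in setenv.sh must be the destination of a COPY line in the Dockerfile, and setenv.sh itself must be installed into Tomcat's bin directory), and that the agent is actually present on the Java command line of the running container, since a working /helloworld page proves nothing about the sensor. Everything not in the article is an assumption: the script name and its run argument, the use of curl and sha1sum on the host, and the .sha1 file that Maven Central publishes next to the AspectJ jar, which is used to verify the download.

```shell
#!/bin/sh
# Added example, not from the Acunetix article: automates Steps 2-10 and
# checks the build context and the running container. Assumptions beyond the
# article: wget, curl, sha1sum and docker are on the host; the image, container
# and path names are the article's own.
set -eu

ASPECTJ_URL=https://repo1.maven.org/maven2/org/aspectj/aspectjweaver/1.9.5/aspectjweaver-1.9.5.jar
AGENT_JAR=/usr/local/tomcat/lib/aspectjweaver.jar   # in-container path used by -javaagent

# Steps 5 and 7: write setenv.sh and the Dockerfile into build context $1.
# The Dockerfile COPYs setenv.sh into bin/, because Tomcat's catalina.sh only
# sources $CATALINA_HOME/bin/setenv.sh inside the container.
write_build_context() {
  dir=$1
  mkdir -p "$dir"
  cat > "$dir/setenv.sh" <<EOF
JAVA_OPTS="\$JAVA_OPTS -javaagent:$AGENT_JAR -Dacusensor.debug.log=ON"
EOF
  cat > "$dir/Dockerfile" <<EOF
FROM tomcat:9.0-alpine
COPY AcuSensor.jar /usr/local/tomcat/lib/AcuSensor.jar
COPY aspectjweaver.jar $AGENT_JAR
COPY setenv.sh /usr/local/tomcat/bin/setenv.sh
COPY HelloWorld.war /usr/local/tomcat/webapps/helloworld.war
EXPOSE 8080
CMD ["catalina.sh", "run"]
EOF
}

# Step 3: download aspectjweaver.jar into $1 and verify it against the .sha1
# file that Maven Central publishes next to every artifact.
fetch_aspectjweaver() {
  dir=$1
  ( cd "$dir" && wget -c "$ASPECTJ_URL" && mv -f "${ASPECTJ_URL##*/}" aspectjweaver.jar )
  expected=$(wget -q -O - "$ASPECTJ_URL.sha1" | awk '{print $1}')
  echo "$expected  $dir/aspectjweaver.jar" | sha1sum -c - >/dev/null
}

# Return 0 only if the build context is consistent: setenv.sh names an agent
# jar, the Dockerfile copies that exact jar and installs setenv.sh, and every
# COPY source exists on the host. Run this before `docker build`.
check_build_context() {
  dir=$1
  agent=$(sed -n 's/.*-javaagent:\([^ "]*\).*/\1/p' "$dir/setenv.sh")
  [ -n "$agent" ] || { echo "setenv.sh has no -javaagent option" >&2; return 1; }
  grep -q "^COPY [^ ]* $agent\$" "$dir/Dockerfile" \
    || { echo "Dockerfile never copies $agent" >&2; return 1; }
  grep -q '^COPY setenv.sh /usr/local/tomcat/bin/setenv.sh$' "$dir/Dockerfile" \
    || { echo "Dockerfile does not install setenv.sh" >&2; return 1; }
  for src in $(awk '$1 == "COPY" { print $2 }' "$dir/Dockerfile"); do
    [ -f "$dir/$src" ] || { echo "missing build input: $src" >&2; return 1; }
  done
}

# Return 0 if a process in container $1 was started with our -javaagent option.
# Step 10's browser check cannot tell this: the page loads either way.
agent_loaded() {
  docker exec "$1" sh -c 'cat /proc/[0-9]*/cmdline | tr "\000" " "' \
    | grep -q -- "-javaagent:$AGENT_JAR"
}

# Steps 2-10 end to end. AcuSensor.jar (from the Acunetix UI) and
# HelloWorld.war (Step 1) must already be in the build context.
main() {
  ctx=$1
  write_build_context "$ctx"
  fetch_aspectjweaver "$ctx"
  check_build_context "$ctx"
  docker build -t mynewapp:test "$ctx"
  docker run --publish 8080:8080 --detach --name myapp mynewapp:test
  for _ in 1 2 3 4 5 6; do                  # wait up to ~30 s for Tomcat
    curl -fsS http://localhost:8080/helloworld/ >/dev/null && break
    sleep 5
  done
  curl -fsS http://localhost:8080/helloworld/ >/dev/null
  if agent_loaded myapp; then
    echo "AcuSensor agent is loaded; the target is ready for an IAST scan"
  else
    echo "agent not found on the container's Java command line" >&2
    exit 1
  fi
}

# Usage: sh build_and_run.sh run [build-dir]   (default: ~/mynewapp)
if [ "${1:-}" = run ]; then
  main "${2:-$HOME/mynewapp}"
fi
```

Run it as sh build_and_run.sh run after copying AcuSensor.jar and HelloWorld.war into ~/mynewapp. Without the run argument the script only defines the functions, so it can be sourced to run check_build_context or agent_loaded against a build directory or container you already have.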

Step 11: Launch an Acunetix Scan Against the Target

Run an Acunetix scan against the target you created in Step 4 (http://mydockerhostipaddress:8080/helloworld).

Source: https://www.acunetix.com/blog/docs/docker-acusensor-java/