Scanning an Application in Docker Using AcuSensor for Java

The following article shows you how you can run a Java application in a Docker container and then use AcuSensor to run an interactive application security testing (IAST) scan for that application.

Step 1: Prepare an Example Application Using Eclipse IDE

• Go to the menu item File → New → Project
• In the New Project wizard, search for and select the Dynamic Web Project option and click on the Next > button

  

• Perform the following steps:
  • Set the Project name field to HelloWorld
  • Set the Target runtime field to Apache Tomcat v9.0
  • Set the Dynamic web module version field to 4.0
  • Set the Configuration field to Default Configuration for Apache Tomcat v9.0
  • Click on the Finish button

  

• In the Open Associated Perspective? dialog, click on the No button

  

• Perform the following steps:
  • Expand the HelloWorld project
  • Right-click on the src folder
  • Select the New → Other option
  • Highlight the Servlet option
  • Click on the Next > button

  

• Perform the following steps:
  • Set the Java package field to com.mytest.helloworld
  • Set the Class name field to HelloWorldServlet
  • Click on the Finish button

  

• Edit the contents to read as follows:

  package com.mytest.helloworld;
  
  import java.io.IOException;
  import java.io.PrintWriter;
  import javax.servlet.ServletException;
  import javax.servlet.annotation.WebServlet;
  import javax.servlet.http.HttpServlet;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  
  /**
   * Servlet implementation class HelloWorldServlet
   */
  @WebServlet("/HelloWorldServlet")
  public class HelloWorldServlet extends HttpServlet {
  	private static final long serialVersionUID = 1L;
         
      /**
       * @see HttpServlet#HttpServlet()
       */
      public HelloWorldServlet() {
          super();
          // TODO Auto-generated constructor stub
      }
  
  	/**
  	 * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
  	 */
  	protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
  		PrintWriter out = response.getWriter();
  		out.print("<html><body><h1>Servlet Invoked Successfully!</h1></body></html>");
  	}
  
  	/**
  	 * @see HttpServlet#doPost(HttpServletRequest request, HttpServletResponse response)
  	 */
  	protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
  		// TODO Auto-generated method stub
  		doGet(request, response);
  	}
  
  }
  

• Expand the HelloWorld project, right-click on the WebContent folder, and select the New → File option

  

• Set the filename to index.html, click on the Finish button, and edit the contents to read as follows:

  <html>
  <head>
  <title>Hello World!</title>
  </head>
  <body>
  <h1>Hello World!</h1><br/><br/>
  <a href="HelloWorldServlet">Click here to invoke servlet</a> 
  </body>
  </html>
  

• Make sure that the changes to both new files are saved
• Right-click on the HelloWorld project, click on the Export… option, search for the WAR file option and select it

  

• Click on the Next > button and select a Destination for your exported WAR file

  

• Click on the Finish button

Step 2: Prepare a Location on Your Docker Host

You must prepare a location on your Docker host to contain all the resources to build your docker container. To do this, run the following commands on the Docker host:

mkdir ~/mynewapp

Step 3: Download and Prepare AspectJWeaver

Run the following commands on the Docker host:

cd ~/mynewapp
wget -c https://repo1.maven.org/maven2/org/aspectj/aspectjweaver/1.9.5/aspectjweaver-1.9.5.jar
mv aspectjweaver-1.9.5.jar aspectjweaver.jar

Step 4: Prepare AcuSensor for Java

We will deploy the test application to the following URL: http://mydockerhostipaddress:8080/helloworld

• Create a new target for the above URL, replacing mydockerhostipaddress with the IP address of your Docker host
• Download AcuSensor for Java from the Acunetix UI
• Copy the AcuSensor.jar file into your Docker host folder ~/mynewapp

Step 5: Prepare the Environment Variables for Tomcat to Use AcuSensor

• Run the following commands on the Docker host:

  nano ~/mynewapp/setenv.sh
  

  – this will create a new setenv.sh file

• Add the following line to the setenv.sh file:

  JAVA_OPTS="$JAVA_OPTS -javaagent:/usr/local/tomcat/lib/aspectjweaver.jar -Dacusensor.debug.log=ON"
  

• Exit the Nano editor and save the changes to the setenv.sh file

Step 6: Prepare Your Web Application for Docker

Copy the HelloWorld.war file that you created into your docker host folder ~/mynewapp

Step 7: Prepare Your Dockerfile

• Run the following commands on the Docker host:

  nano ~/mynewapp/Dockerfile
  

• Enter the following content into your Dockerfile:

  FROM tomcat:9.0-alpine
  COPY AcuSensor.jar /usr/local/tomcat/lib/AcuSensor.jar
  COPY aspectjweaver.jar /usr/local/tomcat/lib/aspectjweaver.jar
  COPY HelloWorld.war /usr/local/tomcat/webapps/helloworld.war
  EXPOSE 8080
  CMD ["catalina.sh", "run"]
  

Step 8: Build Your Image

Run the following commands on the Docker host:

cd ~/mynewapp
docker build -t mynewapp:test .

Step 9: Start a Container Based on Your New Image

Run the following commands on the Docker host:

docker run --publish 8080:8080 --detach --name myapp mynewapp:test

Step 10: Confirm That Your New Web Application Works

To confirm that your new web application works, point your browser to your Docker container: http://mydockerhostipaddress:8080/helloworld

Step 11: Launch an Acunetix Scan Against the Target

Run an Acunetix scan using the http://mydockerhostipaddress:8080/helloworld as the target.

THE AUTHOR

Kevin Attard Compagno
Technical Writer
LinkedIn

Kevin Attard Compagno is a Technical Writer working for Acunetix. A technical writer, translator, and general IT buff for over 30 years, Kevin used to run Technical Support teams and create training documents and other material for in-house technical staff.