Netsparker Shark enables you to carry out interactive security testing (IAST) in your web application in order to confirm more vulnerabilities and further minimize false positives. For Netsparker Shark to operate, you need to download an agent and deploy it on your server. Please note that this agent is generated uniquely for each target website for security reasons.
This topic explains how to download and deploy Netsparker Shark to a Java web application.
Netsparker Shark for Java requires Tomcat (7+) and Java (1.7+). Current testing is with Tomcat 9 and Java 1.8. Also, the Shark requires:
- Deploying aspectjweaver.jar into your web server - provides the integration required for Netsparker Shark to work with your application
- Deploying the Netsparker Java Shark into your web server.
- Configuring your web server to use Load Time Weaving (AspectJWeaver)
Since your docker container can be built from a variety of different templates, the file locations (path) may be different. This document assumes:
- The docker container was built with "FROM tomcat:9.0-alpine".
- The docker container name is "mycontainer" - you will have to substitute with your docker container's name
- You will be using version 1.9.5 (latest at time of writing) of AspectJWeaver.
Deploying Netsparker Shark in Java consists of 3 steps:
1. Deploying AspectJWeaver into your web application
- Open a terminal
- Run the following commands to download and deploy AspectJWeaver:
- wget -c https://repo1.maven.org/maven2/org/aspectj/aspectjweaver/1.9.5/aspectjweaver-1.9.5.jar
- mv aspectjweaver-1.9.5.jar aspectjweaver.jar
- docker cp aspectjweaver.jar mycontainer:/usr/local/tomcat/lib/
2. Deploying Shark into your web application
- Download Netsparker Shark for Java
- Copy the Netsparker Shark (Shark.jar) to %TOMCAT-HOME%\lib
- If deploying to a docker container, copy the Shark.jar file to /usr/local/tomcat/lib/ using the command:
docker cp Shark.jar mycontainer:/usr/local/tomcat/lib/
3. Configure Tomcat to use AspectJWeaver and Shark
- Launch Tomcat with Load Time Weaving enabled. This can be done by adding a -javaagent parameter with the path to aspectjweaver.jar when launching Tomcat, and optionally a parameter to enable Shark debug logging
- For a docker container, add two parameters into the Tomcat setenv.sh script - this assumes that this file does not exist within the docker container:
- At the end of the file, add the line JAVA_OPTS="$JAVA_OPTS -javaagent:/usr/local/tomcat/lib/aspectjweaver.jar -Dacusensor.debug.log=ON"
- Save the file
- Move the file into the docker container:
docker cp setenv.sh mycontainer:/usr/local/tomcat/bin/
- Restart the container:
docker restart mycontainer
The parameter "-Dacusensor.debug.log=ON" is optional and should ONLY be used for troubleshooting purposes. If this parameter is retained, this will output Shark logging as additional lines in the Tomcat logs starting with "[Netsparker-debug]".
Disabling and Removing Shark for Java
To remove and disable the sensor from your website you need to revert the changes done during the deployment of the Agent.:
- Remove the Netsparker Shark (Shark.jar) from the folder where it was deployed. In the case of a docker environment, run the command:
docker exec mycontainer rm /usr/local/tomcat/lib/Shark.jar
- Remove aspectjweaver.jar; run the commands:
docker exec mycontainer rm /usr/local/tomcat/lib/aspectjweaver.jar
- Reconfigure Tomcat with Load Time Weaving disabled:
docker exec mycontainer rm /usr/local/tomcat/bin/setenv.sh
docker restart mycontainer
Although the Netsparker Shark agent is secured with a strong password, it is recommended that the Shark client files are uninstalled and removed from the web application if they are no longer in use.