Netsparker Shark enables you to carry out interactive security testing (IAST) in your web application in order to confirm more vulnerabilities and further minimize false positives. For Netsparker Shark to operate, you need to download an agent and deploy it on your server. Please note that this agent is generated uniquely for each target website for security reasons.
This topic explains how to download and deploy Netsparker Shark to a JAVA web application.
Netsparker Shark for Java requires Tomcat (7+) and Java (1.7+). Current testing is with Tomcat 9 and Java 1.8.
This document assumes that you will be using version 1.9.5 (latest at the time of writing) of AspectJWeaver. Also, you will be using regular repositories for Ubuntu Linux.
Deploying Netsparker Shark in Java consists of 3 steps:
1. Deploying AspectJWeaver into your web application
- Open a terminal
sudo apt install libaspectj-java
2. Deploying Shark into your web application
- Download the Netsparker JAVA Shark from Netsparker
- Copy Netsparker Shark (Shark.jar) to %TOMCAT-HOME%\lib
- If deploying to Ubuntu 18.04.3 where Tomcat 9 was installed using the regular Ubuntu repositories to install tomcat and needed components (
sudo apt install tomcat9 libaspectj-java), copy the Shark.jar file to /usr/share/tomcat9/lib
3. Configure Tomcat to use AspectJWeaver and Shark
- Launch Tomcat with Load Time Weaving enabled. This can be done by adding a -javaagent parameter with the path to aspectjweaver.jar when launching Tomcat, and optionally a parameter to enable Shark debug logging
- For Ubuntu 18.04.3 where Tomcat 9 was installed using the regular Ubuntu repositories to install tomcat and needed components (
sudo apt install tomcat9 libaspectj-java), add two parameters into the Tomcat setenv.sh script (normally you will be creating a new file):
sudo nano /usr/share/tomcat9/bin/setenv.sh
- At the end of the file, add the line: JAVA_OPTS="$JAVA_OPTS -javaagent:/usr/share/java/aspectjweaver.jar -Dacusensor.debug.log=ON"
- Save the file
sudo systemctl restart tomcat9
The parameter "-Dacusensor.debug.log=ON" is optional, and can be omitted. If this parameter is retained, this will output Shark logging as additional lines in the Tomcat logs starting with "[Netsparker-debug]".
Disabling and Removing Netsparker Shark for Java
To remove and disable the sensor from your website, you need to revert the changes done during the deployment of the Agent:
- Remove the Netsparker Shark (Shark.jar) from the folder where it was deployed. In the case of Ubuntu 18.04.3 where Tomcat 9 was installed using the regular Ubuntu repositories to install tomcat and needed components (
sudo apt install tomcat9 libaspectj-java), remove the Shark.jar file by running the command:
- Remove aspectjweaver.jar by running the command: sudo apt remove libaspectj-java
- Reconfigure Tomcat with Load Time Weaving disabled:
- Under Ubuntu 18.04.3 this can be done as follows:
- remove the "JAVA_OPTS" line added earlier in the setenv.sh file
sudo systemctl restart tomcat9
Although the Netsparker Shark agent is secured with a strong password, it is recommended that the Shark client files are uninstalled and removed from the web application if they are no longer in use.