Contact Support


Deploying Netsparker Shark agent for Java - Windows

Netsparker Shark enables you to carry out interactive security testing (IAST) in your web application in order to confirm more vulnerabilities and further minimize false positives. For Netsparker Shark to operate, you need to download an agent and deploy it on your server. Please note that this agent is generated uniquely for each target website for security reasons.

This topic explains how to download and install Netsparker Shark to a Java web application.

Netsparker Shark for Java requires Tomcat (7+) and Java (1.7+). Current testing is with Tomcat 9 and Java 1.8.
This document assumes that you will be using version 1.9.5 (latest at the time of writing) of AspectJWeaver.

Deploying Netsparker Shark in Java consists of 3 steps:

1. Deploying AspectJWeaver into your web application

2. Deploying Shark into your web server

    • Download the Netsparker Shark JAVA from Netsparker
    • Copy the Netsparker Shark JAVA (Shark.jar) to %TOMCAT-HOME%\lib
      • If installing on Windows where Tomcat 9 was installed using the official "32-bit/64-bit Windows Service Installer", copy the Shark.jar file to C:\Program Files (x86)\Apache Software Foundation\Tomcat 9.0\lib  

3. Configuring Tomcat to use AspectJWeaver and Shark

    • Launch Tomcat with Load Time Weaving enabled. This can be done by adding a -javaagent parameter with the path to aspectjweaver.jar when launching Tomcat, and optionally a parameter to enable the Shark debug logging.
    • Add two parameters into the Apache Tomcat Configuration > Java options tab
      • -javaagent: C:\Program Files (x86)\Apache Software Foundation\Tomcat 9.0\lib\aspectjweaver.jar (mandatory; adjust path depending on where you deployed the aspectjweaver.jar file)
      • -Dacusensor.debug.log=ON (optional; enables debug logging)

    • Restart the Tomcat service
The parameter "-Dacusensor.debug.log=ON" is optional and can be omitted. If this parameter is retained, this will output the Shark logging as additional lines in the Tomcat logs starting with "[Netsparker-debug]".

Disabling and Removing Netsparker Shark for Java

To remove and disable the sensor from your website, you need to revert the changes done during the deployment of the Agent.

  • Remove the Netsparker Shark (Shark.jar) from the folder where it was deployed
  • Remove aspectjweaver.jar from the folder where it was copied to
  • Reconfigure Tomcat with Load Time Weaving disabled, as follows:
    • Remove the -javaagent and -Dacusensor.debug.log parameters in the Apache Tomcat Configuration > Java options tab
    • Restart the Tomcat service
Although the Netsparker Shark agent is secured with a strong password, it is recommended that the Shark client files are uninstalled and removed from the web application if they are no longer in use.

Highly accurate, fast & easy-to-use Web Application Security Scanner