Deploying Netsparker Shark (IAST) for Node.js - Docker

Netsparker Shark enables you to carry out interactive security testing (IAST) in your web application in order to confirm more vulnerabilities and further minimize false positives.  

  • Node.js is an open-source server environment designed to build scalable network applications, as it is capable of handling a vast number of simultaneous connections with high throughput. Depending on the specific frameworks and libraries, debugging a Node.js application can be tricky though.
  • You can take advantage of Netsparker’s unique DAST-induced IAST approach to get an inside view into how security checks and test payloads are processed within these environments. These additional insights will let you isolate the location and root cause of security defects quickly.

For further information, see Netsparker adds IAST support for Node.js.

The cleanest way to deploy Netsparker Shark in Docker is to layer the Shark additions on top of your existing container definition, so the application image itself stays unchanged and the sensor can be added or removed without rebuilding it.

The following example demonstrates how you can deploy the Shark together with your web application.

Step 1. Adding your website to Netsparker Enterprise

For this example, we will assume that the URL for your target is http://netsparkerexample.com:60000.
  1. Add your website to Netsparker. For further information, see How to add a website in Netsparker Enterprise.
  2. Download the Node.js sensor. For further information, see Downloading Shark sensors in Netsparker Enterprise.
  3. Save the Node.js sensor file to use it later on.

Step 2. Defining the web application image

The following file structure defines the simple web application.

/testnodejs-docker/
/testnodejs-docker/Dockerfile
/testnodejs-docker/src/app.js
/testnodejs-docker/src/package.json

  1. Create your /testnodejs-docker/Dockerfile file to read as follows:

FROM node:12

# work from a dedicated directory instead of the image root;
# the Shark layer in Step 3 inherits this WORKDIR, so "app.js" resolves here
WORKDIR /app

# copy the web application (app.js and package.json) into the image
COPY src/ .

# install the dependencies declared in package.json
RUN npm install

  2. Create your /testnodejs-docker/src/app.js file to read as follows:
const app = require('express')();
const port = 60000;

app.get('/', function (req, res) {
  res.send(
  '<html><body>' +
  '<h1>Shark(IAST) Example for Node.JS</h1>' +
  '<br>' +
  'Hello World! - Main Page' +
  '<br>' +
  '<a href="/page1">Go to Page 1</a>' +
  '</body></html>'
  );
});

app.get('/page1', function (req, res) {
  res.send(
  '<html><body>' +
  '<h1>Shark(IAST) Example for Node.JS</h1>' +
  '<br>' +
  'Hello World! - Page 1' +
  '<br>' +
  '<a href="/">Go to Main Page</a>' +
  '</body></html>'
  );
});

app.listen(port, function(err){
  if (err) console.log(err);
  console.log("Server listening on port: ", port);
});

  3. Create your /testnodejs-docker/src/package.json file to read as follows (the "*" range pulls whatever express version is newest at build time; pin a specific version in a real project):
{
  "name": "testnodejs-docker",
  "version": "1.0.0",
  "dependencies": {
  "express": "*"
  }
}

  4. Finally, build the image (the trailing "." is the build context; docker build fails without it):

cd /testnodejs-docker

docker build -t testnodejs-docker .

Step 3. Defining the Shark layer image

The Shark layer will be defined through the following file structure:

/testnodejs-docker-shark/
/testnodejs-docker-shark/Dockerfile
/testnodejs-docker-shark/node-shark(IAST).tar

Copy the Node.js sensor file you downloaded in Step 1 (node-shark(IAST).tar in this example; use the file name you actually downloaded and keep it consistent with the Dockerfile below) to the /testnodejs-docker-shark directory on your Docker host.

Create your /testnodejs-docker-shark/Dockerfile file to read as follows:

FROM testnodejs-docker

#setup and install Netsparker Shark

RUN mkdir /shark

COPY node-shark(IAST).tar /shark/node-shark(IAST).tar

#expose port and launch the app through the Netsparker Shark sensor
#(app.js is resolved relative to the WORKDIR inherited from the base image)

EXPOSE 60000

CMD [ "npx", "/shark/node-shark(IAST).tar", "app.js" ]

Build and run your image with (again, note the "." build context):

cd /testnodejs-docker-shark
docker build -t testnodejs-docker-shark .
docker run -d -p 60000:60000 --name mytestnodejs testnodejs-docker-shark

Step 4. Testing and scanning your web application

  1. Point your browser at your web application (http://netsparkerexample.com:60000 in this example) to confirm it is running as intended. If it does not answer, check docker logs mytestnodejs for sensor or application errors.
  2. Run a scan against the URL. The scan summary shows whether Netsparker Shark was used for the scan.
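The build, run and verify sequence of Steps 2 to 4 as one script, added here as an example and not part of the original page or of Netsparker's own tooling. It assumes the directory, image and container names used above, that docker and curl are on PATH, and that the application answers on the URL registered in Step 1 (override BASE_URL if yours differs). Besides building and starting the container it waits for the port to open, checks that both pages come back with the heading from app.js, and confirms from the container's process list that app.js was started by the CMD line of the Shark layer.

```shell
#!/bin/sh
# Added example (not from the original page): build both images, start the
# container and confirm the instrumented app answers before starting a scan.
# Assumes the directory, image and container names from Steps 2 and 3 and
# that docker and curl are on PATH.
set -eu

APP_DIR="${APP_DIR:-/testnodejs-docker}"
SHARK_DIR="${SHARK_DIR:-/testnodejs-docker-shark}"
APP_IMAGE="testnodejs-docker"
SHARK_IMAGE="testnodejs-docker-shark"
CONTAINER="mytestnodejs"
PORT=60000
# Assumed: the URL registered in Step 1; override with BASE_URL if it differs.
BASE_URL="${BASE_URL:-http://netsparkerexample.com:${PORT}}"

# Pure check shared by the smoke test: the page body must carry the heading
# from app.js and the marker text of the page we requested. Returns 0 on success.
check_page() {
  body="$1"
  marker="$2"
  printf '%s' "$body" | grep -qF 'Shark(IAST) Example for Node.JS' \
    && printf '%s' "$body" | grep -qF -- "$marker"
}

build_images() {
  # The trailing "." is the build context; docker build fails without it.
  (cd "$APP_DIR" && docker build -t "$APP_IMAGE" .)
  (cd "$SHARK_DIR" && docker build -t "$SHARK_IMAGE" .)
}

start_container() {
  # Replace any leftover container from a previous run.
  docker rm -f "$CONTAINER" >/dev/null 2>&1 || true
  docker run -d -p "${PORT}:${PORT}" --name "$CONTAINER" "$SHARK_IMAGE"
}

wait_for_app() {
  # npx installs the sensor package when the container starts, so the port
  # may open late; poll for up to 60 seconds and dump the log on failure.
  i=0
  while [ "$i" -lt 60 ]; do
    if curl -fsS -o /dev/null "${BASE_URL}/"; then
      return 0
    fi
    i=$((i + 1))
    sleep 1
  done
  echo "app did not come up on ${BASE_URL}; container log follows" >&2
  docker logs --tail 50 "$CONTAINER" >&2
  return 1
}

smoke_test() {
  main_body="$(curl -fsS "${BASE_URL}/")"
  page1_body="$(curl -fsS "${BASE_URL}/page1")"
  check_page "$main_body" "Hello World! - Main Page"
  check_page "$page1_body" "Hello World! - Page 1"
  # The container's process list must show app.js running, i.e. the CMD of
  # the Shark layer started it (docker top works without ps in the image).
  docker top "$CONTAINER" | grep -q 'app.js'
  echo "instrumented app is answering on ${BASE_URL}; start the scan now"
}

# Only the "deploy" argument runs the full sequence, so the helpers can be
# sourced or exercised without touching Docker.
if [ "${1:-}" = "deploy" ]; then
  build_images
  start_container
  wait_for_app
  smoke_test
fi
```

Run it as `sh deploy-shark.sh deploy` on the Docker host; a non-zero exit means one of the build, start or verification steps failed, and the container log is printed when the port never opens.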