https://github.com/HXSecurity/DongTai-agent-java

Java Agent is a Java application probe of DongTai IAST, which collects method invocation data during runtime of Java application by dynamic hooks.
https://github.com/HXSecurity/DongTai-agent-java

agent applicationsecuritymonitoring appsec-tutorials devsecops dongtai-iast iast java security-scan

Last synced: 3 months ago
JSON representation

Java Agent is a Java application probe of DongTai IAST, which collects method invocation data during runtime of Java application by dynamic hooks.

• Host: GitHub
• URL: https://github.com/HXSecurity/DongTai-agent-java
• Owner: HXSecurity
• License: apache-2.0
• Created: 2021-03-22T04:03:11.000Z (over 3 years ago)
• Default Branch: beta
• Last Pushed: 2023-12-25T02:00:01.000Z (10 months ago)
• Last Synced: 2024-05-13T20:33:30.627Z (6 months ago)
• Topics: agent, applicationsecuritymonitoring, appsec-tutorials, devsecops, dongtai-iast, iast, java, security-scan
• Language: Java
• Homepage: https://dongtai.io
• Size: 30.6 MB
• Stars: 666
• Watchers: 22
• Forks: 189
• Open Issues: 12
• Metadata Files:
  • Readme: README.md
  • Changelog: CHANGELOG.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE
  • Code of conduct: .github/CODE_OF_CONDUCT.md
  • Security: SECURITY.md

Awesome Lists containing this project

• awesome-hacking-lists - HXSecurity/DongTai-agent-java - Java Agent is a Java application probe of DongTai IAST, which collects method invocation data during runtime of Java application by dynamic hooks. (Java)

README

        
## DongTai-agent-java

------

[中文版本(Chinese version)](README_CN.md)

[![license Apache-2.0](https://img.shields.io/github/license/HXSecurity/DongTai-agent-java)](https://github.com/HXSecurity/DongTai-agent-java/blob/main/LICENSE)

[![GitHub stars](https://img.shields.io/github/stars/HXSecurity/DongTai-agent-java.svg?label=Stars&logo=github)](https://github.com/HXSecurity/DongTai-agent-java)

[![GitHub forks](https://img.shields.io/github/forks/HXSecurity/DongTai-Agent-Java?label=Forks&logo=github)](https://github.com/HXSecurity/DongTai-agent-java)

[![GitHub Contributors](https://img.shields.io/github/contributors-anon/HXSecurity/DongTai-agent-java?label=Contributors&logo=github)](https://github.com/HXSecurity/DongTai-agent-java)

[![CI](https://github.com/HXSecurity/DongTai-agent-java/actions/workflows/release-agent.yml/badge.svg)](https://github.com/HXSecurity/DongTai-agent-java/actions/workflows/release-agent.yml)

[![Github Version](https://img.shields.io/github/v/release/HXSecurity/DongTai-agent-java?display_name=tag&include_prereleases&sort=semver)](https://github.com/HXSecurity/DongTai-agent-java/releases)

[![Release downloads](https://shields.io/github/downloads/HXSecurity/DongTai-Agent-Java/total)](https://github.com/HXSecurity/DongTai-agent-java/releases)

## Project Introduction

Dongtai-agent-java is DongTai Iast's data acquisition tool for Java applications. In a Java application with the iast agent added, the required data is collected by rewriting class bytecode, and then the data is sent to dongtai-OpenAPI service, and then the cloud engine processes the data to determine whether there are security holes.

Dongtai-agent-java consists of `agent.jar`, `dongtai-core-jar`, `dongtai-spy. Jar` and `dongtai-servlet.jar`:

- `agent.jar` It is used to manage agent life cycle and configuration. The life cycle of the Agent includes downloading, installing, starting, stopping, restarting, and uninstalling the agent. Agent configuration includes application startup mode, vulnerability verification mode, whether to enable agent, etc.

- `dongtai-core.jar ` The main functions of dongtai-core.jar are: bytecode piling, data collection, data preprocessing, data reporting, third-party component management, etc.

- `dongtai-inject.jar` It is used to inject into the BootStrap ClassLoader. The data collection method in 'iast-core.jar' is then invoked in the target application.

- `dongtai-servlet.jar` It is used to obtain the requests sent by the application and the responses received. It is used for data display and request replay.

## Application Scenarios

- DevOps

- Security test the application before it goes online

- Third-party Component Management

- Code audit

- 0 Day digging

## Quick Start

Please refer to the [Quick Start](https://doc.dongtai.io).

## Quick Development

1. Fork the [DongTai-agent-java](https://github.com/HXSecurity/DongTai-agent-java) , clone your fork:

   ```

   git clone https://github.com//DongTai-agent-java

   ```

2. Write code to your needs.

3. Compile Dongtai-agent-Java using Maven:

   ```

   mvn clean package -Dmaven.test.skip=true

   ```

    - notice: JDK version is 1.8.

4. folder `./release` is generated in the project root directory after compilation:

   ```

   release

   ├── dongtai-agent.jar

   └── lib

       ├── dongtai-servlet.jar

       ├── dongtai-core.jar

       └── dongtai-spy.jar

   ```

5. Copy `dongtai-core.jar`、`dongtai-spy.jar`、`dongtai-servlet.jar` to the system temporary directory. Get the system temporary directory to run the following Java code:

   ```

   System.getProperty("java.io.tmpdir.dongtai");

   ```

6. Run the application and test the code (for example, SpringBoot) : `java -javaagent:/path/to/dongtai-agent.jar -Ddongtai.debug=true -jar app.jar`

7. Contribute code. If you want to contribute code to the DongTai IAST team, please read the full [contribution guide](https://github.com/HXSecurity/DongTai/blob/main/CONTRIBUTING.md).

### Supported Java versions and middleware

- Java 1.8+

- Tomcat, Jetty, WebLogic, WebSphere, SpringBoot and Mainstream software and middleware.