This tutorial is based on the popular Java project, Java Vulnerable Lab, a benchmarking application for vulnerability discovery tools. The project includes different sample vulnerabilities, such as typical injection vulnerabilities like SQL injection.
The variable request is of type HttpServletRequest and is part of the doGet signature. The object is passed to processRequest, where the parameter email is read as a string. The variable is concatenated to
the SQL query without prior checks. This leads to an SQL injection. This vulnerability is identified using Ocular.
This script loads the Security Profile at spFilename, and evaluates the expression sp.findings.sortedByScore.l to obtain a list of findings sorted by score. The list is piped to the file outFilename via the |> operator.
As a result, the text file report.txt is generated containing all findings in a human-readable format. Take a look at one of the findings to get an idea of the type of information the report contains:
Flow ids: 
Description: Attacker controlled data is used in a SQL query without undergoing escaping or validation. This could allow an attacker to read sensitive data from the database or modify its content.See http://cwe.mitre.org/data/definitions/89.html
IO Tags: Set(http) -> Set(sql)
Data Tags: Set(DATA_TYPE: pii, DATA_TYPE: contact, DATA_LANGUAGE: SQL)
Along with other findings, notice an SQL injection vulnerability
that can be trigged via HTTP with a score of 9.0. Findings are scored to allow for filtering. Findings also include a human-readable description that further characterizes the potential vulnerability, as well as the information flows associated with the vulnerability.
In this example, a single information flow is associated with the vulnerability. ShiftLeft Ocular identifies that the parameter request of the method doGet is attacker-controlled with high probability, since it is an HTTP request parameter. Tracking the flow of request, the variable is passed into the method processRequest
where it is Base64-decoded and used in the initialization of a ByteArrayInputStream. This input stream is itself used to initialize an ObjectInputStream. Lastly, the readObject method is invoked on the tainted input stream, resulting in the deserialization of attacker-controlled data. The flow description additionally provides
HTTP input routes when possible (/admin/login in this case), and externally triggerable methods to invoke the vulnerable flow (doPostLogin in this example).
Interactively Exploring and Filtering the Security Profile#
Using interactive mode, load the Security Profile javavulnerablelab.sp by
This creates an object named sp that provides access to the Security
Profile. Now enter:
!= category equals getClass isInstanceOf raw scoreAtMost spTestsFlows |>
to obtain a list of possible operations that can be executed on findings. In particular, findings support the scoreAtLeast method, which allows findings to be filtered such that only findings scored above or equal to a threshold are returned. For example
returns only findings with a score of at least 8. Note that the query language is lazily evaluated, that is, sp.findings.scoreAtLeast(8) only yields in an expression, and it is
only evaluated as it is converted to a list via the l directive (a shorthand for "toList").
All string properties support regular expressions. You can obtain all findings related to serialization with:
All lists support the functional combinators of the Scala language. Moreover, the functional combinators filter, map, and flatMap are provided directly for expression of the DSL. For example, instead of using the built-in method scoreAtLeast, the same effect can be achieved via a filter operation:
sp.findings.filter(_.score >= 8).size
This allows more complex filtering rules to be expressed via lambdas: