Investigate a Java Server Pages Application
You can use Ocular to examine the software elements and flows in your JSP application, to identify complex business logic vulnerabilities that can't be scanned for automatically. Note that this support does not include JSP Expression Language.
This tutorial illustrates the use of Ocular with JSP, based on the Java Vulnerable Lab sample project.
Getting Started
Start Ocular by running sl ocular.
Create the Code Property Graph (CPG) and Security Profile (SP), and then query for findings:
The findings query returns a comprehensive list of findings, each with its own title, score, description and associated vulnerable flow.
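The session below is an added example for the Getting Started steps, not a transcript from the original tutorial. It assumes the Java Vulnerable Lab build sits at ./JavaVulnerableLab.war (a hypothetical path) and that createCpgAndSp and the cpg.finding step, with its title and score properties, behave as in the Ocular build this tutorial targets; both are assumptions.

```scala
// Added example session (not the tutorial's own). Assumptions: the application
// archive is at ./JavaVulnerableLab.war, and createCpgAndSp / cpg.finding with
// .title and .score exist as in the Ocular build this tutorial targets.

// Build the Code Property Graph and the Security Profile in one step. The JSPs
// are precompiled into io.shiftleft.precompiledjsp.* classes during this call.
createCpgAndSp("./JavaVulnerableLab.war")

// Every finding: title, score, description and the data flow that supports it.
cpg.finding.l

// The full list is long; a title-only view is easier to scan when choosing
// which finding to investigate first.
cpg.finding.title.l

// Pair each title with its score so the highest-scoring findings stand out.
cpg.finding.map(f => (f.score, f.title)).l
```

The rest of the tutorial works from the flow attached to one of these findings; the namespace of the methods on that flow tells you whether it starts in a JSP.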
Countermeasures
The identified vulnerabilities can be prevented by passing the HTTP request data to the database as bound parameters of a prepared statement instead of concatenating it into the query string.
Identifying the Vulnerable Flow Through JSP
In the flow associated with the vulnerability, the call starts from io/shiftleft/precompiledjsp/admin/manageusers_jsp.java, a precompiled JSP that Ocular generates while building the CPG. It is derived from the webapp/admin/manageusers.jsp file.
All precompiled files belong to the io.shiftleft.precompiledjsp namespace, which gives you a way to identify and audit JSP-only methods while investigating data flows with Ocular. For example, restricting a method query to this namespace lists the methods that Java Vulnerable Lab's precompiled JSPs contribute.
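The queries below are an added example, not the tutorial's own. They assume the CPG from Getting Started is loaded, that the method steps used here (fullName with a regex, filename, lineNumber, methodReturn, parameter, reachableBy and flows.p) exist as in the Ocular build this tutorial targets, and that precompiled JSP classes expose their body as a Jasper-style _jspService method; the tutorial itself shows only the class name, so that method name is an assumption. The last part generalises the single mapping the text gives (admin.manageusers_jsp to webapp/admin/manageusers.jsp) into a helper that maps any method in the namespace back to its JSP.

```scala
// Added example (not the tutorial's own query). Assumptions: the CPG is loaded,
// the traversal steps below exist as in the targeted Ocular build, and the
// method naming follows the Jasper convention (_jspService).

// 1. Every method Ocular generated from a JSP lives in this namespace.
val jspMethods = cpg.method.fullName("io\\.shiftleft\\.precompiledjsp\\..*")
jspMethods.fullName.l

// Name, generated file and line number. The line numbers refer to the
// generated Java, not to the .jsp, so use the file name to find the page.
jspMethods.map(m => (m.fullName, m.filename, m.lineNumber)).l

// 2. Trace request data into SQL execution. Any flow whose elements sit in the
//    namespace above started in a JSP rather than in a servlet or helper class.
val source = cpg.method.fullName(".*HttpServletRequest\\.getParameter.*").methodReturn
val sink   = cpg.method.fullName(".*java\\.sql\\..*\\.execute.*").parameter
sink.reachableBy(source).flows.p

// 3. Map a precompiled method back to the JSP it came from, following the
//    naming the tutorial shows: io.shiftleft.precompiledjsp.admin.manageusers_jsp
//    corresponds to webapp/admin/manageusers.jsp.
def jspSourceFor(methodFullName: String): Option[String] = {
  val prefix = "io.shiftleft.precompiledjsp."
  if (!methodFullName.startsWith(prefix)) None
  else {
    val owner = methodFullName
      .stripPrefix(prefix)          // admin.manageusers_jsp._jspService:void(...)
      .takeWhile(_ != ':')          // drop the signature
      .split('.').dropRight(1)      // drop the method name, keep the class path
      .mkString("/")                // admin/manageusers_jsp
    Some("webapp/" + owner.stripSuffix("_jsp") + ".jsp")
  }
}

// Distinct JSP files that contribute methods to the CPG; a quick audit list.
jspMethods.fullName.l.flatMap(jspSourceFor).distinct
```

Step 3 is plain Scala and does not depend on the CPG, so you can apply it to any method full name printed in a flow to name the JSP page that needs the prepared-statement fix.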
Note that the line numbers reported for these methods currently refer to the generated Java files, not to the original JSP files, because the information is derived from the compiled Java.