Investigate a Java Server Pages Application

You can use Ocular to examine the software elements and flows in your JSP application, to identify complex business logic vulnerabilities that can't be scanned for automatically. Note that this support does not include JSP Expression Language.

This tutorial illustrates the use of Ocular with JSP, based on the Java Vulnerable Lab sample project.

Getting Started

Start Ocular by running sl ocular.

Create the Code Property Graph (CPG) and Security Profile (SP), and then query for findings:

importCode("JavaVulnerableLab.war")
run.securityprofile
cpg.finding.p

The findings query returns a comprehensive list of findings, each with its own title, score, description and associated vulnerable flow:

-------------------------------------
Title: SQL Injection: HTTP data to SQL database via `request`
Score: 9
Categories: [a1-injection]
Flow ids: [9212286253158463995]
Description: HTTP data is used in a SQL query without undergoing escaping or validation. This could allow an attacker to read sensitive data from the database, modify its content or gain control over the server.

Countermeasures

The identified vulnerabilities can be prevented by using prepared statements on the HTTP data.

-------------------------------------
__________________________________________________________________________________________________________________________
| tracked                     | lineNumber| method               | file                                                  |
|========================================================================================================================|
| request                     | 103       | _jspService          | io/shiftleft/precompiledjsp/admin/manageusers_jsp.java|
| request                     | 266       | _jspService          | io/shiftleft/precompiledjsp/admin/manageusers_jsp.java|
| this                        | N/A       | getParameter         | javax/servlet/http/HttpServletRequest.java            |
| ret                         | N/A       | getParameter         | javax/servlet/http/HttpServletRequest.java            |
| request.getParameter("user")| 266       | _jspService          | io/shiftleft/precompiledjsp/admin/manageusers_jsp.java|
| param1                      | N/A       | <operator>.assignment| N/A                                                   |
| param0                      | N/A       | <operator>.assignment| N/A                                                   |
| user                        | 266       | _jspService          | io/shiftleft/precompiledjsp/admin/manageusers_jsp.java|
| user                        | 267       | _jspService          | io/shiftleft/precompiledjsp/admin/manageusers_jsp.java|
| param0                      | N/A       | append               | java/lang/StringBuilder.java                          |
| ret                         | N/A       | append               | java/lang/StringBuilder.java                          |
| $r33.append(user)           | 267       | _jspService          | io/shiftleft/precompiledjsp/admin/manageusers_jsp.java|
| param1                      | N/A       | <operator>.assignment| N/A                                                   |
| param0                      | N/A       | <operator>.assignment| N/A                                                   |
| $r34                        | 267       | _jspService          | io/shiftleft/precompiledjsp/admin/manageusers_jsp.java|
| $r34                        | 267       | _jspService          | io/shiftleft/precompiledjsp/admin/manageusers_jsp.java|
| this                        | N/A       | append               | java/lang/StringBuilder.java                          |
| ret                         | N/A       | append               | java/lang/StringBuilder.java                          |
| $r34.append("\'")           | 267       | _jspService          | io/shiftleft/precompiledjsp/admin/manageusers_jsp.java|
| param1                      | N/A       | <operator>.assignment| N/A                                                   |
| param0                      | N/A       | <operator>.assignment| N/A                                                   |
| $r35                        | 267       | _jspService          | io/shiftleft/precompiledjsp/admin/manageusers_jsp.java|
| $r35                        | 267       | _jspService          | io/shiftleft/precompiledjsp/admin/manageusers_jsp.java|
| this                        | N/A       | toString             | java/lang/StringBuilder.java                          |
| ret                         | N/A       | toString             | java/lang/StringBuilder.java                          |
| $r35.toString()             | 267       | _jspService          | io/shiftleft/precompiledjsp/admin/manageusers_jsp.java|
| param1                      | N/A       | <operator>.assignment| N/A                                                   |
| param0                      | N/A       | <operator>.assignment| N/A                                                   |
| $r36                        | 267       | _jspService          | io/shiftleft/precompiledjsp/admin/manageusers_jsp.java|
| $r36                        | 267       | _jspService          | io/shiftleft/precompiledjsp/admin/manageusers_jsp.java|
| param0                      | N/A       | executeUpdate        | java/sql/Statement.java                               |

Identifying the Vulnerable Flow Through JSP

In the flow associated with the vulnerability, the data flow starts in io/shiftleft/precompiledjsp/admin/manageusers_jsp.java. This file is a precompiled JSP that Ocular creates while generating the CPG; it is derived from the webapp/admin/manageusers.jsp file.

All precompiled files are part of the io.shiftleft.precompiledjsp namespace. This gives you one way to identify and audit JSP-only methods while investigating data flows with Ocular. For example, the following query lists the methods of the precompiled JSPs in Java Vulnerable Lab's io.shiftleft.precompiledjsp.vulnerability.sqli namespace:

cpg.namespace.name("io.shiftleft.precompiledjsp.vulnerability.sqli").method.fullName.l

Please note that currently the line numbers don't correspond to the actual lines in the JSP files, since the information is derived from compiled Java files.
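
The following Python example is an addition to this tutorial, not part of Ocular: it parses a flow table like the one shown earlier, drops the library frames, and maps each precompiled file under io/shiftleft/precompiledjsp back to its JSP for triage. The webapp/ prefix and the _jsp.java to .jsp rename are assumptions generalised from the single manageusers example, and the function names are hypothetical.

```python
import re

PRECOMPILED = "io/shiftleft/precompiledjsp/"  # namespace named in the tutorial
WEBAPP_ROOT = "webapp/"  # assumption, generalised from webapp/admin/manageusers.jsp

# Constructed sample: four rows taken from the flow table shown earlier.
SAMPLE_FLOW = r'''
| tracked | lineNumber| method | file |
|=======================================|
| request.getParameter("user")| 266 | _jspService | io/shiftleft/precompiledjsp/admin/manageusers_jsp.java|
| ret | N/A | append | java/lang/StringBuilder.java |
| $r35.toString() | 267 | _jspService | io/shiftleft/precompiledjsp/admin/manageusers_jsp.java|
| param0 | N/A | executeUpdate | java/sql/Statement.java
'''

def parse_flow(text):
    """Parse the pipe-delimited flow table into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        body = re.sub(r"^\||\|$", "", line.strip())
        # Split from the right: only the 'tracked' cell may itself contain '|'.
        cells = [c.strip() for c in body.rsplit("|", 3)]
        if len(cells) != 4 or cells[1] == "lineNumber":
            continue  # rule lines, blank lines and the header row
        rows.append(dict(zip(("tracked", "line", "method", "file"), cells)))
    return rows

def jsp_source(path):
    """Map a precompiled servlet path to its JSP; None for library code."""
    if not path.startswith(PRECOMPILED):
        return None
    return WEBAPP_ROOT + re.sub(r"_jsp\.java$", ".jsp", path[len(PRECOMPILED):])

def summarize(text):
    """Reduce a flow to its JSP-side steps plus the final sink."""
    rows = parse_flow(text)
    if not rows:
        raise ValueError("no flow rows found")
    steps = []
    for row in rows:
        step = (row["tracked"], jsp_source(row["file"]))
        # Skip library frames and consecutive repeats of the same expression.
        # Line numbers are dropped: they refer to the compiled Java, not the JSP.
        if step[1] and (not steps or steps[-1] != step):
            steps.append(step)
    return {
        "jsp_files": sorted({jsp for _, jsp in steps}),
        "steps": [tracked for tracked, _ in steps],
        "sink": f'{rows[-1]["method"]} ({rows[-1]["file"]})',
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOW))
```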