You can use Ocular to examine the software elements and flows in your JSP application, to identify complex business logic vulnerabilities that can't be scanned for automatically. Note that this support does not include JSP Expression Language.
This tutorial illustrates the use of Ocular with JSP, based on the Java Vulnerable Lab sample project.
Start Ocular by running
Create the Code Property Graph (CPG) and Security Profile (SP), and then query for findings:
The findings query returns a comprehensive list of findings, each with its own title, score, description and associated vulnerable flow:
The identified vulnerabilities can be prevented by using prepared statements on the HTTP data.
Identifying the Vulnerable Flow Through JSP
In the flow associated with the vulnerability, the call starts from io/shiftleft/precompiledjsp/admin/manageusers_jsp.java, which is essentially a precompiled JSP created by Ocular as part of the process of generating the CPG. The JSP is derived from the webapp/admin/manageusers.jsp file.
All precompiled files are part of the io.shiftleft.precompiledjsp namespace. This is one way to identify and audit JSP-only methods while investigating data flows using Ocular. For example, the following query lists the methods that are part of the precompiled JSP from Java Vulnerable Lab:
Please note that currently the line numbers don't correspond to the actual lines in the JSP files, since the information is derived from compiled Java files.
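As an added example (not the tutorial's own query), the following Ocular shell snippet isolates the JSP-derived methods by their namespace and then asks for data flows from their parameters into SQL execution calls. The step names (fullName, parameter, call.name, argument, reachableBy, flows, p) are assumed from the Ocular/Joern CPG query language; the sink pattern and the choice of method parameters as sources are assumptions to adjust for your project.

```scala
// Added example, not from the tutorial or the Ocular project itself.
// Assumes an Ocular shell with a CPG loaded as `cpg` (step names per the
// Ocular/Joern query language; check your version's reference).

// All precompiled JSP code lives under this namespace (stated in the tutorial).
val jspNamespace = "io.shiftleft.precompiledjsp"

// Methods whose fully-qualified name starts with the precompiled-JSP namespace.
// A def (not a val) so every use starts a fresh traversal.
def jspMethods = cpg.method.fullName(jspNamespace.replace(".", "\\.") + "\\..*")

// Audit listing: name, full name and line number. The line number refers to the
// generated Java file, not the original .jsp (see the note above).
jspMethods.map(m => (m.name, m.fullName, m.lineNumber)).l.foreach(println)

// Sources: parameters of the JSP-derived methods (e.g. the servlet request).
// Sinks: arguments of JDBC execution calls. Both patterns are assumptions;
// widen or narrow them to match the database API used in your application.
def source = jspMethods.parameter
def sink   = cpg.call.name("executeQuery|executeUpdate|execute").argument

// Print every flow from a JSP-derived method into a SQL execution call.
// A flow that reaches the sink through string concatenation rather than a
// PreparedStatement parameter is the SQL injection pattern discussed above.
sink.reachableBy(source).flows.p
```

Restricting the source to jspMethods keeps the result focused on code that only exists because of JSP pages, which is useful when the same application also has servlets or controllers that have already been reviewed.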