During the past week I spent some time documenting O2's support for Spring MVC apps.
There is still quite a lot to do before we can do a proper security analysis of the JPetStore and PetClinic applications (for example 'mapping the JSPs to the controllers'), but hopefully these blog posts show the kind of analysis that is possible using O2:
- O2 Script with BlackBox exploits for Spring MVC AutoBinding vulnerabilities in JPetStore
- O2 Script: 'Spring MVC Util – View Controllers'
- Finding the JSP views that are mapped to controllers in JPetStore (Spring MVC)
- Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic's vulnerabilities)
- Visualizing the links in JPetStore (Spring MVC)
- O2 Script for "Spring MVC JPetStore – Start Servers" (start/stop apache and hsqldb)
- Simple Viewer to see JSP files (example using Spring MVC JPetStore)
- Util – Java, Jsp and Xml File Search (Example using Spring MVC JPetStore)
JPetStore and PetClinic are demo apps which can be downloaded from here: Packaged Spring MVC Security Test Apps: JPetStore and PetClinic (includes tomcat), or from the main Spring Framework source distribution (look in the samples folder).
For more details on the Spring MVC Autobinding Vulnerabilities see: "Two Security Vulnerabilities in the Spring Framework’s MVC" pdf (from 2008)