[Owasp-o2-platform] Current O2 support for analyzing Spring MVC

dinis cruz dinis.cruz at owasp.org
Tue Jul 19 03:03:10 EDT 2011


During the past week I spent some time documenting O2's support for Spring
MVC apps.

There is still quite a lot to do before we can do a proper security analysis
of the JPetStore and PetClinic applications (for example 'mapping the JSPs
to the controllers'), but hopefully these blog posts show the kind of
analysis that is possible using O2:

   - O2 Script with BlackBox exploits for Spring MVC AutoBinding vulnerabilities in JPetStore
     <http://o2platform.wordpress.com/2011/07/11/o2-script-with-blackbox-exploits-for-spring-mvc-autobinding-vulnerabilities-in-jpetstore/>

   - O2 Script: 'Spring MVC Util - View Controllers'
     <http://o2platform.wordpress.com/2011/07/12/o2-script-spring-mvc-util-view-controllers/>

   - Finding the JSP views that are mapped to controllers in JPetStore (Spring MVC)
     <http://o2platform.wordpress.com/2011/07/15/finding-the-jsp-views-that-are-mapped-to-controlers-in-jpetstore-spring-mvc/>

   - Visualizing Spring MVC Annotations based Controls (and Autobinding PetClinic's vulnerabilities)
     <http://o2platform.wordpress.com/2011/07/19/visualizing-spring-mvc-annotations-based-controls-and-autobinding-petclinics-vulnerabilities/>

   - Visualizing the links in JPetStore (Spring MVC)
     <http://o2platform.wordpress.com/2011/07/15/visualizing-the-links-in-jpetstore-spring-mvc/>

   - O2 Script for "Spring MVC JPetStore - Start Servers" (start/stop apache and hsqldb)
     <http://o2platform.wordpress.com/2011/07/12/o2-script-for-spring-mvc-jpetstore-start-servers-startstop-apache-and-hsqldb/>

   - Simple Viewer to see JSP files (example using Spring MVC SPetStore)
     <http://o2platform.wordpress.com/2011/07/18/simple-viewer-to-see-jsp-files-example-using-spring-mvc-spetstore/>

   - Util - Java, Jsp and Xml File Search (Example using Spring MVC JPetStore)
     <http://o2platform.wordpress.com/2011/07/18/util-java-jsp-and-xml-file-search-example-using-spring-mvc-jpetstore/>


JPetStore and PetClinic are demo apps which can be downloaded from here:
Packaged Spring MVC Security Test Apps: JPetStore and PetClinc
<http://o2platform.wordpress.com/2011/07/18/packaged-spring-mvc-security-test-apps-jpetstore-and-petclinc/>
(includes tomcat), or from the main Spring Framework source distribution
<http://www.springsource.com/download/community> (look in the samples folder).

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2