Tuesday 19 July 2011

Current O2 support for analyzing Spring MVC

During the past week I spent some time documenting O2's support for Spring MVC apps.

There is still quite a lot to do before we can do a proper security analysis of the JPetStore and PetClinic applications (for example 'mapping the JSPs to the controllers'), but hopefully these blog posts show the kind of analysis that is possible using O2:
JPetStore and PetClinic are demo apps which can be downloaded from here: Packaged Spring MVC Security Test Apps: JPetStore and PetClinic (includes Tomcat), or from the main Spring Framework source distribution (look in the samples folder).

For more details on the Spring MVC Autobinding Vulnerabilities see the PDF "Two Security Vulnerabilities in the Spring Framework's MVC" (from 2008).