Vulnerability Development mailing list archives
Re: JSP hacking
From: Ben Galehouse <bgalehou () PACBELL NET>
Date: Fri, 29 Sep 2000 22:19:44 -0700
You need to treat JSP pages the way that you would servlet class files, or Perl modules. You can do _anything_ within <% %> tags. Load classes? Heck, write your own classes (inner classes, that is). Class.forName is totally irrelevant. If Class.forName("org.evil.BadClass") works, org.evil.BadClass.class does the same thing.

They need to be protected and audited for all the same reasons that servlets and Perl modules need to be protected and audited. Personally, I think good style demands that the bulk of the JSP be static (pull the serious logic out into a servlet), so the auditing should be short.

JSPs are not intended to be safe from malicious coders. Basically, you can't give strangers access to write them; they are not 'safe' the way static HTML is. In theory, they could be run in a sandbox, using the Java security model. I haven't a clue if this is done, or if they typically run with the same access as the web-server's JVM.
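An added example, not part of the original post: a small audit helper that inventories every code-bearing JSP element for review and ranks pages by how much of their source is Java, instead of searching for a single call such as Class.forName. The names audit_jsp and review_queue, the 0.25 threshold and both sample pages are assumptions made for this illustration.

```python
import re

# Matches JSP comments first (skipped), then any <% ... %> element.
# As in the JSP syntax itself, the first "%>" closes the element.
TAG = re.compile(r"<%--.*?--%>|<%([!=@]?)(.*?)%>", re.S)
KINDS = {"": "scriptlet", "!": "declaration", "=": "expression", "@": "directive"}
CODE_KINDS = {"scriptlet", "declaration", "expression"}

def audit_jsp(source):
    """Return (blocks, code_ratio) for one JSP source string.

    blocks is a list of (line, kind, java_text) for every element a reviewer
    must read; code_ratio is the share of characters that are Java code.
    """
    blocks, code_chars = [], 0
    for m in TAG.finditer(source):
        if m.group(1) is None:          # <%-- comment --%>, never compiled
            continue
        kind = KINDS[m.group(1)]
        line = source.count("\n", 0, m.start()) + 1
        blocks.append((line, kind, m.group(2).strip()))
        if kind in CODE_KINDS:
            code_chars += len(m.group(2))
    return blocks, (code_chars / len(source) if source else 0.0)

def review_queue(pages, max_ratio=0.25):
    """Names of pages whose code share exceeds max_ratio (assumed), heaviest first."""
    scored = [(audit_jsp(src)[1], name) for name, src in pages.items()]
    return [name for ratio, name in sorted(scored, reverse=True) if ratio > max_ratio]

# Constructed sample pages (not from the original post).
MOSTLY_STATIC = """<%@ page contentType="text/html" %>
<html><body>
<%-- greeting is prepared by a servlet --%>
<p>Hello, <%= request.getAttribute("name") %>. Welcome back to the site.</p>
<p>Your account details are shown on the next page.</p>
</body></html>
"""
LOGIC_HEAVY = """<html><body>
<%! class Helper { Object make() { return new org.evil.BadClass(); } } %>
<% Object o = new Helper().make(); %>
</body></html>
"""

if __name__ == "__main__":
    pages = {"hello.jsp": MOSTLY_STATIC, "heavy.jsp": LOGIC_HEAVY}
    print("review first:", review_queue(pages))
```

The second sample never mentions Class.forName, yet its declaration defines an inner class and references org.evil.BadClass directly, which is why the helper lists all embedded code rather than matching on particular calls.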