The analysis consists of a front-end that computes a context-free grammar that captures the possible output of the given servlet (i.e. string fragments printed to the output stream) and a back-end that analyzes the grammar for XML well-formedness and XHTML validity as well as HTML validity. Furthermore it has a back end that statically checks for client-state manipulation vulnerabilities.
- View the online javadoc API specifications.
- servletvalidator.jar - precompiled Java archive, or
- servletvalidator-all.jar - full jar including necessary libraries
To see the command-line usage for the HTML analyzer, run
java -classpath servletvalidator-all.jar dk.brics.servletvalidator.Analyzer
To run the client-state manipulation vulnerability analyzer, first run the hidden field analysis
java -classpath servletvalidator-all.jar dk.brics.servletvalidator.WARLordTool hidden base_directory jsp_directory webxml_locationwhere base_directory is the location of the application, jsp_directory is the relative location of where the JSP files are stored and webxml_location is the relative location of the web.xml file of the application.
Then run the command
java -classpath servletvalidator-all.jar dk.brics.servletvalidator.WARLordTool interaction class methodwhere class is the name of the class to analyze and method is the name of the start method in the class (for example "doGet").
Note that the tool will need the application classes to be in the classpath too.
- Source code is available on request.
- Read the research papers: