WARlord

WARlord (formerly known as ServletValidator) is a static program analyzer for Java Servlets, JSP, and Struts.

The analysis consists of a front-end that computes a context-free grammar that captures the possible output of the given servlet (i.e. string fragments printed to the output stream) and a back-end that analyzes the grammar for XML well-formedness and XHTML validity as well as HTML validity. Furthermore it has a back end that statically checks for client-state manipulation vulnerabilities.

View the online javadoc API specifications.
Download
- servletvalidator.jar - precompiled Java archive, or
- servletvalidator-all.jar - full jar including necessary libraries
To see the command-line usage for the HTML analyzer, run
```
java -classpath servletvalidator-all.jar dk.brics.servletvalidator.Analyzer
```
To run the client-state manipulation vulnerability analyzer, first run the hidden field analysis
```
java -classpath servletvalidator-all.jar dk.brics.servletvalidator.WARLordTool hidden base_directory jsp_directory webxml_location 
```
where base_directory is the location of the application, jsp_directory is the relative location of where the JSP files are stored and webxml_location is the relative location of the web.xml file of the application.
Then run the command
```
java -classpath servletvalidator-all.jar dk.brics.servletvalidator.WARLordTool interaction class method
```
where class is the name of the class to analyze and method is the name of the start method in the class (for example "doGet").
Note that the tool will need the application classes to be in the classpath too.
Source code is available on request.
Read the research papers:
- Static Analysis for Java Servlets and JSP [abstract | PDF ]
- HTML Validation of Context-Free Languages [abstract | PDF ]
- Automated Detection of Client-State Manipulation Vulnerabilities [abstract | PDF ] (experimental data)

The WARlord package is implemented by Mathias Schwarz at Aarhus University.