OWASP LAPSE Project is an initiative by The Open Web Application Security Project (OWASP) to make available to developers and auditors a tool for detecting vulnerabilities in Java EE Applications. The project aims to put at their disposal a tool based on the static analysis of code, due to the importance and difficulty of this type of analysis to detect security flaws in Java EE Applications. The difficulty of this analysis increases when they face applications consisting of thousands of lines of code or having a complex structure with many Java classes. Hence, OWASP LAPSE Project offers a tool that helps the developer and auditor to carry out the static analysis of code in the most effective and efficient way. The tool that is provided and gives the name to the project is LAPSE+.
LAPSE+ is a security scanner for detecting vulnerabilities of untrusted data injection in Java EE Applications. It has been developed as a plugin for Eclipse Java Development Environment, working specifically with Eclipse Helios and Java 1.6 or higher. LAPSE+ is based on the GPL software LAPSE, developed by the SUIF Compiler Group of Stanford University. This new release of the plugin developed by Evalues Lab of Universidad Carlos III de Madrid provides more features to analyze the propagation of the malicious data through the application and includes the identification of new vulnerabilities.
LAPSE+ is based on the static analysis of code to detect the source and the sink of a vulnerability. The source of a vulnerability refers to the injection of untrusted data, e.g. in the parameters of an HTTP request or a Cookie. The sink of a vulnerability refers to the process of data modification to manipulate the behaviour of the application, such as a servlet response or a HTML page. The vulnerability sources can lead to sinks by simple assignments, method calls or parameters passing. When it is possible to reach a vulnerability sink from a vulnerability source then we have a vulnerability in our application.
You can download LAPSE+ and its tutorial in the following links:
- LapsePlus_2.8.1.jar - LAPSE+ 2.8.1 plugin for Eclipse Helios.
- LapsePlus_Tutorial.pdf - Tutorial for the installation and use of LAPSE+.