[Soot-list] analyzing applications using Java Web Framework?

Bernhard Berger berber at tzi.de
Tue Feb 12 15:21:41 EST 2013


Hi Lu,

currently I am able to parse a web.xml file and build a model of the registered servlets, filters and listeners. Furthermore, the mappings are analyzed and a model is created that maps the available paths to the corresponding servlets and filters. Afterwards, a bunch of classes (a main class is among them) is generated to allow Soot to analyze the project. Currently, I'm working with different projects that use plain HttpServlets (e.g. securibench) and JSP files and extending it to support Struts 1.

As far as I understand, you are interested in tracking data flow between different resources? Is the application you want to analyze open source?

Bernhard
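The web.xml model Bernhard describes (servlets, filters, and a path-to-servlet/filter map) is the part of the container's implicit control flow that a call-graph builder has to reconstruct before Soot sees a sensible entry point. The following is an added example, not code from this thread or from Bernhard's tool: a small Python parser that builds that model from a constructed web.xml and resolves a request path to its servlet and filter chain. The matching order (exact, longest path prefix, extension, default servlet) and the filter ordering (url-pattern mappings in declaration order) are my reading of the Servlet specification; servlet-name filter mappings and listeners are deliberately left out.

```python
"""Build an entry-point model from web.xml and resolve request paths.

Added example for the Soot-list thread; the web.xml below is constructed
for illustration and the class names are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample deployment descriptor (no namespace, to keep it short;
# namespaced files are handled by _local()).
WEB_XML = """<web-app>
  <filter><filter-name>auth</filter-name><filter-class>app.AuthFilter</filter-class></filter>
  <filter><filter-name>log</filter-name><filter-class>app.LogFilter</filter-class></filter>
  <filter-mapping><filter-name>log</filter-name><url-pattern>/*</url-pattern></filter-mapping>
  <filter-mapping><filter-name>auth</filter-name><url-pattern>/admin/*</url-pattern></filter-mapping>
  <servlet><servlet-name>admin</servlet-name><servlet-class>app.AdminServlet</servlet-class></servlet>
  <servlet><servlet-name>login</servlet-name><servlet-class>app.LoginServlet</servlet-class></servlet>
  <servlet><servlet-name>jsp</servlet-name><servlet-class>app.JspServlet</servlet-class></servlet>
  <servlet><servlet-name>default</servlet-name><servlet-class>app.DefaultServlet</servlet-class></servlet>
  <servlet-mapping><servlet-name>admin</servlet-name><url-pattern>/admin/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>login</servlet-name><url-pattern>/login</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>jsp</servlet-name><url-pattern>*.jsp</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>default</servlet-name><url-pattern>/</url-pattern></servlet-mapping>
</web-app>"""


def _local(tag):
    """Strip an XML namespace: '{uri}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _child_texts(el, name):
    """Text of every direct child with the given local name (a mapping may list several url-patterns)."""
    return [(c.text or "").strip() for c in el if _local(c.tag) == name]


def parse_web_xml(text):
    """Model: name -> class for servlets and filters, plus (pattern, name) mappings in declaration order."""
    root = ET.fromstring(text)
    model = {"servlets": {}, "filters": {}, "servlet_mappings": [], "filter_mappings": []}
    for el in root:
        tag = _local(el.tag)
        if tag == "servlet":
            model["servlets"][_child_texts(el, "servlet-name")[0]] = _child_texts(el, "servlet-class")[0]
        elif tag == "filter":
            model["filters"][_child_texts(el, "filter-name")[0]] = _child_texts(el, "filter-class")[0]
        elif tag == "servlet-mapping":
            name = _child_texts(el, "servlet-name")[0]
            model["servlet_mappings"] += [(p, name) for p in _child_texts(el, "url-pattern")]
        elif tag == "filter-mapping":
            # Filter mappings by <servlet-name> (no url-pattern) are skipped in this example.
            name = _child_texts(el, "filter-name")[0]
            model["filter_mappings"] += [(p, name) for p in _child_texts(el, "url-pattern")]
    return model


def pattern_matches(pattern, path):
    """Servlet-style url-pattern matching for one pattern against a context-relative path."""
    if pattern == "/":                      # default servlet: matches everything
        return True
    if pattern.endswith("/*"):              # path prefix: /admin/* matches /admin and /admin/x
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):            # extension: *.jsp matches the last path segment
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return pattern == path                  # exact


def resolve_servlet(model, path):
    """Spec order: exact match, longest path-prefix match, extension match, default servlet."""
    maps = model["servlet_mappings"]
    exact = [n for p, n in maps if p == path and not p.endswith("/*") and p != "/"]
    if exact:
        return exact[0]
    prefixes = [(p, n) for p, n in maps if p.endswith("/*") and pattern_matches(p, path)]
    if prefixes:
        return max(prefixes, key=lambda pn: len(pn[0]))[1]
    ext = [n for p, n in maps if p.startswith("*.") and pattern_matches(p, path)]
    if ext:
        return ext[0]
    default = [n for p, n in maps if p == "/"]
    return default[0] if default else None


def resolve(model, path):
    """Servlet class and ordered filter-chain classes that the container would run for `path`."""
    name = resolve_servlet(model, path)
    chain = [model["filters"][n] for p, n in model["filter_mappings"] if pattern_matches(p, path)]
    return {"path": path, "servlet": model["servlets"].get(name), "filters": chain}


def entry_point_classes(model):
    """All classes a generated Soot main class would have to instantiate and call into."""
    return sorted(set(model["servlets"].values()) | set(model["filters"].values()))


if __name__ == "__main__":
    m = parse_web_xml(WEB_XML)
    for p in ["/admin/users", "/login", "/index.jsp", "/admin/report.jsp", "/static/x.css"]:
        print(resolve(m, p))
    print(entry_point_classes(m))
```

Note that `/admin/report.jsp` resolves to the admin servlet, not the JSP servlet, because a path-prefix match outranks an extension match; an analysis that models routing by extension alone would attach the wrong entry point to that request, which is exactly the kind of container behaviour the thread is about.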

On 12.02.2013 at 20:44, lu zhao <00luzhao at gmail.com> wrote:

> Hi Bernhard,
> 
> At this moment, I'm not seeking something that supports full-fledged JEE applications. I'd like to start with HttpSession and page dispatching support. If this has been done, then I'll consider other features. The application at my hand uses subclasses of HttpSession and dispatches requests extensively. A typical use case is retrieving a session object from a request, modifying its attributes, and setting it back to the request, which is next forwarded to other resources. Similar operations may continue in the new resources.
> 
> Thanks very much,
> Lu
> 
> 
> On 02/11/2013 10:46 PM, Bernhard Berger wrote:
>> Hi Lu,
>> 
>> as Marc-André already mentioned, it is not an easy task to accomplish, especially if you want to model the behavior of the container correctly (respecting filters, listeners, security checks and so forth). Furthermore, the work that has to be done heavily depends on the frameworks you are using. If you support basic Servlets and JSP you have no chance of analyzing JSF, Struts and Spring since they have their own configuration files and framework magic.
>> 
>> If you are interested in full-fledged JavaEE applications (even if they are just using the Web profile) the problem gets even worse. I've already solved some of those problems to get a proper call graph for JavaEE systems and I'm currently working on improving the code base.
>> 
>> What kind of analysis are you trying to do? And do you already have a system in mind that you want to analyze?
>> 
>> Bernhard
>> 
>> On 12.02.2013 at 01:54, lu zhao <00luzhao at gmail.com> wrote:
>> 
>>> Hi,
>>> 
>>> I'm new to soot and trying to analyze a web application that uses Java 
>>> Servlet and JSP technologies. Because many control and data flows are 
>>> implicitly conducted by a web container, directly analyzing the code of 
>>> the application is not very helpful. Is there any work that has been 
>>> done on modeling data and control flows of the Java Web framework? Any 
>>> pointers to existing work are really welcome.
>>> 
>>> Thanks very much,
>>> Lu
>>> _______________________________________________
>>> Soot-list mailing list
>>> Soot-list at sable.mcgill.ca
>>> http://mailman.cs.mcgill.ca/mailman/listinfo/soot-list
