Introduction to Java code auditing

I spring and autumn core white hat Yanzmi

Originally from: https://bbs.ichunqiu.com/thread-42149-1-1.html

This issue brings some of the environment and tools for Java code audits to prepare.

Java is a relatively complex language relative to PHP, so the beginning of exposure to Java source Code audit will encounter some environmental and configuration difficulties, this article records brother in the beginning to audit Java code Some of the preparation, hoping to help the novice friends just getting started.

0x00 Java Environment Description

1. Installing the Java Environment

The default installation directory after installation is complete:

environment variable configuration, environment variable configuration is mainly to tell our own computer Java installation after a few key files path.

Where is the JDK installation path? --java_home

JDK Command file location (Bin folder path)--path

The location of the class library file (Lib folder path)--classpath

2. Running Java programs

Java code needs to be compiled prior to execution, the compiler first compiles the Java source files into binary files, and the parser parses the binary files.

Helloworld.java

General Java source code files can not be like PHP or Python directly parse, so without the help of the IDE, we need to javac this command to compile.

After compiling, get the. class corresponding bytecode file, which can be parsed directly in Java.

3. Java Anti-compilation

Because many times we get the source code file that is not Java, but the. class end of the bytecode file. So we need a tool to help us decompile and see the corresponding source code. It is recommended that you use the Jd-gui tool here.

Describe the process described above:

4. Java Platform

When it comes to the Java platform, it touches a few nouns, such as javase,javaee,javame and so on. Simple to understand:

Java se--Development computer software

Java ee--Development Web site

Java me--developing mobile software

Java SE (Java platform,standard Edition): Allows the development and deployment of Java applications for use in desktops, servers, embedded environments, and live environments. Java SE contains classes that support the development of Java WEB Services.

Java EE (Java platform,enterprise Edition): Java EE is built on the basis of Java SE, which provides Web services, component models, management, and communication APIs for enterprise-class service-oriented architecture and WEB 2.0 applications Program.

Java ME (Java Platform,micro Edition): Provides a robust and flexible environment for applications running on mobile devices and embedded devices such as mobile phones, PDAs, TV set-top boxes, and printers.

Installation and use of 0x02 Tomcat

1. About Tomcat

Common Java servers: Tomcat, Weblogic, JBoss, GlassFish, Jetty, Resin, IBM WebSphere, and more.

Tomcat server is a free open source Web application server, belonging to the lightweight application server, in small and medium-sized systems and concurrent access and many other occasions are widely used, is the first choice to develop and debug JSP programs.

The Tomcat installation package can go to Apache's official website to download, after extracting its directory structure as follows:

2.Tomcat Deployment Source

Example: Javapms public beta version of the source deployment

Rename the root directory to javapms1.4 copy to Tomcat's WebApp directory.

Visit http://127.0.0.1:8080/javapms1.4/

0x03 use of the IDE

1. Select the IDE that's right for you

MyEclipse is also a good choice for individuals who are more accustomed to using idea.

Deploy Web projects on 2.IDEA

Because deploying the project on the IDE makes it easier for us to debug code and Code tracking.

Example: Javapms public beta version of the source code deployment.

Configure the Run program, such as configuring Tomcat.

Installation: http://127.0.0.1:8080/javapms1.4

3.IDEA Debug function on

The main use of this is the idea of the debug function.

Here are a few shortcuts that you'll use in a few debugs:

F7, go to the next step, if the current breakpoint is a method, enter the method body.

F8, go to the next step, but not into the method body.

Alt+shift+f7, go to the next step, if the current breakpoint is a method, the method also has a method to loop into.

Shift+f8, jump to the next breakpoint, you can also press F9 to achieve.

Drop Frame, this key can be used when entering a method body to fallback to a method body.

0X04 maven--project management and build tools

1.Maven Introduction

MAVEN is a way to automatically build projects that can help us automatically pull associated jar packages from both local and remote repositories.

Website address:

MAVEN Remote repository:

The webgoat of the previous audits was deployed using MAVEN.

2.Maven Deployment Project

Deploy the MAVEN project on idea, here's an example of deploying Webgoat source code.

3. Deployment complete, running and troubleshooting

If you use the older version of idea, then the program is more compatible, run the Startwebgoat.java file directly, the full path of the file is \webgoat\webgoat-server\src\main\java\org\owasp\ Webgoat\startwebgoat.java

Unfortunately, using the latest version of idea error, the error message is as follows:

This is due to the Webgoat code is not well-specification, under the project Pom.xml does not have the specification writing package com.beust.jcommander.internal information, need to complement the complete, add as follows:

The full path to the Pom.xml is \webgoat\webgoat-container\pom.xml.

After the modification is complete, rerun Startwebgoat.java, and if there is no error, see the console's Spring boot run interface to compile and run successfully.

Visit Http://127.0.0.1:8080/WebGoat to see the WebGoat landing page.

0X05 Fortify Code Audit tool

Fortify is an automated code audit tool, which is used by Freebuf in the 2009 edition of the predecessors, the framework is the Eclipse+ Rule library. And his fee-charging version is surprisingly expensive. The 2009 version of the rule base is earlier, it allows us to customize the rules, so we can add the audit rules based on this version.

There are questions you can leave a message oh also welcome to the spring and autumn forum to play a trick >>> click to jump

Introduction to Java code auditing