Wednesday, August 02, 2006

JSP Vulnerability

Besides DCOM I am wondering if there is some type of security problem with JSP. In one of my last entries you'll see some comments from people about various hosting companies. One of them mentions problems at a company I also have had problems with. They also mention that they wonder whether the problem stems from a JSP application.

Two things come to mind after reading this statement.

#1. That hosting company is partnered with JBoss, an open source Java Application Server that serves up JSP. They must have some expertise in that area - and potentially some people who are aware of known hacks who may have internal access at the organization.

#2. Maybe there is some sort of flaw in JSP...which was something I was starting to wonder prior to reading this. The thing about JSP is that it is compiled after the fact and there are some temporary files that contain the compiled code. What this means is that if someone can get into your cache of compiled JSP pages, they could potentially change those cached pages and alter the functionality of your application. You wonder what is going on so you do a diff on your code and it all looks the same...but in reality what was altered was the cached files. In the past I have found permissions changed on these cached files as well so they could not be deleted. That means that the code you think you are running may not be the code you are actually running.

#2 does not just apply to JSP but to any programming language that compiles at run time. There needs to be a way to verify that the cache has not been poisoned.

So don't use JSP? I don't think that is the answer here because so many other application programs work in a similar way. In terms of Java application servers you could opt for using servlets. You can also perform some security auditing on your system to verify this is not happening.
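One way to do the kind of auditing mentioned above, as an added example that is not from the original post: record a hash and the permission bits of every file in the compiled-page cache right after a trusted deploy, then compare the cache against that record later. The file names and the demo directory are constructed for illustration, and the baseline is assumed to be taken at a moment when the cache is known to be good.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(cache_dir):
    """Map each file's relative path to (sha256 hex digest, permission bits)."""
    manifest = {}
    for root, _dirs, files in os.walk(cache_dir):
        for name in files:
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            manifest[os.path.relpath(path, cache_dir)] = (digest, mode)
    return manifest

def audit(cache_dir, baseline):
    """Compare the cache now against a trusted baseline; return sorted findings."""
    current = snapshot(cache_dir)
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append(("removed", rel))
        elif rel not in baseline:
            findings.append(("added", rel))
        else:
            if baseline[rel][0] != current[rel][0]:
                findings.append(("content-changed", rel))
            if baseline[rel][1] != current[rel][1]:
                findings.append(("mode-changed", rel))
    return findings

def demo():
    """Constructed sample cache: one class altered, one chmod'ed, one added."""
    with tempfile.TemporaryDirectory() as cache:
        for name, body in [("index_jsp.class", b"A"), ("login_jsp.class", b"B")]:
            p = os.path.join(cache, name)
            with open(p, "wb") as fh:
                fh.write(body)
            os.chmod(p, 0o644)
        baseline = snapshot(cache)          # taken right after a trusted deploy
        with open(os.path.join(cache, "login_jsp.class"), "wb") as fh:
            fh.write(b"tampered")           # simulated change to a cached page
        os.chmod(os.path.join(cache, "index_jsp.class"), 0o444)
        with open(os.path.join(cache, "extra_jsp.class"), "wb") as fh:
            fh.write(b"C")
        return audit(cache, baseline)

if __name__ == "__main__":
    for kind, rel in demo():
        print(kind, rel)
```

The baseline is only useful if it is stored somewhere the application server account cannot write, and it has to be regenerated after every legitimate redeploy or recompile.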