Tuesday, March 15, 2011

OWASP Lapse+ v.2.8.1 Released

Vulnerability detection in Java EE Applications

LAPSE+ is a security scanner for detecting untrusted-data injection vulnerabilities in Java EE applications. It has been developed as a plugin for the Eclipse Java development environment and works specifically with Eclipse Helios and Java 1.6 or higher. LAPSE+ is based on LAPSE, GPL software developed by the SUIF Compiler Group of Stanford University. This new release of the plugin, developed by the Evalues Lab of Universidad Carlos III de Madrid, provides more features for analyzing how malicious data propagates through the application and adds the identification of new vulnerabilities.

The vulnerabilities detected by LAPSE+ are related to the injection of untrusted data to manipulate the behavior of the application. This type of vulnerability is the most common in web applications. The vulnerability categories detected by LAPSE+ are enumerated below:

Parameter Tampering.
URL Tampering.
Header Manipulation.
Cookie Poisoning.
SQL Injection.
Cross-site Scripting (XSS).
HTTP Response Splitting.
Command Injection.
Path Traversal.
XPath Injection.
XML Injection.
LDAP Injection.
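The scanner's findings are paths from an untrusted-data source (a request parameter, header or cookie) through the code to a sensitive sink. The following servlet is an added illustration of such a path for two of the categories listed above (SQL Injection and Cross-site Scripting); it is not code from the LAPSE+ project or from this post, and the class, method and column names are assumptions chosen for the example. The first method shows the data flow a taint-propagation scanner would report; the second shows the same request handled so that the sinks no longer receive raw untrusted data.

```java
// Added illustration (not LAPSE+ project code): a Java EE servlet with one
// untrusted-data source flowing to two sinks, shown vulnerable and hardened.
// Class, method and column names are assumptions chosen for this example.
import java.io.IOException;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class UserLookupServlet extends HttpServlet {

    // Assumed to be supplied by the container or application (for example a JNDI DataSource).
    private Connection connection;

    // VULNERABLE: source (getParameter) -> propagation (string concatenation) -> sink (executeQuery).
    // This is the kind of path a taint-propagation scanner reports as SQL Injection.
    // A second path reaches the response writer unescaped: Cross-site Scripting.
    protected void doGetVulnerable(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("user");                              // source: untrusted data
        String query = "SELECT email FROM users WHERE name = '" + username + "'";   // propagation into SQL text
        try (Statement stmt = connection.createStatement();
             ResultSet rs = stmt.executeQuery(query)) {                              // sink: SQL Injection
            response.setContentType("text/html");
            while (rs.next()) {
                response.getWriter().println("<p>" + username + ": "
                        + rs.getString("email") + "</p>");                          // sink: XSS
            }
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }

    // HARDENED: the same flow, with the data kept out of the SQL grammar (bound parameter),
    // checked against an allow-list, and HTML-escaped before it reaches the response body.
    // The source is unchanged; the sinks no longer receive raw untrusted data.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("user");                              // still untrusted
        if (username == null || !username.matches("[A-Za-z0-9_]{1,32}")) {           // allow-list validation
            response.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid user name");
            return;
        }
        String query = "SELECT email FROM users WHERE name = ?";                     // no data in the query text
        try (PreparedStatement stmt = connection.prepareStatement(query)) {
            stmt.setString(1, username);                                             // bound as a value, not SQL
            try (ResultSet rs = stmt.executeQuery()) {
                response.setContentType("text/html;charset=UTF-8");
                while (rs.next()) {
                    response.getWriter().println("<p>" + escapeHtml(username) + ": "
                            + escapeHtml(rs.getString("email")) + "</p>");          // escaped before output
                }
            }
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }

    // Minimal HTML escaping for text content; a library encoder (for example the
    // OWASP Java Encoder) is the usual choice in real code.
    static String escapeHtml(String s) {
        if (s == null) return "";
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }
}
```

The comparison shows why a scanner of this kind reports on data flow rather than on the presence of `getParameter` alone: the source call is identical in both methods, and the finding disappears only because the untrusted value is bound as a parameter and encoded before reaching each sink. The same source-to-sink reasoning applies to the other listed categories, with the sink being a file path, an LDAP or XPath query, a response header or a command line instead of SQL or HTML.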

Download: http://evalues.es

Tutorial for the installation and use of LAPSE+: PDF


