3. Introducing LAPSE+
An Eclipse IDE plug-in for Java.
A static code analysis tool.
A security scanner for detecting untrusted data injection vulnerabilities in Java EE applications.
Developed by the SUIF Compiler Group of Stanford University.
4. LAPSE+
LAPSE+ is based on static analysis of the code to detect the source and the sink of a vulnerability.
The source of a vulnerability refers to the point where untrusted data is injected, such as the parameters of an HTTP request, a cookie, etc.
The sink of a vulnerability refers to the point where that data is used to manipulate the behavior of the application, such as a servlet response or an HTML page.
Vulnerability sources can reach sinks through simple assignments, method calls or parameter passing.
5. Demo - Loading LAPSE+ in Eclipse
D:techeclipse
The LAPSE+ plug-in consists of a single Java JAR file called LapsePlus_2.8.X.jar.
To load the plug-in we have to copy it into the plugins folder of our Eclipse Helios installation.
Once we have copied the JAR file into the plugins folder we can start Eclipse.
LAPSE+ is ready!
6. LAPSE+ Eclipse Plug-in Views
LAPSE+ provides three different views for the analysis of vulnerabilities:
Vulnerability Sources View: shows the points in the code that can be a source of untrusted data injection.
Vulnerability Sinks View: shows the points in the code that can insert the untrusted data into the application, manipulating its behavior.
Provenance Tracker View: traces the backward propagation tree from a vulnerability sink in order to check whether it reaches a vulnerability source. If it does, we have a vulnerability in our code.
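As an added example (not taken from the deck or from LAPSE+ itself), a hypothetical servlet that contains the source, the propagation steps and the sink described on slide 4, with comments showing the backward path the Provenance Tracker of slide 6 would walk; it assumes the javax.servlet API and a made-up escapeHtml helper:

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet, written only to show the source-to-sink flow LAPSE+ reports.
public class GreetingServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // SOURCE: untrusted data enters through an HTTP request parameter ...
        String name = req.getParameter("name");
        // ... and through a cookie value (getCookies() returns null when the request has none).
        String theme = "default";
        Cookie[] cookies = req.getCookies() == null ? new Cookie[0] : req.getCookies();
        for (Cookie c : cookies) {
            if ("theme".equals(c.getName())) theme = c.getValue();
        }

        String title = name;                     // propagation by simple assignment
        String greeting = buildGreeting(title);  // propagation by parameter passing

        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        // SINK (vulnerable): untrusted strings written straight into the HTML response.
        // The Provenance Tracker walks backwards from this call: greeting <- buildGreeting(title)
        // <- title <- name <- req.getParameter("name"); it reaches a source, so this is a finding.
        out.println("<h1 class=\"" + theme + "\">" + greeting + "</h1>");

        // SINK (remediated): the same data, HTML-escaped before it reaches the response.
        // Whether LAPSE+ treats escapeHtml as a sanitizer or still lists this println() is a
        // matter of its configuration, which the deck does not cover; review the tree by hand.
        out.println("<h1 class=\"" + escapeHtml(theme) + "\">" + escapeHtml(greeting) + "</h1>");
    }

    private static String buildGreeting(String who) {   // method call carrying the tainted value
        return "Hello, " + who + "!";
    }

    // Minimal escaper for HTML text and double-quoted attribute values; '&' must go first.
    static String escapeHtml(String s) {
        if (s == null) return "";
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
                .replace("\"", "&quot;").replace("'", "&#39;");
    }
}
```

Opening the first println() in the Vulnerability Sinks View and following the Provenance Tracker back to getParameter() and getValue() is the check the deck describes; the second println() is what the code should look like after validation.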
7. Advantages
Accurate results.
It automatically places the cursor at the relevant source code.
It lets you test your validation logic from a security perspective even without compiling your code.
8. Limitations
Limited to Java.
Limited to the Eclipse environment, so it cannot be triggered during the build phase.
The copy-to-clipboard functionality does not work properly.
Does not analyze JSP/web pages.
Cannot identify whether the code contains compilation errors.
Cannot block vulnerable code from entering the code repository (Subversion).
9. Conclusion
LAPSE+ is not a complete, foolproof solution for static code analysis, but it provides very accurate results.
LAPSE+ is better than YASCA and ARACHNI in terms of results and convenience.