Introducing LAPSE+
An Eclipse IDE plug-in for Java.
A static code analysis tool.
A security scanner for detecting vulnerabilities caused by un-trusted data injection in Java EE applications.
Developed by the SUIF Compiler Group of Stanford University.
LAPSE+
LAPSE+ is based on static analysis of the code to detect the source and the sink of a vulnerability.
The source of a vulnerability is the point where un-trusted data enters the application, such as the parameters of an HTTP request, a cookie, etc.
The sink of a vulnerability is the point where that data is used to manipulate the behaviour of the application, such as a servlet response or an HTML page.
Data can flow from a vulnerability source to a sink through simple assignments, method calls or parameter passing.
Demo: Loading LAPSE+ in Eclipse
(Path shown in the demo: D:techeclipse)
The LAPSE+ plug-in consists of a single Java JAR file called LapsePlus_2.8.X.jar.
To load the plug-in, copy it into the plugins folder of our Eclipse Helios installation.
Once the JAR file has been copied into the plugins folder, run Eclipse. LAPSE+ is ready!
LAPSE+ Eclipse Plug-in Views
LAPSE+ provides three different views for the analysis of vulnerabilities:
Vulnerability Sources View: shows the points in the code that can be sources of un-trusted data injection.
Vulnerability Sinks View: shows the points in the code where un-trusted data can be inserted into the application, manipulating its behaviour.
Provenance Tracker View: traces the backward propagation tree from a vulnerability sink to check whether it reaches a vulnerability source. If it does, we have a vulnerability in our code.
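The following listing is an added example, not code from the slides or from the LAPSE+ project, showing the kind of source-to-sink chain described above in a Java EE servlet: un-trusted data enters through a request parameter (source), propagates through an assignment and a method parameter, and reaches a JDBC query and the servlet response (sinks). A hardened servlet follows that breaks the chain with input validation, a bound parameter and output encoding. The DataSource field, the users table and the name column are assumptions made for the example; which exact calls LAPSE+ lists as sources and sinks is determined by its own configuration, not by this listing.

```java
// Added example (not from the slides or the LAPSE+ project). Two servlets are
// shown in one listing for comparison; in a real project each would be its own
// public class in its own file. The DataSource, the "users" table and the
// "name" column are constructed for this example.
import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

// --- Vulnerable servlet: the chain the Provenance Tracker would walk backwards ---
class VulnerableUserServlet extends HttpServlet {
    private DataSource dataSource; // assumed to be looked up elsewhere (hypothetical)

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // SOURCE: un-trusted data enters from an HTTP request parameter.
        String name = req.getParameter("name");
        // Propagation by simple assignment (string concatenation keeps the taint).
        String query = "SELECT name FROM users WHERE name = '" + name + "'";
        // Propagation by parameter passing into a helper method.
        String found = lookup(query);
        // SINK: tainted data is written into the servlet response (reflected XSS).
        PrintWriter out = resp.getWriter();
        out.println("<p>User: " + found + "</p>");
    }

    private String lookup(String query) {
        try (Connection c = dataSource.getConnection();
             Statement st = c.createStatement();
             // SINK: the tainted query string is executed by JDBC (SQL injection).
             ResultSet rs = st.executeQuery(query)) {
            return rs.next() ? rs.getString("name") : "";
        } catch (SQLException e) {
            throw new RuntimeException(e);
        }
    }
}

// --- Hardened servlet: same functionality, no source-to-sink path left ---
class HardenedUserServlet extends HttpServlet {
    private DataSource dataSource; // assumed to be looked up elsewhere (hypothetical)

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("name");
        // Validation: allow-list the shape of the input before it propagates.
        if (name == null || !name.matches("[A-Za-z0-9_]{1,32}")) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid name");
            return;
        }
        String found = lookup(name);
        resp.setContentType("text/html;charset=UTF-8");
        PrintWriter out = resp.getWriter();
        // Output encoding: the value is rendered as text, not as HTML markup.
        out.println("<p>User: " + escapeHtml(found) + "</p>");
    }

    private String lookup(String name) {
        String sql = "SELECT name FROM users WHERE name = ?";
        try (Connection c = dataSource.getConnection();
             PreparedStatement ps = c.prepareStatement(sql)) {
            ps.setString(1, name); // bound as data, never parsed as SQL
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next() ? rs.getString("name") : "";
            }
        } catch (SQLException e) {
            throw new RuntimeException(e);
        }
    }

    // Minimal HTML entity encoder for the characters that matter in element content
    // and attribute values.
    private static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char ch : s.toCharArray()) {
            switch (ch) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }
}
```

In the vulnerable servlet, a backward trace from either sink (executeQuery or println) passes through the query and found assignments and the lookup parameter and ends at req.getParameter, which is exactly the propagation tree the Provenance Tracker View renders. In the hardened servlet the regex check, the bound parameter and the encoder are the validation logic the slides say LAPSE+ lets you test from a security perspective without compiling the project.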
Advantages
Accurate results.
It automatically places the cursor at the relevant source code.
It helps you test your validation logic from a security perspective, even without compiling your code.
Limitations
Limited to Java.
Limited to the Eclipse environment, so it cannot be triggered during the build phase.
The copy-to-clipboard functionality does not work properly.
Does not analyse JSP/web pages.
Cannot identify whether the code contains compilation errors.
Cannot block vulnerable code from entering the code repository (Subversion).
Conclusion
LAPSE+ is not a complete, fool-proof solution for static code analysis, but it provides very accurate results.
LAPSE+ is better than YASCA and ARACHNI in terms of results and convenience.