
Posted by barello at 2020-02-25

Java is a relatively complex language compared with PHP, so when I first came into contact with Java source code auditing I ran into some difficulties with the environment and configuration. This article records the preparation I did before auditing Java code, in the hope that it helps newcomers.

0x00 Java environment description

1. Install Java environment

The first step is to install the JDK package and configure the corresponding environment variables.

Default installation directory after installation:

The environment variables tell the system where several key locations are after Java is installed:

● the JDK installation path - JAVA_HOME

● the location of the JDK command files (the bin folder) - PATH

● the location of the class library files (the lib folder) - CLASSPATH

2. Run Java program

Java code must be compiled before it is executed. The compiler first compiles the Java source files into bytecode (.class) files, which are then loaded and executed by the Java virtual machine.


Java source files generally cannot be interpreted directly the way PHP or Python scripts can, so without an IDE we need to compile them with javac.

After compiling we get the corresponding .class bytecode file, which the Java runtime can execute directly.

3. Java Decompilation

Most of the time we get .class bytecode files rather than the Java source files, so we need a tool to decompile them and show us the corresponding source code. The JD-GUI tool is recommended.
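Before choosing a JDK or decompiler it helps to know which compiler produced a .class file. As an added example (not from the original post), this small Python parser reads the class-file header and constant pool to recover the target Java release and the class names; the sample class bytes are constructed by hand, not emitted by a real compiler.

```python
import struct

# Byte size of each fixed-width constant-pool entry, keyed by tag.
# CONSTANT_Utf8 (tag 1) is variable-length and handled separately.
_FIXED_CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4,
                   11: 4, 12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}

def java_release(major):
    """Map a class-file major version to the JDK release that emits it (45 -> 1.1, 52 -> 8)."""
    return "1.%d" % (major - 44) if major < 49 else str(major - 44)

def parse_class_file(data):
    """Return version info and class names from raw .class bytes."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file (bad magic)")
    minor, major, cp_count = struct.unpack(">HHH", data[4:10])
    pool, pos, idx = {}, 10, 1          # constant pool indices start at 1
    while idx < cp_count:
        tag = data[pos]
        if tag == 1:                    # CONSTANT_Utf8: u2 length + bytes
            length = struct.unpack(">H", data[pos + 1:pos + 3])[0]
            pool[idx] = data[pos + 3:pos + 3 + length].decode("utf-8", "replace")
            pos += 3 + length
        else:
            if tag == 7:                # CONSTANT_Class: u2 index of a Utf8 name
                pool[idx] = struct.unpack(">H", data[pos + 1:pos + 3])[0]
            pos += 1 + _FIXED_CP_SIZES[tag]
        idx += 2 if tag in (5, 6) else 1  # long/double take two pool slots
    access, this_idx, super_idx = struct.unpack(">HHH", data[pos:pos + 6])
    return {"major": major, "minor": minor, "java": java_release(major),
            "this_class": pool[pool[this_idx]],
            "super_class": pool[pool[super_idx]],
            "public": bool(access & 0x0001)}

def _utf8(s):
    b = s.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(b)) + b

# Constructed sample: "public class Hello" targeting Java 8 (major 52) with an
# empty body; four constant-pool entries, no fields, methods or attributes.
SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe" + struct.pack(">HHH", 0, 52, 5)
    + b"\x07" + struct.pack(">H", 2) + _utf8("Hello")
    + b"\x07" + struct.pack(">H", 4) + _utf8("java/lang/Object")
    + struct.pack(">HHH", 0x0021, 1, 3)      # access_flags, this_class, super_class
    + struct.pack(">HHHH", 0, 0, 0, 0)       # interfaces, fields, methods, attributes
)

if __name__ == "__main__":
    print(parse_class_file(SAMPLE_CLASS))
```

Run it against a real .class file with `parse_class_file(open(path, "rb").read())`; a major version higher than your installed JDK supports explains both "unsupported class version" errors and decompiler failures.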

The above process is described in the following figure:

4. Java platform

When first coming into contact with the Java platform you will run into several terms such as Java SE, Java EE and Java ME. In short:

● Java SE - developing computer software

● Java EE - developing web sites

● Java ME - developing mobile software

Java SE (Java Platform, Standard Edition): allows the development and deployment of Java applications for desktop, server, embedded and real-time environments. Java SE includes the classes that support Java web service development.

Java EE (Java Platform, Enterprise Edition): Java EE is built on top of Java SE. It provides web services, component models, management and communication APIs for implementing enterprise-level service-oriented architectures and Web 2.0 applications.

Java ME (Java Platform, Micro Edition): provides a robust and flexible environment for applications running on mobile and embedded devices such as mobile phones, PDAs, TV set-top boxes and printers.

0x02 Installation and use of Tomcat

1. Introduction to Tomcat

Common Java servers: Tomcat, WebLogic, JBoss, GlassFish, Jetty, Resin, IBM WebSphere, etc.

Tomcat is a free, open-source web application server in the lightweight class. It is widely used for small and medium-sized systems and in scenarios where the number of concurrent users is not large, and it is the first choice for developing and debugging JSP programs. The Tomcat installation package can be downloaded from the Apache website. After extracting it, the directory structure is as follows:

2. Deploying source code on Tomcat

Example: deploying the javapms public beta source.

Rename the root directory to javapms1.4 and copy it into Tomcat's webapps directory.


0x03 Use of the IDE

1. Choose your own IDE

I am used to IntelliJ IDEA. Besides IDEA, MyEclipse is also a good choice.

2. Deploying a web project in IDEA

Deploying the project in the IDE makes it more convenient to debug and trace the code. Example: deploying the javapms public beta source.

Configure the run configuration, for example a Tomcat server.


3. Debugging in IDEA

Here we mainly use the debugging features of IDEA.

Some shortcut keys that are used while debugging:

● F7: step to the next line; if the current line is a method call, step into the method body.

● F8: step to the next line without entering the method body.

● Alt + Shift + F7: step into; if the current line is a method call and that method contains further method calls, keep stepping into them in turn.

● Shift + F8: jump to the next breakpoint; F9 can also be used.

● Drop frame: use this when you have stepped into a method body and want to back out of it.

0x04 Maven - project management and build tool

1. Introduction to Maven

Maven is a tool for building projects automatically; it pulls the associated jar packages from local and remote repositories for us. Official website:

Maven remote repository:

The WebGoat project audited earlier was deployed with Maven.

2. Maven deployment project

To deploy a Maven project in IDEA, take deploying the WebGoat source code as an example.

3. Deployment, operation and troubleshooting

With an older version of IDEA the program is fairly compatible and you can run the file directly. The full path of the file is \webgoat\webload server\src\main\java\org\owasp\webload\ Unfortunately, the latest version of IDEA reports an error. The error information is as follows:

This is because WebGoat's code is not written to standard: the project's pom.xml does not declare the dependency that provides the package com.beust.jcommander.internal, so it has to be added, as follows:


The full path of pom.xml is \webgoat\webload container\pom.xml.

After the modification, run it again. If there is no error and the console shows the Spring Boot startup output, compilation and execution have succeeded. Visit the address to see the WebGoat login page.

0x05 Fortify code audit tool

Fortify is an automated code audit tool. The version I use is a 2009 build from FreeBuf, based on Eclipse plus a rule base; the paid version is astonishingly expensive. The 2009 rule base is quite old, but it allows custom rules, so we can add our own audit rules on top of this version.