How to find security vulnerabilities in JARs with SpotBugs…
[Note: burpsuite is just being used as an example]
SpotBugs is awesome. But the instructions for compiling it and running it as a standalone app were not that clear to me, so I decided to put together the rather simple steps below.
Decompile the JAR being analyzed using JD/JD-GUI (or similar). Google it, if needed. There’s a lot of info out there.
wget https://github.com/spotbugs/spotbugs/archive/release-3.1.zip
unzip release-3.1.zip
cd spotbugs-release-3.1
./gradlew
./gradlew spotbugs:build
cp spotbugs/build/distributions/spotbugs-3.1.7-SNAPSHOT.tgz ../.
cd ..
tar -xvzf spotbugs-3.1.7-SNAPSHOT.tgz
java -jar spotbugs-3.1.7-SNAPSHOT/lib/spotbugs.jar
After the above finishes processing, you’ll be presented with a list of possible vulnerabilities (under Security) as well as best-practice findings. I’ve found that there is a high false-positive rate in terms of exploitable findings. SpotBugs appears to just be performing simple string/regex comparison but does not (due to complexity) actually walk back up the logical flow to determine if a certain finding is actually exploitable. That will be your part :-).
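The triage step left to the reader gets easier when SpotBugs is run headless with an XML report (`java -jar spotbugs-3.1.7-SNAPSHOT/lib/spotbugs.jar -textui -xml -output report.xml target.jar`) and the SECURITY-category findings are pulled out first, highest priority on top. The script below is an added example, not part of the original post or of SpotBugs itself; the embedded report, class names and line numbers are constructed, and it assumes the report follows the BugCollection/BugInstance layout that SpotBugs writes.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of a SpotBugs XML report (-textui -xml); the classes,
# line numbers and finding mix are invented for this example.
SAMPLE_REPORT = """<BugCollection version="3.1.7-SNAPSHOT">
  <BugInstance type="SQL_NONCONSTANT_STRING_PASSED_TO_EXECUTE" priority="1" rank="7" category="SECURITY">
    <Class classname="com.example.UserDao"/>
    <Method classname="com.example.UserDao" name="findByName"/>
    <SourceLine classname="com.example.UserDao" start="42" end="42" sourcefile="UserDao.java"/>
  </BugInstance>
  <BugInstance type="PT_RELATIVE_PATH_TRAVERSAL" priority="2" rank="9" category="SECURITY">
    <Class classname="com.example.FileServlet"/>
    <Method classname="com.example.FileServlet" name="doGet"/>
    <SourceLine classname="com.example.FileServlet" start="31" end="31" sourcefile="FileServlet.java"/>
  </BugInstance>
  <BugInstance type="NP_NULL_ON_SOME_PATH" priority="2" rank="8" category="CORRECTNESS">
    <Class classname="com.example.Config"/>
    <Method classname="com.example.Config" name="load"/>
    <SourceLine classname="com.example.Config" start="17" end="17" sourcefile="Config.java"/>
  </BugInstance>
</BugCollection>
"""

def parse_findings(xml_text):
    """Flatten every BugInstance into a dict; absent Method/SourceLine become None."""
    findings = []
    for bug in ET.fromstring(xml_text).iter("BugInstance"):
        method, line = bug.find("Method"), bug.find("SourceLine")
        findings.append({
            "category": bug.get("category"), "type": bug.get("type"),
            "priority": int(bug.get("priority", "3")),  # 1 = high, 3 = low
            "class": bug.find("Class").get("classname"),
            "method": method.get("name") if method is not None else None,
            "line": int(line.get("start")) if line is not None and line.get("start") else None,
        })
    return findings

def security_findings(findings):
    """The manual-review queue: SECURITY findings, highest priority first."""
    return sorted((f for f in findings if f["category"] == "SECURITY"),
                  key=lambda f: (f["priority"], f["class"], f["line"] or 0))

def category_counts(findings):
    return Counter(f["category"] for f in findings)

if __name__ == "__main__":
    findings = parse_findings(SAMPLE_REPORT)
    print("findings per category:", dict(category_counts(findings)))
    for f in security_findings(findings):  # each still needs a data-flow check by hand
        print(f"P{f['priority']} {f['type']} {f['class']}.{f['method']}:{f['line']}")
```

Point the script at a real `report.xml` by replacing `SAMPLE_REPORT` with the file contents; the SECURITY list is where the walk-back-up-the-flow work starts.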
Original Source: https://twitter.com/redeemedHacker/status/1039315054661967872