Java Web Application Code Review

R3zk0n · October 2, 2025

    Introduction to Java File Formats

    • Java web applications can be packaged in several different file formats, such as JARs, WARs, and EARs.
    • All three of these file formats are essentially ZIP files with different extensions.
      • Java Archive (JAR) files are typically used for stand-alone applications or libraries.
      • Web Application Archive (WAR) files are used to collect multiple JARs and static content, such as HTML, into a single archive.
      • Enterprise Application Archive (EAR) files can contain multiple JARs and WARs to consolidate multiple web applications into a single file.

    Enterprise Application Archive

    • The application.xml file contains deployment information, including the location of external libraries. It is usually in the META-INF directory: cat META-INF/application.xml.
      • Search for <library-directory>APP-INF/lib</library-directory>
      • Tomcat Server + Enterprise: https://tomee.apache.org/

    What are Java Server Pages (JSP)?

    • In Java web applications, “servlet” is a shorthand for the classes that handle requests, such as HTTP requests.
    • Each framework has its own versions of servlets; in general, they implement code that takes in a request and returns a response.
    • Java Server Pages (JSP) are a form of servlet used for dynamic pages. JSPs can mix Java code with traditional HTML.

    What is a Java Interface?

    • Interfaces define a list of methods (sometimes referred to as behaviors) but do not implement the actual code within those methods.
    • Instead, classes can implement one or more interfaces. If a class implements an interface, it must include code for all the methods defined in that interface.
    • By convention, a class whose name ends with “Impl” implements an interface.

    Discovery

    Starters

    • Start with Deployment Descriptor, such as the web.xml file.
    • For Java Server Pages (JSP) applications: read through the JSP files first if the application mixes application logic with HTML inside the JSPs.
    • Inspect authentication and password reset functionality, as weaknesses there can be leveraged to gain access to the application.

    JSP Password Reset Functionality Flow

    1. Read through JSP files with interesting names (password reset, authentication, etc.).
    2. Pay attention to any imported libraries in the code base that need further discovery.
    3. Interesting methods:
      • Locate external libraries (JAR files) such as via application.xml.
      • If class file only contains an Interface, search for the method (e.g. requestPasswordReset) to find implementation.
      • If class is appended with “Impl”, it implements an interface.
      • Search for the method within the implementation.
      • Continue to investigate newly discovered methods
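The discovery steps above, as an added Python example that is not part of the original notes: it walks a nested EAR (EAR > WAR > JAR, all ZIPs), lists the deployment descriptors, reads the library-directory from application.xml, and flags JSPs with interesting names and *Impl classes as starting points for review. The in-memory sample archive, its entry names and its descriptor content are constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

INTERESTING = re.compile(r"password|reset|auth|login", re.I)  # JSP names to read first

def build_sample_ear() -> bytes:
    """Constructed in-memory EAR > WAR > JAR so the example runs offline (assumed names)."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:  # class bodies are just the class-file magic number
        z.writestr("com/example/auth/PasswordResetService.class", b"\xca\xfe\xba\xbe")
        z.writestr("com/example/auth/PasswordResetServiceImpl.class", b"\xca\xfe\xba\xbe")
    war = io.BytesIO()
    with zipfile.ZipFile(war, "w") as z:
        z.writestr("WEB-INF/web.xml", "<web-app/>")
        z.writestr("WEB-INF/lib/auth.jar", jar.getvalue())
        z.writestr("resetPassword.jsp", "<%@ page import='com.example.auth.*' %>")
        z.writestr("index.jsp", "<html/>")
    ear = io.BytesIO()
    with zipfile.ZipFile(ear, "w") as z:
        z.writestr("META-INF/application.xml", "<application xmlns='http://xmlns.jcp.org/xml/ns/javaee'>"
                   "<library-directory>APP-INF/lib</library-directory></application>")
        z.writestr("app.war", war.getvalue())
    return ear.getvalue()

def walk(data: bytes, prefix: str = ""):
    """Yield (path, bytes) for every entry, descending into nested JAR/WAR/EAR (all ZIPs)."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            content, path = z.read(name), prefix + name
            yield path, content
            if name.lower().endswith((".jar", ".war", ".ear")) and content[:2] == b"PK":
                yield from walk(content, path + "!/")

def triage(data: bytes) -> dict:
    """Collect the reviewer's starting points: descriptors, library dir, JSPs, Impl classes."""
    report = {"descriptors": [], "library_directory": None, "jsps": [], "impls": []}
    for path, content in walk(data):
        base = path.rsplit("/", 1)[-1]
        if base in ("web.xml", "application.xml"):
            report["descriptors"].append(path)
            if base == "application.xml":  # match the tag regardless of the Java EE namespace
                for el in ET.fromstring(content).iter():
                    if el.tag.rsplit("}", 1)[-1] == "library-directory":
                        report["library_directory"] = el.text
        elif base.endswith(".jsp") and INTERESTING.search(base):
            report["jsps"].append(path)
        elif base.endswith("Impl.class"):
            report["impls"].append(path)
    return report
```

Run `triage(open("app.ear", "rb").read())` on a real archive to get the same report; the nested paths use `!/` as the separator between archive levels.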
