JSP Scan rules
Contrast Scan supports these rules for JSP.
Severity | Contrast rule | Engine rule ID | Description |
---|---|---|---|
Critical | Expression Language Injection | OPT.JSP.SEC_JSP.ExpressionLanguageInjection | ExpressionLanguageInjection: Expression Language (EL / OGNL) injection |
Critical | Long JavaScript scripts | OPT.JSP.CFFJSP.ALJS | ALJS: Avoid long js scripts |
Critical | Duplicate pages in multiple locations | OPT.JSP.CFFJSP.DPNM | DPNM: There are duplicate pages in different locations |
Critical | JSP Page Name | OPT.JSP.CFFJSP.JSPPageName | JSPPageName: The name of the jsp page should follow a naming standard |
Critical | JSP Forward found | OPT.JSP.CFFJSP.NJFW | NJFW: There are direct invocations to other jsp pages |
Critical | Long script code | OPT.JSP.CFFJSP.NLSC | NLSC: Avoid long scriptlets |
Critical | JSP files not in the configured folder | OPT.JSP.CFFJSP.UECD | UECD: JSP pages located in a folder different from the configured folder |
Critical | Dont Mix Jstl And Jsf Tags | OPT.JSP.PB_JSF.DontMixJstlAndJsfTags | DontMixJstlAndJsfTags: Nesting JSTL tags within JSF tags, or vice versa |
Critical | Dont Use Conditional Tags In Iterative Tags | OPT.JSP.PB_JSF.DontUseConditionalTagsInIterativeTags | DontUseConditionalTagsInIterativeTags: Do not use conditional tags inside iterative tags |
Critical | Avoid Architecture Classes From JSP Rule | OPT.JSP.SEC_JSP.AvoidArchitectureClassesFromJSPRule | AvoidArchitectureClassesFromJSPRule: JSP pages should not import architecture classes |
Critical | File Inclusion Vulnerability | OPT.JSP.SEC_JSP.FileInclusionVulnerability | FileInclusionVulnerability: JSP File Inclusion vulnerability |
Critical | Database access from a JSP page | OPT.JSP.CFFJSP.ABDP | ABDP: Database access from a JSP page |
Critical | Missing Password Field Masking | OPT.JSP.SEC_JSP.MissingPasswordFieldMasking | MissingPasswordFieldMasking: Password input field is not masked |
Critical | Unprotected Transport Credential | OPT.JSP.SEC_JSP.UnprotectedTransportCredential | UnprotectedTransportCredential: Unprotected transport of credentials |
High | Path Relative Stylesheet Import | OPT.JSP.SEC_JSP.PathRelativeStylesheetImport | PathRelativeStylesheetImport: Path-relative stylesheet import |
High | Target Blank Vulnerability | OPT.JSP.SEC_JSP.TargetBlankVulnerability | TargetBlankVulnerability: Improper Neutralization of links to external sites |
High | Unnecessary spaces, tabs and line terminators | OPT.JSP.CFFJSP.AWLL | AWLL: The page contains many unnecessary spaces, tabs and line terminators, above all inside loops |
High | Check URL | OPT.JSP.CFFJSP.CheckURL | CheckURL: Check the URL in the JSP page |
High | Missing comments in JSP pages | OPT.JSP.CFFJSP.ICPJ | ICPJ: There are no comments in the JSP page |
High | Multiple CSS tags | OPT.JSP.CFFJSP.NAEE | NAEE: There are many css tags in the elements included in a loop |
High | JavaScript code in JSP pages | OPT.JSP.CFFJSP.NFJS | NFJS: Use of Javascript code in pages |
High | Java source code found | OPT.JSP.CFFJSP.NSCR | NSCR: There is JAVA source code in some pages |
High | Use of document.write | OPT.JSP.CFFJSP.NUSDW | NUSDW: Insertion of HTML code from JSP file including document.write commands |
High | Commented out JavaScript code | OPT.JSP.CFFJSP.NUSJSC | NUSJSC: There are commented lines of javascript |
High | Allowed Uris | OPT.JSP.GEN_JSF.AllowedUris | AllowedUris: Taglib declarations must use the standard URIs |
High | Information Exposure In Get Request | OPT.JSP.SEC_JSP.InformationExposureInGetRequest | InformationExposureInGetRequest: Information exposure through strings sent by GET |
Info | Duplicate imports | OPT.JSP.CFFJSP.DJIM | DJIM: Do not put duplicate imports in the JSP files |
Low | Form Without Captcha | OPT.JSP.SEC_JSP.FormWithoutCaptcha | FormWithoutCaptcha: Form without CAPTCHA |
Low | Managed Beans Naming Convention | OPT.JSP.NAM_JSF.ManagedBeansNamingConvention | ManagedBeansNamingConvention: managed-bean names must comply with the configured pattern |
Low | IFrames missing src attribute | OPT.JSP.CFFJSP.IMSA | IMSA: Do not use iframes without src attribute |
Medium | Specify Integrity Attribute | OPT.JSP.SEC_JSP.SpecifyIntegrityAttribute | SpecifyIntegrityAttribute: Specify an integrity attribute on the <script> and <link> elements |
Medium | Literals in JSP pages | OPT.JSP.CFFJSP.ELED | ELED: There are literals in the JSP page |
Medium | Empty pages | OPT.JSP.CFFJSP.ISEM | ISEM: There are empty pages |
Medium | Class attribute found | OPT.JSP.CFFJSP.NCAT | NCAT: No class attribute |
Medium | HTML commented code | OPT.JSP.CFFJSP.NHMC | NHMC: HTML commented code |
Medium | Inline style found | OPT.JSP.CFFJSP.NISI | NISI: Inline style information should not appear in JSP pages |
Medium | Use of repeated data in option lists | OPT.JSP.CFFJSP.NUSO | NUSO: Use a combo list with static information, so that you do not need option lists |
Medium | No header comments | OPT.JSP.CFFJSP.UHCP | UHCP: JSP page does not have header comments |
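As an added illustration (not part of the Contrast documentation and not Contrast's own code), the two fragments below show what several of the SEC_JSP rules in the table flag in a login page and how each finding is addressed. The file names, hostnames, paths, the `view` parameter and the SRI digest placeholder are assumptions made for the example; the digest must be computed from the real file before the page is deployed.

```jsp
<%-- login-before.jsp (constructed example): each line triggers the rule named in its comment --%>
<link rel="stylesheet" href="css/site.css">               <%-- PathRelativeStylesheetImport: resolved against the request URL, so a crafted path can make it load another stylesheet --%>
<script src="https://cdn.example.com/lib.js"></script>    <%-- SpecifyIntegrityAttribute: no integrity/crossorigin, a modified CDN file runs unchecked --%>

<form action="http://www.example.com/login" method="get"> <%-- UnprotectedTransportCredential: plain http --%>
                                                          <%-- InformationExposureInGetRequest: credentials land in the query string, logs and Referer --%>
  <input type="text" name="user">
  <input type="text" name="pass">                         <%-- MissingPasswordFieldMasking --%>
  <input type="submit" value="Log in">
</form>

<a href="https://partner.example.org/" target="_blank">Partner</a>  <%-- TargetBlankVulnerability: the new tab keeps a handle on window.opener --%>

<jsp:include page='<%= request.getParameter("view") %>' />          <%-- FileInclusionVulnerability: include path taken straight from the request --%>
```

```jsp
<%-- login-after.jsp (constructed example): the same page with every finding above resolved --%>
<%-- Anchor the stylesheet to the web application context instead of the current URL --%>
<link rel="stylesheet" href="${pageContext.request.contextPath}/css/site.css">
<%-- Pin the third-party script; "sha384-..." is a placeholder for the base64 digest of lib.js --%>
<script src="https://cdn.example.com/lib.js"
        integrity="sha384-REPLACE_WITH_BASE64_DIGEST_OF_lib.js"
        crossorigin="anonymous"></script>

<%-- TLS endpoint, credentials sent in the body, password input masked by the browser --%>
<form action="https://www.example.com/login" method="post">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pass" autocomplete="current-password">
  <input type="submit" value="Log in">
</form>

<%-- rel="noopener" cuts the opener reference; "noreferrer" also withholds the Referer --%>
<a href="https://partner.example.org/" target="_blank" rel="noopener noreferrer">Partner</a>

<%-- Only allow-listed pages can be included; unknown or missing values fall back to the default.
     A HashMap is used deliberately: Map.of(...) throws on a null key, which is what an absent parameter gives. --%>
<%
  java.util.Map<String, String> views = new java.util.HashMap<>();
  views.put("home", "/WEB-INF/views/home.jsp");
  views.put("help", "/WEB-INF/views/help.jsp");
  String view = views.getOrDefault(request.getParameter("view"), "/WEB-INF/views/home.jsp");
%>
<jsp:include page="<%= view %>" />
```

Note that the scriptlet in the hardened version is exactly what the CFFJSP rules NSCR (Java source code found) and NLSC (long scriptlets) report on, so in a real code base the allow-list lookup belongs in the servlet or controller that forwards to the page, with the JSP receiving only the resolved path as a request attribute.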