Useful configuration files

Java web applications map API routes to Java servlets, as described in our Source code analysis methodology notes. By default, a Java web application stores its servlet mappings in:

  • web.xml: there is no guarantee which folder this file sits in, but be on the lookout for this configuration file anywhere in a Java web application.

Useful method names

Java servlets typically name the methods that handle each HTTP verb as follows:

  • doGet
  • doPost
  • doPut
  • doDelete
  • doCopy
  • doOptions

Java servlets handling HTTP requests usually operate on HttpServletRequest objects and extract GET or POST parameters using methods like:

  • getParameter
  • getParameterValues
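As an added example (not part of these notes), the servlet below exercises the names above: the web.xml entry it would need is shown in the leading comment, doGet pulls a single-valued and a multi-valued parameter, and the parameter is passed to the database as a bound value. The package, class, URL pattern, table name and DataSource wiring are all assumptions. The unsafe helper is kept only to show the string-concatenation shape to flag when reading handler bodies, next to the parameterized form hardened code should use.

```java
// Added example, not code from the original notes. Names are assumptions.
//
// The route mapping web.xml would carry for this class (assumed values):
//
//   <servlet>
//     <servlet-name>UserSearch</servlet-name>
//     <servlet-class>com.example.UserSearchServlet</servlet-class>
//   </servlet>
//   <servlet-mapping>
//     <servlet-name>UserSearch</servlet-name>
//     <url-pattern>/users/search</url-pattern>
//   </servlet-mapping>

package com.example;

import java.io.IOException;
import java.io.PrintWriter;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.sql.DataSource;

public class UserSearchServlet extends HttpServlet {

    // Assumed to be wired by the container (e.g. a JNDI lookup in init()).
    private DataSource dataSource;

    // Handles GET /users/search?name=alice&role=admin&role=audit
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Single-valued parameter: returns null when the key is absent.
        String name = req.getParameter("name");
        // Repeated key: returns every occurrence, or null when absent.
        String[] roles = req.getParameterValues("role");

        if (name == null || name.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "name is required");
            return;
        }

        resp.setContentType("text/plain");
        try (Connection conn = dataSource.getConnection();
             PrintWriter out = resp.getWriter()) {
            out.println("roles requested: " + (roles == null ? 0 : roles.length));
            for (String user : findUsers(conn, name)) {
                out.println(user);
            }
        } catch (SQLException e) {
            throw new ServletException(e);
        }
    }

    // POST bodies are read through the same getParameter calls, so many
    // servlets simply delegate.
    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        doGet(req, resp);
    }

    // The shape to flag during review: a request parameter spliced straight
    // into SQL text. Kept only as the "before" pattern; nothing above calls it.
    static String unsafeQuery(String name) {
        return "SELECT username FROM users WHERE username = '" + name + "'";
    }

    // Hardened form: the value is bound as a parameter, so the database log
    // shows a parameterized statement instead of user text inside the SQL.
    static List<String> findUsers(Connection conn, String name) throws SQLException {
        List<String> found = new ArrayList<>();
        String sql = "SELECT username FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) {
                    found.add(rs.getString(1));
                }
            }
        }
        return found;
    }
}
```

When reading a codebase, grep for the handler names and then follow each getParameter/getParameterValues result forward: the unsafeQuery shape means the raw parameter reaches the database, while the findUsers shape means it arrives as a bound value.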

Enabling database logging

Relevant to web application pentesting in general, it’s important to turn on database logging so we can debug our interactions with a target’s underlying database. Seeing exactly how our queries are executed on the host’s database shows how our input reaches each query, which reveals whether any input sanitization is being applied.