So if I would want to check out the JSP code in a website that uses jsp's wich I would of course want to do SOLELY FOR EDUCATIONAL PURPOSES ;) is there any standard hacking procedure like there is in peeking at ASP pages hosted on IIS ? Remember I am a very good citizen you know. I have no bad intentions ! ;)
I should certainly hope not. If there was, then I would be embarrassed because then people would learn that I occasionally embed small scriptlets in my JSP's. :)
I don't know of anyway to do this, but why don't you tell us how it is done for ASP? I wasn't aware that there was a way to see that from a browser.
Viewing the source of an ASP/JSP (and also PHP, PERL, PYTHON, ...) page is only possible by using (exploiting)bug's of the server or container.
These languages are SERVER-SIDE and not intended to be 'open-source'.
You can view the source of ASP pages by using following requests:
test.asp+.htr (newer, but mostly fixed)
executing cmd.exe by using unicodes to type a asp page (new)
and other more difficult methods (setting server vars, ...)
To view the source of a JSP page you need to be aware of a server bug. I remember there was a bug in Tomcat or some other server (early beta) where the source of a page could be viewed by changing the extension to uppercase (page.jsp -> page.JSP (source))....
So...good luck finding bugs... :))
I was going to reply earlier but I couldn't find the IIS-ASP bug story anymore. This is what I meant. I know it's not really nice to try and outsmart the intended 'closed-source' but sometimes I just wish I could take a look at how other people solve things. Most of the time I end up writing my own code anyway because thinking about it on my own is usually less of a hassle than trying to figure out someone else's code. Hacking the JSP code would be much less usefull than in the case of ASP since the bulk would still be hidden.
P.S. Floyd, isn't that true!! I am starting to feel ambivalent towards those rigid coding morals! Some people are clearly overdoing it! But don't worry Floyd I wouldn't hold against you! Don't let them bad boys tell you you can't use scriptlets. LOL!
There was a "ConsoleHelp" vulnerability in a version of WebLogic that let you see the JSP source if you did something special to the URL in the browser (hee hee).
Easily plugged by turning off the feature in weblogic.properties. However, perhaps such vulnerabilities are a good argument for "presentation-only" JSPs... maybe
source code for business logic shouldn't really be sitting under a document root of a web server, hmmm?
Can't view it if it isn't there (so use a Servlet as entry-point, JSP for layout).