How does Zimbra handle JSP files, and how can you enumerate loaded JSP servlets for vulnerability analysis?
Zimbra uses Jetty as its web container. When a JSP is accessed, Jetty compiles it into a Java file stored under /opt/zimbra/jetty_base/work/zimbra/jsp/. A JspServletWrapper instance is registered for each JSP. Using reflection, you can access the internal 'jsps' ConcurrentHashMap from the request's servlet context and enumerate all registered JSPs, which is useful for identifying potential attack surfaces.
---
**Related reading:**
- Setting up Zimbra Vulnerability Debugging Environment — original article
- Penetration Techniques - Lateral Movement via WSUS
- Penetration Techniques - Clearing Single Records in RecentFileCache.bcf and Amcache.hve
- ProxyShell Exploitation Analysis 2 - CVE-2021-34523