How does Zimbra process JSP files and how can you enumerate JspServletWrapper instances?

Zimbra uses the Jetty framework as its web container. When a JSP is requested, the server compiles it into a Java file stored under /opt/zimbra/jetty_base/work/zimbra/jsp/. Each compiled JSP registers a JspServletWrapper instance in a ConcurrentHashMap. You can enumerate these instances via reflection by accessing the request's _scope, then _servlet, rctxt, and finally the jsps field to iterate over keys.

---
**Related reading:**
- Setting up Zimbra Vulnerability Debugging Environment — original article
- Penetration Techniques - Enabling Anonymous Access Shares on Windows Systems via Command Line
- Steganography Techniques - Hiding Payloads Using JPEG File Format
- vRealize Log Insight Vulnerability Debugging Environment Setup