Penetration Testing mailing list archives

Re: donloading jsp for pen-test

From: Todd Haverkos <fsbo () haverkos com>
Date: Fri, 11 Apr 2008 23:32:29 -0500

victorfrankenstein () yahoo com writes:

Helo
I'm currently doing a pen-test against my company site. We have a
web application runing over tomcat - in jsp format, one of my goals
is try to conect to my datebase from internet using my webapp
code. I try to download the jsp files from web server but when i
chek it the file contets is only a html code, for this propose i do
it whit linux wget, flashget, and others but all ways whit the same
result. If any one colud give me any idea about how can i downlad
the full jsp file i will appreciate a lot.

Hi Victor,

What you're learning here is how the web application server interprets
the jsp and outputs only the html result of its evaluation. Despite
the url ending in .jsp, the server is (quite by design) sending you
the _output_ of the .jsp evaluation, and not the source itself.

Short of compromising the server (or using your own legitimate access
to it as a company employee) to gain source file transfer ability
directly via ftp/tftp or the like, if you want the web server to give
up the jsp source, the most common ways are to

o search for backup versions of the file by fuzzing on common
backup file extensions e.g. for blah.jsp try to get
blah.jsp.bak blah.jsp~ etc. Web app testing software like
paros proxy and I believe nikto will looks for these and
several other variants of url's found during their spider of
the site.

o there are several jsp source disclosure vulns out there worth
trying as well. Here's a search for "jsp source disclosure"
at Security Focus for example
http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=jsp+source+disclosure&x=0&y=0

Automated web vuln scanners will look for many of these vulns. Nikto
and Paros are two free tools that are easy to find that will help look
for jsp source disclosure possibilities. Commercial tools like IBM
Rational Appscan (Watchfire Appscan), or HP (SPI Dynamics) WebInspect
also flag these goodies rather reliably.

Hopefully others will chime in with other tools/tips for finding vulns
like this that can complement manual fuzzing of requests to see what
might trigger a jsp disclosure.

Cheers,
--
Todd Haverkos
http://www.linkedin.com/in/toddhaverkos

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

Current thread:

donloading jsp for pen-test victorfrankenstein (Apr 11)
- Re: donloading jsp for pen-test Todd Haverkos (Apr 12)
- Re: donloading jsp for pen-test Shreyas Zare (Apr 12)
- Re: donloading jsp for pen-test Deniz CEVIK (Apr 12)
- <Possible follow-ups>
- Re: donloading jsp for pen-test xx yy (Apr 12)
- Re: donloading jsp for pen-test arvind doraiswamy (Apr 12)