Penetration Testing mailing list archives
Re: donloading jsp for pen-test
From: Todd Haverkos <fsbo () haverkos com>
Date: Fri, 11 Apr 2008 23:32:29 -0500
victorfrankenstein () yahoo com writes:
Hello, I'm currently doing a pen-test against my company site. We have a web application running over tomcat - in jsp format, one of my goals is to try to connect to my database from the internet using my webapp code. I tried to download the jsp files from the web server but when I check it the file contents is only html code, for this purpose I did it with linux wget, flashget, and others but always with the same result. If anyone could give me any idea about how I can download the full jsp file I will appreciate it a lot.
Hi Victor,

What you're learning here is how the web application server interprets the jsp and outputs only the html result of its evaluation. Despite the url ending in .jsp, the server is (quite by design) sending you the _output_ of the .jsp evaluation, and not the source itself.

Short of compromising the server (or using your own legitimate access to it as a company employee) to gain source file transfer ability directly via ftp/tftp or the like, if you want the web server to give up the jsp source, the most common ways are to

o search for backup versions of the file by fuzzing on common backup file extensions, e.g. for blah.jsp try to get blah.jsp.bak, blah.jsp~, etc. Web app testing software like paros proxy and I believe nikto will look for these and several other variants of URLs found during their spider of the site.

o there are several jsp source disclosure vulns out there worth trying as well. Here's a search for "jsp source disclosure" at Security Focus for example
http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=jsp+source+disclosure&x=0&y=0

Automated web vuln scanners will look for many of these vulns. Nikto and Paros are two free tools that are easy to find that will help look for jsp source disclosure possibilities. Commercial tools like IBM Rational Appscan (Watchfire Appscan), or HP (SPI Dynamics) WebInspect also flag these goodies rather reliably.

Hopefully others will chime in with other tools/tips for finding vulns like this that can complement manual fuzzing of requests to see what might trigger a jsp disclosure.

Cheers,
--
Todd Haverkos
http://www.linkedin.com/in/toddhaverkos
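The backup-copy exposure described in the reply above can be checked from the server side. The following is an added example, not part of the original post: it audits a deployed webapp directory for leftover copies of JSP files whose names no longer end in .jsp and would therefore be returned as static content. The suffix list beyond .bak and ~, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# .bak and ~ come from the post; the other suffixes are an assumed list of
# common editor/copy leftovers. Extend it for your environment.
BACKUP_SUFFIXES = (".bak", "~", ".old", ".orig", ".swp")
# Matches names such as login.jsp.bak, login.jsp~ or login.jspx.old
LEFTOVER = re.compile(
    r"\.jspx?(" + "|".join(re.escape(s) for s in BACKUP_SUFFIXES) + r")+$",
    re.IGNORECASE,
)
# Top-level directories a servlet container does not serve directly.
PROTECTED_DIRS = {"WEB-INF", "META-INF"}


def find_exposed_jsp_backups(webapp_root):
    """Return web paths of JSP backup copies that sit in the served tree."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webapp_root):
        if dirpath == webapp_root:
            # Prune protected directories at the webapp root only.
            dirnames[:] = [d for d in dirnames
                           if d.upper() not in PROTECTED_DIRS]
        for name in filenames:
            if LEFTOVER.search(name):
                rel = os.path.relpath(os.path.join(dirpath, name), webapp_root)
                findings.append("/" + rel.replace(os.sep, "/"))
    return sorted(findings)


def demo():
    """Build a constructed webapp tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("index.jsp", "index.jsp.bak", "admin/login.jsp~",
                    "admin/login.jsp", "WEB-INF/view.jsp.bak", "css/site.css"):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("<% /* constructed sample */ %>\n")
        return find_exposed_jsp_backups(root)


if __name__ == "__main__":
    for web_path in demo():
        print("backup copy in served tree:", web_path)
```

Run it against the exploded webapp directory as part of a deployment check; any path it reports should be deleted or moved out of the served tree.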