Re: donloading jsp for pen-test

[xx yy <thenucker2004 () yahoo com>]

If we could download php/jsp/asp files we could have compromised 99% of the sites running them. The purpose of jsp is 
to deliver html from a higher level language,
not to give you the real source.

Cases when you can download jsp/php/asp files directly are : 1) when the server is misconfigured instead of delivering 
html it will prompt you to save the source file
2) you can try a sql injection and then through a small shell to get the sources, but in that case the host is already 
partially if not all compromised
3) check tomcat, jboss in detail to better understand how to play with a poor configuration
3) probably other ways too



----- Original Message ----
From: "victorfrankenstein () yahoo com" <victorfrankenstein () yahoo com>
To: pen-test () securityfocus com
Sent: Friday, April 11, 2008 5:59:56 PM
Subject: donloading jsp for pen-test

Helo
I'm currently doing a pen-test against my company site. We have a web application runing over tomcat - in jsp format, 
one of my goals is try to conect to my datebase from internet using my webapp code. I try to download the jsp files 
from web server but when i chek it the file contets is only a html code, for this propose i do it whit linux wget, 
flashget, and others but all ways whit the same result. If any one colud give me any idea about how can i downlad the 
full jsp file i will appreciate a lot.

Tahnks very much.

Regards,
Victor






__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------