Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: donloading jsp for pen-test

from [Todd Haverkos] Network Security [Permanent Link]
Subject: Re: donloading jsp for pen-test
Date: Fri, 11 Apr 2008 23:32:29 -0500 
victorfrankenstein@yahoo.com writes:

Helo
I'm currently doing a pen-test against my company site. We have a
web application runing over tomcat - in jsp format, one of my goals
is try to conect to my datebase from internet using my webapp
code. I try to download the jsp files from web server but when i
chek it the file contets is only a html code, for this propose i do
it whit linux wget, flashget, and others but all ways whit the same
result. If any one colud give me any idea about how can i downlad
the full jsp file i will appreciate a lot. 


Hi Victor, 

What you're learning here is how the web application server interprets
the jsp and outputs only the html result of its evaluation.  Despite
the url ending in .jsp, the server is (quite by design) sending you
the _output_ of the .jsp evaluation, and not the source itself.

Short of compromising the server (or using your own legitimate access
to it as a company employee) to gain source file transfer ability
directly via ftp/tftp or the like, if you want the web server to give
up the jsp source, the most common ways are to

     o search for backup versions of the file by fuzzing on common
       backup file extensions e.g.  for blah.jsp try to get
       blah.jsp.bak blah.jsp~ etc.  Web app testing software like
       paros proxy and I believe nikto will looks for these and
       several other variants of url's found during their spider of
       the site.

     o there are several jsp source disclosure vulns out there worth
       trying as well.  Here's a search for "jsp source disclosure"
       at Security Focus for example
       
http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=jsp+source+disclosure&x=0&y=0


Automated web vuln scanners will look for many of these vulns.  Nikto
and Paros are two free tools that are easy to find that will help look
for jsp source disclosure possibilities.  Commercial tools like IBM
Rational Appscan (Watchfire Appscan), or HP (SPI Dynamics) WebInspect
also flag these goodies rather reliably.

Hopefully others will chime in with other tools/tips for finding vulns
like this that can complement manual fuzzing of requests to see what
might trigger a jsp disclosure.

Cheers, 
--
Todd Haverkos  
http://www.linkedin.com/in/toddhaverkos


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: get MD5-Hash from /etc/shadow file, Larry Offley
Next by Date:  Re: Pen testing techniques, Nathan Sportsman
Previous by Thread:  donloading jsp for pen-test, victorfrankenstein
Next by Thread:  Re: donloading jsp for pen-test, Shreyas Zare
Indexes:  [Date] [Thread] [Top] [All Lists]