Re: downloading jsp for pen-test



victorfrankenstein@xxxxxxxxx writes:
Hello
I'm currently doing a pen-test against my company site. We have a
web application running over tomcat - in jsp format, one of my goals
is try to connect to my database from internet using my webapp
code. I try to download the jsp files from web server but when I
check it the file contents is only a html code, for this purpose I do
it with linux wget, flashget, and others but always with the same
result. If anyone could give me any idea about how can I download
the full jsp file I will appreciate a lot.

Hi Victor,

What you're learning here is how the web application server interprets
the jsp and outputs only the html result of its evaluation. Despite
the url ending in .jsp, the server is (quite by design) sending you
the _output_ of the .jsp evaluation, and not the source itself.

Short of compromising the server (or using your own legitimate access
to it as a company employee) to gain source file transfer ability
directly via ftp/tftp or the like, if you want the web server to give
up the jsp source, the most common ways are to

o search for backup versions of the file by fuzzing on common
  backup file extensions e.g. for blah.jsp try to get
  blah.jsp.bak blah.jsp~ etc. Web app testing software like
  paros proxy and I believe nikto will look for these and
  several other variants of URLs found during their spider of
  the site.

o there are several jsp source disclosure vulns out there worth
  trying as well. Here's a search for "jsp source disclosure"
  at Security Focus for example
  http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=jsp+source+disclosure&x=0&y=0


Automated web vuln scanners will look for many of these vulns. Nikto
and Paros are two free tools that are easy to find that will help look
for jsp source disclosure possibilities. Commercial tools like IBM
Rational Appscan (Watchfire Appscan), or HP (SPI Dynamics) WebInspect
also flag these goodies rather reliably.

Hopefully others will chime in with other tools/tips for finding vulns
like this that can complement manual fuzzing of requests to see what
might trigger a jsp disclosure.

Cheers,
--
Todd Haverkos
http://www.linkedin.com/in/toddhaverkos
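
Added example, not part of the original post: a deployment-side check for the backup-copy issue described in the reply above, walking a webapp directory on the server's own filesystem and listing leftover JSP copies (blah.jsp.bak, blah.jsp~) that would be served as raw source. The stock Tomcat servlet mappings, the function names and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: stock Tomcat mappings, where only *.jsp and *.jspx reach the JSP
# servlet; any other name is sent verbatim by the default servlet.
JSP_EXTS = (".jsp", ".jspx")
# Top-level directories the container refuses to serve to clients.
PROTECTED_DIRS = {"web-inf", "meta-inf"}


def is_exposed_jsp_copy(name):
    """True for names like blah.jsp.bak or blah.jsp~ (JSP source, not executed)."""
    if name.endswith(JSP_EXTS):
        return False  # evaluated server-side; clients only see the output
    return ".jsp" in name.lower()


def find_exposed_copies(webroot):
    """Return sorted relative paths of leftover JSP copies a client could fetch."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        if dirpath == webroot:
            # Prune WEB-INF/META-INF at the application root only.
            dirnames[:] = [d for d in dirnames if d.lower() not in PROTECTED_DIRS]
        for name in filenames:
            if is_exposed_jsp_copy(name):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                findings.append(rel.replace(os.sep, "/"))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed sample webapp tree in a temp directory."""
    root = tempfile.mkdtemp(prefix="webroot-")
    for rel in ("index.jsp", "login.jsp.bak", "admin/report.jsp",
                "admin/report.jsp~", "static/style.css",
                "WEB-INF/web.xml", "WEB-INF/old/login.jsp.bak"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    for finding in find_exposed_copies(build_sample_webroot()):
        print("remove from deployment:", finding)
```

Run against the deployed application directory as part of a release check; the copy under WEB-INF is not reported because the container does not serve that directory to clients.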

