private void secondPass(IExtensionHelpers helpers) {
publish("Second Pass...");
publish(0);
Set<Map<String, CorrelatedParam>> allStats = new HashSet<>();
allStats.add(urlParameters);
allStats.add(bodyParameters);
allStats.add(cookieParameters);
int x = 0;
for (IHttpRequestResponse message : inScopeMessagesWithResponses) {
publish(100 * x / inScopeMessagesWithResponses.size());
x += 1;
String responseString = helpers.bytesToString(message.getResponse());
for (Map<String, CorrelatedParam> paramMap : allStats) {
for (String paramName : paramMap.keySet()) {
publish("Analyzing " + paramName + "...");
for (CorrelatedParam param : paramMap.values()) {
for (String value : param.getUniqueValues()) {
if (responseString.contains(value)) {
param.putSeenParam(value, message);
}
}
}
}
}
}
}
public static void analyzeWEBXML(
byte[] webxmlFile, IBurpExtenderCallbacks cb, IHttpRequestResponse baseRequestResponse) {
IExtensionHelpers helpers = cb.getHelpers();
PrintWriter stderr = new PrintWriter(cb.getStderr(), true);
Pattern pattern =
Pattern.compile("(<web-app.*?</web-app>)", Pattern.DOTALL | Pattern.MULTILINE);
String webxml = helpers.bytesToString(webxmlFile);
Matcher matcher = pattern.matcher(webxml);
if (matcher.find()) {
try {
String webxmlContent = matcher.group(1);
DocumentBuilderFactory dbFactory = DocumentBuilderFactory.newInstance();
DocumentBuilder dBuilder;
dBuilder = dbFactory.newDocumentBuilder();
InputSource is = new InputSource(new StringReader(webxmlContent));
Document doc = dBuilder.parse(is);
/**
* HTTP VERB Tampering
*
* <p>http://docs.oracle.com/cd/E14571_01/web.1111/e13712/web_xml.htm#WBAPP502
* https://weblogs.java.net/blog/swchan2/archive/2013/04/19/deny-uncovered-http-methods-servlet-31
* http-method should not be defined, to restrict access to a resources using HTTP verbs In
* Servlet 3.1 spec, the attribute "deny-uncovered-http-methods" could be used to deny
* uncovered HTTP verbs
*/
try {
NodeList httpMethods = doc.getElementsByTagName("http-method");
if ((httpMethods != null) && (httpMethods.getLength() >= 1)) {
cb.addScanIssue(
new CustomScanIssue(
baseRequestResponse.getHttpService(),
helpers.analyzeRequest(baseRequestResponse).getUrl(),
baseRequestResponse,
"Compliance Checks - web.xml - HTTP Verb Tampering",
"J2EEScan identified a potential HTTP Verb Tampering vulnerability inspecting"
+ " the remote web.xml resource.<br /><br />"
+ "One or more resources defined into the web.xml uses some definitions to restrict "
+ "access based on the HTTP Verb used with requests; based on this context, in some scenarios "
+ "it's possible to bypass these resctrictions providing a different HTTP verb to access to the remote resource."
+ "<br /> This allows the attacker to access data that should otherwise be protected."
+ "<br /><br />An example of vulnerable configuration that could lead to Authentication Bypass vulnerabilities:<br /><br />"
+ "<div style=\"font: courier;\"><pre>"
+ "<security-constraint>\n"
+ " <display-name>\n"
+ " Protect GET only, leave all other methods unprotected\n"
+ " </display-name>\n"
+ " <web-resource-collection>\n"
+ " <url-pattern>/company/*</url-pattern>\n"
+ " <http-method>GET</http-method>\n"
+ " </web-resource-collection>\n"
+ " <auth-constraint>\n"
+ " <role-name>sales</role-name>\n"
+ " </auth-constraint>\n"
+ "</security-constraint>"
+ "</pre></div> "
+ "<br />"
+ "<br /><b>References:</b><br />"
+ "https://www.owasp.org/index.php/Testing_for_HTTP_Verb_Tampering_(OTG-INPVAL-003)<br />"
+ "http://www.aspectsecurity.com/research-presentations/bypassing-vbaac-with-http-verb-tampering<br />"
+ "http://capec.mitre.org/data/definitions/274.html<br />"
+ "http://jeremiahgrossman.blogspot.it/2008/06/what-you-need-to-know-about-http-verb.html",
"Remove <i>http-method</i> elements to avoid possible HTTP Verb Tampering attacks",
Risk.Medium,
Confidence.Tentative));
}
} catch (Exception ex) {
ex.printStackTrace(stderr);
}
/**
* URL Parameters for Session Tracking
* http://docs.oracle.com/javaee/6/api/javax/servlet/SessionTrackingMode.html
*/
try {
NodeList sessionTracking = doc.getElementsByTagName("tracking-mode");
if ((sessionTracking != null) && (sessionTracking.getLength() >= 1)) {
String value = sessionTracking.item(0).getTextContent();
if (value.equalsIgnoreCase("URL")) {
cb.addScanIssue(
new CustomScanIssue(
baseRequestResponse.getHttpService(),
helpers.analyzeRequest(baseRequestResponse).getUrl(),
baseRequestResponse,
"Compliance Checks- web.xml - URL Parameters for Session Tracking",
"J2EEScan identified a potential Information Disclosure vulnerabilitiy inspecting"
+ " the remote web.xml resource.<br /><br />"
+ "The remote applications seems to put the JSESSIONID into the URL using the directive <i>tracking-mode</i> with the URL value;<br />"
+ "the tracking-mode element in the Servlet 3.0 specification allows to define whether the JSESSIONID should be stored in a cookie or in a URL parameter. <br />"
+ "If the session id is stored in a URL parameter it could lead to and Information Disclosure vulnerability, because the URLs could be inadvertently "
+ "saved in browser history, proxy server logs, referrer logs etc. <br />"
+ "<br /><b>References:</b><br />"
+ "http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files<br />",
"Change the <i>tracking-mode</i> value to avoid possible Information Disclosure vulnerabilities",
Risk.Low,
Confidence.Tentative));
}
}
} catch (Exception ex) {
ex.printStackTrace(stderr);
}
/**
* Incomplete Error Handling
*
* <p>https://blog.whitehatsec.com/error-handling-in-java-web-xml/
* http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files
* http://www.jtmelton.com/2010/06/02/the-owasp-top-ten-and-esapi-part-7-information-leakage-and-improper-error-handling/
*/
try {
NodeList exceptionType = doc.getElementsByTagName("exception-type");
Boolean incompleteErrorHandling = true;
int excTypeLen = exceptionType.getLength();
for (int i = 0; i < excTypeLen; i++) {
Node s = exceptionType.item(i);
String value = s.getTextContent();
if (value.equalsIgnoreCase("java.lang.Throwable")) {
incompleteErrorHandling = false;
break;
}
}
if (incompleteErrorHandling) {
cb.addScanIssue(
new CustomScanIssue(
baseRequestResponse.getHttpService(),
helpers.analyzeRequest(baseRequestResponse).getUrl(),
baseRequestResponse,
"Compliance Checks - web.xml - Incomplete Error Handling (Throwable)",
"J2EEScan identified a potential Information Disclosure vulnerabilitiy inspecting"
+ " the remote web.xml resource.<br /><br />"
+ "The remote application seems to not correctly handle application errors; the web.xml does not "
+ "provide an error page for <i>java.lang.Throwable</i> exceptions.<br /><br />"
+ "<b>References:</b><br />"
+ "https://blog.whitehatsec.com/error-handling-in-java-web-xml/<br />"
+ "http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files<br />",
"Modify the error handling catching the <i>java.lang.Throwable</i> exception to avoid possible Information Disclosure vulnerabilities<br /><br />"
+ "<div style=\"font: courier;\"><pre>"
+ "<error-page>\n"
+ " <error-code>404</error-code>\n"
+ " <location>/error.jsp</location>\n"
+ "</error-page>\n"
+ "<error-page>\n"
+ " <error-code>500</error-code>\n"
+ " <location>/error.jsp</location>\n"
+ "</error-page>\n"
+ "<error-page>\n"
+ " <exception-type>java.lang.Throwable</exception-type>\n"
+ " <location>/error.jsp</location>\n"
+ "</error-page>\n"
+ "</pre></div>",
Risk.Low,
Confidence.Tentative));
}
} catch (Exception ex) {
ex.printStackTrace(stderr);
}
try {
NodeList exceptionType = doc.getElementsByTagName("error-code");
Boolean incompleteErrorHandling500 = true;
int excTypeLen = exceptionType.getLength();
for (int i = 0; i < excTypeLen; i++) {
Node s = exceptionType.item(i);
String value = s.getTextContent();
if (value.equalsIgnoreCase("500")) {
incompleteErrorHandling500 = false;
break;
}
}
if (incompleteErrorHandling500) {
cb.addScanIssue(
new CustomScanIssue(
baseRequestResponse.getHttpService(),
helpers.analyzeRequest(baseRequestResponse).getUrl(),
baseRequestResponse,
"Compliance Checks - web.xml - Incomplete Error Handling (HTTP Code 500)",
"J2EEScan identified a potential Information Disclosure vulnerabilitiy inspecting"
+ " the remote web.xml resource.<br /><br />"
+ "The remote application seems to not correctly handle application errors; the web.xml does not "
+ "provide an error page for <i>500</i> HTTP code.<br /><br />"
+ "<b>References:</b><br />"
+ "https://blog.whitehatsec.com/error-handling-in-java-web-xml/<br />"
+ "http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files<br />",
"Modify the error handling catching the <i>500</i> error code to avoid possible Information Disclosure vulnerabilities<br /><br />"
+ "<div style=\"font: courier;\"><pre>"
+ "<error-page>\n"
+ " <error-code>404</error-code>\n"
+ " <location>/error.jsp</location>\n"
+ "</error-page>\n"
+ "<error-page>\n"
+ " <error-code>500</error-code>\n"
+ " <location>/error.jsp</location>\n"
+ "</error-page>\n"
+ "<error-page>\n"
+ " <exception-type>java.lang.Throwable</exception-type>\n"
+ " <location>/error.jsp</location>\n"
+ "</error-page>\n"
+ "</pre></div>",
Risk.Low,
Confidence.Tentative));
}
} catch (Exception ex) {
ex.printStackTrace(stderr);
}
try {
NodeList exceptionType = doc.getElementsByTagName("error-code");
Boolean incompleteErrorHandling404 = true;
int excTypeLen = exceptionType.getLength();
for (int i = 0; i < excTypeLen; i++) {
Node s = exceptionType.item(i);
String value = s.getTextContent();
if (value.equalsIgnoreCase("404")) {
incompleteErrorHandling404 = false;
break;
}
}
if (incompleteErrorHandling404) {
cb.addScanIssue(
new CustomScanIssue(
baseRequestResponse.getHttpService(),
helpers.analyzeRequest(baseRequestResponse).getUrl(),
baseRequestResponse,
"Compliance Checks - web.xml - Incomplete Error Handling (HTTP Code 404)",
"J2EEScan identified a potential Information Disclosure vulnerabilitiy inspecting"
+ " the remote web.xml resource.<br /><br />"
+ "The remote application seems to not correctly handle application errors; the web.xml does not "
+ "provide an error page for <i>404</i> HTTP code.<br /><br />"
+ "<b>References:</b><br />"
+ "https://blog.whitehatsec.com/error-handling-in-java-web-xml/<br />"
+ "http://software-security.sans.org/blog/2010/08/11/security-misconfigurations-java-webxml-files<br />",
"Modify the error handling catching the <i>404</i> error code to avoid possible Information Disclosure vulnerabilities<br /><br />"
+ "<div style=\"font: courier;\"><pre>"
+ "<error-page>\n"
+ " <error-code>404</error-code>\n"
+ " <location>/error.jsp</location>\n"
+ "</error-page>\n"
+ "<error-page>\n"
+ " <error-code>500</error-code>\n"
+ " <location>/error.jsp</location>\n"
+ "</error-page>\n"
+ "<error-page>\n"
+ " <exception-type>java.lang.Throwable</exception-type>\n"
+ " <location>/error.jsp</location>\n"
+ "</error-page>\n"
+ "</pre></div>",
Risk.Low,
Confidence.Tentative));
}
} catch (Exception ex) {
ex.printStackTrace(stderr);
}
/** InvokerServlet */
try {
NodeList exceptionType = doc.getElementsByTagName("servlet-class");
int excTypeLen = exceptionType.getLength();
for (int i = 0; i < excTypeLen; i++) {
Node s = exceptionType.item(i);
String value = s.getTextContent();
if (value.contains("InvokerServlet")) {
cb.addScanIssue(
new CustomScanIssue(
baseRequestResponse.getHttpService(),
helpers.analyzeRequest(baseRequestResponse).getUrl(),
baseRequestResponse,
"Compliance Checks - web.xml - Invoker Servlet",
"J2EEScan identified the <i>InvokerServlet</> enabled inspecting"
+ " the remote web.xml resource.<br /><br />"
+ "It allows any class in your classpath to be accessed, as long as the class is a valid servlet. <br />"
+ "This functionality could potentially introduces a security risk; different servlets could be directly accessed from remote bypassing any Authorization Layers<br /><br />"
+ "<b>References:</b><br />"
+ "http://www.coderanch.com/how-to/java/InvokerServlet<br />"
+ "https://tomcat.apache.org/tomcat-4.1-doc/catalina/funcspecs/fs-invoker.html<br />",
"Disable or restrict access to the remote InvokerServlet",
Risk.Medium,
Confidence.Tentative));
break;
}
}
} catch (Exception ex) {
ex.printStackTrace(stderr);
}
} catch (ParserConfigurationException | SAXException | IOException ex) {
ex.printStackTrace(stderr);
}
}
}
/**
* Analyze and categorize each of the parameters in scope.
*
* @param helpers The standard burp ExtensionHelpers object.
* @param messages The set of request messages to be processed.
*/
private void firstPass(IExtensionHelpers helpers, IHttpRequestResponse[] messages) {
publish("Examining parameters...");
for (int i = 0; i < messages.length; i++) {
publish(100 * i / messages.length);
messages[i].getHttpService();
// Analyze response for cookies
if (messages[i].getResponse() != null) {
IResponseInfo responseInfo = helpers.analyzeResponse(messages[i].getResponse());
List<String> headers = responseInfo.getHeaders();
for (String header : headers) {
if (startsWithIgnoreCase(header, "set-cookie:")) {
processCookieHeader(header);
}
}
}
IRequestInfo requestInfo = helpers.analyzeRequest(messages[i]);
if (callbacks.isInScope(requestInfo.getUrl())) {
byte[] responseBytes = messages[i].getResponse();
String responseString = "";
if (responseBytes != null) {
responseString = helpers.bytesToString(responseBytes);
inScopeMessagesWithResponses.add(messages[i]);
}
List<IParameter> params = requestInfo.getParameters();
for (IParameter param : params) {
if ((!ignoreEmpty || param.getValue().length() > 0)
&& !ignoreList.contains(param.getName())) {
int type = param.getType();
Map<String, CorrelatedParam> paramMap;
switch (type) {
case IParameter.PARAM_URL:
paramMap = urlParameters;
break;
case IParameter.PARAM_BODY:
paramMap = bodyParameters;
break;
case IParameter.PARAM_COOKIE:
paramMap = cookieParameters;
break;
case IParameter.PARAM_JSON:
paramMap = jsonParameters;
break;
default:
paramMap = null;
// nothing
}
if (paramMap != null) {
if (messages[i] == null) {
callbacks.printOutput("Warning... adding null message!");
}
if (paramMap.containsKey(param.getName())) {
paramMap
.get(param.getName())
.put(param, messages[i], requestInfo, responseString, helpers);
} else {
paramMap.put(
param.getName(),
new CorrelatedParam(param, messages[i], requestInfo, responseString, helpers));
}
}
}
}
}
}
}
