Tuesday, 29 October 2013

[EN] JSP Code Review - part 1

During pentests of web applications in various companies it often happens that
a few pages are written in JSP.

I have described a few different cases of testing webapps here, by white-box and/or
black-box testing, so today I decided: why not do it again for JSP-based pages? ;)

For our purpose, a good example can be found on one of the tutorial pages,
in the section called 'HTTP Header Request Example'. Below I will show you
how we can check whether this page (or a part of it ;)) is vulnerable to attacks.

(In case you don't know how to prepare a virtual environment for testing
JSP-based pages, check this site. There you will find a nearly step-by-step list
for installing Tomcat with Java on your Linux box. If you have any trouble,
leave me an email or a comment below.)

Ok. Let's get back to our JSP tutorial.
The example code will show the headers sent with the request to our 'test page'.

<%@ page import="java.io.*,java.util.*" %>
<html>
<head>
<title>HTTP Header Request Example</title>
</head>
<body>
<h2>HTTP Header Request Example</h2>
<table width="100%" border="1" align="center">
<tr bgcolor="#949494">
<th>Header Name</th><th>Header Value(s)</th>
</tr>
<%-- both the header name and its value are written out unencoded --%>
<%
   Enumeration headerNames = request.getHeaderNames();
   while(headerNames.hasMoreElements()) {
      String paramName = (String)headerNames.nextElement();
      out.print("<tr><td>" + paramName + "</td>\n");
      String paramValue = request.getHeader(paramName);
      out.println("<td> " + paramValue + "</td></tr>\n");
   }
%>
</table>
</body>
</html>


Ok. Let's save this code as 'headers.jsp'.

It's not a problem to test this page using Burp, as described in a few
mini-articles here, but in this case we will do a little 'code review'. ;)

A few short examples were also described here and here, so here we will use
a similar trick. We know that if user input is not sanitized (or not sanitized
properly) before it is echoed back, it is possible to inject code into the page.

So now we will search for 'something' that prints out 'text' (a string) supplied
by the user. In our JSP that is the out.print function. Let's find out whether we
can grep for it in our source code:

# grep out.print headers.jsp
      out.print("<tr><td>" + paramName + "</td>\n");
      out.println("<td> " + paramValue + "</td></tr>\n");

Yes, we can. ;)

We can see 2 lines, both printing 'some parameter/value names'.
Let's find out where those come from:

      String paramName = (String)headerNames.nextElement();

It seems to be just some 'string'; let's check the other 'parameter':

# grep paramValue headers.jsp
      String paramValue = request.getHeader(paramName);
      out.println("<td> " + paramValue + "</td></tr>\n");

Great. So now we can see that 'paramValue' comes straight from the request: it is
the value of the header named 'paramName' (getHeader() function), and 'paramName'
itself is one of the header names the client sent. Because neither of them is
filtered or HTML-encoded in any way before being printed, we can try to inject
some code here.
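To make this review step repeatable instead of grepping by hand, here is a small taint-tracking script. It is an added example for this article, not code from the tutorial page and not part of headers.jsp. It scans a scriptlet for variables assigned from request.getHeader(), getHeaderNames(), getParameter() and friends (the sources), follows them through simple assignments, and reports every out.print()/out.println() (the sinks) that writes one of them without an HTML-encoding call directly around it. The two JSP samples inside it are constructed: the first is the vulnerable scriptlet from above, the second is a hardened variant that wraps both the header name and its value in StringEscapeUtils.escapeHtml4 from Apache Commons Text (assumed to be on the webapp's classpath). The list of encoder names the script accepts is an assumption too; extend it for whatever your codebase uses.

```python
import re

# Constructed sample: the scriptlet from headers.jsp as shown above (vulnerable).
VULNERABLE_JSP = """\
<%@ page import="java.io.*,java.util.*" %>
<%
   Enumeration headerNames = request.getHeaderNames();
   while(headerNames.hasMoreElements()) {
      String paramName = (String)headerNames.nextElement();
      out.print("<tr><td>" + paramName + "</td>\\n");
      String paramValue = request.getHeader(paramName);
      out.println("<td> " + paramValue + "</td></tr>\\n");
   }
%>
"""

# Constructed hardened variant: both the header name and its value are
# HTML-encoded before they reach the page. StringEscapeUtils.escapeHtml4 is
# Apache Commons Text; it is assumed to be on the webapp's classpath.
HARDENED_JSP = """\
<%@ page import="java.util.*" %>
<%@ page import="org.apache.commons.text.StringEscapeUtils" %>
<%
   Enumeration headerNames = request.getHeaderNames();
   while(headerNames.hasMoreElements()) {
      String paramName = (String)headerNames.nextElement();
      String paramValue = request.getHeader(paramName);
      out.print("<tr><td>" + StringEscapeUtils.escapeHtml4(paramName) + "</td>\\n");
      out.println("<td> " + StringEscapeUtils.escapeHtml4(paramValue) + "</td></tr>\\n");
   }
%>
"""

# Sources: request data the client controls (header names and values included).
SOURCE_RE = re.compile(
    r"\brequest\.(?:getHeader|getHeaders|getHeaderNames|getParameter|"
    r"getParameterValues|getQueryString|getRequestURI|getCookies)\s*\("
)
# Simple scriptlet assignments: `Type name = expr;` or `name = expr;`
ASSIGN_RE = re.compile(r"^\s*(?:[\w<>\[\],]+\s+)?(\w+)\s*=\s*(.+);\s*$")
# Sinks: anything written straight into the response.
SINK_RE = re.compile(r"\bout\.print(?:ln)?\s*\((.*)\)\s*;")
# Encoders accepted as neutralizing a tainted value (assumed list; extend as needed).
ESCAPER_RE = re.compile(r"(?:escapeHtml4|escapeHtml|encodeForHTML|htmlEscape)\s*\(\s*$")


def find_unescaped_sinks(jsp_source):
    """Return [(line_no, variable)] for every out.print/println that writes a
    request-derived variable without an encoder call directly around it.
    Line-oriented heuristic: one statement per line, no re-assignment tracking,
    and escapeHtml4("x" + var) is still reported because var is not the
    direct argument of the encoder."""
    tainted = set()
    findings = []
    for line_no, line in enumerate(jsp_source.splitlines(), 1):
        m = ASSIGN_RE.match(line)
        if m:
            var, rhs = m.group(1), m.group(2)
            # tainted if assigned from a source or computed from a tainted variable
            if SOURCE_RE.search(rhs) or any(
                re.search(r"\b%s\b" % re.escape(t), rhs) for t in tainted
            ):
                tainted.add(var)
        s = SINK_RE.search(line)
        if not s:
            continue
        arg = s.group(1)
        for var in sorted(tainted):
            for occ in re.finditer(r"\b%s\b" % re.escape(var), arg):
                if not ESCAPER_RE.search(arg[: occ.start()]):
                    findings.append((line_no, var))
                    break
    return findings


if __name__ == "__main__":
    for label, src in (("headers.jsp", VULNERABLE_JSP), ("hardened", HARDENED_JSP)):
        print(label, find_unescaped_sinks(src) or "no unescaped sinks")
```

Run it and the vulnerable sample reports both sinks (the header name on line 6, the header value on line 8), while the hardened sample reports nothing. Note that the header name is flagged too: an attacker chooses the header names just as freely as the values, so encoding only paramValue would not be a complete fix.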

Let's check whether we can change one of the presented headers, for example
the User-Agent.

To do that we can use Tamper Data or the previously mentioned Burp Proxy (though
honestly, in my opinion, for this kind of 'simple check' Tamper Data will be fine).

Let's catch the request to the server (our 'header page' in JSP) and change
the value of the User-Agent to our favourite 'XSS payload':

[Screenshot: Tampered header]

As the response to this unfiltered input we get the nice old XSS alert box ;)

[Screenshot: XSS in JSP webapp]
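The same check can be scripted instead of done by hand in Tamper Data. The Python script below is an added example, not part of the original post or of the tutorial: it builds a probe with a random marker, sends it in a chosen request header, and classifies the response as reflected unescaped (XSS), reflected but HTML-encoded (what a fixed page does), or not reflected at all. The HeaderEchoHandler inside it is a constructed stand-in for headers.jsp (it echoes every request header into a table the same way, with an encoding switch), so the demo runs locally without Tomcat; host, port and path are whatever you point probe_header() at.

```python
import html
import http.client
import secrets
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


def build_payload(marker=None):
    """Return (marker, payload). A random marker keeps the probe unambiguous
    even if the page already contains the word 'alert' somewhere."""
    marker = marker or secrets.token_hex(4)
    return marker, '<script>alert("%s")</script>' % marker


def classify_reflection(body, payload):
    """reflected-unescaped -> the HTML is interpreted, this is XSS;
    reflected-escaped     -> echoed, but entity-encoded (safe);
    not-reflected         -> the header is not echoed at all."""
    if payload in body:
        return "reflected-unescaped"
    encoded = (html.escape(payload, quote=True), html.escape(payload, quote=False))
    if any(e in body for e in encoded):
        return "reflected-escaped"
    return "not-reflected"


def probe_header(host, port, path, header_name="User-Agent"):
    """Send one GET with the payload in header_name and classify the body."""
    marker, payload = build_payload()
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={header_name: payload})
        body = conn.getresponse().read().decode("utf-8", "replace")
    finally:
        conn.close()
    return classify_reflection(body, payload)


class HeaderEchoHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for headers.jsp: writes every request header into
    a table. With escape_output=False it behaves like the tutorial page."""
    escape_output = False

    def do_GET(self):
        rows = []
        for name, value in self.headers.items():
            if self.escape_output:
                name, value = html.escape(name), html.escape(value)
            rows.append("<tr><td>%s</td><td> %s</td></tr>" % (name, value))
        body = ("<table>\n" + "\n".join(rows) + "\n</table>").encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output clean
        pass


def run_demo():
    """Start the stand-in on a free local port and probe it twice:
    once unescaped (vulnerable) and once with encoding switched on."""
    server = HTTPServer(("127.0.0.1", 0), HeaderEchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    try:
        HeaderEchoHandler.escape_output = False
        vulnerable = probe_header("127.0.0.1", port, "/headers.jsp")
        HeaderEchoHandler.escape_output = True
        hardened = probe_header("127.0.0.1", port, "/headers.jsp")
    finally:
        server.shutdown()
        server.server_close()
    return vulnerable, hardened


if __name__ == "__main__":
    print("vulnerable page: %s, hardened page: %s" % run_demo())
```

Against the unescaped stand-in the probe comes back as reflected-unescaped, exactly what the alert box above shows; with encoding on it comes back reflected-escaped. Because probe_header() takes the header name as a parameter, the same loop can walk through Referer, X-Forwarded-For or any custom header the page echoes, which is the part worth automating on a real engagement.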

Good luck with code review!

If you have any questions - as always - leave me an email. ;)

