Apache Example Servlet leads to $$$$
Hey Friends, hope you’re doing good during these quarantine days! It’s been quite some time since I blogged about something.
So, there’s an interesting vulnerability I found lately and want to share with you guys!
But first, let’s get to know what Apache Examples are!
Apache Tomcat Examples are part of the default Tomcat installation page that appears right when you first install the application. It is recommended to remove this page ASAP to be on the safer side.
Path: site.com/examples
OR site.com/tomcat-dir/examples

Firstly, I’d like to reference another blog post by Rapid7:
It lists pages potentially vulnerable to XSS issues. Although in my case I wasn’t so lucky :/

Anyway, there were 3 servlets available:
- Servlet Examples
- JSP Examples
- Websocket Examples
First, I went for the Websocket examples.

There was a feature, as described below, that allowed connecting to an external WSS (WebSocket) server and displaying messages here. But since this was on a secluded subdomain, away from the main application, CSWSH (Cross-Site WebSocket Hijacking) wouldn’t be very impactful here. Still, an external connection was initiated from here (exploitable by connecting to your own WSS server).

Had a quick chat with hakluke about the impact; he said likewise, cleared my doubts with some questions of his, and shared some of his valuable experience :D
Moving on! I looked at the JSP Servlet to find something other than XSS.


Hmmpph! Interesting, but nothing so impactful. There could very well be vulnerabilities in this JSP Servlet buttt I didn’t find any responsive input fields. Sooo, TRASHED!

Then, I finally moved on to the Servlets Examples.

First, I tried the Byte Counter example, since it had upload functionality. But but but but but hard luck :( No success here either. If you guys find this in the wild, feel free to use your ideas, try to get an exploit here, and maybe ping me too :P

At last, I targeted the Session Example and Cookie Example.

Interesting! But since it’s on a secluded sub, not that impactful.
Then, I checked the Cookie Example and it was gold!

Cookies from the main site were being reflected here! I quickly thought of a scenario for how this could be exploited. Clickjacking came to mind. I quickly headed over to SecurityHeaders andddddd, as expected :D
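As an added illustration (not code from this writeup), here are the two checks a defender would run for this finding: whether a main-site cookie is scoped so that the browser also sends it to a sibling examples subdomain, and whether the examples host sends any anti-framing header. The hostnames, cookie values and response headers are constructed placeholders, and since the post doesn’t say how the real cookies were scoped, the Domain attribute is an assumption about why they reached the examples host.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def cookie_sent_to(set_cookie, set_by_url, target_url):
    """RFC 6265 domain matching: would a browser attach this cookie, set by
    set_by_url, to a request for target_url? No Domain attribute = host-only;
    Domain=site.com (leading dot ignored) also reaches every subdomain."""
    _, attrs = parse_set_cookie(set_cookie)
    origin = (urlsplit(set_by_url).hostname or "").lower()
    target = (urlsplit(target_url).hostname or "").lower()
    domain = attrs.get("domain", "").lstrip(".").lower()
    if not domain:
        return target == origin
    # Browsers reject a Domain that does not cover the setting host itself
    if not (origin == domain or origin.endswith("." + domain)):
        return False
    return target == domain or target.endswith("." + domain)

def framing_protection(headers):
    """List the anti-framing mechanisms in a response; empty means framable."""
    lowered = {k.lower(): v for k, v in headers.items()}
    found = []
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        found.append("X-Frame-Options: " + xfo)
    if "frame-ancestors" in lowered.get("content-security-policy", "").lower():
        found.append("CSP frame-ancestors")
    return found

if __name__ == "__main__":
    # Constructed sample data: placeholder main site and examples subdomain
    main_site = "https://site.com/login"
    examples = "https://examples.site.com/examples/"
    for cookie in ("JSESSIONID=abc123; Domain=.site.com; Path=/; Secure; HttpOnly",
                   "JSESSIONID=abc123; Path=/; Secure; HttpOnly"):
        print(cookie, "->", cookie_sent_to(cookie, main_site, examples))
    # Constructed response headers from the examples host: nothing stops framing
    print("framing protection:", framing_protection({"Server": "Apache-Coyote/1.1"}))
```

The fix on the main site is to drop the Domain attribute (or narrow it) so session cookies stay host-only, and on the Tomcat side to remove the examples webapp as the post recommends.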


Wrote a hasty piece of code (which obviously can be improved further, haha)


[NOTE: you can reduce the opacity to minimal and add an overlay element to make it more convincing. I didn’t do it due to time constraints / I am just too lazy?]

Here it comes!!! Now, simply paste the URL-encoded cookie into a decoder and it’s done!
COOKIES == STOLEN


Thank you guys for reading till the end! Hope you liked it!
Dox me at https://twitter.com/debangshu_kundu
Timeline:
Reported: 29 Jun 2020
Rewarded: 17 Jul 2020
Takeaways: Always stay on the lookout for abandoned/rarely-used subdomains. Especially if the site says “This Web Application Has Been Disabled”!
Take care guys! Stay safe and secure.

./logout.sh