wavsep's Issues

Suggestion

This is not a problem or an issue; just a suggestion:
- I've tested several major open source scanners. One of the most challenging 
things for these scanners is the language of the file and when the different 
languages are mixed. Is it possible to support other languages such as .Net, 
php, and asp in this project?

- I've also attached some vulnerable stored procedures and ASP files that can be 
added to this project for open source scanners. Could you please check them and 
add them to the project if they are useful? I found out that most of the 
open source scanners cannot find vulnerabilities of these ASP files.

- Could you please negotiate with the famous source scanners to have their test 
version as well? (Fortify, IBM Rational AppScan, Checkmarx, and so on)

Original issue reported on code.google.com by [email protected] on 24 Jan 2011 at 10:50

Install failure: Database 'db/WavsepConfigDB' not found

What steps will reproduce the problem?
1. Install war file
2. go to http://localhost:8080/wavsep/wavsep-install/install.jsp
3. fill in mysql password and hit enter

What is the expected output? What do you see instead?

Expect database initialization.

Get error message:

javax.servlet.ServletException: java.sql.SQLException: Database 
'db/WavsepConfigDB' not found.


What version of the product are you using? On what operating system?
1.1.1, xubuntu 12.04, with system openjdk-6 and tomcat-6

Please provide any additional information below.

org.apache.jasper.JasperException: An exception occurred processing JSP page 
/wavsep-install/install.jsp at line 109

106:    
107:    
108:    try {
109:        conn = ConnectionPoolManager.getDerbyConnection();
110:        
111:        
112:        //#############################################


Stacktrace:
    org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:521)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:412)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

root cause

javax.servlet.ServletException: java.sql.SQLException: Database 
'db/WavsepConfigDB' not found.
    org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageContextImpl.java:865)

Original issue reported on code.google.com by [email protected] on 28 Feb 2012 at 9:30

LFI test cases throwing: java.lang.IllegalArgumentException: URI has an authority component

What steps will reproduce the problem?
1. /wavsep-v1.2/active/LFI-Detection-Evaluation-GET-500Error/Case10-LFI-FileClass-FilenameContext-Unrestricted-FileDirective-DefaultFullInput-NoPathReq-Read.jsp?target=content.ini
2. HTTP Status 500 with Exception details: java.lang.IllegalArgumentException: URI has an authority component is returned

What is the expected output? What do you see instead?
Should see contents of content.ini and be able to use traversal attacks to access 
web.xml or include.jsp.

What version of the product are you using? On what operating system?
WAVSEP v1.2

Please provide any additional information below.
Installed into tomcat 6.0.20


Looks like your path is being concatenated incorrectly. The two 'exploits' you 
list don't work as is. It's pretty apparent from the output log what is 
happening, unless of course I'm missing something obvious (which might be the 
case :>)

Log output:
File delimiter: /
Line delimiter (encoded):

User Directory Path (Absolute): /root
Deployment Path Root (Absolute): /usr/share/tomcat6/webapps/wavsep-v1.2
Deployment Path Current File (Absolute): /usr/share/tomcat6/webapps/wavsep-v1.2/active/LFI-Detection-Evaluation-GET-500Error/Case10-LFI-FileClass-FilenameContext-Unrestricted-FileDirective-DefaultFullInput-NoPathReq-Read.jsp
Deployment Path Current Directory (Absolute): /usr/share/tomcat6/webapps/wavsep-v1.2/active/LFI-Detection-Evaluation-GET-500Error
Web Path Root (Relative): /wavsep-v1.2
Web Path of File (Relative-no-root): /active/LFI-Detection-Evaluation-GET-500Error/Case10-LFI-FileClass-FilenameContext-Unrestricted-FileDirective-DefaultFullInput-NoPathReq-Read.jsp
Web Path of Dir (Relative-no-root): /active/LFI-Detection-Evaluation-GET-500Error
request URL: http://192.168.218.131:8080/wavsep-v1.2/active/LFI-Detection-Evaluation-GET-500Error/Case10-LFI-FileClass-FilenameContext-Unrestricted-FileDirective-DefaultFullInput-NoPathReq-Read.jsp
Current directory's canonical path: /root
Current directory's absolute path: /root/.
*****Initial Prefix*****: /usr/share/tomcat6/webapps/wavsep-v1.2/active/LFI-Detection-Evaluation-GET-500Error


Default Target File (Prior to Concat): content.ini
Default Base Path (Prior to Concat): file://usr/share/tomcat6/webapps/wavsep-v1.2/active/LFI-Detection-Evaluation-GET-500Error/
Default Target File: content.ini
Default Base Path: file://usr/share/tomcat6/webapps/wavsep-v1.2/active/LFI-Detection-Evaluation-GET-500Error/



Final Relative Access:/active/LFI-Detection-Evaluation-GET-500Error/content.ini
Final Full Access:/usr/share/tomcat6/webapps/wavsep-v1.2/active/LFI-Detection-Evaluation-GET-500Error/content.ini
Target File: content.ini

File:file://usr/share/tomcat6/webapps/wavsep-v1.2/active/LFI-Detection-Evaluation-GET-500Error/content.ini
prefix:/usr/share/tomcat6/webapps/wavsep-v1.2/active/LFI-Detection-Evaluation-GET-500Error/
File to access:/usr/share/tomcat6/webapps/wavsep-v1.2/active/LFI-Detection-Evaluation-GET-500Error/file://usr/share/tomcat6/webapps/wavsep-v1.2/active/LFI-Detection-Evaluation-GET-500Error/content.ini
Current Absultoe File Path: /root/.
Current Canonical Dir Path: /root


Note the 'File to access' line has the path + the file:// path concatenated 
together. My question is, does this work in your environment? It seems like a 
code issue not an environment issue that would allow for this test case to 
succeed. I've seen this error in a number of other cases (still working through 
which ones at the moment). 
-Isaac


Original issue reported on code.google.com by [email protected] on 20 Jul 2012 at 9:00
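
The exception in this report can be reproduced outside WAVSEP. The following is an added example, not code from the project: it feeds the `file://usr/...` shape shown in the log to `java.net.URI` and `java.io.File`, next to two well-formed alternatives. The class name `FileUriAuthorityDemo` is hypothetical, and the directory is copied from the `prefix:` line of the log.

```java
import java.io.File;
import java.net.URI;

// Hypothetical demo class (not WAVSEP code): shows how java.net.URI splits the
// "file://usr/..." string from the log and why java.io.File refuses it.
public class FileUriAuthorityDemo {

    // Parses the text as a URI, then tries to open it the way File(URI) would.
    static String describe(String uriText) {
        URI uri = URI.create(uriText);
        String parts = "authority=" + uri.getAuthority() + " path=" + uri.getPath();
        try {
            return parts + " -> File " + new File(uri).getPath();
        } catch (IllegalArgumentException e) {
            // File(URI) rejects any file: URI that carries an authority component.
            return parts + " -> rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Directory copied from the "prefix:" line of the log; file name from the report.
        String dir = "/usr/share/tomcat6/webapps/wavsep-v1.2/active/"
                   + "LFI-Detection-Evaluation-GET-500Error/";
        String name = "content.ini";

        // Shape seen in the log: "file://usr/...". After "//" the parser expects an
        // authority (host), so "usr" is taken as the host and dropped from the path.
        System.out.println(describe("file:/" + dir + name));

        // Three slashes: empty authority, the absolute path stays intact.
        System.out.println(describe("file://" + dir + name));

        // Let the JDK build the URI from the path instead of concatenating strings.
        System.out.println(describe(new File(dir, name).toURI().toString()));
    }
}
```

Only the first call is rejected; in the other two the authority is null and the full absolute path survives, which is the form `java.io.File` accepts.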

Exception

After entering username and password, it gives the following error:
type Exception report

message

description The server encountered an internal error () that prevented it from 
fulfilling this request.

exception

org.apache.jasper.JasperException: An exception occurred processing JSP page 
/wavsep-install/install.jsp at line 109

106:    
107:    
108:    try {
109:        conn = ConnectionPoolManager.getDerbyConnection();
110:        
111:        
112:        //#############################################


Stacktrace:
    org.apache.jasper.servlet.JspServletWrapper.handleJspException(JspServletWrapper.java:510)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:401)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

root cause

javax.servlet.ServletException: java.sql.SQLException: Database 
'db/WavsepConfigDB' not found.
    org.apache.jasper.runtime.PageContextImpl.doHandlePageException(PageContextImpl.java:862)
    org.apache.jasper.runtime.PageContextImpl.handlePageException(PageContextImpl.java:791)
    org.apache.jsp.wavsep_002dinstall.install_jsp._jspService(install_jsp.java:676)
    org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:377)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

root cause

java.sql.SQLException: Database 'db/WavsepConfigDB' not found.
    org.apache.derby.impl.jdbc.SQLExceptionFactory40.getSQLException(Unknown Source)
    org.apache.derby.impl.jdbc.Util.newEmbedSQLException(Unknown Source)
    org.apache.derby.impl.jdbc.Util.newEmbedSQLException(Unknown Source)
    org.apache.derby.impl.jdbc.Util.generateCsSQLException(Unknown Source)
    org.apache.derby.impl.jdbc.EmbedConnection.newSQLException(Unknown Source)
    org.apache.derby.impl.jdbc.EmbedConnection.handleDBNotFound(Unknown Source)
    org.apache.derby.impl.jdbc.EmbedConnection.<init>(Unknown Source)
    org.apache.derby.impl.jdbc.EmbedConnection30.<init>(Unknown Source)
    org.apache.derby.impl.jdbc.EmbedConnection40.<init>(Unknown Source)
    org.apache.derby.jdbc.Driver40.getNewEmbedConnection(Unknown Source)
    org.apache.derby.jdbc.InternalDriver.connect(Unknown Source)
    org.apache.derby.jdbc.AutoloadedDriver.connect(Unknown Source)
    java.sql.DriverManager.getConnection(DriverManager.java:620)
    java.sql.DriverManager.getConnection(DriverManager.java:222)
    com.sectooladdict.database.ConnectionPoolManager.getDerbyConnection(ConnectionPoolManager.java:45)
    org.apache.jsp.wavsep_002dinstall.install_jsp._jspService(install_jsp.java:166)
    org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:377)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

root cause

java.sql.SQLException: Database 'db/WavsepConfigDB' not found.
    org.apache.derby.impl.jdbc.SQLExceptionFactory.getSQLException(Unknown Source)
    org.apache.derby.impl.jdbc.SQLExceptionFactory40.wrapArgsForTransportAcrossDRDA(Unknown Source)
    org.apache.derby.impl.jdbc.SQLExceptionFactory40.getSQLException(Unknown Source)
    org.apache.derby.impl.jdbc.Util.newEmbedSQLException(Unknown Source)
    org.apache.derby.impl.jdbc.Util.newEmbedSQLException(Unknown Source)
    org.apache.derby.impl.jdbc.Util.generateCsSQLException(Unknown Source)
    org.apache.derby.impl.jdbc.EmbedConnection.newSQLException(Unknown Source)
    org.apache.derby.impl.jdbc.EmbedConnection.handleDBNotFound(Unknown Source)
    org.apache.derby.impl.jdbc.EmbedConnection.<init>(Unknown Source)
    org.apache.derby.impl.jdbc.EmbedConnection30.<init>(Unknown Source)
    org.apache.derby.impl.jdbc.EmbedConnection40.<init>(Unknown Source)
    org.apache.derby.jdbc.Driver40.getNewEmbedConnection(Unknown Source)
    org.apache.derby.jdbc.InternalDriver.connect(Unknown Source)
    org.apache.derby.jdbc.AutoloadedDriver.connect(Unknown Source)
    java.sql.DriverManager.getConnection(DriverManager.java:620)
    java.sql.DriverManager.getConnection(DriverManager.java:222)
    com.sectooladdict.database.ConnectionPoolManager.getDerbyConnection(ConnectionPoolManager.java:45)
    org.apache.jsp.wavsep_002dinstall.install_jsp._jspService(install_jsp.java:166)
    org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:377)
    org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:313)
    org.apache.jasper.servlet.JspServlet.service(JspServlet.java:260)
    javax.servlet.http.HttpServlet.service(HttpServlet.java:717)

note The full stack trace of the root cause is available in the Apache 
Tomcat/6.0.24 logs.

Original issue reported on code.google.com by [email protected] on 15 May 2012 at 1:29

LFI test case 37 & similar test cases don't function under linux

Case 37 and a few similar test cases (which perform slash validation) don't 
work properly on Linux.

Although under Windows they could be bypassed by replacing / with \, or by 
accessing one of the files installed by default in tomcat's root directory 
(minor), in Linux that does not seem to work.

For the moment - the best way to reproduce the benchmark results is to use 
wavsep on Windows XP or Windows 7 (right click and run tomcat as admin), and 
although the vast majority of test cases will work on Linux, several LFI test 
cases might not.

Reported by Tasos Laskos (arachni's developer).

Original issue reported on code.google.com by [email protected] on 25 Jul 2012 at 8:41

The charset windows-1255 can cause problems on some machines

I've had problems running wavsep on some machines due to the use of the 
windows-1255 charset.
I've had to remove all instances of it from the jsps to get it to work.
Either removing it or changing to use something like 8859-8 would fix this 
(relatively minor) problem.

Original issue reported on code.google.com by [email protected] on 5 Oct 2011 at 12:34

No False Positive Test Cases for POST requests

Hi,

I see that there are 10 False Positive cases for GET requests but there are 
none for POST requests. Is there a specific reason for that or is it just a new 
feature that can be implemented?

Thanks,
Fahad

Original issue reported on code.google.com by [email protected] on 25 Jul 2012 at 1:33

Tweak to the test names

Very minor point ... but if you named the tests:
Case01-Tag2HtmlPageScope.jsp
Case02-Tag2TagScope.jsp
etc. (i.e. include a zero for 0-9), then they would sort better.

As opposed to:
Case1-Tag2HtmlPageScope.jsp
Case10-Js2DoubleQuoteJsEventScope.jsp
Case11-Js2SingleQuoteJsEventScope.jsp
:
Case2-Tag2TagScope.jsp

:)

Original issue reported on code.google.com by [email protected] on 5 Oct 2011 at 12:48

Path Traversal/LFI issues with backslash on Linux system

What steps will reproduce the problem?
1. Start Tomcat 6.0 on an Ubuntu machine 
2. Navigate for example to http://localhost:8080/Wavsep/active/LFI-Detection-Evaluation-GET-200Valid/Case21-LFI-FileClass-FilenameContext-Unrestricted-OSPath-DefaultFullInput-BackslashPathReq-Read.jsp?target=\content.ini
3. I am getting: "The information is unavailable at this time. Please try again later."

What is the expected output? What do you see instead?
An automatic handling (translation to slash) of the backslash on operating 
systems that use slash as a file path delimiter.

What version of the product are you using? On what operating system?
Wavsep 1.2 - Eclipse Archive Version
Ubuntu 12.04
Eclipse EE Indigo 

Thank you!


Original issue reported on code.google.com by [email protected] on 27 Jul 2012 at 11:13

Cookies set without httponly flag

Depending on how your webserver is set up, some scanners may report that all 
pages have a low level vulnerability as the session cookie isn't set with 
httponly.
The following bit of code in each jsp would fix this:

<%
    // Standard bit of code to ensure any session ID is protected using HTTPOnly
    String sessionid = request.getSession().getId();
    if (sessionid != null && sessionid.length() > 0) {
        response.setHeader("SET-COOKIE", "JSESSIONID=" + sessionid + "; HttpOnly");
    }
%>

Ripped off from ZAP WAVE, but that's ok as I'm the author ;)

Original issue reported on code.google.com by [email protected] on 5 Oct 2011 at 12:38
