Shulou(Shulou.com)05/31 Report--

This article mainly shows you "how to find Cookie information disclosure vulnerabilities through the Tomcat Servlet sample page", the content is easy to understand, well-organized, hope to help you solve your doubts, the following let Xiaobian lead you to study and learn "how to find Cookie information disclosure vulnerabilities through the Tomcat Servlet sample page" this article.

Writeup is a very interesting vulnerability. In the legacy test example of the target website Tomcat Examples, the author found that the Cookie Example sample page shows all the Cookie information of the master site, which can be stolen by Cookie. The vulnerability finally received a reward of four digits $.

First of all, let's take a look at the sample file of Tomcat, which is displayed by default after Tomcat is installed, which contains many test examples of servlets and JSP, especially the session sample interfaces / examples/servlets/servlet/SessionExample and / examples/servlets/servlet/CookieExample. Due to the globality of session variables, attackers can manipulate the session through this interface as an administrator, which is a security risk.

Loophole discovery

Generally speaking, many Tomcat Examples sample pages have XSS vulnerabilities, but this is not the case in the sites I tested. Fortunately, there are three sample directories that are effectively accessible:

Servlet Examples

JSP Examples

Websocket Examples

First, I visited its Websocket sample page:

Its function is probably to allow you to connect to an external WebSocket server and display its connection valid information. Because the test target site is an ion-isolated domain name and has no connection with the master application, the WebSocket cross-domain hijacking vulnerability (Cross-Site-Websocket-Hijacking) is of no use here. In any case, it initiates a connection request to the external WebSocket server, as follows:

After communicating with a friend about the page, his experience reassured me, and that's the only way to take advantage of this point. Let's move on. Then I came to its JSP Servlet page:

It's interesting, but it doesn't do much harm. Then I came to its Servlets Examples sample page:

First of all, I tried the Byte Counter operation because it includes an upload function, but it has been tested to no avail, so if you have any other good methods, you can try it.

After that, I went to the Session Example sample and Cookie Example sample pages. Since this is a sub-domain site, there is nothing in the Session Example session example here:

But when I opened its Cookie Example sample page, https://target.com/examples/servlets/servlet/CookieExample, I found something good!

It can be seen that all the Cookie information of the master site of the target website is displayed here, so I immediately thought of Click-jacking and wrote the following simple exploit script code:

The following POC authentication pages are formed:

Of course, you can also make the page border transparent, or add an overlapping element to it to make it more camouflage. After executing the above POC page, my control side successfully received the Cookie message.

After decoding by url, you can see the complete and intuitive Cookie content:

The above is all the contents of the article "how to discover Cookie information disclosure vulnerabilities through the Tomcat Servlet sample page". Thank you for reading! I believe we all have a certain understanding, hope to share the content to help you, if you want to learn more knowledge, welcome to follow the industry information channel!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.