Tracing Servlet Classes Through Web-Generated JSP Exceptions: An Analysis


[Harvesting Useful Information From JSP Web Application Errors]
Aks aka 0kn0ck
CERA - SecNiche Security.



Abstract

This analysis is based entirely on run-time examination of the exceptions that occur on websites running Java Server Pages, whether the function involved is a web transaction or a login. Since nothing is perfect, many websites are vulnerable to injections that result in unhandled exceptions when the server processes the submitted input: the server is unable to handle the rogue request and an exception occurs. The prime point of the analysis is to retrieve useful information from these errors and to re-trace the internal servlets. Reversing the artifacts of web-generated error output is crucial.
Let us look at how exactly the JSP handler mechanism works.

[Figure: JSP handler mechanism (image not included)]

That is how the event handler mechanism works in JSP. Now for our analysis.

Explanation
I am going to provide just an outline of exception handling in Java, so that one gets the momentum to understand the real core web problems related to unhandled exceptions. Our core aim is to leverage information from the generated error output. The main point of dissection is web JSP errors. We have to understand the working of web services from the rogue output generated by the web application. Remember that the generated exception is structured into two specific layouts:

1. When the code is designed, the exceptions can come from the compiler.
2. Runtime class exceptions, which are also code oriented, but here one specific factor comes into play: human involvement, because the classes are designed and coded by programmers. The error is basically in the source code.

But our point is to understand web-based exceptions. The transaction schema changes to three tiers, but the basics remain the same. Moreover, the structure used to handle the exceptions is in the format below:

[Figure: exception handling structure (image not included)]

The exceptions can occur because of:

[Figure: causes of exceptions (image not included)]

The overall model of errors and exceptions is as follows:

[Figure: model of errors and exceptions (image not included)]
Let us look first at the HttpServlet class and the structure it possesses. HttpServlet is just an abstract class, but the methods it encompasses are used in service design. The web uses a request/response architecture: for every request there must be a response, and a web request has to be completed whenever input is submitted to the web application. It is clear in this context that only the methods the web server supports will be processed. The specific request/response methods are:

		protected void doGet(HttpServletRequest req, HttpServletResponse resp)
		protected long getLastModified(HttpServletRequest req)
		protected void doHead(HttpServletRequest req, HttpServletResponse resp)
		protected void doPost(HttpServletRequest req, HttpServletResponse resp)
		protected void doPut(HttpServletRequest req, HttpServletResponse resp)
		protected void doDelete(HttpServletRequest req, HttpServletResponse resp)
		protected void doOptions(HttpServletRequest req, HttpServletResponse resp)
		protected void doTrace(HttpServletRequest req, HttpServletResponse resp)
		protected void service(HttpServletRequest req, HttpServletResponse resp)


These are the specific methods that the HttpServlet class defines and the server processes. Our prime aim is to leverage information from the errors that the server throws. The very first step is to understand HttpServlet errors and the details that accompany them.

URI Spoofing Trick - Efficient Handling of URI Parameters. You will usually have found that when a GET/POST request is sent to the web server through the browser, the arguments are not displayed. Most of the time a POST request is used, so the request is posted to the server, thereby reducing or entirely removing the visibility of the URI parameters. This also improves functionality, because with POST requests only the URI arguments are updated; the full URI is not required. One reason is security: an attacker would not be able to place rogue input in the URL that disrupts the functioning of the web application. This has become a web security countermeasure, mainly for web-container-dependent operations, i.e. web transactions. It can be bypassed by looking at the HTML code in the browser, but it is still the preferred approach nowadays.

Let us first look at how injections work with respect to the different arguments passed. If the web application is vulnerable, an exception will be generated; otherwise a simple error is thrown. The main cause lies in the web application code, where no proper filters are applied. The URIs prone to Java injections are mainly of two specific kinds:

URI with single-parameter padding: these URIs hold only one argument element, as in:
http://www.website.com/viewsection?lang=
Only one parameter is passed, and the argument value will be specific.

URI with multiple-parameter padding: these URIs hold multiple parameters, with a number of arguments to be supplied:
http://www.website.com/viewsection?lang=&id=
Remember that these URIs are mainly query driven, which directly reflects the injection scenario. There can be login-based exceptions and code-based exceptions which also result in the injection scenario. Now we go directly into our example, to understand the web container behaviour that throws exceptions when bad input is injected. We are going to construct a reverse code class for the error output provided. This reverse class means that, starting from the error output, we write Java code that helps us understand the layout more clearly and find more injections on the web. The main point of regenerating the code is that we can test the virtual application on a local server to find more Java-based SQL injections and other exceptions. It also helps in understanding security from a diversified aspect.

Example 1:
[Screenshot not included]

Example 2:
[Screenshot not included]
As one can clearly see, a java.sql exception has been generated due to the SQL injection that occurred in the system. It means the Java servlet is handling SQL queries through the URI specified. Before tracing a class it is critical to understand the handling of SQL-based queries through a Java web application. The projection below illustrates the working of the databases.

Functional view:
[Figure: functional view (image not included)]

Let us get back to the injection example.

The Exception Output:

	 org.apache.jasper.JasperException
	 org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:370)
	 org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:291)
	 org.apache.jasper.servlet.JspServlet.service(JspServlet.java:241)
	 javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
	 org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:362)
We are encountering a number of functional servlets. Note this frame in particular:
	 javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
The point at this stage is to understand the request undertaken by the servlet that leads to the exception. It indicates that a POST request is used internally by the servlet program and the server. The code-specific error, i.e. 802, indicates that the invalid input was not processed by the server. Like:

	protected void doPost(HttpServletRequest req, HttpServletResponse resp)
 
This method is used to make the request to the web container, and now we are fairly sure, to the maximum extent possible, of how the servlet is coded. The other point is to always check what kind of output is thrown onto the web page when you supply no input. In my case I found a string being displayed on the web page, which made me sure that the string is a simple output for null parameters.
The stated facts are:

1. The method used is doPost.
2. The string is used to display the null input validation check.
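As an added example (not code from the original article), a small Python parser over the exception output shown above: it splits each frame into class, method, source file and line, tags which tier of the stack it came from, and lists what the error page discloses to the client. The sample trace is the article's own, embedded as a constructed string.

```python
import re
# Constructed sample: the trace quoted in the article, without the interleaved prose line.
SAMPLE_TRACE = """
org.apache.jasper.JasperException
org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:370)
org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:291)
org.apache.jasper.servlet.JspServlet.service(JspServlet.java:241)
javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
org.netbeans.modules.web.monitor.server.MonitorFilter.doFilter(MonitorFilter.java:362)
"""

# A stack frame: fully-qualified class, method, source file and line number.
FRAME_RE = re.compile(r"^(?:at\s+)?([\w$.]+)\.([\w$<>]+)\(([\w$]+\.java):(\d+)\)$")
# An exception header is a bare fully-qualified class name (optionally ": message").
EXC_RE = re.compile(r"^([A-Za-z_][\w$]*(?:\.[A-Za-z_][\w$]*)+)(?::.*)?$")
# Package prefix -> stack tier; anything else is treated as application code.
LAYERS = {"org.apache.jasper.": "jsp-engine", "javax.servlet.": "servlet-api",
          "org.netbeans.": "ide-tooling"}

def classify(cls):
    return next((layer for p, layer in LAYERS.items() if cls.startswith(p)), "application")

def parse_trace(text):
    # Returns the exception class and the ordered list of frames with their tier.
    exception, frames = None, []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = FRAME_RE.match(line)
        if m:
            cls, method, src, lineno = m.groups()
            frames.append({"class": cls, "method": method, "file": src,
                           "line": int(lineno), "layer": classify(cls)})
        elif exception is None and EXC_RE.match(line):
            exception = EXC_RE.match(line).group(1)
    return {"exception": exception, "frames": frames}

def entry_point(parsed):
    # The servlet-API frame the request passed through (HttpServlet.service here).
    hits = [f for f in parsed["frames"] if f["layer"] == "servlet-api"]
    return hits[0]["class"] + "." + hits[0]["method"] if hits else None

def disclosures(parsed):
    # What a defender should treat as leaked to the client by this error page.
    layers = {f["layer"] for f in parsed["frames"]}
    found = ["exception class: " + str(parsed["exception"]),
             "%d source locations (file:line)" % len(parsed["frames"])]
    if "jsp-engine" in layers:
        found.append("container: Apache Jasper JSP engine")
    if "ide-tooling" in layers:
        found.append("NetBeans monitor filter deployed with the application")
    return found
```

Run `disclosures(parse_trace(SAMPLE_TRACE))` to see the report for the article's trace; feeding it a production error page tells you at a glance whether the container is returning raw stack traces instead of a configured error page.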
Now we are going to design a very basic servlet from the information we have examined. The simplistic servlet is designed as:


		import java.io.*;
		import javax.servlet.*;
		import javax.servlet.http.*;

		public class TraceServelet extends HttpServlet
		{
			protected void doPost(HttpServletRequest req, HttpServletResponse res)
					throws ServletException, IOException
			{
				// The single parameter the traced application reads from the POST body
				String DATA = req.getParameter("DATA");
				PrintWriter out = res.getWriter();
				if (DATA != null)
				{
					out.println("No Exception");
				}
				else
				{
					// Mirrors the fixed string the live page shows for a null parameter
					out.println("Error! No Output..");
				}
			}
		}
This is a skeletal view of, and a method for, generating an HTTP servlet class in order to understand the code flow. It is somewhat like re-engineering a web application from the infection point of view. This process is very effective in analysing weaknesses in Java web applications.

One Line Conclusion: this type of analysis is beneficial from a pen-testing point of view.