J2EEScan is a plugin for Burp Suite Proxy. The goal of this plugin is to improve the test coverage during web application penetration tests on J2EE applications.
The plugin is fully integrated into the Burp Suite Scanner; it adds some new test cases and new strategies to discover different kind of J2EE vulnerabilities.
Jetty Version Detection and Remote Leak Shared Buffers vulnerability (CVE-2015-2080)
Apache Wicket Arbitrary Resource Access (CVE-2015-2080)
Misc
- Expression Language Injection (CVE-2011-2730)
- Apache Roller OGNL Injection (CVE-2013-4212)
- Local File include - /WEB-INF/web.xml Retrieved
- Local File Include - Spring Application Context Retrieved
- Local File Include - struts.xml Retrieved
- Local File Include - weblogic.xml Retrieved
- Local File Include - ibm-ws-bnd.xml Retrieved
- Local File Include - ibm-web-ext.xmi Retrieved
- Local File Include - ibm-web-ext.xml Retrieved
- Local File Include - /etc/shadow Retrieved
- Local File Include - /etc/passwd Retrieved
- HTTP Auth Weak Password
- WEB-INF Application Configuration Files Retrieved
- Status Servlet (CVE-2008-3273)
- Snoop Servlet (CVE-2012-2170)
- Extended Path Traversal Scan
- AJP Service Detection - thanks to @ikki
- Spring Boot Actuator console
- UTF8 Response Splitting
- JK Management Endpoints
- Pivotal Spring Traversal (CVE-2014-3625)
Apache Struts
- Apache Struts 2 S2-023 - thanks to @h3xstream
- Apache Struts 2 S2-016
- Apache Struts 2 S2-017
- Apache Struts 2 S2-020
- Apache Struts 2 S2-021
- Apache Struts 2 S2-032
- Apache Struts DevMode Enabled
- Apache Struts OGNL Console
Grails
- Grails Path Traversal (CVE-2014-0053)
Apache Wicket
- Apache Wicket Arbitrary Resource Access (CVE-2015-2080)
Java Server Faces
- Java Server Faces Local File Include (CVE-2013-3827 CVE-2011-4367)
JBoss SEAM
- JBoss SEAM Remote Command Execution (CVE-2010-1871)
Incorrect Error Handling
- JSF
- Apache Struts
- Apache Tapestry
- Grails
- GWT
- Java
XML Security
- XInclude Support
- XML External Entity
Information Disclosure Issues
- Remote JVM version
- Apache Tomcat version
- Jetty version
- Oracle Application Server version
- Oracle Glassfish version
- Oracle Weblogic version
Compliance Checks
- web.xml - HTTP Verb Tampering
- web.xml - URL Parameters for Session Tracking
- web.xml - Incomplete Error Handling
- web.xml - Invoker Servlet
JBoss
- JBoss Web Service Enumeration
- JBoss Admin Console Weak Password
- JBoss JMX/Web Console Not Password Protected
- JBoss JMX Invoker Remote Command Execution
- JBoss Undertow Directory Traversal (CVE-2014-7816)
- JBoss jBPM Admin Console
Tomcat
- Tomcat Manager Console Weak Password
- Tomcat Host Manager Console Weak Password
- End Of Life Software - Tomcat
Weblogic
- Weblogic UDDI Explorer Detection
- Weblogic UDDI Explorer SSRF Vulnerability (CVE-2014-4210)
- Weblogic Admin Console Weak Password
Oracle Application Server
- Added check for Oracle Log Database Accessible
- Added check for Multiple Oracle Application Server Default Resources (CVE-2002-0565, CVE-2002-0568, CVE-2002-0569)
- End Of Life Software - Oracle Application Server
Jetty
- Jetty Remote Leak Shared Buffers (CVE-2015-2080) found by @gdssecurity
- End Of Life Software - Jetty
Apache Axis
- Apache Axis2 - Web Service Enumeration
- Apache Axis2 - Admin Console Weak Password
- Apache Axis2 - Local File Include Vulnerability (OSVDB 59001)
- Apache Axis2 - Happy Axis
NodeJS
- NodeJS HTTP Redirect (CVE-2015-1164)
- NodeJS HTTP Response Splitting (CVE-2016-2216)
- From "Cookie jar" section in "Options" -> "Sessions" enable the Scanner field
- Load the J2EEscan jar in the Burp Extender tab
- The plugin requires at least Java 1.7
Special thanks to
- Added check for UTF8 Response Splitting
- Added check for JBoss Undertow Directory Traversal (CVE-2014-7816)
- Added check for NodeJS HTTP Redirect (CVE-2015-1164)
- Added check for NodeJS HTTP Response Splitting (CVE-2016-2216)
- Added check for JK Management Endpoints
- Added check for Pivotal Spring Traversal (CVE-2014-3625)
- Added check for JBoss jBPM Admin Consoles
- Adedd check for Apache Struts 2 S2-032 (CVE-2016-3081)
- Improved LFI payloads
- Improved EL Injection tests
- Improved WS Axis security checks
- Added check for Spring Boot Actuator console
- Improved LFI module with new UTF-8 payloads
- Improved EL Injection with new payloads
- Added check for Apache Roller OGNL Injection (CVE-2013-4212)
- Added check for Apache Struts 2 S2-023 - thanks to @h3xstream
- Added check for Weblogic Admin Console Weak Password
- Added check for Oracle Application Server multiple file disclosure issues
- Added check for Oracle Log Database Accessible
- Added check for AJP service identification
- Added check for Weblogic UDDI Explorer SSRF (CVE-2014-4210)
- Improved performance for passive checks
- Improved Apache Wicket Information Disclosure
- Improved J2EE incorrect exception handling
- Added check for End Of Life Software - Jetty
- Added check for End Of Life Software - Tomcat
- Added check for End Of Life Software - Oracle Application Server
- Added check for Oracle Application Server version
- Added check for Oracle Glassfish version
- Added check for Oracle Weblogic version
- Added check Apache Struts OGNL Console
- Added check for Happy Axis
- Added check for Jetty Remote Leak Shared Buffers (CVE-2015-2080) found by @gdssecurity
- Improved check for Information Disclosure Issues - Remote JVM version
- Added check for Apache Wicket Arbitrary Resource Access
- Added check for Incorrect Error Handling - Apache Tapestry
- Added check for Incorrect Error Handling - Grails
- Added check for Incorrect Error Handling - GWT
- Fixed references for EL Injection issue
- Added check for Information Disclosure Issues - Remote JVM version
- Added check for Information Disclosure Issues - Apache Tomcat version
- Added check for weak password on HTTP Authentication
- Fix some bugs on issues reporting
- Improved LFI checks
- Added initial support for compliance checks
- Added checks for Apache Axis2
- Added checks for Jboss Admin Console Weak Password
- Added checks for Jboss JMX Invoker
- Added checks for Status Servlet
- Added checks for Snoop Resources
- Added checks for Apache Tomcat Host Manager Console
- Multiple bug fixes
- Pushed BApp Store.
- Initial Public Release