Saturday, March 2, 2013

Tomcat Servlet Examples threats

The Tomcat application server ships by default with an "/examples" web application that contains many example servlets and JSPs.
We strongly recommend disabling public access to this directory for the following security reasons:

  • Bypassing HttpOnly Cookies protection
  • CSRF cookies manipulation
  • Session manipulation
The HttpOnly flag is meant to protect a user's cookies from client-side attacks such as XSS. Two example servlets in Tomcat echo all cookies back in a plain-text HTTP response, which defeats that protection:
  • /examples/servlets/servlet/RequestHeaderExample
  • /examples/servlets/servlet/CookieExample
The second servlet also allows CSRF-based cookie manipulation: cookies can be set or redefined via both GET and POST requests.

Session manipulation is more interesting. Look at the /examples/servlets/servlet/SessionExample servlet. It is the simplest way to gain admin privileges in target web applications hosted on the same Tomcat instance as the SessionExample servlet.

The session is global, and this servlet lets you perform any manipulation of your session you like!
Once again, we strongly recommend disabling public access to the /examples directory.
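One way to enforce the recommendation above is to restrict the examples context to loopback clients with Tomcat's RemoteAddrValve. The fragment below is an added illustration, not configuration shipped with Tomcat or taken from this post; the file location (a per-context file under conf/Catalina/localhost/, or webapps/examples/META-INF/context.xml) is an assumption that depends on your Tomcat version and deployment layout.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed location: $CATALINA_BASE/conf/Catalina/localhost/examples.xml
     (alternatively webapps/examples/META-INF/context.xml). The path is an
     assumption for this illustration; check the docs for your Tomcat version. -->
<Context>
  <!-- Only clients connecting from the loopback address may reach any URL
       under /examples (RequestHeaderExample, CookieExample, SessionExample
       included); every other client receives 403 Forbidden.
       The "allow" value is a regular expression matched against the client
       IP; extend it only with trusted administrative networks. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
```

After restarting Tomcat, verify the change from a non-loopback host: a request for /examples/servlets/servlet/SessionExample should now return HTTP 403 rather than the session page. The stronger option for a production server is to delete the webapps/examples directory altogether, since nothing in it is needed by deployed applications; the valve is the fallback for environments where the examples must stay deployed for local testing.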