ERPScan WEBXML Checker - Security Testing for SAP J2EE applications

ERPScan WEBXML Checker is a freeware tool intended for checking the security configuration of SAP J2EE applications by scanning a WEB.XML file. It checks WEB.XML files for vulnerabilities and misconfigurations such as Verb Tampering, Invoker Servlet bypass and others. Detailed information about these vulnerabilities can be found in the whitepaper “Architecture and program vulnerabilities in SAP’s J2EE engine” presented at the BlackHat conference.

WEB.XML is the J2EE Deployment Descriptor that describes the classes, resources and configuration of the application and how the web server uses them to serve web requests. When the web server receives a request for the application, it uses the deployment descriptor to map the URL of the request to the code that ought to handle the request.

Features:

Checks for the possibility of the following attacks on a J2EE application:

  1. Information disclosure through error codes. Checking for <error-page>:

    <error-page>
      <error-code>500</error-code>    # for every error code
      <location>/path/to/error.jsp</location>
    </error-page>

    and also for

    <error-page>
      <exception-type>java.lang.Throwable</exception-type>
      <location>/path/to/error.jsp</location>
    </error-page>

  2. Auth bypass through verb tampering. Checking for <security-constraint>. If <http-method> exists and does not contain the HEAD method, the WEB.XML is vulnerable to Verb Tampering.
  3. Interception of critical data through lack of SSL encryption for data transfer. Checking for <transport-guarantee> equal to CONFIDENTIAL.
  4. Cookie stealing through lack of SSL for authorization.
  5. Cookie stealing through XSS. Checking for HttpOnly=true.
  6. Session stealing when JSESSIONID is not in a Cookie. Checking for <tracking-mode>COOKIE</tracking-mode>.
  7. Increased CSRF or XSS probability with a long session timeout. Checking for

    <session-config>
      <session-timeout>15</session-timeout>
    </session-config>

  8. Unauthorized actions via locally enabled invoker servlets. Checking for <param>InvokerServletLocallyEnabled</param>.
  9. Invoker servlet bypass, by checking for /* and /servlet/* in <security-constraint>.
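The checks listed above, applied by a small web.xml auditor written for this page as an added example (it is not ERPScan's code). The sample descriptor, the 15-minute timeout threshold and the container defaults are assumptions made for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptor (an assumption for this demo) that fails every check
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint><web-resource-collection><url-pattern>/admin/*</url-pattern>
    <http-method>GET</http-method><http-method>POST</http-method></web-resource-collection>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <session-config><session-timeout>120</session-timeout><tracking-mode>URL</tracking-mode>
    <cookie-config><http-only>false</http-only></cookie-config></session-config>
  <context-param><param-name>InvokerServletLocallyEnabled</param-name>
    <param-value>true</param-value></context-param>
</web-app>"""


def audit_web_xml(text):
    """Return a list of finding strings for a web.xml passed as a string."""
    root = ET.fromstring(text)
    for el in root.iter():                      # drop the namespace prefix from tag names
        el.tag = el.tag.split("}")[-1]
    findings = []
    if root.find("error-page") is None:
        findings.append("no error-page: server error output may leak internals")
    patterns = []
    for sc in root.findall("security-constraint"):
        for wrc in sc.findall("web-resource-collection"):
            methods = {(m.text or "").strip().upper() for m in wrc.findall("http-method")}
            patterns += [(u.text or "").strip() for u in wrc.findall("url-pattern")]
            if methods and "HEAD" not in methods:  # only the listed methods are constrained
                findings.append("verb tampering: http-method list omits HEAD")
        tg = sc.findtext("user-data-constraint/transport-guarantee", "NONE")
        if tg.strip().upper() != "CONFIDENTIAL":
            findings.append("no SSL: transport-guarantee is not CONFIDENTIAL")
    if not any(p in ("/*", "/servlet/*") for p in patterns):
        findings.append("invoker servlet bypass: no constraint on /* or /servlet/*")
    sess = root.find("session-config")
    if sess is not None:
        if int(sess.findtext("session-timeout", "30")) > 15:  # default and threshold assumed
            findings.append("long session-timeout raises CSRF/XSS impact")
        if sess.findtext("cookie-config/http-only", "false").strip().lower() != "true":
            findings.append("cookie without HttpOnly: script can read JSESSIONID")
        if sess.findtext("tracking-mode", "").strip().upper() != "COOKIE":
            findings.append("tracking-mode not COOKIE: JSESSIONID may travel in the URL")
    for el in root.iter():                      # InvokerServletLocallyEnabled=true anywhere
        if (el.findtext("param-name", "").strip() == "InvokerServletLocallyEnabled"
                and el.findtext("param-value", "").strip().lower() == "true"):
            findings.append("invoker servlet locally enabled")
    return findings
```

Running `audit_web_xml(open("web.xml").read())` on a real descriptor prints one line per failed check; the constructed sample above trips all eight.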

Download WEBXML Checker from here:

http://erpscan.com/products/erpscan-webxml-checker/