@bcoles bcoles commented Oct 24, 2021

Category

Apache Tomcat RequestHeaderExample Cookie Disclosure module.

Feature Description

I still encounter Apache Tomcat with the examples app deployed from time to time. The examples include a RequestHeaderExample servlet which returns request headers in the HTTP response body, including all cookies. This offers a trivial method to bypass HttpOnly protection on cookies. This is an old and well-known technique that has existed for at least 5 years (likely much longer).

RequestHeaderExample servlet

All your cookies are belong to BeEF

Test Cases

  1. Install Apache Tomcat. I used bitnami: https://bitnami.com/stack/tomcat/virtual-machine
  2. Ensure the examples application is installed and deployed.
  3. Browse to a page on the server which issues cookies. Most of the JSP examples at /examples/jsp/ (such as /examples/jsp/jsp2/simpletag/hello.jsp) will generate cookies (with HttpOnly).
  4. Hook a browser from a page on the Tomcat server (a lazy option is to use the BeEF bookmarklet).
  5. Run the Apache Tomcat RequestHeaderExample Cookie Disclosure module from the Browser -> Hooked Domain category.
  6. Observe that all cookies from the hooked origin were returned to BeEF.
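
For defenders, an added example that is not part of this pull request or of BeEF: a scan of Tomcat access logs for successful requests to the header-echo servlet described above, which also reports whether the examples app is reachable at all. It assumes the AccessLogValve `common` pattern and the stock `/examples` context path and servlet mapping; the log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: stock context path and servlet mapping of the bundled examples app.
EXAMPLES_PREFIX = "/examples/"
ECHO_SERVLET = "/examples/servlets/servlet/RequestHeaderExample"

# Constructed sample log lines (documentation addresses), not captured traffic.
SAMPLE = [
    '203.0.113.7 - - [09/Nov/2021:05:30:01 +0000] "GET /examples/jsp/jsp2/simpletag/hello.jsp HTTP/1.1" 200 312',
    '203.0.113.7 - - [09/Nov/2021:05:30:09 +0000] "GET /examples/servlets/servlet/RequestHeaderExample HTTP/1.1" 200 1180',
    '203.0.113.7 - - [09/Nov/2021:05:30:15 +0000] "GET /examples/servlets/servlet/RequestHeaderExample;jsessionid=ABC?x=1 HTTP/1.1" 200 1180',
    '198.51.100.4 - - [09/Nov/2021:05:31:00 +0000] "GET /examples/servlets/servlet/Request%48eaderExample HTTP/1.1" 200 1175',
    '198.51.100.4 - - [09/Nov/2021:05:31:02 +0000] "GET /index.html HTTP/1.1" 200 50',
]

def normalise_path(target):
    """Approximate the container's mapping: drop the query string, strip
    ;path-parameters (e.g. ;jsessionid=...), percent-decode, collapse '//'."""
    path = target.split("?", 1)[0]
    path = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return re.sub(r"/{2,}", "/", unquote(path))

def scan(lines):
    """Return (echo_hits, examples_reachable). echo_hits maps a client address
    to the timestamps of its 200 responses from the header-echo servlet."""
    echo_hits = defaultdict(list)
    examples_reachable = False
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "200":
            continue  # unparsable line, or the request was not served
        path = normalise_path(m["target"])
        if path.startswith(EXAMPLES_PREFIX):
            examples_reachable = True
        if path == ECHO_SERVLET:
            echo_hits[m["host"]].append(m["time"])
    return dict(echo_hits), examples_reachable

if __name__ == "__main__":
    hits, reachable = scan(SAMPLE)
    print("examples app reachable:", reachable)
    for host, times in hits.items():
        print(host, "fetched the header-echo servlet at", times)
```

Matching on the normalised path rather than the raw request line means encoded or `;jsessionid`-suffixed variants of the servlet URL are counted as well.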

@bcoles bcoles added the Module label Oct 24, 2021
@wheatley wheatley temporarily deployed to Integrate Pull Request November 8, 2021 00:34 Inactive
@wheatley wheatley requested review from DeezyE and wheatley November 9, 2021 04:41

@wheatley wheatley left a comment

Walked through using this module, everything seems to be working and retrieving the session id without any obvious issues.


@DeezyE DeezyE left a comment

I can confirm this runs well :) I'll share blog draft with you

@bcoles bcoles force-pushed the apache_tomcat_examples_cookie_disclosure branch from 9863378 to c8595b0 Compare November 9, 2021 05:36
@bcoles bcoles had a problem deploying to Integrate Pull Request November 9, 2021 05:36 Failure
@bcoles bcoles merged commit d7a3ffb into beefproject:master Nov 9, 2021
@bcoles bcoles deleted the apache_tomcat_examples_cookie_disclosure branch November 9, 2021 05:38