File Disclosure == Intellectual Property Exfiltration

abekang on ‎09-13-2012 08:49 AM

As you already know from my previous blogs, you can expose sensitive information (web.xml, applicationContext.xml, etc.) or invoke any web executable file (*.jsp, *.asp, *.jspx, *.aspx, *.cshtml, *.vbhtml, etc.) through a File Disclosure vulnerability. This got me thinking about other files/folders under WEB-INF.


With JEE, the WEB-INF directory holds not only your web application configuration files but also your application binaries as *.jar and *.class files (in the “WEB-INF/lib” and “WEB-INF/classes” folders). I hope you see where I am going with this…


Upon my first test (with the GlassFish application server), things did not go well. All of my attempts to remotely download application binaries (re: intellectual property) through a File Disclosure vulnerability failed. I let some time pass and discussed the problem with a friend, who informed me that other application servers were not as strict and allowed files to be downloaded from the “WEB-INF/lib” and “WEB-INF/classes” directories.


Sure enough, when I tested it out on Tomcat 6.x it worked.


Just for review: a File Disclosure vulnerability looks like:


//Spring MVC and Groovy on Grails
return new ModelAndView(untrustedPathSegmentVar, …);

//Struts 1
return new ActionForward(untrustedPathVar, …);

//Struts 2, in the struts.xml file, where url is an Action attribute
<result name="success">${url}</result>

//Struts 2, in an Action class annotation, where url is an Action attribute

//Ruby on Rails
render params["forwardPath"]

//ASP.NET MVC
return View(untrustedPathVar);

//Zend PHP
$this->_forward($untrustedPathVar, …);

//JSP include and forward actions
<jsp:include page="${untrustedPathVar}" />
<jsp:forward page="${param.forward}"/>

//Servlet API (RequestDispatcher is obtained from the request, not constructed)
RequestDispatcher rd = request.getRequestDispatcher(untrustedPathVar);



Here is what it looks like when an attacker can remotely download your application’s binaries. The vulnerable page is a plain JSP that forwards to whatever path arrives in the "forward" request parameter:

<%@page contentType="text/html"%>
<%@page pageEncoding="UTF-8"%>

<jsp:forward page="${param.forward}"/>


Given a file path as pictured:

[Figure: Sample File Path]

You can remotely download jar files using the following URL:

[Figure: Downloading a Jar]

You can even download class files:

[Figure: Downloading a Class File]


It is true that you are not getting the source, but it is trivially easy to decompile *.class files. You can also glean information about the available *.jar files from the files in the META-INF directory. Finally, disgruntled insiders can use their knowledge of the application to download known *.jar and *.class application files.


So if you see this vulnerability, don’t take it too lightly.
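A hardened counterpart to the forwarding page above, added here as an example rather than code from the original post: the client selects an opaque token that the server maps to a fixed view path, and a secondary shape check guards legacy code that still accepts a raw path. It assumes the javax.servlet API (Servlet 3.x, as shipped with Tomcat of that era) and Java 9+ for Map.of; the token names and view paths are hypothetical.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Map;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SafeForwardServlet extends HttpServlet {

    // Hypothetical allowlist: the client picks an opaque token and the server
    // maps it to a fixed context-relative view. Nothing else is forwardable,
    // so WEB-INF/lib and WEB-INF/classes are never reachable from a parameter.
    private static final Map<String, String> TARGETS = Map.of(
        "home",    "/WEB-INF/views/home.jsp",
        "account", "/WEB-INF/views/account.jsp");

    /** Fixed path for a known token, or null for anything else. */
    static String resolveTarget(String token) {
        return token == null ? null : TARGETS.get(token);
    }

    // Defence in depth for legacy code that still forwards a raw path: only
    // simple context-relative "/dir/name.jsp" shapes are accepted, and a
    // client-chosen path may never enter WEB-INF or META-INF (server-chosen
    // allowlist entries above may, because the client did not pick them).
    // The pattern admits no ".", "%", ";", "\" or "//" inside segments, so
    // traversal, encoding and path-parameter tricks are excluded by shape.
    private static final Pattern SIMPLE_JSP =
        Pattern.compile("^/[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*\\.jsp$");

    static boolean isAllowedRawPath(String path) {
        if (path == null || !SIMPLE_JSP.matcher(path).matches()) return false;
        String upper = path.toUpperCase(Locale.ROOT);
        return !upper.startsWith("/WEB-INF/") && !upper.startsWith("/META-INF/");
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = resolveTarget(req.getParameter("forward"));
        if (target == null) {
            // Unknown token: refuse instead of dispatching a client-chosen path.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        req.getRequestDispatcher(target).forward(req, resp);
    }
}
```

With this in place a request such as ?forward=/WEB-INF/lib/app.jar no longer reaches the dispatcher at all, so the server's own leniency about WEB-INF (the GlassFish versus Tomcat difference described above) stops mattering.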


Home Security Alarm on ‎09-24-2012 10:53 PM

Excellent post. I was checking this blog continuously and I’m impressed! Very helpful information, especially the remaining part :) I care for such information much. I was looking for this particular info for a long time. Thanks and best of luck.

Home Monitoring on ‎12-19-2012 09:55 PM

Superb post.
I was looking at this blog regularly and I’m satisfied! Very valuable info, especially the remaining part :-) I care for such information much.
I was looking for this unique info for a long time.
Thanks and best of luck.
