Security Research

File Disclosure == Intellectual Property Exfiltration

abekang on ‎09-13-2012 08:49 AM

As you already know from my previous blogs, you can expose sensitive information (web.xml, applicationContext.xml, etc.) or invoke any web executable file (*.jsp, *.asp, *.jspx, *.aspx, *.cshtml, *.vbhtml, etc.) through a File Disclosure vulnerability.  This got me thinking about the other files and folders under WEB-INF.


With JEE, the WEB-INF directory not only holds your web application configuration files but also your application binaries as *.jar and *.class files (in the "WEB-INF/lib" and "WEB-INF/classes" folders).  I hope you see where I am going with this…


Upon my first test (with the GlassFish application server), things did not go well.  All of my attempts to remotely download application binaries (i.e. intellectual property) through a File Disclosure vulnerability failed.  I let some time pass and discussed the problem with a friend, who informed me that other application servers were not as strict and allowed files to be downloaded from the "WEB-INF/lib" and "WEB-INF/classes" directories.


Sure enough, when I tested it out on Tomcat 6.x it worked.


Just for review: a File Disclosure vulnerability looks like:


//Spring MVC and Groovy on Grails

return new ModelAndView(untrustedPathSegmentVar, …);


//Struts 1

return new ActionForward(untrustedPathVar, …);


//In Struts 2 struts.xml file where url is an Action attribute

<result name="success">${url}</result>


//In Struts 2 Action class annotation where url is an Action attribute



//Ruby on Rails

render params["forwardPath"]


//ASP.NET MVC

return View(untrustedPathVar);


//Zend PHP

$this->_forward($untrustedPathVar, …);


//JSP

<jsp:include page="untrustedPathVar" />

<jsp:forward page="${param.forward}"/>


//Java Servlet

RequestDispatcher rd = request.getRequestDispatcher(untrustedPathVar);



Here is what it looks like when an attacker can remotely download your application’s binaries.



<%@page contentType="text/html"%>

<%@page pageEncoding="UTF-8"%>


<jsp:forward page="${param.forward}"/>
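The forward above works against WEB-INF because the Servlet specification deliberately lets server-side code (RequestDispatcher, ServletContext.getResource) reach WEB-INF even though direct client requests for that path are refused. The fix is therefore not to filter the string for "WEB-INF" but to stop treating the parameter as a path at all. The following servlet is an added example written for this post, not code from the original article: it maps the untrusted "forward" parameter to an allowlisted view name and only then builds a path the application controls. The view names, the "/views/" prefix and the class name are assumptions of the example; the servlet API types are the standard javax.servlet ones.

```java
// Added example (not from the original post): a hardened replacement for the
// <jsp:forward page="${param.forward}"/> pattern shown above.
import java.io.IOException;
import java.util.Set;
import java.util.regex.Pattern;

import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class SafeForwardServlet extends HttpServlet {

    // Allowlist of view names the application is willing to forward to
    // (hypothetical names chosen for this example).
    private static final Set<String> ALLOWED_VIEWS = Set.of("home", "about", "contact");

    // A view name is a short alphanumeric token: no slashes, dots, or encoded
    // separators can ever get through this pattern.
    private static final Pattern VIEW_NAME = Pattern.compile("^[A-Za-z0-9_]{1,32}$");

    /**
     * Maps an untrusted request parameter to an application-controlled JSP path.
     * Returns null when the value is not an allowlisted view name, so callers
     * never forward to a path the client composed.
     */
    static String resolveView(String untrusted) {
        if (untrusted == null || !VIEW_NAME.matcher(untrusted).matches()) {
            return null;
        }
        if (!ALLOWED_VIEWS.contains(untrusted)) {
            return null;
        }
        // The client supplies only a key; the directory and extension are fixed
        // here, so WEB-INF/lib, WEB-INF/classes and META-INF are unreachable.
        return "/views/" + untrusted + ".jsp";
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String raw = req.getParameter("forward");
        String target = resolveView(raw);
        if (target == null) {
            // Log the rejection: repeated values naming WEB-INF, .jar or .class
            // files are a cheap detection signal for this class of probing.
            log("Rejected forward target: " + raw);
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        RequestDispatcher rd = req.getRequestDispatcher(target);
        rd.forward(req, resp);
    }
}
```

The same allowlist-then-map structure applies to the other frameworks listed earlier (ModelAndView, ActionForward, Rails render, ASP.NET View): the untrusted value selects an entry in a table the application owns and is never concatenated into a path.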


Given a file path as pictured:





You can remotely download jar files using the following URL:






You can even download class files:






It is true that you are not getting the source, but it is trivially easy to decompile *.class files.  You can also glean information about the available *.jar files from the META-INF directory files.  Finally, disgruntled insiders can use knowledge of the application to download known *.jar and *.class application files.


So if you see this vulnerability, don’t take it too lightly.


Home Security Alarm
on ‎09-24-2012 10:53 PM

Excellent post. I was checking this blog continuously and I'm impressed! Very helpful information, especially the remaining part :) I care for such information much. I was looking for this particular info for a long time. Thanks and best of luck.

Home Monitoring
on ‎12-19-2012 09:55 PM

Superb post.
I was looking at this blog regularly and I'm satisfied! Very valuable info, especially the remaining part :-) I care for such information much.
I was looking for this unique info for a long time.
Thanks and best of luck.
