Security Research

File Disclosure == Intellectual Property Exfiltration

abekang on ‎09-13-2012 08:49 AM

As you already know from my previous blogs, you can expose sensitive information (web.xml, applicationContext.xml, etc.) or invoke any web executable file (*.jsp, *.asp, *.jspx, *.aspx, *.cshtml, *.vbhtml, etc.) through a File Disclosure vulnerability.  This got me thinking about other files/folders under WEB-INF.


With JEE, the WEB-INF directory not only holds your web application configuration files but also your application binaries as *.jar and *.class files (in the “WEB-INF/lib” and “WEB-INF/classes” folders).    I hope you see where I am going with this…


Upon my first test (with GlassFish application server), things did not go well.  All of my attempts to remotely download application binaries (re: intellectual property) through a File Disclosure vulnerability failed.  I let some time pass and discussed the problem with a friend who informed me that other application servers were not as strict and allowed files to be downloaded from the “WEB-INF/lib” and “WEB-INF/classes” directory.


Sure enough, when I tested it out on Tomcat 6.x it worked.


Just for review: a File Disclosure vulnerability looks like:

//Spring MVC and Groovy on Grails
return new ModelAndView( untrustedPathSegmentVar, …);

//Struts 1
return new ActionForward (untrustedPathVar, …);

//In Struts 2 struts.xml file where url is an Action attribute
<result name="success">${url}</result>

//In Struts 2 Action class annotation where url is an Action attribute

//Ruby on Rails
render params["forwardPath"]

//ASP.NET MVC
return View(untrustedPathVar);

//Zend PHP
$this->_forward($untrustedPathVar, …);

//JSP and Servlet API
<jsp:include page="${untrustedPathVar}" />
<jsp:forward page="${param.forward}"/>
RequestDispatcher rd = request.getRequestDispatcher(untrustedPathVar);



Here is what it looks like when an attacker can remotely download your application’s binaries.

<%@page contentType="text/html"%>
<%@page pageEncoding="UTF-8"%>

<jsp:forward page="${param.forward}"/>


Given a file path as pictured:

You can remotely download jar files using the following URL:

You can even download class files:
It is true that you are not getting the source, but it is trivially easy to decompile *.class files.  You can also glean information about the available *.jar files from the META-INF directory files.  Finally, disgruntled insiders can use knowledge of the application to download known *.jar and *.class application files.


So if you see this vulnerability, don’t take it too lightly.
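One way to close the forward/include patterns shown above, added here as an example that is not from the original post: the untrusted parameter is never used as a path. It is matched against an allowlist of view names and mapped to a server-chosen target, so WEB-INF/lib and WEB-INF/classes can never be selected. The servlet class, the view names and the /views/ prefix are assumptions.

```java
import java.io.IOException;
import java.util.Set;
import java.util.regex.Pattern;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical replacement for the <jsp:forward page="${param.forward}"/> page above.
public class SafeForwardServlet extends HttpServlet {

    // Allowlist of view names this application legitimately forwards to (assumed names).
    private static final Set<String> ALLOWED_VIEWS = Set.of("home", "orders", "account");

    // Only a short bare name is accepted: no slashes, dots, backslashes or percent signs,
    // so "../", "WEB-INF/lib/x.jar" and "%2e%2e" can never pass validation.
    private static final Pattern VIEW_NAME = Pattern.compile("^[a-z][a-z0-9_]{0,31}$");

    // Maps the untrusted parameter to a fixed, server-chosen path, or returns null.
    static String resolveForwardTarget(String untrusted) {
        if (untrusted == null || !VIEW_NAME.matcher(untrusted).matches()) {
            return null;
        }
        if (!ALLOWED_VIEWS.contains(untrusted)) {
            return null;
        }
        // The client controls only the stem; directory and extension are fixed here.
        return "/views/" + untrusted + ".jsp";
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = resolveForwardTarget(req.getParameter("forward"));
        if (target == null) {
            // A rejected value naming WEB-INF, a .jar or a .class is worth alerting on.
            log("rejected forward target from " + req.getRemoteAddr());
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        req.getRequestDispatcher(target).forward(req, resp);
    }
}
```

With this in place, ?forward=orders resolves to /views/orders.jsp, while ?forward=/WEB-INF/lib/app.jar or ?forward=../WEB-INF/classes/Foo.class is rejected with a 400 before any dispatcher is created.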


Home Security Alarm
on ‎09-24-2012 10:53 PM

Excellent post. I was continuously checking these blogs and I’m impressed! Very helpful information, especially the remaining part :) I care for such information much. I was looking for this particular info for a long time. Thanks and best of luck.

Home Monitoring
on ‎12-19-2012 09:55 PM

Superb post.
I was regularly looking at these blogs and I’m satisfied! Very valuable info, especially the remaining part :-) I care for such information much.
I was looking for this unique info for a long time.
Thanks and best of luck.
