This is the Servlet configuration in Deployment Descriptor:
<servlet> <servlet-name>TestServlet</servlet-name> <servlet-class>org.huahsin.TestServlet</servlet-class> </servlet> <servlet-mapping> <servlet-name>TestServlet</servlet-name> <url-pattern>/test</url-pattern> </servlet-mapping> <security-constraint> <web-resource-collection> <web-resource-name>Wildcard means whole apps requires authentication</web-resource-name> <url-pattern>/*</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>tomcat</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>NONE</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>BASIC</auth-method> </login-config>
public class TestServlet extends HttpServlet { protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException { response.setContentType("text/html"); PrintWriter out = response.getWriter(); out.println("This is a Test Servlet."); Enumeration headerNames = request.getHeaderNames(); while( headerNames.hasMoreElements() ) { String headerName = (String) headerNames.nextElement(); out.println("Header Name: < i >" + headerName); String headerValue = request.getHeader(headerName); out.println("< /i >, Header Value: < i >" + headerValue); out.println("< /i >"); } out.println("< hr / >"); String authHeader = request.getHeader("authorization"); String encodeValue = authHeader.split(" ")[1]; out.println("Base64-encoded Authorization Value: < i >" + encodeValue); String decodeValue = Base64.base64Decode(encodeValue); out.println("< /i >Base64-encoded Authorization Value: < i >" + decodeValue + "< /i >"); } }The users are define in Tomcat server, when the page launch, a prompt to user to enter a valid login credential in order to view the content. Unfortunately ZAProxy not able to do any test on it as it doesn't contain any JSP page. Since ZAProxy couldn't run any test on it, I move on to plan B. This time I create a JSP page, this JSP will replace the server authentication:
<form action="login" method="POST" name="loginForm"> Username:<input name="txtUserName" type="text" value="" /> Password:<input name="txtPassword" type="password" value="" /> <input type="submit" value="login" /> <input type="reset" value="clear" /> </form>Next thing is to remove the <security-constraint> from Deployment Descriptor to get rid of server authentication and allow user to authenticate through a web page. That's all about the change. When I run the test again on ZAProxy, there is no sign of vulnerability found on this example, I think I need to move on to bigger challenge to realize CSRF thing.
No comments:
Post a Comment