The plugin does not support applications that employ HTTP Auth Basic.

The Authentication header should be copied to the structure of the issued requests, just like any other header originally used by the tested application.

Defect Jetty 11.x and 10.x End of Life checks
The Jetty EoL check does not work correctly. It only checks for the major version and thus generates a scan issue for Jetty 11.X.X and 10.X.X

Tested on Burp Pro version:
-Tested J2EEScan-1.2.6-jar-with-dependencies.jar version

-Tested public J2EEScan-2.0.1-dev-jar-with-dependencies.jar version

Defect Jetty 11.x.x

Defect Jetty 10.x.x

Defect 9.4.48,v202206.22 <= 9.4.x is now EoL References
https://github.com/eclipse/jetty.project/releases
https://www.eclipse.org/jetty/download.php

J2EEScan scans for Struts class loader manipulation ( https://github.com/ilmila/J2EEScan/blob/master/src/main/java/burp/j2ee/issues/impl/ApacheStrutsS2020.java ) with the type of payload engineered AFTER the first fix which is Class.classLoader Ex:
Class.classLoader.URLs[0]=testClassloaderManipulation1509723031
During testing I've seen that most of the times this payload will not trigger anything/any reaction , but the original one , class.classLoader would . I did class.classLoader.classAssertionStatus=test , this , in turn , would either generate a beanutils error regarding the fact that classAssertionStatus has no setter or give a 404 in the response. J2EEScan didn't detect anything wrong with the application even though it was vulnerable to this issue .

My suggestion is the following : Adding class.classLoader and class['classLoader'] to the list of payloads for S2-20 scanning . I really think that this will improve the detection of this issue !
There is also a pretty well explained list of payload for struts vulns here :
https://github.com/lanjelot/kb/blob/master/struts

For some reason, this extension can cause Burp scanner to lock up. I am not the author of the below thread, just found it when I was having this problem. Disabling the J2EEScan extension solved my problem.

https://support.portswigger.net/customer/portal/questions/11323602-freezes-in-scanner

Hi,

I am wondering if this can be checked for?

Examples:

• https://github.com/rapid7/metasploit-framework/pull/8924/files
• https://github.com/mazen160/struts-pwn_CVE-2017-9805/blob/master/struts-pwn.py

Thx, Dirk

Using this useful extension I found CVE-2013-3770 (Oracle IDoc Injection) vulnerability but unfortunately can't find a way/exploit/payload to exploit it successfully. Can you please help? I have already tried 'exploitdb' and google but no luck.

In this project;
why use "List<IScanIssue> issues = new ArrayList<>()";
when I take it in Elipse ,this will come a error; why not use "List<IScanIssue> issues = new ArrayList<IScanIssue>()" or "List<IScanIssue> issues = new ArrayList()"

My eclipse's verison is 10.0 and java version is 1.7.x

The following exceptions are thrown during a scan. This is due to the use of non-thread-safe collection containers in the various scan checkers. You may want to use something like a ConcurrentHashMap instead of an ArrayList or use Java's ugly mutual exclusion/multi-threading model to ensure critical regions are only entered by one thread at a time. The latter is uglier to implement whilst the former is more elegant but requires some refactoring on your end.

java.util.ConcurrentModificationException
    at java.util.ArrayList$Itr.checkForComodification(ArrayList.java:901)
    at java.util.ArrayList$Itr.next(ArrayList.java:851)
    at burp.WeakPasswordBruteforcer.HTTPBasicBruteforce(WeakPasswordBruteforcer.java:49)
    at burp.j2ee.issues.impl.JBossWebConsole.scan(JBossWebConsole.java:130)
    at burp.BurpExtender.doActiveScan(BurpExtender.java:130)
    at burp.sq.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:745)
java.util.ConcurrentModificationException
    at java.util.ArrayList$Itr.checkForComodification(ArrayList.java:901)
    at java.util.ArrayList$Itr.next(ArrayList.java:851)
    at burp.WeakPasswordBruteforcer.HTTPBasicBruteforce(WeakPasswordBruteforcer.java:49)
    at burp.j2ee.issues.impl.JBossJMXInvoker.scan(JBossJMXInvoker.java:127)
    at burp.BurpExtender.doActiveScan(BurpExtender.java:130)
    at burp.sq.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:745)
java.util.ConcurrentModificationException
    at java.util.ArrayList$Itr.checkForComodification(ArrayList.java:901)
    at java.util.ArrayList$Itr.next(ArrayList.java:851)
    at burp.WeakPasswordBruteforcer.HTTPBasicBruteforce(WeakPasswordBruteforcer.java:49)
    at burp.j2ee.issues.impl.JBossWS.scan(JBossWS.java:113)
    at burp.BurpExtender.doActiveScan(BurpExtender.java:130)
    at burp.sq.run(Unknown Source)
    at java.lang.Thread.run(Thread.java:745)

Please update the extension with latest vulnerabilities

Hello,
Subject says it all. Expanded the zip file and no .jar files.
I did install J2EEScan from the BApp store but that is an older version.
Sorry for the headache.
Thanks!

The Apache Tomcat EoL check does not work correctly. It only checks for the major version and thus generates a scan issue for Apache 8.5.X.

Hey,

I think the Apache Axis 2 - Weak Admin Password part might need a change as it still flags on a page where the user and password are being asked for causing a false positive.

Robbie

I noticed that this extender doesn't highlight payloads; and the information in Advisory is always identical.
When I have an issue discovered, and press "Move to the next match" in both Request and Response; it would be very nice to see the payload as well as identified response highlighted.
Also, the Advisory tab for found issue could be more specific -> e.g. "Referer: ${9*2}" resulted in "blablabla18blabla" in response; so that false positives could be found faster.

I noticed a few findings on my assessment were 'missing' and working with portswigger we narrowed it down to J2EEScan finding similar issues in different injection points in the same application. It was confirmed with Logger++ that J2EEScan doesn't roll up the finding in a similar manner to other extensions.

In the the attached screen shot you can see that NoSQL Injection Detected (from a different extension) rolls up mutiliple findings in different requests and injection points.

Even though this project has multiple findings for the same XXE in different locations i only see one finding. This makes it hard to validate the other findings (apart from the first ) as the Request and Response aren't logged anywhere (unless you are using additional logging which you need to go search through the find the other effected injection points).
This issue also presents itself as an inconsistency throughout the UI (especially when using mutiple Audit tasks) as additional findings are shown in some areas but not others e.g.

e.g. Details page of audit screen shows 0 high severity issues:

Audit Items page shows 3 high severity issues (i confirmed these were J2EEScan issues)

Issue activity page shows no issue:

Issue activity summary page shows only one High severity issue for a different task.

Is this just me or is this a possible improvement that could be made to how mutliple issues are combined in J2EEScan

Let me know if you need any other info

I'm not sure whether this value is static or variable, but noticed a couple of false positives when the #{584*540} payload is submitted. The result of this expression being evaluated would be 315360. Unfortunately this is a substring of 31536000, which is the number of seconds in a year and, also, quite common as a value for max-age in the Strict-Transport-Security header.

Hi,

I came across some false positives today, where the payload was #{305*3}. I assume the plugin detected "915" in the response (which I also found as part of a SHA1 sum). Could the multiplication be of larger numbers to prevent such false positives?

Cheers.

Hi,

Can you please send us a message on [email protected] so that we can process your latest update? The BApp Store version has not been updated for over 3 years.

Thank you!

Do you have a plan to create a J2EEScan version for ZAP proxy??

Hey, while scanning a struts app it was not picking up issues that should have been identified. While looking though the code i realized it only triggers on the common file extensions like .do and .action. These extensions are often customized for the organization. I manually updated the code to add the extensions that we use but it would be great if this could be configurable or even allowed to scan regardless of the file extension. For instance you don't even need to put a file extension on struts like www.example.com/test.action and www.example.com/test will work the same.