Wednesday, October 31, 2012

(Pentest Apache #1) Exposed Apache Axis - SOAP Objects

Recently, I was doing some open research. On compromising the Tomcat Apache Manager component, I came across Apache Axis.

Apache Axis2™ is a Web Services / SOAP / WSDL engine, the successor to the widely used Apache Axis SOAP stack. There are two implementations of the Apache Axis2 Web services engine - Apache Axis2/Java and Apache Axis2/C

Fore more information about Apache Axis, refer here :

It is highly advised that while conducting penetration tests (web + network), one should dig deeper to find exposed Apache Axis objects on the target servers. Primarily, misconfigured Apache web servers (Tomcat) results in exposed SOAP objects used for implementing Apache Axis services engine.

What to look for?

1. Default happyaxis.jsp: This file provides plethora of information about the configured web services on the target server. It leverages configuration as follows:

  • Examining web application configuration (Needed + Optional Configuration)
  • Examining application server
  • Examining system properties

2. Axis Servlet (/servlet/AxisServlet): It leverages information about the deployed web services on the
target server.

3. Echo Headers (/EchoHeaders.jws): This component calls the local endpoints to reveal HTTP headers.

3.1 If method name is not specified (EchoHeaders.jws?method=), it results in exception as follows:

3.2 If method name is specified (EchoHeaders.jws?method=list), it provides results as follows:

3.3 Call WSDL directory (EchoHeaders.jws?wsdl) it provides results as follows:

4. Traverse the exposed WSDL Endpoints listed by the Axis Servlet (/servlet/AxisServlet).

By default, Administer Axis and SOAP Monitor component is disabled. But, the above presented information still helps the attacker to get the configuration of the target server.

So use Google Dorks, analyze manually by provided information in this blog to detect exposed Apache Axis SOAP objects.