Exploiting WebSphere Application Server's JSP Engine

Presented at DEF CON 18 (2010), July 30, 2010, 4 p.m. (50 minutes)

WebSphere Application Server (WAS), IBM's Java Enterprise Edition (JEE) application server, is one of the leading application servers and is the predominant application server in the financial and insurance sectors. It is also embedded in several of IBM's other products, including WebSphere Portal, WebSphere Process Server and WebSphere Message Broker. In March 2009, IBM released PK81387, which patches a "Possible application source file exposure" in WAS. A detailed explanation of this vulnerability and its exploitation will be provided, including how implementation details such as character encoding and multiple vulnerabilities, some still unpatched, can be orchestrated to provide file and directory exposure inside an application's Web Archive (WAR). In some cases, with common libraries or WAS feature use, these vulnerabilities can be extended to achieve arbitrary code execution, resulting in full compromise of the application server. Exploitation details will be described, and the use of this vulnerability and others to execute a remote operating system shell will be demonstrated. Source code for the exploit and other tools will be provided.


  • Ed Schaller - Security Researcher
    Ed Schaller has had a long interest in computer security from both the defensive and offensive angles. Before professionally focusing on security, he worked as a systems administrator, developer and architect at various companies. In his security work, he was a researcher at Brigham Young University's Internet Security Research Laboratory and is now employed by a health insurance company doing security assessments on both internally developed and third-party applications and systems. Most of his current work involves Java applications running on IBM's WebSphere Application Server. Outside of work, Ed is married and has three small children who, given their current ability to get into things at home, are destined to be great hackers.