Apache AXIS server pentest
In one of my pentest engagement the scope was to test a website abc.com/xyz/pqr.html and its mobile application.
The website seems to be stronger and I was not able to find any vulnerability. So I switched to mobile application.
When I was testing the mobile application, I was doing code analysis and found a URL in the code which was invoking a web service. The URL is as follows.
After going through some vulnerability reading of AXIS server I triggered the following URL which gave me the version of Apache Axis server and other details.
There is an information disclosure exploit present for this version of Apache Axis which can be found on https://www.exploit-db.com/exploits/29930/
The exploit says:
Apache AXIS is prone to a path-information-disclosure vulnerability. Remote unauthorized attackers may be able to determine webserver directory paths.
Information obtained may aid attackers in launching further attacks against an affected server.
Apache AXIS 1.0 is vulnerable to this issue.
So accessing similar URL for my server gave me the following:
It seems that debugging is disabled from the webserver side and I did not get sensitive information from the error.
There was also an instance of Content-injection with CRLF vulnerability on Apache Axis 1.4 reported by nososecure.com
This was all about Apache Axis pentest.