Saturday, February 4, 2017

SnoopServlet

Create a Dynamic Web project "SnoopServlet"

This is the web.xml:


<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://xmlns.jcp.org/xml/ns/javaee" xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd" id="WebApp_ID" version="3.1">
  <display-name>SnoopServlet</display-name>
  <welcome-file-list>
    <welcome-file>index.html</welcome-file>
    <welcome-file>index.htm</welcome-file>
    <welcome-file>index.jsp</welcome-file>
    <welcome-file>default.html</welcome-file>
    <welcome-file>default.htm</welcome-file>
    <welcome-file>default.jsp</welcome-file>
  </welcome-file-list>
  <servlet>
    <description></description>
    <display-name>MySnoopServlet</display-name>
    <servlet-name>MySnoopServlet</servlet-name>
    <servlet-class>MySnoopServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>MySnoopServlet</servlet-name>
    <url-pattern>/MySnoopServlet</url-pattern>
  </servlet-mapping>
</web-app>


This is the weblogic.xml:

<?xml version="1.0" encoding="UTF-8"?>
<wls:weblogic-web-app xmlns:wls="http://xmlns.oracle.com/weblogic/weblogic-web-app" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd http://xmlns.oracle.com/weblogic/weblogic-web-app http://xmlns.oracle.com/weblogic/weblogic-web-app/1.9/weblogic-web-app.xsd">
    <wls:weblogic-version>12.2.1.2</wls:weblogic-version>
    <wls:context-root>SnoopServlet</wls:context-root>
</wls:weblogic-web-app>



import java.io.IOException;
import java.io.PrintWriter;
import java.util.Enumeration;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

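@SuppressWarnings("serial")
public class MySnoopServlet extends HttpServlet
{
    /**
     * Number of GET requests handled by this servlet instance.
     *
     * <p>The container shares a single instance between request threads, so
     * the increment in {@link #doGet} is done under the instance monitor;
     * a reader that wants an exact value should synchronize on the servlet too.
     */
    public int mycount = 0;

    public MySnoopServlet()
    {
    }

    @Override
    public void destroy()
    {
    }

    /**
     * Writes an HTML page that echoes the incoming request: principal, URL,
     * auth type, remote user, the server name taken from the
     * {@code weblogic.Name} system property, the caller's session id, and
     * every request header, attribute and parameter.
     *
     * <p>Headers, parameter names/values, attribute values and the request
     * URL are all supplied by the client, so each one is passed through
     * {@link #escapeHtml} before being written; without that the page is a
     * reflected cross-site-scripting vector.
     *
     * @param request  the GET request being described
     * @param response the response the HTML page is written to
     * @throws ServletException declared for the {@link HttpServlet} contract; not thrown here
     * @throws IOException if the response writer cannot be obtained
     */
    @Override
    public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException
    {
        synchronized (this) {
            mycount += 1;
        }
        // The charset must be fixed before getWriter(): afterwards the servlet
        // API ignores further encoding changes.
        response.setCharacterEncoding("UTF-8");
        response.setContentType("text/html");
        // getSession() creates a session when the caller has none yet; the id
        // printed below is therefore always the caller's own.
        HttpSession session = request.getSession();
        PrintWriter out = response.getWriter();
        try {
            out.println("<html>");
            out.println("<head><title>SnoopServlet</title></head>");
            out.println("<body text='#ffffff' bgcolor='#666699' link='#ffffff' vlink='#ffffff' alink='#ffffff'>");
            out.println("<p>The servlet has received a GET. This is the reply.</p>");
            out.flush();
            out.print("<p>Request");
            out.print("<br>Principal = " + escapeHtml(request.getUserPrincipal()));
            out.print("<br>URL = " + escapeHtml(request.getRequestURL()));
            out.print("<br>AuthType = " + escapeHtml(request.getAuthType()));
            out.print("<br>RemoteUser = " + escapeHtml(request.getRemoteUser()));
            out.print("<br>ServerName = " + escapeHtml(System.getProperty("weblogic.Name")));
            out.print("<br>SessionID = " + escapeHtml(session.getId()));
            out.println("<br><hr> <br>");

            out.print("<p>Header");
            Enumeration<String> headerNames = request.getHeaderNames();
            while (headerNames.hasMoreElements()) {
                String name = headerNames.nextElement();
                // getHeader() yields only the first value of a repeated header.
                printRow(out, name, request.getHeader(name));
            }
            out.flush();
            out.println("<br><hr> <br>");

            out.print("<p>Attributes");
            Enumeration<String> attributeNames = request.getAttributeNames();
            while (attributeNames.hasMoreElements()) {
                String name = attributeNames.nextElement();
                printRow(out, name, request.getAttribute(name));
            }
            out.flush();
            out.println("<br><hr> <br>");

            out.print("<p>Parameters");
            Enumeration<String> parameterNames = request.getParameterNames();
            while (parameterNames.hasMoreElements()) {
                String name = parameterNames.nextElement();
                // getParameter() yields only the first value of a repeated parameter.
                printRow(out, name, request.getParameter(name));
            }
            out.println("<br><hr> <br>");
            out.flush();
        }
        catch (RuntimeException e) {
            // Keep the stack trace (class names, file paths) on the server side;
            // the client only learns that rendering failed.
            log("MySnoopServlet failed while rendering the request", e);
            out.print("<pre>An error occurred while rendering this page; see the server log.</pre>");
        }
        finally {
            out.println("</body></html>");
        }
    }

    @Override
    public void init()
        throws ServletException
    {
    }

    /**
     * Prints one "name=value" line, escaping both halves.
     *
     * @param out   the response writer
     * @param name  header/attribute/parameter name, as supplied by the client
     * @param value its value; {@code null} is rendered as the text "null"
     */
    private static void printRow(PrintWriter out, String name, Object value)
    {
        out.print("<br>" + escapeHtml(name) + "=" + escapeHtml(value));
    }

    /**
     * Returns the HTML-escaped text form of {@code value}.
     *
     * <p>{@code String.valueOf} is applied first so that {@code null} and
     * non-String values (a {@code java.security.Principal}, a request
     * attribute) render exactly as string concatenation would; then the five
     * characters that can open markup or break out of a quoted attribute are
     * replaced by entity references.
     *
     * @param value any object, possibly {@code null}
     * @return text safe to embed in HTML element content or a quoted attribute
     */
    static String escapeHtml(Object value)
    {
        String text = String.valueOf(value);
        StringBuilder sb = new StringBuilder(text.length() + 16);
        for (int i = 0; i < text.length(); i++) {
            char c = text.charAt(i);
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                case '\'': sb.append("&#39;"); break;
                default: sb.append(c);
            }
        }
        return sb.toString();
    }
}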




http://localhost:7001/SnoopServlet/MySnoopServlet?pippo=pluto

The servlet has received a GET. This is the reply.

Request
Principal = null
URL = http://192.168.56.1:7001/SnoopServlet/MySnoopServlet
AuthType = null
RemoteUser = null
ServerName = AdminServer
SessionID = MHcJQYLAVotakdRTZ2rAwUj_sRjWlQ3Bui-_d50iyOJwAwNJW6B2!837838669!1486213972672

Header
Host=192.168.56.1:7001
User-Agent=Mozilla/5.0 (Windows NT 10.0; WOW64; rv:51.0) Gecko/20100101 Firefox/51.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=en-US,en;q=0.5
Accept-Encoding=gzip, deflate
Cookie=JSESSIONID=MowJK_Z1Wj2l48jsHZqf21DItW3tklujnqPmzh6Uj9vnI9CEtDfX!-1767948456
Connection=keep-alive
Upgrade-Insecure-Requests=1

Attributes

Parameters
pippo=pluto

The JSP can be found in $WL_HOME/samples/server/examples/src/examples/security/sslclient/src/main/webapp/SnoopServlet.jsp

<!-- Copyright (c) 1999,2015, Oracle and/or its affiliates. All Rights Reserved.-->
<%@ page import="java.util.Enumeration,
      java.io.PrintWriter"%>

<%!
   /**
    * Escapes a string for safe insertion into HTML output by delegating to
    * WebLogic's {@code weblogic.servlet.security.Utils.encodeXSS}.
    * <p>
    * Every request-derived value (query parameters, headers, URL parts)
    * that this page writes into the response goes through this method so
    * that characters such as '&lt;', '&gt;' and '&amp;' reach the browser
    * as entity references rather than as markup (for example '&amp;'
    * becomes '&amp;amp;'), which is what prevents Cross Site Scripting (XSS).
    * Background:
    * <a href="http://www.cert.org/tech_tips/malicious_code_mitigation.html">
    * http://www.cert.org/tech_tips/malicious_code_mitigation.html</a>.
    *
    * @param str the untrusted text to encode
    * @return the HTML-escaped form of {@code str}; behaviour for a
    *         {@code null} argument is defined by the WebLogic utility and
    *         is not verified here
    */
  public String encodeXSS(String str) {
    String escaped = weblogic.servlet.security.Utils.encodeXSS(str);
    return escaped;
  }
%>

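<%
 // One try wraps the whole page body so that a failure in any section is
 // reported in-page instead of as a half-rendered response (see the catch
 // at the bottom).
 try {
%>
   <p>
    This servlet returns information about the HTTP request
    itself. You can modify this servlet to take this information
    and store it elsewhere for your HTTP server records. This
    servlet is also useful for debugging.
      </p>
   <h3>
   Servlet Spec Version Implemented
   </h3>
   <pre>
   <%= getServletConfig().getServletContext().getMajorVersion() + "." + getServletConfig().getServletContext().getMinorVersion() %>
   </pre>
   <h3>
   Requested URL
   </h3>
   <%-- The URL is rebuilt from the client's Host header and request line, so it is escaped like every other request field. --%>
   <pre>
   <%= encodeXSS(request.getRequestURL().toString()) %>
   </pre>
   <h3>
   Request parameters
   </h3>
   <pre>
<%

   // Parameter names are as client-controlled as their values, so both
   // halves of each line go through encodeXSS().
   Enumeration enum_ = request.getParameterNames();
   while(enum_.hasMoreElements()){
     String key = (String)enum_.nextElement();
     String[] paramValues = request.getParameterValues(key);
     for(int i=0;i < paramValues.length;i++){
         out.println(encodeXSS(key) + " : " + encodeXSS(paramValues[i]));
     }
   }

%>
   </pre>
   <h3>
   Request information
   </h3>
   <%-- Fields that may be absent (Path Info, Content Type, Remote User, ...) are wrapped in
        String.valueOf() so they still render as "null", as a bare <%= %> would, while
        encodeXSS() always receives a non-null argument. Remote Address and the numeric
        fields are not client-supplied text and are left as they are. --%>
   <pre>
   Request Method: <%= encodeXSS(request.getMethod()) %>
   Request URI: <%= encodeXSS(request.getRequestURI()) %>
   Request Protocol: <%= encodeXSS(request.getProtocol()) %>
   Servlet Path: <%= encodeXSS(request.getServletPath()) %>
   Path Info: <%= encodeXSS(String.valueOf(request.getPathInfo())) %>
   Path Translated: <%= encodeXSS(String.valueOf(request.getPathTranslated())) %>
   Query String: <%= encodeXSS(request.getQueryString()) %>
   Content Length: <%= request.getContentLength() %>
   Content Type: <%= encodeXSS(String.valueOf(request.getContentType())) %>
   Server Name: <%= encodeXSS(request.getServerName()) %>
   Server Port: <%= request.getServerPort() %>
   Remote User: <%= encodeXSS(String.valueOf(request.getRemoteUser())) %>
   Remote Address: <%= request.getRemoteAddr() %>
   Remote Host: <%= encodeXSS(request.getRemoteHost()) %>
   Authorization Scheme: <%= encodeXSS(String.valueOf(request.getAuthType())) %>
   </pre>
   <h3>Certificate Information</h3>
   <pre>
<%
   // Set by the container only when the client presented a certificate in
   // the TLS handshake; null otherwise (hence the else branch below).
   java.security.cert.X509Certificate certs [];
   certs = (java.security.cert.X509Certificate [])
   request.getAttribute("javax.servlet.request.X509Certificate");
   if ((certs != null) && (certs.length > 0)) {
     // Subject/issuer names and the certificate dump originate from the
     // client's certificate, so they are escaped like any other input.
%>
    Subject Name : <%= encodeXSS(certs[0].getSubjectDN().getName()) %> <br>
    Issuer Name :<%= encodeXSS(certs[0].getIssuerDN().getName()) %> <br>
    Certificate Chain Length : <%= certs.length %> <br>
<%

      // List the Certificate chain
      for (int i=0; i<certs.length;i++) {
%>  Certificate[<%= i %>] : <%= encodeXSS(certs[i].toString()) %>

<%
    } // end of for loop

   }
   else // certs==null
    {
%>
    Not using SSL or client certificate not required.
<%
    } // end of else
%>
   </pre>
   <h3>
   Request headers
   </h3>
   <pre>
<%
   // Header names and values are both client-controlled; getHeader() shows
   // only the first value of a repeated header.
   enum_ = request.getHeaderNames();
   while (enum_.hasMoreElements()) {
    String name = (String)enum_.nextElement();
    out.println(encodeXSS(name) + ": " + encodeXSS(request.getHeader(name)));
   }
%>
   </pre>
  <%-- These closing tags have no opening <tr>/<td> in this excerpt; they belong to the table layout of the full sample page. --%>
  </td>
 </tr>
<%
 }
 catch (Exception ex) {
  // Keep the stack trace (class names, file paths) in the server log; the
  // client only learns that rendering failed.
  application.log("SnoopServlet.jsp failed while rendering the request", ex);
  out.println("An error occurred while rendering this page; see the server log.");
 }
%>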


http://localhost:7001/SnoopServlet/SnoopServlet.jsp


