Greetings!
Thank you for this amazing tool. We were able to scan 4 of our /24 networks pretty easily using this tool. I'm going to be including a PR soon for easily scanning a range of IPs instead of having to include a list of IPs individually.
One issue we encountered (and wasted about 4 hours on...) was a CGI script that respected the X-Wap-Profile header. You can find some information about the header below:
https://www.developershome.com/wap/detection/detection.asp?page=profileHeader
https://en.wikipedia.org/wiki/UAProf
https://udger.com/resources/http-request-headers-detail?header=X-Wap-Profile
Basically, if you provide a URL or XML file to X-Wap-Profile, the server will fetch that file and parse it based on the above specs.
It is weird that our program respected the jndi:ldap:// as a valid URL and ran an HTTP GET request against everything after the :// (a bug in the program we patched quickly). I'm not sure if others will have this same weird edge case that we did, but wanted to at least open a ticket here in case others are searching for why this header is "vulnerable" to JNDI even when Java is nowhere to be found in an environment.
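An added example, not part of the original issue and not the reporter's code: a Python sketch of how a handler that fetches whatever follows `://` in X-Wap-Profile produces a scanner callback without any Java, next to a check that only accepts http(s) profile URLs. The function names, the optional host allowlist and the `.test` hostnames are assumptions made for illustration.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def naive_fetch_target(header_value):
    """Assumed reconstruction of the bug described above: anything that
    contains '://' is treated as a URL, and whatever follows it is
    fetched over HTTP regardless of the scheme in front."""
    value = header_value.strip().strip('"')
    if "://" not in value:
        return None
    return "http://" + value.split("://", 1)[1]


def validated_profile_url(header_value, allowed_hosts=None):
    """Return the profile URL only if it is a plain http(s) URL with a
    host (optionally restricted to allowed_hosts); otherwise None."""
    value = header_value.strip().strip('"')
    try:
        parts = urlsplit(value)
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return None
    host = parts.hostname
    if not host:
        return None
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return None
    return parts.geturl()


if __name__ == "__main__":
    # Constructed sample header values; the hostnames are placeholders.
    samples = [
        '"http://wap.example.test/profiles/phone.xml"',
        "${jndi:ldap://callback.example.test/a}",
        "jndi:ldap://callback.example.test/a",
    ]
    for s in samples:
        print(s, "| naive:", naive_fetch_target(s),
              "| validated:", validated_profile_url(s))
```

With the naive handler, the scanner's callback host receives an HTTP request and the header looks "vulnerable"; the validated version never issues a request for the two jndi values.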