J2EEScan Burp Suite Plugin to Test J2EE Applications

J2EEScan is a plugin that you can add on Burp Suite security scanning tool. The goal of this plugin is to improve the test coverage during web application penetration tests on J2EE applications. The plugin is fully integrated into the Burp Suite Scanner; it adds some new test cases and new strategies to discover different kind of J2EE vulnerabilities.

The plugin will scan some general vulnerabilities including the following:

  • Expression Language Injection (CVE-2011-2730)
  • Local File include – /WEB-INF/web.xml Retrieved
  • Local File Include – Spring Application Context Retrieved
  • Local File Include – struts.xml Retrieved
  • Local File Include – weblogic.xml Retrieved
  • Local File Include – ibm-ws-bnd.xml Retrieved
  • Local File Include – ibm-web-ext.xmi Retrieved
  • Local File Include – ibm-web-ext.xml Retrieved
  • Local File Include – /etc/shadow Retrieved
  • Local File Include – /etc/passwd Retrieved

Also the plugin add the following specific server application vulnerabilities:

  • ¬†Apache Struts
  • Grails
  • Apache Wicket
  • Java Server Faces
  • JBoss SEAM
  • Incorrect Error Handling
  • XML Security
  • Information Disclosure Issues
  • Compliance Checks
  • JBoss
  • Tomcat
  • Weblogic
  • Oracle Application Server
  • Jetty
  • Apache Axis

J2EE SCANBurp interface with enabled J2EEScan plugin

Bupr Suite is an advanced web application scanner that allow to have several plugins to perform a web penetration testing. You can add the plugin from Burp interface or download the file over this link: https://github.com/ilmila/J2EEScan

Share