quick primer on how to exploit path traversals in Java web apps (i.e. you can read WEB-INF/web.xml)

## exploit_path_traversals_in_Java_webapps.txt
so, you can read WEB-INF/web.xml. how can you escalate this issue?

[step 1]. try to read other common Java files such as WEB-INF/web-jetty.xml.

use a specialized wordlist such as the following (from 	Sergey Bobrov/BlackFan):
https://github.com/BlackFan/WEB-INF-dict/blob/master/web-inf.txt
with time you can build your own wordlist adding files you've discovered over time.
use Burp Intruder for this, it's perfect for this job.
sort Intruder results by status code so you can see instantly which files were found.

[step 2]. take a look at WEB-INF/web.xml and try to understand what framework was used.
most Java web applications nowadays are using Spring (https://spring.io/).

if you see in WEB-INF/web.xml some class name with org.springframework (usually DispatcherServlet), it means it's Spring.

for example:
    <servlet>
        <servlet-name>example</servlet-name>
        <servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>

if it's Spring, look for the servlet-mapping (servlet-name) section.
for example:

    <servlet-mapping>
        <servlet-name>golfing</servlet-name>
        <url-pattern>/golfing/*</url-pattern>
    </servlet-mapping>

in this case, the name of the servlet is "golfing".
according to Spring convention, you will need to have a file called WEB-INF/golfing-servlet.xml in your application.
this file will contain all of your Spring Web MVC-specific components (beans).
try to read this file.

for Spring, also look for WEB-INF/applicationContext.xml

if it's not Spring, it could be Struts (https://struts.apache.org/).

look for something like this

<filter>
      <filter-name>struts2</filter-name>
      <filter-class>
         org.apache.struts2.dispatcher.FilterDispatcher
      </filter-class>
   </filter>

if it's Struts, look for something like try to read these files
WEB-INF/classes/struts.xml
WEB-INF/classes/default.properties
or
WEB-INF/struts-config.xml

more info here: https://struts.apache.org/core-developers/configuration-files.html

if it's not Spring and not Struts try to read attentively the web.xml file to figure out what framework they could be using and read its docs.

[step 3]. classpath:bla in web.xml

If you find in web.xml a file referenced using classpath:filename such as the following example:
<context-param>
   <param-name>contextConfigLocation</param-name>
   <param-value>classpath:my-main-spring.xml</param-value>
</context-param>

it means the file is located in class path. class path is usually located in WEB-INF/classes/ or WEB-INF/lib/
this means that you can read the file referenced there (my-main-spring.xml) by reading:

WEB-INF/classes/my-main-spring.xml or
WEB-INF/lib/my-main-spring.xml

[step 4]. look for class names in web.xml and try to read the .class files

in WEB-INF/web.xml and/or the other files you were able to read following steps 1-3 you will find a lot of class names.

class names are referenced like this:

<bean class="com.company.bla.bla.className"> or like this
<filter-class>com.company.bla.bla.className</filter-class>

in any case, the name of the class is "com.company.bla.bla.className"
in Java, this class is stored in this folder + file:
com/company/bla/bla/className.class

classes are usually stored in either WEB-INF/classes/ or WEB-INF/lib/
therefore, you should try to read the class file by reading

WEB-INF/classes/com/company/bla/bla/className.class
or
WEB-INF/lib/com/company/bla/bla/className.class

to download the class files I usually use curl like this:

curl -O --path-as-is https://example.com/path-traversal/../WEB-INF/lib/com/company/bla/bla/className.class

if it works, this will save a file className.class in the current directory.

Sergey Bobrov/BlackFan wrote a tool that helps with this:
https://github.com/BlackFan/WEB-INF-dict/blob/master/web-inf-dumper.php

if you are able to download the className.class you need to decompile it so you can take a look at Java source code

i use the following 2 tools:
http://java-decompiler.github.io/
https://github.com/skylot/jadx

when you decompile it you get access to more class names (from imports) and then download more source code and so on.
somebody should write a tool to automate this so it will decompile classes, read imports, download more classes, decompile, ...
have fun!

harisec
	so, you can read WEB-INF/web.xml. how can you escalate this issue?

	[step 1]. try to read other common Java files such as WEB-INF/web-jetty.xml.

	use a specialized wordlist such as the following (from Sergey Bobrov/BlackFan):
	https://github.com/BlackFan/WEB-INF-dict/blob/master/web-inf.txt
	with time you can build your own wordlist adding files you've discovered over time.
	use Burp Intruder for this, it's perfect for this job.
	sort Intruder results by status code so you can see instantly which files were found.

	[step 2]. take a look at WEB-INF/web.xml and try to understand what framework was used.
	most Java web applications nowadays are using Spring (https://spring.io/).

	if you see in WEB-INF/web.xml some class name with org.springframework (usually DispatcherServlet), it means it's Spring.

	for example:
	<servlet>
	<servlet-name>example</servlet-name>
	<servlet-class>org.springframework.web.servlet.DispatcherServlet</servlet-class>

	if it's Spring, look for the servlet-mapping (servlet-name) section.
	for example:

	<servlet-mapping>
	<servlet-name>golfing</servlet-name>
	<url-pattern>/golfing/*</url-pattern>
	</servlet-mapping>

	in this case, the name of the servlet is "golfing".
	according to Spring convention, you will need to have a file called WEB-INF/golfing-servlet.xml in your application.
	this file will contain all of your Spring Web MVC-specific components (beans).
	try to read this file.

	for Spring, also look for WEB-INF/applicationContext.xml

	if it's not Spring, it could be Struts (https://struts.apache.org/).

	look for something like this

	<filter>
	<filter-name>struts2</filter-name>
	<filter-class>
	org.apache.struts2.dispatcher.FilterDispatcher
	</filter-class>
	</filter>

	if it's Struts, look for something like try to read these files
	WEB-INF/classes/struts.xml
	WEB-INF/classes/default.properties
	or
	WEB-INF/struts-config.xml

	more info here: https://struts.apache.org/core-developers/configuration-files.html

	if it's not Spring and not Struts try to read attentively the web.xml file to figure out what framework they could be using and read its docs.

	[step 3]. classpath:bla in web.xml

	If you find in web.xml a file referenced using classpath:filename such as the following example:
	<context-param>
	<param-name>contextConfigLocation</param-name>
	<param-value>classpath:my-main-spring.xml</param-value>
	</context-param>

	it means the file is located in class path. class path is usually located in WEB-INF/classes/ or WEB-INF/lib/
	this means that you can read the file referenced there (my-main-spring.xml) by reading:

	WEB-INF/classes/my-main-spring.xml or
	WEB-INF/lib/my-main-spring.xml

	[step 4]. look for class names in web.xml and try to read the .class files

	in WEB-INF/web.xml and/or the other files you were able to read following steps 1-3 you will find a lot of class names.

	class names are referenced like this:

	<bean class="com.company.bla.bla.className"> or like this
	<filter-class>com.company.bla.bla.className</filter-class>

	in any case, the name of the class is "com.company.bla.bla.className"
	in Java, this class is stored in this folder + file:
	com/company/bla/bla/className.class

	classes are usually stored in either WEB-INF/classes/ or WEB-INF/lib/
	therefore, you should try to read the class file by reading

	WEB-INF/classes/com/company/bla/bla/className.class
	or
	WEB-INF/lib/com/company/bla/bla/className.class

	to download the class files I usually use curl like this:

	curl -O --path-as-is https://example.com/path-traversal/../WEB-INF/lib/com/company/bla/bla/className.class

	if it works, this will save a file className.class in the current directory.

	Sergey Bobrov/BlackFan wrote a tool that helps with this:
	https://github.com/BlackFan/WEB-INF-dict/blob/master/web-inf-dumper.php

	if you are able to download the className.class you need to decompile it so you can take a look at Java source code

	i use the following 2 tools:
	http://java-decompiler.github.io/
	https://github.com/skylot/jadx

	when you decompile it you get access to more class names (from imports) and then download more source code and so on.
	somebody should write a tool to automate this so it will decompile classes, read imports, download more classes, decompile, ...
	have fun!

	harisec