Q: What is javafp?
A: This is a small web application with a big database, which can be used to retrieve version information from Java stacktraces.
Q: Why would you want to do this?
A: When performing penetration tests against Java web applications, it is often possible to trigger a stacktrace. Knowing exactly which software (and which version) runs on the host one is currently testing helps to recreate the setup and check for vulnerabilities in those specific versions.
Q: How does it work?
A: Each line of the stacktrace gives us a function and a line number. By cross-referencing this with a database generated from different versions of the software, we can build a list of all versions in which that function covers the matching line. Furthermore, the stacktrace tells us which function is called on that line (the next frame up), which can also be cross-referenced to narrow down the version. Taking all this information together, it is possible to get very good matches in some cases, especially if the software changes a lot between versions and the stacktrace contains multiple lines from the same class package.
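The matching described above, as an added Python example that is not javafp's own code: it parses standard JVM frames, skips frames without a line number, and scores each version on two signals, whether the method spans the reported line in that version and whether the callee recorded for that line is the frame above it. The database and the stacktrace are constructed for the example; the real javafp data and schema are assumptions here.

```python
import re

# A standard JVM frame looks like "at pkg.Class.method(File.java:123)".
# Frames such as "(Native Method)" or "(Unknown Source)" carry no line
# number and give no evidence, so the regex simply does not match them.
FRAME_RE = re.compile(r"^\s*at\s+([\w$.]+)\.([\w$<>]+)\(([\w$]+\.java):(\d+)\)")


def parse_frames(trace):
    """Return (class, method, line) tuples, innermost frame first."""
    frames = []
    for raw in trace.splitlines():
        m = FRAME_RE.match(raw)
        if m:
            frames.append((m.group(1), m.group(2), int(m.group(4))))
    return frames


# Constructed fingerprint database (assumption, not the real javafp data).
# "lines": the line numbers each method occupies in that version.
# "calls": which method is invoked on a given (class, method, line).
DB = {
    "example-lib 1.0": {
        "lines": {("com.example.Filter", "doFilter"): {40, 41, 42},
                  ("com.example.Handler", "handle"): {10, 11}},
        "calls": {("com.example.Filter", "doFilter", 42):
                  ("com.example.Handler", "handle")},
    },
    "example-lib 1.1": {
        "lines": {("com.example.Filter", "doFilter"): {44, 45, 46},
                  ("com.example.Handler", "handle"): {10, 11, 12}},
        "calls": {("com.example.Filter", "doFilter", 46):
                  ("com.example.Handler", "handle")},
    },
    "example-lib 1.2": {
        "lines": {("com.example.Filter", "doFilter"): {46, 47, 48},
                  ("com.example.Handler", "handle"): {20, 21}},
        "calls": {("com.example.Filter", "doFilter", 47):
                  ("com.example.Handler", "handle")},
    },
}


def score_versions(frames, db):
    """Count, per version, how many frame facts the database confirms."""
    scores = {}
    for version, data in db.items():
        score = 0
        for i, (cls, meth, line) in enumerate(frames):
            if (cls, meth) not in data["lines"]:
                continue  # class belongs to other software; no evidence either way
            if line in data["lines"][(cls, meth)]:
                score += 1  # method spans this line in this version
            # Frame i is the caller of frame i-1: does the recorded callee match?
            if i > 0 and data["calls"].get((cls, meth, line)) == frames[i - 1][:2]:
                score += 1
        scores[version] = score
    return scores


def best_matches(frames, db):
    """Return the top-scoring versions (sorted) and their score."""
    scores = score_versions(frames, db)
    top = max(scores.values())
    return sorted(v for v, s in scores.items() if s == top), top


# Constructed stacktrace; the reflection frame has no line and is skipped.
SAMPLE_TRACE = """java.lang.NullPointerException
\tat com.example.Handler.handle(Handler.java:11)
\tat com.example.Filter.doFilter(Filter.java:46)
\tat sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
\tat java.lang.Thread.run(Thread.java:748)
"""

if __name__ == "__main__":
    frames = parse_frames(SAMPLE_TRACE)
    print(score_versions(frames, DB))
    print(best_matches(frames, DB))
```

Only version 1.1 has Handler.handle on line 11, Filter.doFilter on line 46 and a call to handle from that line, so it wins with three confirmed facts; 1.0 and 1.2 each match just one. Frames from classes the database does not know (java.lang.Thread here) are ignored rather than counted against a version.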
Q: How often do you update the database?
A: I try to do so at least once a month.
Q: I don't get good results, what should I do?
A: Send me the stacktrace to firstname.lastname@example.org, and I'll take a look.
Q: Do you log the stacktraces sent to the application?
A: No, I do not! I just keep basic apache logs. So if it breaks for you and you want me to have a look at it, send me your stacktrace.
Q: What software is included in the database?
A: Currently, there is: PsiProbe, Tomcat, Struts, Oracle JDK, JBoss, SpringFramework, WoodStox, Javamelody, Spring Security, JavaX Faces, Turbine, Url Rewrite Filter, UJAC, ACEGI Security, JasperReports, Jetty, Apache Commons, Hibernate, Grizzly, Velocity, OpenSymphony, Xerces, Freemarker, Log4J, Axis2, Axis2 Rampart, Geronimo, Lucene, Jersey, Derby, Tapestry, Wicket, MyFaces, Jira.
Q: Can you add software X?
A: Sure, drop me a mail to email@example.com.
Q: How do you fill the database?
A: I use the BCEL libraries to parse the class files, extract function names and line numbers, and stuff it all into the database.