OWASP/SecureCodingDojo

CWE22 - Path Traversal accepts a wrong answer

Closed this issue · 3 comments

In CWE22 - Path Traversal, the attack http://127.0.0.1:8080/cwe22.jsp?file=../cwe22.jsp succeeds and shows the content of cwe22.jsp (https://github.com/trendmicro/SecureCodingDojo/blob/master/insecureinc/WebContent/cwe22.jsp), because the answer "secret.password=12345678" is hardcoded.
When you click on the "Get your code" button, it goes to http://127.0.0.1:8080/%s and returns a 400 error:

HTTP Status 400 – Bad Request
Type Status Report

Message Invalid URI: EOF

Description The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).

Apache Tomcat/8.5.40

On the other hand, the answer proposed in main#!/solution/cwe22, cwe22.jsp?file=../WEB-INF/web.xml, does not work, returning an ERR_CONNECTION_RESET error.
It works with cwe22.jsp?file=../WEB-INF/config.properties.
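The traversal the first post exercises (a user-controlled file parameter joined onto a directory with no check) next to the check that closes it, as an added example: this is not code from SecureCodingDojo's cwe22.jsp or from the issue author. The temporary directory layout, the "public" serving directory, the readme.txt file and the web.xml contents are assumptions constructed for the demo so it runs offline.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example, not SecureCodingDojo code. Contrasts the CWE-22 lookup the
// issue exercises with a hardened lookup. Directory layout below is constructed
// here; "public" as the serving directory and "readme.txt" are assumed names.
public class Cwe22Demo {

    // Vulnerable shape: the request parameter is joined onto the serving
    // directory with no check, so "../WEB-INF/web.xml" escapes that directory.
    static String vulnerableRead(Path servingDir, String file) throws IOException {
        Path target = servingDir.resolve(file);
        return Files.readString(target);
    }

    // Hardened shape: canonicalize, then require the result to stay under the
    // allowed directory. normalize() collapses "..", toRealPath() also follows
    // symlinks, and Path.startsWith() compares path components, not a string
    // prefix, so "/srv/public-evil" does not pass as being under "/srv/public".
    static String safeRead(Path allowedDir, String file) throws IOException {
        Path base = allowedDir.toRealPath();
        Path candidate = base.resolve(file).normalize();
        if (!candidate.startsWith(base)) {
            throw new SecurityException("path traversal rejected: " + file);
        }
        // A symlink inside the allowed directory could still point outside it,
        // so resolve the final path and check again.
        Path real = candidate.toRealPath();
        if (!real.startsWith(base)) {
            throw new SecurityException("symlink escape rejected: " + file);
        }
        return Files.readString(real);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: <webRoot>/public/readme.txt and
        // <webRoot>/WEB-INF/web.xml, mirroring a Tomcat web application root.
        Path webRoot = Files.createTempDirectory("cwe22demo");
        Path pub = Files.createDirectories(webRoot.resolve("public"));
        Files.createDirectories(webRoot.resolve("WEB-INF"));
        Files.writeString(pub.resolve("readme.txt"), "public readme\n");
        Files.writeString(webRoot.resolve("WEB-INF/web.xml"), "<web-app/>\n");

        String attack = "../WEB-INF/web.xml";

        // The unchecked join serves the deployment descriptor.
        System.out.println("vulnerable: " + vulnerableRead(pub, attack).trim());

        // The hardened lookup rejects the same input ...
        try {
            safeRead(pub, attack);
        } catch (SecurityException e) {
            System.out.println("hardened: " + e.getMessage());
        }
        // ... and still serves a legitimate file under the allowed directory.
        System.out.println("hardened, legitimate: " + safeRead(pub, "readme.txt").trim());
    }
}
```

The order matters: normalize first, then compare, then resolve symlinks and compare again. Checking the raw string for "../" is not enough, since encoded or platform-specific separators can bypass it, which is why the check is done on the canonical Path rather than on the parameter text.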

Hi, this is not happening with the latest container image. Are you running it from Eclipse with a different Tomcat version perhaps?

Hi Paul!
My bad. I'm not running the app in a local environment. The URL is http://10.100.160.79:8080/cwe22.jsp?file=../cwe22.jsp

I believe that I'm using the latest version: I cloned the repo and called docker-compose.

Just encountered the same issue. cwe22.jsp?file=../WEB-INF/web.xml does not work and instead returns an ERR_CONNECTION_RESET error. It works with cwe22.jsp?file=../WEB-INF/config.properties, but there is no way for me to find out the name of the properties file as I cannot include the web.xml first.