Potential Local File Read Vulnerability In JVM Based Application
Detects a potential local file read vulnerability in JVM-based apps. Exceptions that are caused by user input and contain path traversal payloads are a red flag.
Sigma rule
title: Potential Local File Read Vulnerability In JVM Based Application
id: e032f5bc-4563-4096-ae3b-064bab588685
status: test
description: |
    Detects potential local file read vulnerability in JVM based apps.
    If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.
references:
    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
author: Moti Harmats
date: 2023-02-11
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: jvm
    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
detection:
    keywords_local_file_read:
        '|all':
            - 'FileNotFoundException'
            - '/../../..'
    condition: keywords_local_file_read
falsepositives:
    - Application bugs
level: high
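The rule's selection evaluated over constructed JVM error-log lines, as an added example (not part of the rule or of the Sigma project's code). The log layout, class names and paths are constructed, and the matching assumes Sigma's case-insensitive substring semantics for keyword lists.

```python
import re

# Keywords copied from the rule's keywords_local_file_read selection.
KEYWORDS_LOCAL_FILE_READ = ["FileNotFoundException", "/../../.."]

# Assumption: the usual JVM message form "FileNotFoundException: <path> (<reason>)".
PATH_RE = re.compile(r"FileNotFoundException: (\S+)")


def matches_rule(event: str) -> bool:
    """Sigma '|all' on keywords: every keyword must occur somewhere in the event."""
    text = event.lower()
    return all(keyword.lower() in text for keyword in KEYWORDS_LOCAL_FILE_READ)


def triage(events):
    """Return (path, event) pairs for matching events; path is None if not parseable."""
    hits = []
    for event in events:
        if matches_rule(event):
            found = PATH_RE.search(event)
            hits.append((found.group(1) if found else None, event))
    return hits


# Constructed sample events (ERROR level, as the rule's logsource definition requires).
SAMPLE_EVENTS = [
    # Both keywords present: the rule fires.
    "2023-02-11 10:15:02 ERROR [exec-3] c.e.DownloadController - "
    "java.io.FileNotFoundException: /opt/app/files/../../../../etc/app-secrets.conf "
    "(No such file or directory)",
    # Ordinary missing file, no traversal sequence: no match.
    "2023-02-11 10:16:40 ERROR [exec-5] c.e.DownloadController - "
    "java.io.FileNotFoundException: /opt/app/files/report-2023.pdf "
    "(No such file or directory)",
    # Traversal sequence rejected before any file API was reached: no match.
    "2023-02-11 10:17:09 ERROR [exec-7] c.e.PathValidator - "
    "java.lang.IllegalArgumentException: rejected path /../../../tmp/x",
]

if __name__ == "__main__":
    for path, event in triage(SAMPLE_EVENTS):
        print(f"ALERT level=high path={path}\n  {event}")
```

A hit means a traversal string reached a file-open call, so the class that logged the exception is the code path to review.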
Related rules
- ADSelfService Exploitation
- Apache Spark Shell Command Injection - ProcessCreation
- Apache Spark Shell Command Injection - Weblogs
- Apache Threading Error
- Arcadyan Router Exploitations