Jetty

Jetty Pentest

Send a GET request to / with a random value in the Host header, the response will contain a list of all applications

RCE via upload file

upload a JSP web shell to $JETTY_BASE/webapps/root/

XSS via file upload

Test with this two types of payload:

1. XML-based: <a:script xmlns:a="http://www.w3.org/1999/xhtml">alert('PTSWARM')</script>

2. HTML-based: <script>alert('PTSWARM')</script>

Resources

Jetty Features for Hacking Web AppsPT SWARM

Interesting Books

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

• The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
• Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
• Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.