
Scanning JBoss AS for open Invokers

Apparently, the guys at Acunetix were tired of examining their JBoss Application Servers for vulnerabilities by hand. Starting with version 6.5 build 20091215 of their Web Vulnerability Scanner, they have integrated checks for the issues described in our JBoss paper.

As a little reminder, always check whether the following are reachable:

  • http://www.example.com/jmx-console
  • http://www.example.com/web-console
  • http://www.example.com/web-console/Invoker
  • http://www.example.com/invoker/JMXInvokerServlet

and any open JBoss Remoting / RMI ports. See the paper for details.
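As an added example (not part of the original post, and not code from Acunetix or from the paper), here is a small Python script that runs the checklist above against one host: it requests each of the four paths, classifies the HTTP answer, and attempts a plain TCP connect to the listener ports JBoss AS 4.x/5.x uses by default for RMI and Remoting. The port list, the `jboss-check` User-Agent and the example hostname are assumptions for illustration, not something the post states.

```python
"""Check a JBoss AS host for exposed consoles and invokers.

Added example, not from the original post. The four paths come from the
post's checklist; the TCP ports are the JBoss AS 4.x/5.x defaults for
RMI/Remoting (an assumption; adjust them for the deployment you test).
"""
import socket
import sys
import urllib.error
import urllib.parse
import urllib.request

# Web paths from the post's checklist.
PATHS = (
    "/jmx-console",
    "/web-console",
    "/web-console/Invoker",
    "/invoker/JMXInvokerServlet",
)

# Assumed JBoss AS 4.x/5.x default ports; not stated in the post.
PORTS = {
    1098: "RMI port (JNDI)",
    1099: "JNDI naming (RMI registry)",
    4444: "JRMP invoker",
    4445: "pooled invoker",
    4446: "Remoting unified invoker",
    8083: "RMI dynamic class loading",
}


def build_targets(base):
    """Join the base URL with each checklist path."""
    base = base.rstrip("/")
    return [base + path for path in PATHS]


def classify(status):
    """Turn an HTTP status (or None for no answer) into a verdict.

    Anything but 401/403/404 means the servlet is deployed and answered a
    client that did not authenticate; 200 is the clear-cut open case.
    """
    if status is None:
        return "unreachable"
    if status == 200:
        return "OPEN: answered without authentication"
    if status in (401, 403):
        return "protected: authentication required"
    if status == 404:
        return "not deployed"
    return "answered with %d, deployed; inspect manually" % status


def probe(url, timeout=5.0):
    """GET url and return the HTTP status, or None if nothing answered."""
    req = urllib.request.Request(url, headers={"User-Agent": "jboss-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403/404/500 still tell us something
    except (urllib.error.URLError, OSError):
        return None


def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan(base, host=None):
    """Return {target: verdict} for the web paths and the RMI/Remoting ports."""
    results = {}
    for url in build_targets(base):
        results[url] = classify(probe(url))
    host = host or urllib.parse.urlsplit(base).hostname
    for port, name in sorted(PORTS.items()):
        state = "open" if port_open(host, port) else "closed/filtered"
        results["%s:%d (%s)" % (host, port, name)] = state
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://www.example.com"
    for key, verdict in scan(target).items():
        print("%-60s %s" % (key, verdict))
```

Run it as `python3 jboss_check.py http://host:8080`. Two caveats: urllib follows redirects, so a 200 may be a custom login form rather than the console itself, which is why the verdicts for anything other than 401/403/404 still deserve a look at the response body; and an open TCP port only shows that a listener answers, what can be done with it is the subject of the paper.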

So, if you own a copy of Acunetix WVS, there is no excuse anymore for accidentally missing an open JMX Invoker ;)

{ 1 } Comments

  1. Patrick Hof | 2010-Feb-03 at 11:48 | Permalink

    BTW: If anyone of you owns a JBoss Community account, the English JBoss Wiki page at

    http://community.jboss.org/wiki/SecureJboss

    still links to the German and not the English version of the paper. The English paper is at

    http://www.redteam-pentesting.de/publications/2009-11-30-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN.pdf
