Skip to main content

Decoding IBM WebShere Portlet URLs

October 31, 2014

Portlet based web applications built with the IBM Web Experience Factory, previously known as the WebSphere Portlet Factory, produce long URL's containing GZIP'd and base64-encoded data. Viewing and tampering with the data transmitted between the client browser and backing application server is quintessential to application penetration testing.

The IBM WebSphere application server 'Rich-URL' scheme:

scheme://host:port/ctx/!ut/p(/codec/compressed-state)

URL FragmentDescription

/ctxThe portal context, i.e. /wps/portal

/!ut/pIdentifier that denotes the start of the first codec

codecEncoding algorithm and the version of the state document

compressed-stategzipped and base64 encoded proprietary binary xml serialized data

 

The WebSphere application server provides a servlet that decodes the state information. The request structure to decode state information is shown below. If you make a request with the first URL, you get redirected to the second URL which presents the decoded data.

scheme://host:port/wps/poc?uri=state:<uri>
scheme://host:port/wps/mycontenthandler?uri=state:<full_url>

Example:

Ideally you get an XML response from the application server, the above decodes into something like this:

I wrote a BurpSuite plugin that displays the decoded XML state in a new tab when the request is viewed (https://github.com/AccuvantLABS/burp-ibm-websphere-portlet-decoder). Upon clicking the tab, the plugin makes a request against the endpoint on the application server that decodes the URL (shown above), formats the resulting XML and displays it in the tab.

Note: The plugin does not cache or temporarily save the decoded state data, it is requested every time the decoded state tab is viewed.


    Raffi Erganian

By: Raffi Erganian

Principal Consultant

See More

Related Blogs

October 26, 2017

Help Keep Your Children Safe Online

The Children’s Internet Usage Study conducted by the Center for Cyber Safety and Education discovered that 30 percent of children ages 8-14 use the in...

See Details

October 19, 2017

PCI Compliance Every Day – Requirement 11

The most widely known requirements in PCI DSS 3.2 section 11 with a timing implication are the quarterly external and internal vulnerability scans (11...

See Details

July 31, 2017

Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 20

Test the overall strength of an organization’s defenses (the technology, the process and the people) by simulating the objectives and actions of an at...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.


Privacy Policy

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.

Subscribe

Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.