Overview
AltoroJ, also known as Altoro Mutual and Testfire, is an open source sample banking J2EE web application maintained by HCL Software.
It is a traditional app created in 2008 and is not updated very often.
Potential Pitfalls
This is an online app which may be unavailable or broken at any point. Running a local version will give more consistent results.
Authentication
Known users (username / password):
admin/adminjsmith/demo1234
Browser Based Authentication
ZAP can successfully authenticate to this app using Browser Based Authentication and will successfully identify the session handling and verification.
Client Script Authentication
ZAP can successfully authenticate to this app using Client Script Authentication and will successfully identify the session handling and verification.
A suitable Zest script is available here: testfire.zst
Recommended Environment
env:
contexts:
- name: testfire
urls:
- http://testfire.net
includePaths:
- http://testfire.net.*
excludePaths:
- http://testfire.net/logout.jsp
- http://testfire.net/doLogin
authentication:
method: browser
parameters:
loginPageUrl: http://testfire.net/login.jsp
loginPageWait: 2
browserId: firefox
verification:
method: poll
loggedInRegex: \Q 200 OK\E
loggedOutRegex: \Q 302 Found\E
pollFrequency: 60
pollUnits: requests
pollUrl: http://testfire.net/bank/main.jsp
pollPostData: ""
sessionManagement:
method: headers
users:
- name: admin
credentials:
password: admin
username: admin
Crawling
Any of the ZAP Spiders can be used to crawl AltoroJ.
For the Traditional Spider to be able to crawl the app you need to exclude the login and logout URLs from the context as above.
For the AJAX Spider you need to exclude the logout link:
- type: spiderAjax
parameters:
context: testfire
user: admin
browserId: firefox-headless
excludedElements:
- description: Logout
element: a
text: Sign Off
Scanning
We are not aware of a definitive list of the vulnerabilities in AltoroJ.