#152 – Quick tips for Apache Tapestry

Hi everybody, this time, same treatment, I don’t think it deserves its own article so I just don’t categorize it, however it is a pentesting article. I had to test an application using Apache Tapestry today, which is a Java Web Framework, similar to faces or wicket.


The most obvious thing once you test a Tapestry app is that a lot of parameters seems to crash the application. The reason is that the app contains a safe charset on parameters, however you can “bypass” it easily by using unicode. The format is $<unicode number>. So for example, if you want to use a quote, you’ll use $0027, $003c for the start of a bracket and so on.

It means that all of your tests that you generally url-encode using % needs to be replaced by $00.


Error output

The application errors won’t be printed to the application body either, but rather you will find it inside a header made for Tapestry, so keep in mind that fact when testing your application.

Leave a Reply

Your email address will not be published.