Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

IBM WebSphere Application Server Detection

🗓️ 06 Dec 2011 00:00:00Reported by TenableType 
nessus
 nessus🔗 www.tenable.com👁 158 Views

IBM WebSphere Application Server Detection. Detects the IBM WebSphere Application Server

Refs
Code
##
# (C) Tenable, Inc.
##

include("compat.inc");

if (description)
{
  script_id(57034);
  script_version("1.20");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/06/09");

  script_xref(name:"IAVT", value:"0001-T-0635");

  script_name(english:"IBM WebSphere Application Server Detection");
  script_summary(english:"Detects the IBM WebSphere Application Server.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is running a web application server.");
  script_set_attribute(attribute:"description", value:
"IBM WebSphere Application Server, an application server for Java-based
web applications, is running on the remote host.");
  script_set_attribute(attribute:"see_also", value:"https://www.ibm.com/cloud/websphere-application-platform");
  script_set_attribute(attribute:"solution", value:"n/a");
  script_set_attribute(attribute:"risk_factor", value:"None");

  script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/06");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:websphere_application_server");
  script_set_attribute(attribute:"asset_inventory", value:"True");
  script_set_attribute(attribute:"asset_inventory_category", value:"software_enumeration");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2011-2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  script_require_keys("www/WebSphere");
  script_require_ports("Services/www", 8880, 8881, 9100, 9043);

  exit(0);
}

include('dump.inc');
include("http.inc");
include("install_func.inc");
include("spad_log_func.inc");

var app_name = 'IBM WebSphere Application Server';
var port = get_http_port(default:8880, embedded:FALSE);
var server_name = http_server_header(port:port);

var version = NULL;
var extra = {};

##
# GIOP uses TCP as its transport protocol. GIOP can be identified by its 
# four byte magic string at the beginning of every PDU: GIOP in ASCII 
# encoding. This request will return the granular version information we 
# need for reliable version checks.
#
# 47 49 4f 50 01 00 00 00  00 00 00 e4 00 00 00 02   GIOP.... ........
# 00 00 00 06 00 00 00 a0  00 00 00 00 00 00 00 28   ........ .......(
# 49 44 4c 3a 6f 6d 67 2e  6f 72 67 2f 53 65 6e 64   IDL:omg. org/Send
# 69 6e 67 43 6f 6e 74 65  78 74 2f 43 6f 64 65 42   ingConte xt/CodeB
# 61 73 65 3a 31 2e 30 00  00 00 00 01 00 00 00 00   ase:1.0. ........
# 00 00 00 64 00 01 02 00  00 00 00 0e 31 39 32 2e   ...d.... ........
# 31 36 38 2e 30 2e 31 38  36 00 04 79 00 00 00 19   ........ ...y....
# 00 00 00 00 00 00 00 00  0a 00 00 00 00 00 00 01   ........ ........
# 00 00 00 01 00 00 00 20  00 00 00 00 00 01 00 01   .......  ........
# 00 00 00 02 05 01 00 01  00 01 00 20 00 01 01 09   ........ ... ....
# 00 00 00 01 00 01 01 00  4e 45 4f 00 00 00 00 02   ........ NEO.....
# 00 0a 00 00 00 00 00 05  01 00 00 00 00 00 00 04   ........ ........
# 49 4e 49 54 00 00 00 04  67 65 74 00 00 00 00 00   INIT.... get.....
# 00 00 00 0c 4e 61 6d 65  53 65 72 76 69 63 65 00   ....Name Service.
##

var wsas_init = raw_string
(
  0x47, 0x49, 0x4f, 0x50, 0x01, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0xe4, 0x00, 0x00, 0x00, 0x02,
  0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0xa0,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28,
  0x49, 0x44, 0x4c, 0x3a, 0x6f, 0x6d, 0x67, 0x2e,
  0x6f, 0x72, 0x67, 0x2f, 0x53, 0x65, 0x6e, 0x64,
  0x69, 0x6e, 0x67, 0x43, 0x6f, 0x6e, 0x74, 0x65,
  0x78, 0x74, 0x2f, 0x43, 0x6f, 0x64, 0x65, 0x42,
  0x61, 0x73, 0x65, 0x3a, 0x31, 0x2e, 0x30, 0x00,
  0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x64, 0x00, 0x01, 0x02, 0x00,
  0x00, 0x00, 0x00, 0x0e, 0x31, 0x39, 0x32, 0x2e,
  0x31, 0x36, 0x38, 0x2e, 0x30, 0x2e, 0x31, 0x38,
  0x36, 0x00, 0x04, 0x79, 0x00, 0x00, 0x00, 0x19,
  0xaf, 0xab, 0xcb, 0x00, 0x00, 0x00, 0x00, 0x02,
  0x93, 0xbe, 0x05, 0x06, 0x00, 0x00, 0x00, 0x08,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
  0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x20,
  0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01,
  0x00, 0x00, 0x00, 0x02, 0x05, 0x01, 0x00, 0x01,
  0x00, 0x01, 0x00, 0x20, 0x00, 0x01, 0x01, 0x09,
  0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00,
  0x4e, 0x45, 0x4f, 0x00, 0x00, 0x00, 0x00, 0x02,
  0x00, 0x0a, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05,
  0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
  0x49, 0x4e, 0x49, 0x54, 0x00, 0x00, 0x00, 0x04,
  0x67, 0x65, 0x74, 0x00, 0x00, 0x00, 0x00, 0x00,
  0x00, 0x00, 0x00, 0x0c, 0x4e, 0x61, 0x6d, 0x65,
  0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x00
);

var pattern, item, source;
if (!isnull(server_name))
{
  if ('WebSphere Application Server' >!< server_name)
    audit(AUDIT_WRONG_WEB_SERVER, port, 'IBM WebSphere Application Server');

  pattern = "^WebSphere Application Server/([0-9.]+)($|[^0-9.])";
  item = pregmatch(pattern:pattern, string:server_name);
  if (!isnull(item))
  {
    source = server_name;
    version = item[1];
  }
  
}

var res = http_get_cache(port:port, item:"/", exit_on_fail:TRUE);

var source2, line, matches;
if (':WASRemoteRuntimeVersion="' >< res)
{
  source2 = strstr(res, "<SOAP-ENV:Header");
  source2 = source2 - strstr(source2, "</SOAP-ENV:Header>");
  line = ereg_replace(pattern:"\n", replace:"", string:source2);

  matches = pregmatch(pattern:"^.*WASRemoteRuntimeVersion=.([0-9.]+).*$", string:line);
  if (!isnull(matches))
  {
    version = matches[1];
    source = source2;
  }
}

##
# This removes the WASRemoteRuntimeVersion from the SOAP-ENV Header. 
# If the header contains JMXMessageVersion and JMXVersion it is very 
# likely a WAS host
##
else if (':JMXMessageVersion' >< res && ':JMXVersion' >< res) {}
else if (isnull(server_name)) audit(AUDIT_WRONG_WEB_SERVER, port, 'IBM WebSphere Application Server');

# ##
# # If the http check above does not return a granular version, then it is 
# # not reliable, and should send a request to the GIOP service to obtain 
# # the granular version information from the GIOP service.
# ##
var s, data;
if (version !~ "^[0-9]+(\.[0-9]+){2,}")
{
  s = open_sock_tcp(9100);

  # only exit if we have no version info and cannot open socket
  if (!s && isnull(version)) audit(AUDIT_SOCK_FAIL, port);

  send(socket:s, data:wsas_init);
  data = recv(socket:s, length:4096);

  # exit if we cannot recieve data on opened socket, and the version is NULL
  if (isnull(data) && isnull(version)) 
  {
    audit(AUDIT_RESP_NOT, port);
  }
  
  dbg::detailed_log(
    lvl: 3,
    src:'recv()', 
    msg:'GIOP service returned data that should contain version:\n' + hexdump(ddata:data)
  );

  pattern = strcat(
    "IBM WebSphere Application Server[ -]*(Express|Network Deployment|ND)?",
    "[^\x20-\x7E]+", # Non-standard characters
    "([0-9]+\.[0-9.]+)"
  );

  item = pregmatch(pattern:pattern, string:data);
  if (!isnull(item))
  {
    source = 'GIOP service';
    version = item[2];
    # If the product name conatins either Express|Network Deployment|ND
    # set the name found to be used for extra['sw_edition']
    # If name does not contain either Express|Network Deployment|ND
    # Return the basic sw_edition of 'IBM WebSphere Application Server'
    if (!isnull(item[1]))
    {
      extra['sw_edition'] = item[1];
    }
    else
    {
      extra['sw_edition'] = item[0];
    }
  }
}

if (empty_or_null(version))
   audit(AUDIT_UNKNOWN_WEB_SERVER_VER, 'IBM WebSphere Application Server', port);
else if (version !~ "^[0-9]+\.[0-9]+")
   audit(AUDIT_UNKNOWN_WEB_SERVER_VER, 'IBM WebSphere Application Server', port);

set_kb_item(name:'www/WebSphere/' + port + '/installed', value:TRUE);

##
# Some versions of WSAS do not provide anything in the server_name
# field of the http response leaving the source null. Checking to 
# see if the source is empty or null and setting the source solves
# the issue and produces the expected output in the report.
##
if (empty_or_null(source))
  source = 'WebSphere Application Server/'+version;

set_kb_item(name:'www/WebSphere/'+port+'/source', value:source);
set_kb_item(name:'www/WebSphere/'+port+'/version', value:version);

extra['Source'] = source;

register_install(
  app_name:app_name,
  vendor : 'IBM',
  product : 'WebSphere Application Server',
  path:"/",
  port:port,
  version:version,
  cpe:"cpe:/a:ibm:websphere_application_server",
  webapp:TRUE,
  extra:extra
);

report_installs(app_name:app_name, port:port);

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
09 Jun 2025 00:00Current
5.5Medium risk
Vulners AI Score5.5
ibmwebsphereapplication serverjava-basedweb applicationsvulnerabilityiavttenableinc.
158