DefCon 18: WAS JSP

Version 1.0.0

View slides online in S5 format.
Mouse over lower right corner for slide controls.
Slides zipped into one file.
EAR for demo application.
When deploying, make sure to enable the "Deploy Web services" option, or WS4JEE will not work.
Exploit for Apache Axis 1
Usage: java -jar exploit-1.0.0.jar ctx-root-url relative-path-to-axis1 command-to-run [command-arguments...]
Tool to display UTF-8 decoding for a JVM.
Usage: java -jar unicode-1.0.0.jar
You will want to run this through a pager (more) or redirect the output to a file.
Sources for demo application, exploit and unicode tool. You will need Maven and a JDK to build it.
WebSphere Application Server (WAS) Web Site
Time-bombed trial available from here
WAS Fixes by version
Where to get updates for WAS