Solved

Tomcat access to app without app folder name

Posted on 2014-09-24
3
203 Views
Last Modified: 2014-10-04
Hi,

I wonder if is there a known method to access to tomcat app located into webapps folder without knowing it's adress? ( I mean leak or known method)

I mean if I put:
example.com:8080/XXX

Where XXX will be long 50 characets link.

Is that possible to run tomcat app without knowing it's name? (Only knowing example.com:8080)
If app will work as very long complicated name IMHO it's not possible. (Until someone has time to brute force and guess valid URL with app response)

I know it's security by obscurity and not real security anyway I need to know possible leaks of such solution.
0
Comment
Question by:Ian Simonv
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 27

Expert Comment

by:rrz
ID: 40342932
I know it's security by obscurity
Isn't that how passwords work?
The only leak would be the manager app that comes preinstalled in Tomcat. But, it is password protected.  You could just remove the manager app if you are not using it.
Another vulnerability would be your browser's history. If someone had access to your machine, then they could see your history.
0
 

Author Comment

by:Ian Simonv
ID: 40344226
Ok thanks I needed only to know possible tomcat hidden functions or leaks.
Manager is not needed, history is not a problem looks like my idea with long link is not so bad.
0
 
LVL 27

Accepted Solution

by:
rrz earned 500 total points
ID: 40344420
Tomcat has an API that the manager app uses to do its job.  It has the list method  which renders a list of the currently active Contexts.
http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/manager/ManagerServlet.html       
I don't know if it is possible for someone to misuse it.
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
add projects t working set in maven 2 41
Linux MD5 Hash 7 63
American Express @Work site and Java 4 64
What is the use of Forwarding Class in java 1 34
SSH (Secure Shell) - Tips and Tricks As you all know SSH(Secure Shell) is a network protocol, which we use to access/transfer files securely between two networked devices. SSH was actually designed as a replacement for insecure protocols that sen…
Introduction This article is the first of three articles that explain why and how the Experts Exchange QA Team does test automation for our web site. This article explains our test automation goals. Then rationale is given for the tools we use to a…
Viewers will learn one way to get user input in Java. Introduce the Scanner object: Declare the variable that stores the user input: An example prompting the user for input: Methods you need to invoke in order to properly get  user input:
This tutorial covers a practical example of lazy loading technique and early loading technique in a Singleton Design Pattern.

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question