• Status: Solved

Tomcat access to app without app folder name

Hi,

I wonder if there is a known method to access a Tomcat app located in the webapps folder without knowing its address? (I mean a leak or known method)

I mean if I put:
example.com:8080/XXX

Where XXX will be a long, 50-character link.

Is it possible to run a Tomcat app without knowing its name? (Only knowing example.com:8080)
If the app has a very long, complicated name, IMHO it's not possible. (Unless someone has time to brute force and guess a valid URL that gets an app response)

I know it's security by obscurity and not real security; anyway, I need to know the possible leaks of such a solution.
Asked: Ian Simonv

rrz Commented:
I know it's security by obscurity
Isn't that how passwords work?
The only leak would be the manager app that comes preinstalled in Tomcat. But, it is password protected. You could just remove the manager app if you are not using it.
Another vulnerability would be your browser's history. If someone had access to your machine, then they could see your history.

Ian Simonv (Author) Commented:
OK, thanks. I only needed to know about possible hidden Tomcat functions or leaks.
Manager is not needed, history is not a problem; looks like my idea with a long link is not so bad.

rrz Commented:
Tomcat has an API that the manager app uses to do its job. It has the list method, which renders a list of the currently active Contexts.
http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/manager/ManagerServlet.html
I don't know if it is possible for someone to misuse it.
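
An added example (not part of the thread and not Tomcat's own code): a local audit of a Tomcat base directory for the two points raised above, whether the manager app that can list active contexts is still deployed, and which accounts in tomcat-users.xml hold manager roles. It assumes the standard layout (webapps/, conf/Catalina/localhost/, conf/tomcat-users.xml); the function names and the sample directory are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

def manager_deployments(catalina_base, host="localhost"):
    """Return the paths under which the manager app is deployed (empty if removed)."""
    webapps = os.path.join(catalina_base, "webapps")
    candidates = [
        os.path.join(webapps, "manager"),        # unpacked application directory
        os.path.join(webapps, "manager.war"),    # packed WAR
        os.path.join(catalina_base, "conf", "Catalina", host, "manager.xml"),  # context descriptor
    ]
    return [p for p in candidates if os.path.exists(p)]

def manager_accounts(catalina_base):
    """Return {username: [manager roles]} read from conf/tomcat-users.xml."""
    path = os.path.join(catalina_base, "conf", "tomcat-users.xml")
    if not os.path.isfile(path):
        return {}
    accounts = {}
    for el in ET.parse(path).getroot().iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # tolerate an XML namespace on the root
            continue
        roles = [r.strip() for r in el.get("roles", "").split(",")]
        manager_roles = [r for r in roles if r.startswith("manager")]
        if manager_roles:
            # older files use name= instead of username=
            accounts[el.get("username") or el.get("name")] = manager_roles
    return accounts

def build_sample_base():
    """Constructed sample layout (not from the thread) so the audit runs offline."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "webapps", "manager"))
    os.makedirs(os.path.join(base, "webapps", "constructed-long-random-context-name"))
    os.makedirs(os.path.join(base, "conf"))
    with open(os.path.join(base, "conf", "tomcat-users.xml"), "w") as f:
        f.write('<tomcat-users><user username="ops" password="x" '
                'roles="manager-script,other"/></tomcat-users>')
    return base

if __name__ == "__main__":
    base = build_sample_base()
    print("manager app deployed at:", manager_deployments(base))
    print("accounts with manager roles:", manager_accounts(base))
```

An empty result from both functions means the manager app has been removed and no account can reach it, which is the state the first reply recommends when the manager is not in use.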
