Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Tomcat access to app without app folder name

Posted on 2014-09-24
3
Medium Priority
?
234 Views
Last Modified: 2014-10-04
Hi,

I wonder if is there a known method to access to tomcat app located into webapps folder without knowing it's adress? ( I mean leak or known method)

I mean if I put:
example.com:8080/XXX

Where XXX will be long 50 characets link.

Is that possible to run tomcat app without knowing it's name? (Only knowing example.com:8080)
If app will work as very long complicated name IMHO it's not possible. (Until someone has time to brute force and guess valid URL with app response)

I know it's security by obscurity and not real security anyway I need to know possible leaks of such solution.
0
Comment
Question by:Ian Simonv
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 28

Expert Comment

by:rrz
ID: 40342932
I know it's security by obscurity
Isn't that how passwords work?
The only leak would be the manager app that comes preinstalled in Tomcat. But, it is password protected.  You could just remove the manager app if you are not using it.
Another vulnerability would be your browser's history. If someone had access to your machine, then they could see your history.
0
 

Author Comment

by:Ian Simonv
ID: 40344226
Ok thanks I needed only to know possible tomcat hidden functions or leaks.
Manager is not needed, history is not a problem looks like my idea with long link is not so bad.
0
 
LVL 28

Accepted Solution

by:
rrz earned 1500 total points
ID: 40344420
Tomcat has an API that the manager app uses to do its job.  It has the list method  which renders a list of the currently active Contexts.
http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/manager/ManagerServlet.html       
I don't know if it is possible for someone to misuse it.
0

Featured Post

Survive A High-Traffic Event with Percona

Your application or website rely on your database to deliver information about products and services to your customers. You can’t afford to have your database lose performance, lose availability or become unresponsive – even for just a few minutes.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I. Introduction There's an interesting discussion going on now in an Experts Exchange Group — Attachments with no extension (http://www.experts-exchange.com/discussions/210281/Attachments-with-no-extension.html). This reminded me of questions tha…
Introduction This article is the first of three articles that explain why and how the Experts Exchange QA Team does test automation for our web site. This article explains our test automation goals. Then rationale is given for the tools we use to a…
This theoretical tutorial explains exceptions, reasons for exceptions, different categories of exception and exception hierarchy.
Connecting to an Amazon Linux EC2 Instance from Windows Using PuTTY.
Suggested Courses

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question