Solved

Tomcat access to app without app folder name

Posted on 2014-09-24
Last Modified: 2014-10-04
Hi,

I wonder if there is a known method to access a Tomcat app located in the webapps folder without knowing its address? (I mean a leak or known method)

I mean if I put:
example.com:8080/XXX

Where XXX will be a 50-character-long link.

Is it possible to run a Tomcat app without knowing its name? (Only knowing example.com:8080)
If the app works under a very long, complicated name, IMHO it's not possible. (Until someone has time to brute force and guess a valid URL with an app response)

I know it's security by obscurity and not real security; anyway, I need to know the possible leaks of such a solution.
Question by:Ian Simonv

Expert Comment

by:rrz
"I know it's security by obscurity"
Isn't that how passwords work?
The only leak would be the manager app that comes preinstalled in Tomcat. But, it is password protected.  You could just remove the manager app if you are not using it.
Another vulnerability would be your browser's history. If someone had access to your machine, then they could see your history.

Author Comment

by:Ian Simonv
OK, thanks. I only needed to know about possible Tomcat hidden functions or leaks.
Manager is not needed, history is not a problem; looks like my idea with a long link is not so bad.

Accepted Solution

by:
rrz earned 500 total points
Tomcat has an API that the manager app uses to do its job. It has the list method, which renders a list of the currently active Contexts.
http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/manager/ManagerServlet.html
I don't know if it is possible for someone to misuse it.
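
A defender-side check for the leak discussed in this thread, as an added example that is not part of any post and not Tomcat's own code: it inspects a Tomcat base directory for a deployed manager app and for accounts in conf/tomcat-users.xml whose roles can see the context list. The directory layout, app name and account names are constructed, and the role names assume Tomcat 7 or later.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Tomcat 7+ roles whose holders can see the context list through the manager
# app (HTML page and text interface respectively).
LISTING_ROLES = {"manager-gui", "manager-script"}

def manager_deployments(base: Path) -> list:
    """Return paths (relative to the Tomcat base dir) that deploy the manager app."""
    webapps = base / "webapps"
    found = [p for p in (webapps / "manager", webapps / "manager.war") if p.exists()]
    # Context descriptors such as conf/Catalina/localhost/manager.xml
    found += sorted((base / "conf").glob("*/*/manager.xml"))
    return [p.relative_to(base).as_posix() for p in found]

def listing_accounts(base: Path) -> list:
    """Return usernames in conf/tomcat-users.xml that hold a listing role."""
    users_file = base / "conf" / "tomcat-users.xml"
    if not users_file.is_file():
        return []
    names = []
    for el in ET.parse(users_file).getroot().iter():
        # Tomcat 8+ adds an XML namespace, so compare the local tag name only.
        if el.tag.rsplit("}", 1)[-1] != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",")}
        if roles & LISTING_ROLES:
            names.append(el.get("username", "?"))
    return names

def build_sample(base: Path) -> None:
    """Constructed layout: a long-named app next to a still-deployed manager."""
    for d in ("webapps/manager", "webapps/q7Jx-constructed-long-name", "conf"):
        (base / d).mkdir(parents=True)
    (base / "conf" / "tomcat-users.xml").write_text(
        "<tomcat-users>"
        '<user username="ops" password="x" roles="manager-script"/>'
        '<user username="viewer" password="x" roles="app-user"/>'
        "</tomcat-users>")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(Path(tmp))
        print("manager deployed at:", manager_deployments(Path(tmp)))
        print("accounts able to list contexts:", listing_accounts(Path(tmp)))
```

An empty result from `manager_deployments` means the manager app is not deployed from the locations checked, which matches the "just remove the manager app" advice above.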