Tomcat Default Installation File

/docs/index.html
/html/

Tomcat Web Application Manager

The endpoint may expose server information and more. Additionally, msfvenom can be used to create an RCE-infused .WAR file and upload it to the webserver.

/manager/html

(Image: Tomcat Web Application Manager sample)

Tomcat Examples Directory

Apache Tomcat's default installation contains the /examples directory, which has many example servlets and JSP files. Some of these examples are a security risk and should not be deployed on a production server. The sessions example servlet allows session manipulation. Because the session is global, this servlet poses a big security risk, as an attacker can potentially become an administrator by manipulating the session.

Session Manipulation:

Researchers keep mentioning that the session can be manipulated at this endpoint. I have not succeeded with anything alike and only managed to create POST and GET test requests that reflect in the response.

/examples/servlets/servlet/SessionExample

Request Information

Usually exposes an internal IP address within the reflected X-Forwarded-For header.

/examples/servlets/servlet/RequestHeaderExample

(Image: RequestHeaderExample sample)

This will create a cookie for the client user. Do note that the created cookie also lacks the HttpOnly and Secure flags.

/examples/servlets/servlet/CookieExample

(Image: CookieExample1 sample)

Note the server header exclaims NginX. This tells me that either the application spoofs the header value or had Apache Tomcat at some point before switching over to NginX. In the end, the files could be a remnant from switching to a different server and/or have not been removed/restricted.

(Image: CookieExample2 sample)
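To check a deployment for the leftovers described above (the default paths still answering 200, the Server header, and example-servlet cookies set without HttpOnly/Secure), here is an added audit script; it is not part of the original post or of Tomcat. The `fetch` callable and the sample responses are constructed assumptions so it runs offline; a real `fetch` can wrap urllib or requests and return the same `(status, headers)` shape.

```python
"""Audit a Tomcat host for leftover default endpoints and weak example cookies."""
from typing import Callable, Dict, List, Tuple

# Default Tomcat paths listed on the page; /examples/... are the sample servlets.
DEFAULT_PATHS = [
    "/docs/index.html",
    "/manager/html",
    "/examples/servlets/servlet/SessionExample",
    "/examples/servlets/servlet/RequestHeaderExample",
    "/examples/servlets/servlet/CookieExample",
]

# fetch(path) -> (status_code, headers); headers has lower-cased keys and a list
# of values per header (Set-Cookie may repeat). Injected so tests run offline.
Fetch = Callable[[str], Tuple[int, Dict[str, List[str]]]]


def missing_cookie_flags(set_cookie: str) -> List[str]:
    """Return which of HttpOnly/Secure are absent from one Set-Cookie value."""
    attrs = {p.strip().split("=", 1)[0].lower() for p in set_cookie.split(";")[1:]}
    return [flag for flag in ("HttpOnly", "Secure") if flag.lower() not in attrs]


def audit(fetch: Fetch, paths: List[str] = DEFAULT_PATHS) -> Dict[str, dict]:
    """For each path that answers 200, record the Server header and any cookie
    the endpoint sets without HttpOnly/Secure. Non-200 (401/403/404) is skipped."""
    report: Dict[str, dict] = {}
    for path in paths:
        status, headers = fetch(path)
        if status != 200:
            continue
        finding = {"server": headers.get("server", [""])[0], "weak_cookies": []}
        for cookie in headers.get("set-cookie", []):
            gaps = missing_cookie_flags(cookie)
            if gaps:
                finding["weak_cookies"].append((cookie.split("=", 1)[0], gaps))
        report[path] = finding
    return report


# Constructed sample responses standing in for a real host (assumption, not captured data).
SAMPLE_RESPONSES = {
    "/docs/index.html": (200, {"server": ["nginx"]}),
    "/manager/html": (401, {"server": ["nginx"]}),
    "/examples/servlets/servlet/CookieExample": (
        200, {"server": ["nginx"], "set-cookie": ["test=value; Path=/examples"]}),
}


def sample_fetch(path: str) -> Tuple[int, Dict[str, List[str]]]:
    return SAMPLE_RESPONSES.get(path, (404, {}))


if __name__ == "__main__":
    print(audit(sample_fetch))
```

Any path present in the report is a candidate for removal or access restriction; a 401 on /manager/html only means the manager app is still deployed behind authentication.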