Pentest Tomcat
https://github.com/kh4sh3i/Apache-Tomcat-Pentesting
Default credentials
The most interesting path in Tomcat is /manager/html: from there you can upload and deploy WAR files (that is, execute code). The path is protected by HTTP basic authentication, and the most common credentials are:
Bruteforce
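As an added example (not code from the kh4sh3i/Apache-Tomcat-Pentesting repository), the following flags brute-force attempts against /manager/html from Tomcat access-log lines. It assumes the default AccessLogValve pattern (Common Log Format); the sample log lines and the threshold of five 401s per minute are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common Log Format as written by Tomcat's AccessLogValve default pattern (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_manager_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total_401s} for clients that produced at least `threshold`
    401 responses on /manager/* within any sliding window of `window` length."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401 and rec["path"].startswith("/manager/"):
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

# Constructed sample log lines (not real traffic): six failed logins from one
# client in ten seconds, one successful manager login, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:00:%02d +0000] "GET /manager/html HTTP/1.1" 401 2473' % s
    for s in range(0, 12, 2)
] + [
    '10.0.0.9 - admin [12/Mar/2024:10:00:30 +0000] "GET /manager/html HTTP/1.1" 200 17432',
    '10.0.0.7 - - [12/Mar/2024:10:01:00 +0000] "GET /docs/ HTTP/1.1" 200 9712',
]

if __name__ == "__main__":
    print(find_manager_bruteforce(SAMPLE_LOG))  # {'10.0.0.5': 6}
```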
Vulnerabilities
Example Scripts Information Leakage
The following example scripts ship with Apache Tomcat v4.x to v7.x and can be used by attackers to gain information about the system. These scripts are also known to be vulnerable to cross-site scripting (XSS).
Path Traversal (..;/)
Apache Tomcat Snoop Servlet Remote Information Disclosure
Apache Tomcat - Cross-Site Scripting
Apache Tomcat Remote Command Execution
Tomcat scanning tools
References