TL;DR

  • Check common Tomcat entry points: :8080, /manager/html, /host-manager/html.
  • Identify version from error pages, headers, or default pages.
  • Test default creds and auth bypasses only when explicitly allowed.
  • Validate risky methods and features: PUT, upload, CGI, directory listing.
  • Prioritize targets with admin UIs or visible version info.

Quick Checklist

1) Entry points

  • http://target:8080/
  • http://target:8080/manager/html
  • http://target:8080/host-manager/html
  • Request a path that does not exist (e.g. /does-not-exist) so the 404 error page can leak the version.

2) Versioning and fingerprinting

  • Error pages often show Apache Tomcat/X.Y.Z.
  • Check response headers: Server, X-Powered-By.
  • Compare against known CVEs for that version.

3) Access control

  • Is the Manager UI accessible without auth?
  • If basic auth is used, check for weak/default creds (only if allowed).
  • Look for reverse proxy misconfig that bypasses auth.

4) High-risk features

  • File upload / WAR deploy:
    • Manager UI deploy form or the /manager/text endpoints.
  • HTTP methods:
    • PUT, DELETE, OPTIONS on public paths.
  • CGI enabled on Windows (CVE-2019-0232).

5) Common misconfigurations

  • Directory listing enabled.
  • Source or config leaks under /WEB-INF/ or backup files.
  • Exposed /examples/ or /docs/ with sensitive data.

Attack Surface Notes

Manager and Host Manager

  • Primary target for RCE when upload is enabled.
  • If you can deploy a WAR, RCE is often immediate.
  • Check for mis-scoped roles: manager-gui, manager-script, manager-jmx.

Known CVE targets (examples)

  • CVE-2020-1938 (Ghostcat, AJP)
  • CVE-2017-12615 (PUT RCE)
  • CVE-2019-0232 (Windows CGI RCE)
  • Always validate the target version before testing.

Practical Testing Steps

Access check

  • Visit /manager/html and /host-manager/html.
  • Observe auth type and error behavior.
  • If blocked, test via different paths or headers only if in scope.

Version check

  • Compare version leak to CVE list.
  • If version hidden, try indirect signals (default pages, error format).

Method probing (safe)

curl -I http://target:8080/
curl -i -X OPTIONS http://target:8080/    # -i shows the Allow header listing permitted methods

WAR deploy (only with explicit permission)

curl -u tomcat:tomcat -T shell.war "http://target:8080/manager/text/deploy?path=/shell&update=true"

Tools

  • httpx for quick path checks
  • nuclei with Tomcat templates
  • gowitness for visual triage
  • ffuf or hydra only if brute force is allowed

Triage Tips

  • Prioritize targets with visible Manager UI or version info.
  • Publicly exposed Tomcat is often noisy; focus on unique versions or admin UIs.
  • Reverse proxies can cause false 403s; verify with alternate paths.

Tracking Template

URL | Port | Version | Manager UI | Default creds | Upload possible | Notes
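The version check and the tracking template above can be automated for triage. The following is an added example (not part of the original cheat sheet): it parses a 404 page and a /manager/html response and fills the Version and Manager UI columns. The Response class and the sample responses are constructed stand-ins, not captures from a real host.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Version string as it appears on Tomcat error and default pages
VERSION_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+)")

@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""

def extract_version(resp: Response) -> Optional[str]:
    """Look for the version in the body first (404/error pages), then in Server."""
    for text in (resp.body, resp.headers.get("Server", "")):
        m = VERSION_RE.search(text)
        if m:
            return m.group(1)
    return None

def classify_manager(resp: Response) -> str:
    """Map a /manager/html response onto the 'Manager UI' tracking column."""
    if resp.status == 200 and "Web Application Manager" in resp.body:
        return "exposed without auth"
    if resp.status == 401:
        scheme = (resp.headers.get("WWW-Authenticate") or "unknown").split()[0]
        return f"auth required ({scheme})"
    if resp.status == 403:
        return "403 (verify: reverse proxy or IP allow-list?)"
    if resp.status == 404:
        return "not deployed"
    return f"status {resp.status}"

def triage_row(url: str, not_found: Response, manager: Response) -> Dict[str, str]:
    """One row of the tracking template, filled from the two probe responses."""
    version = extract_version(not_found)
    return {
        "URL": url,
        "Version": version or "unknown",
        "Manager UI": classify_manager(manager),
        "Notes": "version from 404 body" if version else "no version leak; use indirect signals",
    }

# Constructed sample responses (not captured from any real host)
SAMPLE_404 = Response(404, {"Server": "Apache-Coyote/1.1"},
    "<html><head><title>Apache Tomcat/9.0.10 - Error report</title></head></html>")
SAMPLE_MANAGER = Response(401, {"WWW-Authenticate": 'Basic realm="Tomcat Manager Application"'})
```

Feed it the raw status, headers and body from the curl probes above; a 403 on the Manager path is flagged for re-verification rather than recorded as closed, matching the reverse-proxy note in Triage Tips.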

Notes

  • Keep evidence (headers, screenshots) for reports.
  • Verify scope before any intrusive tests.