Questions tagged [tomcat]

48 questions
16 votes, 5 answers

How To Protect Tomcat 7 Against Slowloris Attack

I'm using Apache Tomcat 7 to run my webapp on Linux. I scanned it by Acunetix and it's telling me that my webapp is vulnerable to "Slow HTTP Denial of Service Attack". How can I protect it? Acunetix is referring me to here, but it's about securing…

Amin Sh
14 votes, 4 answers

Using the openssl command, how can I tell if it's using TLS 1.0?

Due to a security scan, I was told to not use TLS1.0. I found a link that gave me commands to use to check if a specific protocol is used/enabled. The command I ran (with output is) (Output from TLS1.0 disabled) $ openssl s_client -connect…

Classified
9 votes, 3 answers

Does the recommended course of action for preventing Logjam on Tomcat servers really eliminate all risks of weak DH keys?

Can anyone verify this fix secures against the Logjam vulnerability for Apache Tomcat? I'm sceptical about its effectiveness, since it doesn't mention how to implement the user-defined 2048-bit DH parameter file in Tomcat, but its cipher list does…

Casper
5 votes, 1 answer

Does TrustManager PKIX (or RFC 3280/X.509) really check the expiration date of a client's certificate?

It was noticed that the default Java implementation of TrustManagerFactory for the PKIX trust manager algorithm (X509ExtendedTrustManager) doesn't really check the expiration date of a client's certificate during SSL authentication. This could be easily…

Andremoniy
3 votes, 0 answers

Path normalization issue with semicolon in Tomcat

I have observed a path normalization issue in Tomcat when I was passing "..;" in the URL. I tested this out with Nginx and Apache-tomcat-10.0.0-M4. I was able to access file directories which are not allowed in Nginx. Please find the below…

surethiv
3 votes, 1 answer

Is Tomcat vulnerable to "Ghostcat" (CVE-2020-1938) via mod_proxy_ajp?

Is it possible to exploit the "Ghostcat" vulnerability (CNVD-2020-10487/CVE-2020-1938) indirectly over mod_proxy_ajp? I was able to successfully test the proof-of-concept exploit (https://www.exploit-db.com/exploits/48143) when targeting my…

ansichart
3 votes, 1 answer

Should I regenerate SSL certificates after upgrading OpenSSL?

As you may already know, old OpenSSL versions (OpenSSL 1.0.1 through 1.0.1f inclusive) were vulnerable to the Heartbleed vulnerability. Currently our server is running Tomcat7 which is built in a vulnerable OpenSSL, so we upgraded into Tomcat8 but…

Sadmi
3 votes, 2 answers

Security Benefits of Reverse Proxying Java / Tomcat WebApps Locally

Conventional wisdom seems to dictate that Java applications should always be reverse proxied. It's what I have always done and so has everywhere I have worked. I have read multiple times that reverse proxying is recommended without much…

ZZ9
3 votes, 1 answer

Does the CA have to be the same for mutual authentication?

I'm trying to establish mutual authentication between my Tomcat server and my customer's firewall. The server certificate we have is from Digicert (Root CA) and RapidSSL (intermediate). The certificate chain in the ServerHello block is from…
3 votes, 1 answer

Creating a TLS certificate using keytool with SHA-256

I want to create a TLS certificate for my personal tomcat8 webserver on a Debian ARM server. I've done this before, using the following command: /usr/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/keystore/keystore_tomcat I have the…

SPRBRN
2 votes, 1 answer

Is Tomcat protecting against CSRF correctly?

If I read this correctly, the way Tomcat protects against CSRF leaves it vulnerable to the situation where the CSRF token is duplicated in the cookie and request parameters, which allows the attacker to simply invent a token (as detailed here under…

Johnny
2 votes, 1 answer

Tomcat AJP vulnerability CVE-2020-1938 aka Ghostcat

I have a question about Tomcat vulnerability CVE-2020-1938 aka Ghostcat. The security researcher who discovered the vulnerability created a write-up here: https://www.chaitin.cn/en/ghostcat and a PoC here:…

Matt
2 votes, 1 answer

JBoss Web vulnerabilities

In my organization I found servers running JBoss Web/7.0.13.Final and JBoss Web/7.0.12.Final. I could not find security vulnerabilities for these server versions, but they seem old to me. How can I find JBoss Web security vulnerabilities (CVEs,…

Gari BN
2 votes, 1 answer

Why is CVE-2017-12617 considered a vulnerability?

CVE-2017-12617 is a remote code execution vulnerability via JSP upload. It requires the HTTP PUT method to be enabled on a vulnerable Tomcat instance. Why is this considered a vulnerability and CVE-worthy? Doesn't enabling HTTP PUT on web servers…

Onderbetaald
2 votes, 1 answer

Sanitize 3rd party XSS post in Java API

We have some RESTful API services that we have been using for several years. Recently we have started considering surfacing these to 3rd party clients so they can write their own UIs and we can work on building up this service layer. Unfortunately…

MTP Daily