
Server Side Source Code Disclosure on Tomcat Web Server

Netsparker identified that the target Tomcat web server discloses server side source code. An attacker might obtain server side source code of the web application which can contain sensitive data such as database connection strings, usernames and passwords, along with the technical and business logic of the application.

Depending on the nature of the source code disclosed, an attacker can mount one or more of the following types of attacks:

  • Access the database or other data resources. With the privileges of the account obtained, attempt to read, update or delete arbitrary data from the database.
  • Access password-protected administrative mechanisms such as "dashboard", "management console" and "admin panel", potentially progressing to gain full control of the application.
  • Develop further attacks by investigating the source code for input validation errors and logic vulnerabilities.

Actions to Take

  • Confirm exactly which parts of the source code are actually disclosed. Because of the limitations of this type of vulnerability, it may not be possible to confirm this in every instance. Confirm that the disclosure is not intended functionality.
  • Ensure that the server has all the current security patches applied.
  • Set the allowLinking attribute to false in the Tomcat configuration on Windows systems.
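The two technical actions above, confirming what is disclosed and checking the allowLinking setting, can both be scripted. The following is an added example and not Netsparker's own code. It assumes the standard placement of the attribute: on the `<Context>` element in Tomcat 7 and on the nested `<Resources>` element in Tomcat 8 and later. The function names and the sample context.xml fragments and HTTP bodies are constructed for illustration.

```python
"""Audit helpers for a Tomcat server-side source disclosure finding.

Added example (not part of the Netsparker page). Two checks:
  1. audit_context_xml(): parse a Tomcat context.xml fragment and report
     whether allowLinking is enabled. Tomcat 7 carries the attribute on
     <Context>; Tomcat 8+ carries it on <Resources>. Default is false.
  2. looks_like_jsp_source(): decide whether a captured HTTP response body
     is unrendered JSP/servlet source rather than rendered HTML, which is
     what a reviewer needs to confirm the finding from a saved response.
All sample inputs below are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Markers that a correctly rendered JSP page never emits to the client.
JSP_MARKERS = (
    re.compile(r"<%@\s*page\b"),                 # JSP page directive
    re.compile(r"<%[=!]?\s"),                    # scriptlet / expression / declaration
    re.compile(r"<%--.*?--%>", re.S),            # JSP comment (stripped on render)
    re.compile(r"<jsp:[A-Za-z]+"),               # JSP action tags
    re.compile(r"\bimport\s+javax\.servlet\b"),  # raw Java servlet source
)


def audit_context_xml(xml_text):
    """Return a list of finding strings; an empty list means allowLinking is off."""
    root = ET.fromstring(xml_text)
    contexts = [root] if root.tag == "Context" else root.findall(".//Context")
    findings = []
    for ctx in contexts:
        # Tomcat 7 style: attribute directly on <Context>
        if ctx.get("allowLinking", "false").strip().lower() == "true":
            findings.append('Context allowLinking="true" (Tomcat 7 style)')
        # Tomcat 8+ style: attribute on the nested <Resources> element
        for res in ctx.findall("Resources"):
            if res.get("allowLinking", "false").strip().lower() == "true":
                findings.append('Resources allowLinking="true" (Tomcat 8+ style)')
    return findings


def looks_like_jsp_source(body):
    """True when the response body contains JSP/servlet source markers."""
    return any(pattern.search(body) for pattern in JSP_MARKERS)


# Constructed context.xml fragments: weak setting beside the corrected one.
WEAK_CONTEXT_XML = (
    '<Context allowLinking="true">'
    '  <Resources allowLinking="true"/>'
    '</Context>'
)
HARDENED_CONTEXT_XML = (
    '<Context allowLinking="false">'
    '  <Resources allowLinking="false"/>'
    '</Context>'
)

# Constructed HTTP response bodies for the same hypothetical login.jsp:
# one rendered correctly, one returned as raw source.
RENDERED_HTML = "<html><body><h1>Login</h1><form action='login.jsp'></form></body></html>"
LEAKED_SOURCE = (
    '<%@ page import="java.sql.*" %>\n'
    '<% String dbUrl = "jdbc:example://db.example.internal/app";\n'
    '   String dbUser = "PLACEHOLDER_USER"; %>\n'
    '<html><body><h1>Login</h1></body></html>'
)


def main():
    for label, xml_text in (("weak", WEAK_CONTEXT_XML), ("hardened", HARDENED_CONTEXT_XML)):
        print(f"{label} context.xml -> {audit_context_xml(xml_text) or 'allowLinking off'}")
    for label, body in (("rendered", RENDERED_HTML), ("leaked", LEAKED_SOURCE)):
        print(f"{label} response -> source disclosed: {looks_like_jsp_source(body)}")


if __name__ == "__main__":
    main()
```

A body that trips `looks_like_jsp_source` on a live server is what the "confirm what is disclosed" step is looking for; the `audit_context_xml` result tells you whether the allowLinking setting is the likely cause or whether a missing patch should be investigated instead.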

Required Skills for Successful Exploitation

This depends on the information obtained from the source code. Uncovering this form of vulnerability does not require a high level of skill. However, a highly skilled attacker could leverage it to obtain account information for databases or administrative panels, ultimately leading to control of the application or even the host on which the application resides.
