
Tomcat Servlet Examples threats

By default, the Tomcat application server ships with an "/examples" directory containing many example servlets and JSPs.

We strongly recommend disabling public access to this directory, for the following security reasons:

Bypassing HttpOnly Cookies protection

CSRF cookies manipulation

Session manipulation

The HttpOnly flag is meant to protect a user's cookies from client-side attacks such as XSS. There are two example servlets in Tomcat that return all cookies in a plain-text HTTP response:

/examples/servlets/servlet/RequestHeaderExample

/examples/servlets/servlet/CookieExample

The second servlet also allows CSRF-based cookie manipulation: cookies can be set or redefined through both GET and POST requests.

Session manipulation is more interesting. Look at the /examples/servlets/servlet/SessionExample servlet.

It is the simplest way to gain admin privileges in target web applications hosted on the same Tomcat instance as the SessionExample servlet.

The session is global, and this servlet lets you perform any manipulation of your session!
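As an added example (my own code, not part of the original post), here is how to act on the recommendation above on a Unix host, as a POSIX shell script: either delete the examples webapp outright, or keep it but restrict it to loopback clients, plus an audit function that tells you which state a server is in. It assumes a standard Tomcat layout in which CATALINA_BASE contains webapps/examples and conf/Catalina/localhost (the default Host named "localhost"); the function names and the /opt/tomcat path in the usage comment are assumptions, while RemoteAddrValve and its allow attribute are Tomcat's own.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for a Unix host
# running Tomcat, operating on a CATALINA_BASE directory with the standard
# layout (webapps/examples and conf/Catalina/localhost for the default
# Host "localhost"). Function names are this example's own.

# Print an XML file with <!-- ... --> comments removed (multi-line aware).
# Needed because some Tomcat versions ship the examples webapp's own
# META-INF/context.xml with a RemoteAddrValve that is commented out, and a
# naive grep would mistake that for an active restriction.
strip_xml_comments() {
    awk '
    {
        line = $0; out = ""
        while (length(line) > 0) {
            if (incomment) {
                i = index(line, "-->")
                if (i == 0) { line = ""; break }
                line = substr(line, i + 3); incomment = 0
            } else {
                i = index(line, "<!--")
                if (i == 0) { out = out line; line = ""; break }
                out = out substr(line, 1, i - 1)
                line = substr(line, i + 4); incomment = 1
            }
        }
        print out
    }' "$1"
}

# True (exit 0) if the given context file has an uncommented RemoteAddrValve.
has_active_valve() {
    [ -f "$1" ] && strip_xml_comments "$1" | grep -q 'RemoteAddrValve'
}

# Option 1, preferred in production: delete the examples webapp outright,
# including any per-context descriptor Tomcat could redeploy it from.
remove_examples_webapp() {
    base="$1"
    [ -d "$base/webapps" ] || { echo "not a CATALINA_BASE: $base" >&2; return 2; }
    rm -rf "$base/webapps/examples" "$base/webapps/examples.war"
    rm -f "$base/conf/Catalina/localhost/examples.xml"
    [ ! -e "$base/webapps/examples" ] && [ ! -e "$base/webapps/examples.war" ]
}

# Option 2, for development boxes that want the examples: keep the webapp
# but let only loopback clients reach it. A context file under
# conf/Catalina/localhost/ takes precedence over the webapp's own
# META-INF/context.xml, so this works without editing the webapp.
restrict_examples_to_localhost() {
    base="$1"
    ctx_dir="$base/conf/Catalina/localhost"
    mkdir -p "$ctx_dir"
    cat > "$ctx_dir/examples.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Context>
  <!-- Only IPv4 and IPv6 loopback addresses may reach /examples -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1" />
</Context>
EOF
    has_active_valve "$ctx_dir/examples.xml"
}

# Audit: exit 0 if the examples webapp is absent or address-restricted,
# exit 1 if it is deployed and reachable by any client.
check_examples_webapp() {
    base="$1"
    if [ ! -e "$base/webapps/examples" ] && [ ! -e "$base/webapps/examples.war" ]; then
        echo "examples webapp absent: OK"
        return 0
    fi
    # Tomcat uses the conf/ descriptor if present, else the webapp's own.
    ctx="$base/conf/Catalina/localhost/examples.xml"
    [ -f "$ctx" ] || ctx="$base/webapps/examples/META-INF/context.xml"
    if has_active_valve "$ctx"; then
        echo "examples webapp present but address-restricted: OK"
        return 0
    fi
    echo "examples webapp present and unrestricted: EXPOSED"
    return 1
}

# Typical use on a server (assumed install path):
#   check_examples_webapp /opt/tomcat || remove_examples_webapp /opt/tomcat
```

RemoteAddrValve filters on the peer address as Tomcat sees it, so behind a reverse proxy every client looks like the proxy and the valve either blocks everyone or needs RemoteIpValve configured to trust the proxy's forwarded-for header. Removal is the reliable fix on anything Internet-facing; the restriction is for developers who actually use the examples.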
