Apache Tomcat Version Detection via 406 Not Acceptable #164

Closed
adamcaudill opened this issue Apr 22, 2019 · 0 comments
@adamcaudill adamcaudill commented Apr 22, 2019

It's possible to get a 406 response from Tomcat that will expose the default error page, even when other errors have custom pages. This could provide another route to getting the version, when it's not otherwise available.

Request:

POST /login HTTP/1.1
User-Agent: [REDACTED]
Accept: ../../../../../../../../../../../../../e*c/h*s*s{{
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: [REDACTED]
content-type: application/json
Content-Length: [REDACTED]
Connection: close

{
  "[REDACTED]": "[REDACTED]"
} 

Response:

HTTP/1.1 406 406
Date: [REDACTED]
Server: [REDACTED]
Content-Language: en
Content-Length: 1171
Content-Type: text/html;charset=ISO-8859-1

<!doctype html><html lang="en"><head><title>HTTP Status 406 ? Not Acceptable</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 406 ? Not Acceptable</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The target resource does not have a current representation that would be acceptable to the user agent, according to the proactive negotiation header fields received in the request, and the server is unwilling to supply a default representation.</p><hr class="line" /><h3>Apache Tomcat/9.0.12</h3></body></html> 

This will need to be tested against a live server to determine if there's a useful/consistent way to trigger this.

@adamcaudill adamcaudill added this to the v0.9 milestone Apr 22, 2019
@adamcaudill adamcaudill modified the milestones: v0.9, Future Aug 15, 2019
@adamcaudill adamcaudill self-assigned this Dec 26, 2019
@adamcaudill adamcaudill modified the milestones: Future, v0.11 Dec 26, 2019
@adamcaudill adamcaudill changed the title Trigger HTTP 406 in Tomcat to get version Apache Tomcat Version Detection via 406 Not Acceptable Dec 26, 2019
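
An added example, not part of the issue or of the project's code: one way to recognise the default Tomcat error report, and the version in its footer, in a captured response from a server you operate. The names `parse_response` and `Finding` and both sample responses are assumptions constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Footer written by the default error report: <h3>Apache Tomcat/9.0.12</h3>
_FOOTER = re.compile(r"<h3>\s*Apache Tomcat/([0-9][\w.\-]*)\s*</h3>", re.I)
# Title written by the default error report: "HTTP Status 406 ? Not Acceptable"
_TITLE = re.compile(r"<title>\s*HTTP Status (\d{3})\b", re.I)

class Finding(NamedTuple):
    status: int
    version: str
    header_leak: bool  # True if the Server header carries the same version

def parse_response(raw: str) -> Optional[Finding]:
    """Return a Finding if raw is a default Tomcat error page exposing a version."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None  # not an HTTP response
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    title, footer = _TITLE.search(body), _FOOTER.search(body)
    # Require both markers and a title that agrees with the status line, so an
    # application page that merely mentions Tomcat is not flagged.
    if status < 400 or not title or not footer or int(title.group(1)) != status:
        return None
    version = footer.group(1)
    return Finding(status, version, version in headers.get("server", ""))

# Constructed sample, abridged from the response shown in the issue.
SAMPLE_DEFAULT = (
    "HTTP/1.1 406 406\r\n"
    "Server: [REDACTED]\r\n"
    "Content-Type: text/html;charset=ISO-8859-1\r\n"
    "\r\n"
    '<!doctype html><html lang="en"><head><title>HTTP Status 406 ? Not Acceptable'
    "</title></head><body><h1>HTTP Status 406 ? Not Acceptable</h1>"
    '<hr class="line" /><h3>Apache Tomcat/9.0.12</h3></body></html>'
)
# Constructed sample: a custom error page with no version in it.
SAMPLE_CUSTOM = ("HTTP/1.1 404 Not Found\r\nServer: [REDACTED]\r\n\r\n"
                 "<html><title>Page not found</title></html>")
```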