Latest Metasploit Vulnerability Testing Framework Release Includes New Tomcat Exploits
May 19, 2010 - Metasploit 3.4.0, the latest version of the popular vulnerability testing framework, was released today, and includes some new tricks to throw at your Tomcat servers. Testing with these modules will help you eliminate common security holes you may have overlooked when configuring your Tomcats.
In response to the increasing number of users relying on Tomcat as their application server of choice, Rapid7, who develop the software, have added several modules which specifically target Tomcat and other Java application servers, and expanded others with Tomcat-specific tasks to speed up the testing process.
While Metasploit has been able to run dictionary attacks against unsecured Tomcat Manager applications since the beginning of the year, the new modules added in version 3.4.0 include tasks that attempt to gain sessions, run bruteforce and dictionary attacks, and generate JSP and WAR payloads that can be deployed to successfully breached Tomcat servers.
Users can safeguard their servers against the kinds of techniques that Metasploit uses by following security best practices when configuring their Tomcat servers, and writing secure application code. For more information, visit our guide to Tomcat Security.
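The dictionary attacks against the Tomcat Manager and the WAR deployments described above both leave a visible trail in Tomcat's access log. The following added example (not code from the article, Metasploit, or Rapid7) parses constructed AccessLogValve lines and flags a source address that accumulates repeated 401/403 responses under /manager within a short window, plus any successful hit on the Manager deploy endpoints; the IP addresses, timestamps and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Tomcat AccessLogValve "common" prefix: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+')
DEPLOY_PATHS = ("/manager/html/upload", "/manager/deploy", "/manager/text/deploy")

# Constructed sample log: one address (hypothetical 203.0.113.5) hammering the
# Manager login, a legitimate admin, then a WAR upload from the same address.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/May/2010:10:00:01 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.5 - - [19/May/2010:10:00:02 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '198.51.100.7 - admin [19/May/2010:10:00:03 +0000] "GET /manager/html HTTP/1.1" 200 18244',
    '203.0.113.5 - - [19/May/2010:10:00:04 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.5 - - [19/May/2010:10:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.5 - - [19/May/2010:10:00:07 +0000] "GET /manager/html HTTP/1.1" 401 2473',
    '203.0.113.5 - tomcat [19/May/2010:10:00:15 +0000] "POST /manager/html/upload HTTP/1.1" 200 18902',
]

def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"], "status": int(m["status"]),
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}

def detect_manager_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Map source IP -> total Manager auth failures, for addresses that produced at
    least `threshold` 401/403 responses under /manager within any `window`."""
    failures = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["path"].startswith("/manager") and rec["status"] in (401, 403):
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):  # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged

def detect_manager_deploys(lines):
    """List (ip, method, path) for successful hits on the Manager deploy endpoints,
    i.e. the step at which a WAR payload would land on the server."""
    return [(r["ip"], r["method"], r["path"]) for r in filter(None, map(parse_line, lines))
            if r["path"].split("?", 1)[0] in DEPLOY_PATHS and 200 <= r["status"] < 300]
```

On a real server, point both functions at the lines of `logs/localhost_access_log.*.txt` and review any deploy hit that follows a flagged address from the same source.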