Test case that checks for a Tomcat misconfiguration. If readonly is set to false on the Tomcat Default Servlet, files can be created and deleted via HTTP PUT and DELETE.
This feature even leads to a Remote Code Execution (RCE) vulnerability in most released Tomcat versions (see CVE-2017-12617 and CVE-2017-12615).
The test sends an HTTP DELETE to the path /A_Not_Existing_File_trr.txt.
Expected Status Code: 403 (Forbidden)
403 (Forbidden) is what Tomcat normally returns. Tomcat behind a web application firewall (WAF) might return another status code, e.g. 405 (Method Not Allowed).
Attention: the test might lead to false positives when the web application is behind a WAF or another frontend server.
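The following is an added example (not part of the original test-case text, and not Tomcat project code) showing the defender-side version of this check: it audits a Tomcat web.xml for the DefaultServlet readonly init-param, sends the DELETE probe described above, and interprets the status code with the 403/405/WAF caveats from the text. The web.xml fragment, the function names and the base URL are constructed for the example.

```python
"""Added example: check the Tomcat DefaultServlet `readonly` setting
both statically (conf/web.xml) and via the HTTP DELETE probe described
in the test case. All sample data below is constructed."""
import urllib.request
import urllib.error
import xml.etree.ElementTree as ET

# Constructed fragment of a Tomcat conf/web.xml carrying the misconfiguration.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

EXPECTED_STATUS = 403          # what Tomcat returns when the servlet is read-only
PROBE_PATH = '/A_Not_Existing_File_trr.txt'


def _local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit('}', 1)[-1]


def default_servlet_readonly(web_xml_text):
    """Return True/False for the DefaultServlet `readonly` init-param, or
    None when it is not set explicitly (Tomcat then uses its default, true)."""
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != 'servlet':
            continue
        cls = ''.join((c.text or '') for c in servlet if _local(c.tag) == 'servlet-class')
        if 'DefaultServlet' not in cls:
            continue
        for param in servlet:
            if _local(param.tag) != 'init-param':
                continue
            name = value = ''
            for child in param:
                if _local(child.tag) == 'param-name':
                    name = (child.text or '').strip()
                elif _local(child.tag) == 'param-value':
                    value = (child.text or '').strip()
            if name == 'readonly':
                return value.lower() == 'true'
    return None


def classify_delete_status(status):
    """Interpret the status of an HTTP DELETE on a path that does not exist."""
    if status == EXPECTED_STATUS:
        return 'ok: DefaultServlet refused DELETE (read-only behaviour)'
    if status == 405:
        # A WAF or frontend server often answers 405 itself; Tomcat's own
        # answer is masked, so the result proves nothing either way.
        return 'inconclusive: 405 usually comes from a WAF or frontend, not Tomcat'
    return ('suspicious: status %d instead of 403; check that readonly is not '
            'set to false on the DefaultServlet' % status)


def probe_delete(base_url, path=PROBE_PATH, opener=None):
    """Send the DELETE probe and return the HTTP status code (needs network)."""
    req = urllib.request.Request(base_url.rstrip('/') + path, method='DELETE')
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == '__main__':
    # Static audit of the constructed web.xml (flags the misconfiguration).
    print('readonly in web.xml:', default_servlet_readonly(SAMPLE_WEB_XML))
    # Network probe against an assumed local Tomcat instance.
    print(classify_delete_status(probe_delete('http://localhost:8080')))
```

The static audit is the more reliable of the two checks: it reads the same setting the probe tries to infer, and it is not affected by a WAF or frontend server in front of Tomcat.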
See also: