The Apache Tomcat software is an open source web server that is designed to run Java-based web applications. Some of the features of the current version of Tomcat include the following:

- Support for Java Servlet 3.1
- JSP 2.3
- Java Unified Expression Language (EL) 3.0
- Java WebSocket 1.0
Tomcat is developed and maintained by a number of developers under the auspices of the Apache Software Foundation, is released under the Apache License 2.0, and is an open source application. Tomcat can be used either as a standalone product with its own internal web server or in conjunction with other web servers, including Apache HTTP Server and Microsoft Internet Information Services (IIS).

Given that Apache Tomcat is used by many organizations, the security of this platform deserves careful attention. At the time of writing this book, Shodan had identified more than 93,000 Tomcat instances (both standalone and those integrated within JBoss instances) around the world, as shown in the following screenshot:

Vulnerabilities in the Apache Tomcat server can allow threat actors to exploit the application running on the server, and they can even go beyond generic application exploitation and end up gaining access to an organization's internal network.