Several (tm) months back I did my talk on "From LOW to PWNED" at hashdays and BSides Atlanta.
The slides were published here and the video from hashdays is here, no video for BSides ATL.
I consistently violate presentation zen and I try to make my slides usable after the talk but I decided to do a few blog posts covering the topics I put in the talk anyway.
Post  JBoss/Tomcat server-status
There have been some posts/exploits/modules on hitting up unprotected jboss and tomcat servers.
Sometimes even though the deployer functionality is password protected the sever-status may not be.
This can be useful to find:
- Lists of applications
- Recent URL's accessed
- sometimes with sessionids
- Find hidden services/apps
- Enabled servlets
- owned stuff :-)