> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/authentication-bypass/http-headers/trick-0237.md).

# Bypass Tomcat Manager Auth Header

***

When valid credentials fail to authenticate, the application might require a specific HTTP header that is missing from the request. Using an intercepting proxy (like Burp Suite) to analyze the traffic can reveal this requirement.

For example, accessing Tomcat Manager (`/manager/html`) might fail without the `Authorization: Basic` header, even with correct username/password. Manually add the header to the request before forwarding:

```
Authorization: Basic dG9tY2F0OnMzY3JldA==
```

The value `dG9tY2F0OnMzY3JldA==` is the Base64 encoding of `tomcat:s3cret`.

Command-line tools and programming libraries often handle the Base64 encoding and header formatting automatically when provided with a username and password for basic authentication. For instance, a simple bash script using `curl` can perform this:

```bash
#!/bin/bash

# Basic authentication script for Tomcat Manager
# Usage: ./tomcat_login.sh <target_url> <username> <password>

TARGET_URL="$1"
USERNAME="$2"
PASSWORD="$3"

# Base64 encode credentials (curl -u handles this automatically)
# CREDENTIALS=$(echo -n "${USERNAME}:${PASSWORD}" | base64)

# Send request with Authorization header
curl -v -u "${USERNAME}:${PASSWORD}" "${TARGET_URL}/manager/html"
```

This script takes the target URL, username, and password as arguments, and `curl -u` handles the necessary encoding and header construction.

Similarly, using a library like Python's `requests` simplifies the process programmatically:

```python
import requests

r = requests.get('http://localhost:8080/manager/text/', auth=('tomcat', 's3cret'))
print(r.text)
```

Using the `auth` parameter with a tuple `(username, password)` tells `requests` to use HTTP Basic Authentication, automatically adding the correct `Authorization: Basic` header with the Base64 encoded credentials.
