<aside> ℹ️
A classic path traversal attack (also known as directory traversal) allows an attacker to access files that are stored outside the web root folder.
</aside>
Path traversal issues in Java web applications are less well understood because the attacker usually cannot reach the filesystem root. When the application resolves a path through the servlet container (for example via ServletContext.getResource or getResourceAsStream) rather than through java.io.File, the path is resolved relative to the deployed application, so ../ sequences cannot climb above the context root. There are exceptions (code that builds a java.io.File from user input reaches the real filesystem), but in most cases I've encountered, the attacker can only read files under the application context root.
The obvious place to start is the deployment descriptor, /WEB-INF/web.xml. In many cases, however, web.xml doesn't contain anything sensitive: its servlet and filter mappings reveal the application's structure (class names and URL patterns) but rarely credentials, so it is mainly useful as a map for further reads.
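To make the context-root confinement concrete, here is an added example (not code from this post or its tool) of a hypothetical download servlet written against the javax.servlet API (Servlet 4 / Tomcat 9; Tomcat 10+ uses the jakarta.servlet package instead). The vulnerable method shows why ?file=../../../../etc/passwd returns nothing while ?file=../WEB-INF/web.xml is served; the hardened method validates every path segment against an allowlist before the container resolves the path. The /static/ directory, the /download mapping and the parameter name are assumptions for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.regex.Pattern;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Hypothetical servlet (added example) serving files from the /static/
 * directory of the deployed application:  GET /download?file=css/site.css
 */
@WebServlet("/download")
public class DownloadServlet extends HttpServlet {

    // One path segment: must start with a letter or digit, so "", ".", ".."
    // and anything containing '/', '\\' or '%' fails. The container has already
    // URL-decoded the parameter, so "%2e%2e" arrives as ".." and is rejected too.
    private static final Pattern SAFE_SEGMENT =
            Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,254}");

    /** VULNERABLE: the untrusted name is concatenated into a context-relative path. */
    static InputStream openVulnerable(ServletContext ctx, String name) {
        // getResourceAsStream resolves against the web application root, not the
        // OS root: "../../../../etc/passwd" cannot escape and yields null, but
        // "../WEB-INF/web.xml" or "../WEB-INF/classes/..." stays inside the
        // application and is returned.
        return ctx.getResourceAsStream("/static/" + name);
    }

    /** HARDENED: rebuild the path from allowlisted segments, or return null. */
    static String safeContextPath(String name) {
        StringBuilder sb = new StringBuilder("/static");
        for (String seg : name.split("/", -1)) {
            if (!SAFE_SEGMENT.matcher(seg).matches()) {
                return null; // traversal, empty segment, backslash, encoded chars
            }
            sb.append('/').append(seg);
        }
        return sb.toString(); // always "/static/<segment>[/<segment>...]"
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String name = req.getParameter("file");
        String path = (name == null) ? null : safeContextPath(name);
        if (path == null) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        try (InputStream in = getServletContext().getResourceAsStream(path)) {
            if (in == null) {
                resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            String mime = getServletContext().getMimeType(path);
            if (mime != null) {
                resp.setContentType(mime);
            }
            in.transferTo(resp.getOutputStream()); // InputStream.transferTo needs Java 9+
        }
    }
}
```

With openVulnerable, safeContextPath("../WEB-INF/web.xml") is the kind of input that reads the descriptor; with the hardened path it returns null and the request is rejected with 400, while "css/site.css" becomes "/static/css/site.css". Note that the allowlist is what does the work: a denylist on "WEB-INF" alone would miss case and encoding variants and would still allow reads of other files under the context root.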
The accompanying tool ships with a wordlist of well-known Java web application files, compiled by searching github.com for Java web applications.