[Esapi-user] Servlet spec and session fixation (was "Re: [OWASP-ESAPI] ESAPI Encryptor")
schallee at darkmist.net
Sat Jan 16 15:48:37 EST 2010
> 1) is there a version of the Servlet Spec that ONLY has the parts with
> security implications? (surely not all 230 pages are about features and
> requirements that have security implications)
As far as I know, the answer is no. It's also far worse than 230 pages
by the time you figure in JSP & JSTL. The problem is that there can be
security implications to just about any part of it.
> 2) is there a mapping or list with all these 'vulnerabilities by design'
> (like the one covered below)?
I am not aware of one, but such a list would certainly be useful if
someone knows of one, and it might be worth putting one together.
It's also worth noting that a lot of what I said is theoretical, as I know
of no implementation that has some of the possible issues mentioned, but
I also have not gone out and tested them.
Sorry I don't have better answers for you...