[Esapi-user] Servlet spec and session fixation (was "Re: [OWASP-ESAPI] ESAPI Encryptor")

Ed Schaller schallee at darkmist.net
Sat Jan 16 15:48:37 EST 2010


> 1) is there a version of the Servlet Spec that ONLY has the parts with
> security implications? (surely not all 230 pages are about features and
> requirements that have security implications)

As far as I know, the answer is no. It's also far worse than 230 pages
by the time you figure in JSP & JSTL. The problem is that there can be
security implications to just about any part of it.

> 2) is there a mapping or list with all these 'vulnerabilities by design'
> (like the one covered below)?

I am not aware of one, but such a list would certainly be useful if
someone knows of one, and it might be worth putting one together.

It's also worth noting that a lot of what I said is theoretical, as I know
of no implementation that has some of the possible issues mentioned, but
I also have not gone out and tested them.

Sorry I don't have better answers for you...

>>>------>