[Esapi-user] help

Nithya2 B nithya2.b at tcs.com
Thu Aug 16 06:16:05 UTC 2012


Hi,

When I type the URL https://localhost:8080/MyApp/Login.jsp in the browser, it calls the WAF filter, which identifies this request as GET and throws it out of the app.
When I type in the user ID and password and click submit, I'm sending a POST request.

Hope you got it now.



Nithya B
Tata Consultancy Services
Mailto: nithya2.b at tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty.   IT Services
                        Business Solutions
                        Outsourcing
____________________________________________



From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
To: Nithya2 B <nithya2.b at tcs.com>
Cc: esapi-user at lists.owasp.org
Date: 08/16/2012 11:42 AM
Subject: Re: [Esapi-user] help



I'm confused...if you allow POSTs for everything else, you surely want to 
allow a POST for Login.jsp. If you use GET for Login.jsp, then passwords 
will end up in your server logs.
-kevin
Sent from my Droid; please excuse typos.
On Aug 16, 2012 2:00 AM, "Nithya2 B" <nithya2.b at tcs.com> wrote:
Hi,

I'm using ESAPI for some security-related issues in one of my apps.

I just have a query on that.

We wanted to deny all HTTP GET methods and allow only POST methods, except for Login.jsp.
Please let me know the configuration.

The following configuration is blocking the login screen from appearing, as it is a GET request:

<url-rules>
  <restrict-extension deny=".jpg" />
  <restrict-method deny="GET" path=".*\/MyApp/.action$" />

  <restrict-method allow="(POST|TRACE)" />

  <enforce-https path="/.*">
    <path-exception>/MyApp/</path-exception>
    <path-exception>/MyApp/Login.jsp</path-exception>
    <path-exception type="regex">/MyApp/images/.*</path-exception>
    <path-exception type="regex">/MyApp/css/.*</path-exception>
    <path-exception type="regex">/MyApp/js/.*</path-exception>
    <path-exception type="regex">/help/.*</path-exception>
  </enforce-https>
</url-rules>

Thanks
Nithya B
Tata Consultancy Services
Mailto: nithya2.b at tcs.com
Website: http://www.tcs.com
=====-----=====-----=====
Notice: The information contained in this e-mail
message and/or attachments to it may contain 
confidential or privileged information. If you are 
not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the 
information contained in this e-mail message 
and/or attachments to it are strictly prohibited. If 
you have received this communication in error, 
please notify us by reply e-mail or telephone and 
immediately and permanently delete the message 
and any attachments. Thank you

_______________________________________________
Esapi-user mailing list
Esapi-user at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/esapi-user
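The configuration the thread is asking for, as an added example (it is not from the original messages or from the ESAPI project's own sample policy). It keeps the rules Nithya posted and assumes three things about the ESAPI WAF url-rules stage that the posted fragment itself suggests: every rule in the block is evaluated against each request, a restrict-method rule with no path attribute applies to every request, and path is a Java regular expression matched against the full request URI (so a negative lookahead can carve out the Login.jsp exception). Two further changes are the editor's, not the thread's: TRACE is dropped from the allow list because a form login never needs it and it echoes request headers back to the client, and the enforce-https exception for /MyApp/Login.jsp is removed so the credential POST cannot travel over plaintext. The global allow list must include GET, otherwise it would still reject the login page before the path-specific rule is even considered.

```xml
<url-rules>
  <restrict-extension deny=".jpg" />

  <!-- Added example, not ESAPI's own sample. Deny GET for everything under
       /MyApp except Login.jsp. Assumes `path` is a java.util.regex pattern
       matched against the full request URI (context path included); the
       negative lookahead `(?!...)` excludes the login page from the deny. -->
  <restrict-method deny="GET" path="^(?!/MyApp/Login\.jsp$)/MyApp/.*$" />

  <!-- Browsers fetch stylesheets, scripts and images with GET, so if the
       login page links to them the exception has to cover those paths too
       (the paths are the ones from the original enforce-https exceptions):
       path="^(?!/MyApp/(Login\.jsp|images/.*|css/.*|js/.*)$)/MyApp/.*$" -->

  <!-- No `path` attribute: applies to every request. GET is listed here and
       restricted above; POST is the only other method the app needs. TRACE
       from the original (POST|TRACE) is dropped. -->
  <restrict-method allow="(GET|POST)" />

  <!-- Force HTTPS everywhere except the listed paths. The original exception
       for /MyApp/Login.jsp is removed: the page that receives the password
       POST should not be reachable over plain HTTP. -->
  <enforce-https path="/.*">
    <path-exception>/MyApp/</path-exception>
    <path-exception type="regex">/MyApp/images/.*</path-exception>
    <path-exception type="regex">/MyApp/css/.*</path-exception>
    <path-exception type="regex">/MyApp/js/.*</path-exception>
    <path-exception type="regex">/help/.*</path-exception>
  </enforce-https>
</url-rules>
```

To check the result: GET /MyApp/Login.jsp should render, POST /MyApp/Login.jsp should be accepted, GET on any other /MyApp/ URI and any PUT, DELETE or TRACE should be rejected by the filter. If the login page is still rejected, the filter is most likely matching `path` against something other than the full request URI (for example the servlet path without the /MyApp context name); drop the /MyApp prefix from the pattern in that case rather than widening the allow list.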

