[Esapi-user] help

Jeff Williams jeff.williams at aspectsecurity.com
Mon Aug 20 02:47:54 UTC 2012


From Arshan...

The rule logic is faulty I think - if there's a <restrict-method-allow>,
anything that doesn't match that will be bounced by the WAF. It's a
whitelist. So the request is not a POST or TRACE, so it's being
correctly bounced.

Could she add another restrict-method-allow specifically for the
Login.jsp?

--Jeff

 

From: esapi-user-bounces at lists.owasp.org
[mailto:esapi-user-bounces at lists.owasp.org] On Behalf Of Nithya2 B
Sent: Thursday, August 16, 2012 2:16 AM
To: Kevin W. Wall
Cc: esapi-user at lists.owasp.org
Subject: Re: [Esapi-user] help

 

Hi,

When I type my URL in the browser for
https://localhost:8080/MyApp/Login.jsp, it is calling the WAF filter,
which is identifying this request as GET and throwing it out of the app.
When I type in the user ID and password and click submit, I'm sending a
POST request in that.

Hope you got it now.



Nithya B
Tata Consultancy Services
Mailto: nithya2.b at tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty.        IT Services
                       Business Solutions
                       Outsourcing
____________________________________________ 



From: "Kevin W. Wall" <kevin.w.wall at gmail.com>
To: Nithya2 B <nithya2.b at tcs.com>
Cc: esapi-user at lists.owasp.org
Date: 08/16/2012 11:42 AM
Subject: Re: [Esapi-user] help

________________________________

I'm confused...if you allow POSTs for everything else, you surely want
to allow a POST for Login.jsp. If you use GET for Login.jsp, then
passwords will end up in your server logs. 

-kevin
Sent from my Droid; please excuse typos. 

On Aug 16, 2012 2:00 AM, "Nithya2 B" <nithya2.b at tcs.com> wrote:
Hi,

I'm using ESAPI for some security-related issues in one of my apps.

I just have a query on that.

We wanted to deny all HTTP GET methods and allow only POST methods,
except for Login.jsp.
Please let me know the configuration.

The following configuration is blocking the login screen from appearing,
as it is a GET request.

<url-rules>
  <restrict-extension deny=".jpg" />
  <restrict-method deny="GET" path=".*\/MyApp/.action$" />

  <restrict-method allow="(POST|TRACE)" />

  <enforce-https path="/.*">
    <path-exception>/MyApp/</path-exception>
    <path-exception>/MyApp/Login.jsp</path-exception>
    <path-exception type="regex">/MyApp/images/.*</path-exception>
    <path-exception type="regex">/MyApp/css/.*</path-exception>
    <path-exception type="regex">/MyApp/js/.*</path-exception>
    <path-exception type="regex">/help/.*</path-exception>
  </enforce-https>
</url-rules>

Thanks
Nithya B
Tata Consultancy Services
Mailto: nithya2.b at tcs.com
Website: http://www.tcs.com
____________________________________________
Experience certainty.        IT Services
                       Business Solutions
                       Outsourcing
____________________________________________ 
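As an added illustration (not code from this thread and not ESAPI's own implementation), the following Python model shows why the posted <restrict-method> rules bounce a GET for Login.jsp and how scoping the whitelist with a path lets Login.jsp accept GET while everything else stays POST-only. It simplifies ESAPI WAF semantics under these assumptions: rules are evaluated in document order, a rule can only bounce a request (an allowed request still has to pass every later rule), the path attribute is accepted on allow rules as well as deny rules (the thread only shows it on a deny rule), and allow/deny values are regexes matched against the whole method name. The corrected fragment is constructed here; it also drops TRACE from the whitelist, since a login flow never needs it, and escapes the dot in the .action rule so it matches the extension rather than any single character.

```python
"""Simplified model of ESAPI WAF <restrict-method> whitelist evaluation.

Assumptions (mine, not taken from ESAPI's source): rules run in document
order, a rule can only bounce a request, and allow/deny values are regexes
matched against the full HTTP method name.
"""
import re
import xml.etree.ElementTree as ET

# The rules from the posted configuration (enforce-https omitted; it is not
# a method rule).
POSTED_RULES = r"""<url-rules>
  <restrict-method deny="GET" path=".*\/MyApp/.action$" />
  <restrict-method allow="(POST|TRACE)" />
</url-rules>"""

# Constructed correction: scope the whitelist so Login.jsp is handled by its
# own rule and is excluded (via a negative lookahead) from the blanket rule.
FIXED_RULES = r"""<url-rules>
  <!-- deny GET on .action URLs (dot escaped, any prefix allowed) -->
  <restrict-method deny="GET" path=".*/MyApp/.*\.action$" />
  <!-- Login.jsp may be fetched with GET and submitted with POST -->
  <restrict-method allow="(GET|POST)" path=".*/MyApp/Login\.jsp$" />
  <!-- everything else is POST-only; the lookahead keeps Login.jsp out -->
  <restrict-method allow="POST" path="^(?!.*/MyApp/Login\.jsp$).*" />
</url-rules>"""


class MethodRule:
    """One <restrict-method> element: optional allow/deny/path regexes."""

    def __init__(self, allow, deny, path):
        self.allow = re.compile(allow) if allow else None
        self.deny = re.compile(deny) if deny else None
        self.path = re.compile(path) if path else None

    def applies_to(self, uri):
        # A rule without a path applies to every request.
        return self.path is None or self.path.fullmatch(uri) is not None

    def bounces(self, method, uri):
        if not self.applies_to(uri):
            return False
        if self.deny is not None and self.deny.fullmatch(method):
            return True
        # Whitelist semantics: once an allow list exists, any method not
        # on it is bounced, whether or not a deny list is present.
        return self.allow is not None and self.allow.fullmatch(method) is None


def load_method_rules(xml_text):
    """Parse every <restrict-method> element, in document order."""
    root = ET.fromstring(xml_text)
    return [MethodRule(e.get("allow"), e.get("deny"), e.get("path"))
            for e in root.iter("restrict-method")]


def bouncing_rule(rules, method, uri):
    """Index of the first rule that bounces the request, or None if it passes."""
    for index, rule in enumerate(rules):
        if rule.bounces(method, uri):
            return index
    return None


if __name__ == "__main__":
    requests = [("GET", "/MyApp/Login.jsp"), ("POST", "/MyApp/Login.jsp"),
                ("TRACE", "/MyApp/Login.jsp"), ("GET", "/MyApp/list.action"),
                ("GET", "/MyApp/Home.jsp"), ("POST", "/MyApp/Home.jsp")]
    for label, xml_text in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        rules = load_method_rules(xml_text)
        for method, uri in requests:
            hit = bouncing_rule(rules, method, uri)
            verdict = "pass" if hit is None else f"bounced by rule {hit}"
            print(f"{label:6} {method:5} {uri:22} {verdict}")
```

Under the posted rules the GET for Login.jsp is bounced by the second rule, exactly as Jeff describes: the rule has no path, so it applies everywhere, and GET is not on its allow list. Under the corrected rules the same GET passes, the form POST passes, TRACE is bounced, and GET on any other page (including .action URLs) is still rejected.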
