[OWASP-ESAPI] In FileBasedAuthenticator, main == back door?

Jeff Williams jeff.williams at owasp.org
Wed Aug 26 08:51:09 EDT 2009


Seriously?

In order for an attacker to misuse this method, they must be able to invoke
it.  That's no different than any other method available in ESAPI or the
JDK, such as Runtime.exec().  Do you consider those backdoors?

Also, you have to be able to create accounts with roles to set up the system
the first time.  And even if you removed this method, if the attacker can
invoke arbitrary API methods, then they could just invoke each of the
necessary methods one-by-one.

We've discussed moving some of the 'administrative' API calls into a
separate JAR file in the past, but have never been able to come up with a
scheme for splitting the baby.  One application may need to programmatically
add users, another might need to programmatically lock users, etc.?

--Jeff

From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Boberski, Michael [USA]
Sent: Wednesday, August 26, 2009 8:36 AM
To: owasp-esapi
Subject: [OWASP-ESAPI] In FileBasedAuthenticator, main == back door?

Hi, a question about the main method in the Authenticator reference
implementation.

Why wouldn't that be considered a back door, i.e., malicious code?

Thanks in advance!

Mike B.
