jeff.williams at owasp.org
Fri Dec 4 11:45:41 EST 2009
Making it configurable makes sense. Now that you've got me thinking about
it, we should probably also address the access-control bypass problem with
forwards as well. From the Java tutorial.
"Security constraints work only on the original request URI and not on calls
made throug a RequestDispatcher (which include <jsp:include> and
<jsp:forward>). Inside the application, it is assumed that the application
itself has complete access to all resources and would not forward a user
request unless it had decided that the requesting user also had access."
I've found open forwards in a number of apps over the years that allow
bypassing access control rules - including those in an external device like
a SiteMinder. Would be nice to find a way to fix this problem elegantly.
From: Chris Schmidt [mailto:chrisisbeef at gmail.com]
Sent: Thursday, December 03, 2009 10:49 AM
To: Jeff Williams
Subject: Re: [OWASP-ESAPI] SecurityRequestWrapper
I can see a lot of situations where this makes sense, but what to do if you
need to do a server side forward to someplace that is publicly accessable? I
know in our codebase at work, we very frequently need to do this, and a 301
is not acceptable for SEO reasons? It seems like at minimum, this behavior
should be configurable. Perhaps a configuration option for the
SecurityWrapper so that multiple filters could be setup which have different
On Thu, Dec 3, 2009 at 4:07 AM, Jeff Williams <jeff.williams at owasp.org>
This is intended to make sure that developers put resources inside web-inf
where they can't be force browsed to.
On Dec 3, 2009, at 1:46 AM, Chris Schmidt <chrisisbeef at gmail.com> wrote:
Is there a good reason that the getRequestDispatcher method in this
wrapper requires the path to begin with WEB-INF?
In my experience, this seems completely counter intuitive and actually
the opposite of what I would envision the overriden method to do.
I think this should instead be checking for traversal issues and
making sure the requested path does NOT start with WEB-INF but maybe I
am missing something?
Sent from my iPwn
OWASP-ESAPI mailing list
OWASP-ESAPI at lists.owasp.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the OWASP-ESAPI