[OWASP-ESAPI] New Blog Post - Why the InvokerServlet is Evil
jeff.williams at owasp.org
Thu Dec 10 22:56:20 EST 2009
Nice post. I first exploited the invoker back in 2001 or so. I can't
believe it's still in there. Does anything ever die anymore?

From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Chris Schmidt
Sent: Thursday, December 10, 2009 3:40 PM
To: ESAPI-Developers; owasp-esapi
Subject: [OWASP-ESAPI] New Blog Post - Why the InvokerServlet is Evil

I posted a new blog entry today on why the Tomcat InvokerServlet is evil. If
you are interested, check it out and pass it on. I noted at the end of the
post that I am looking into adding a SecureInvokerServlet in ESAPI that
provides the same functionality as the InvokerServlet with all the security
controls that such a servlet should be performing built in.
OWASP ESAPI Developer
Check out OWASP ESAPI for Java