[OWASP-ESAPI] New Blog Post - Why the InvokerServlet is Evil

Jeff Williams jeff.williams at owasp.org
Thu Dec 10 22:56:20 EST 2009

Nice post.  I first exploited the invoker back in 2001 or so.  I can't
believe it's still in there.  Does anything ever die anymore?





From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Chris Schmidt
Sent: Thursday, December 10, 2009 3:40 PM
To: ESAPI-Developers; owasp-esapi
Subject: [OWASP-ESAPI] New Blog Post - Why the InvokerServlet is Evil


I posted a new blog entry today on why the Tomcat InvokerServlet is evil. If
you are interested, check it out and pass it on. I noted at the end of the
post that I am looking into adding a SecureInvokerServlet in ESAPI that
provides the same functionality as the InvokerServlet with all the security
controls that such a servlet should be performing built in.



-- Chris


Check out OWASP ESAPI for Java

Coming soon OWASP ESAPI for JavaScript
