[OWASP-ESAPI] New Blog Post - Why the InvokerServlet is Evil

Jeff Williams jeff.williams at owasp.org
Thu Dec 10 22:56:20 EST 2009


Nice post.  I first exploited the invoker back in 2001 or so.  I can't
believe it's still in there.  Does anything ever die anymore?

 

--Jeff

 

 

From: owasp-esapi-bounces at lists.owasp.org
[mailto:owasp-esapi-bounces at lists.owasp.org] On Behalf Of Chris Schmidt
Sent: Thursday, December 10, 2009 3:40 PM
To: ESAPI-Developers; owasp-esapi
Subject: [OWASP-ESAPI] New Blog Post - Why the InvokerServlet is Evil

 

I posted a new blog entry today on why the Tomcat InvokerServlet is evil. If
you are interested, check it out and pass it on. I noted at the end of the
post that I am looking into adding a SecureInvokerServlet in ESAPI that
provides the same functionality as the InvokerServlet with all the security
controls that such a servlet should be performing built in.

 

http://yet-another-dev.blogspot.com/2009/12/this-post-is-especially-for-anyone.html



-- 
-- Chris

OWASP ESAPI Developer
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Check out OWASP ESAPI for Java
http://code.google.com/p/owasp-esapi-java/

Coming soon OWASP ESAPI for JavaScript
http://code.google.com/p/owasp-esapi-js/
