[OWASP-ESAPI] [Esapi-dev] New Blog Post - Why the InvokerServlet is Evil

Jim Manico jim.manico at owasp.org
Thu Dec 10 23:11:43 EST 2009


> Does anything ever die anymore?

Old programmers never die. They just decompile.
Old programmers never die. They just lose their memory.
Old programmers never die. They just byte it.
Old programmers never die. They just get bugged with life.
Old programmers never die. They just go to bits.
Old programmers never die. They just branch to a new address.
Old programmers never die. They just can't C as well.
Old programming wizards never die, they just recurse.
Old C programmers never die. They are just cast into void*
Old Java programmers never die. They are garbage collected.
Old programmers never die. They just terminate and stay resident.
Old programmers never die. They need to write the same exact software
package over and over every few years with the latest technology.

:)

> Nice post.  I first exploited the invoker back in 2001 or so.  I can't
> believe it's still in there.  Does anything ever die anymore?
>
> --Jeff
>
> *From:* owasp-esapi-bounces at lists.owasp.org
> [mailto:owasp-esapi-bounces at lists.owasp.org] *On Behalf Of *Chris Schmidt
> *Sent:* Thursday, December 10, 2009 3:40 PM
> *To:* ESAPI-Developers; owasp-esapi
> *Subject:* [OWASP-ESAPI] New Blog Post - Why the InvokerServlet is Evil
>
> I posted a new blog entry today on why the Tomcat InvokerServlet is
> evil, if you are interested check it out and pass it on. I noted at
> the end of the post that I am looking into adding a
> SecureInvokerServlet in ESAPI that provides the same functionality as
> the InvokerServlet with all the security controls that such a servlet
> should be performing built in.
>
> http://yet-another-dev.blogspot.com/2009/12/this-post-is-especially-for-anyone.html
>
>
>
> -- 
> -- Chris
>
> OWASP ESAPI Developer
> http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
>
> Check out OWASP ESAPI for Java
> http://code.google.com/p/owasp-esapi-java/
>
> Coming soon OWASP ESAPI for JavaScript
> http://code.google.com/p/owasp-esapi-js/
>
>


-- 

- Jim Manico
OWASP ESAPI Project Manager
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

OWASP Podcast Host/Producer
http://www.owasp.org/index.php/OWASP_Podcast
