Re: WebObjects and HTML injection
- Subject: Re: WebObjects and HTML injection
- From: Dov Rosenberg <email@hidden>
- Date: Thu, 22 Jul 2010 13:30:13 -0700
- Acceptlanguage: en-US
- Thread-topic: WebObjects and HTML injection
Check out
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
They have a very good Java-based implementation of security code that you
can integrate with your Java-based project to help you sanitize your
user/externally provided data. It is not sufficient to check for <script>
tags in your incoming data. There are a lot of other things that can cause
cross site scripting, SQL injection, cross request forging, etc. issues. The
best approach is to provide a white list validation of every incoming
parameter and check to see if the param matches the expected range of values.
Anything else is considered dangerous. The ESAPI framework has a very good
white list param implementation. There are also methods for sanitizing XML,
DB calls, request headers, JavaScript, LDAP calls, etc.
The OWASP Top Ten list http://www.owasp.org/index.php/Top_Ten is a
recognized list of top vulnerabilities that various penetration testing
tools generate compliance reports against.
Good Luck
Dov Rosenberg
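As an added illustration of the whitelist-then-encode approach described above (example code, not from this thread or from ESAPI; the parameter names and the assumed wosid format are constructed), a minimal Java check that rejects any parameter not matching its expected shape and encodes the value before it is written into an HTML attribute:

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

/** Per-parameter whitelist validation, plus output encoding as a second layer. */
public final class ParamWhitelist {
    // Expected shape of every accepted parameter; unlisted or non-matching values are rejected.
    // The wosid pattern is an assumption for this example, not the real WebObjects format.
    private static final Map<String, Pattern> ALLOWED = new LinkedHashMap<>();
    static {
        ALLOWED.put("wosid", Pattern.compile("^[A-Za-z0-9]{1,40}$"));
        ALLOWED.put("page", Pattern.compile("^[0-9]{1,4}$"));
    }

    /** Returns the value unchanged if it matches its whitelist, otherwise throws. */
    public static String validate(String name, String value) {
        Pattern p = ALLOWED.get(name);
        if (p == null || value == null || !p.matcher(value).matches()) {
            throw new IllegalArgumentException("rejected parameter: " + name);
        }
        return value;
    }

    /** Numeric-entity encodes everything except ASCII letters and digits for use in an attribute. */
    public static String encodeForHtmlAttribute(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (c < 128 && Character.isLetterOrDigit(c)) {
                sb.append(c);
            } else {
                sb.append("&#").append((int) c).append(';');
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        String good = "ABC123";
        String bad = "XYZ\">";  // constructed sample mirroring the URL shape in the report
        System.out.println(validate("wosid", good));
        try {
            validate("wosid", bad);
        } catch (IllegalArgumentException e) {
            System.out.println(e.getMessage());
        }
        // Even if a value slipped past validation, encoding keeps it inside the attribute.
        System.out.println("<a href=\"/wa/MyDirectAction?wosid="
                + encodeForHtmlAttribute(bad) + "\">");
    }
}
```

The two layers are independent: validation rejects the request outright, while encoding ensures a quote or angle bracket can never close the attribute if it is ever echoed back.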
On 7/22/10 4:04 PM, "Lachlan Deck" <email@hidden> wrote:
> On 22/07/2010, at 9:28 PM, Patrick Middleton wrote:
>
>> Some of our customers are commissioning penetration testing reports, which
>> are flagging vulnerabilities in our WebObjects applications. The problem
>> reported is with URLs such as
>> .../wa/MyDirectAction?wosid=XYZ">