the request.getParameter() is used that it is possible, even if
unintended, that user controlled data could enter into play.
Thanks!
Michael
On 9/16/10 11:33 AM, Christopher Schultz wrote:
Michael,
On 9/15/2010 6:33 PM, Michael Coates wrote:
On 9/15/10 2:46 PM, Christopher Schultz wrote:
I
.
Thanks!
Michael Coates
OWASP
On 9/15/10 12:52 PM, Mikolaj Rydzewski wrote:
Michael Coates wrote:
It seems to me that the method used to request parameters from an
included jsp file should not fail over to the URL if the jsp:include
does not provide the parameter.
IMO that's incorrect
Chris,
Thanks for your detailed response. It is very helpful. I've got some
responses inline below.
On 9/15/10 2:46 PM, Christopher Schultz wrote:
Michael,
On 9/15/2010 3:05 PM, Michael Coates wrote:
http://michael-coates.blogspot.com/2010/09/danger-of-jsp-includes-and-parameter.html