Check out
http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API
They have a very good Java-based implementation of security code that you
can integrate with your Java-based project to help you sanitize your
user/externally provided data. It is not sufficient to check for
On 22/07/2010, at 9:28 PM, Patrick Middleton wrote:
> Some of our customers are commissioning penetration testing reports, which
> are flagging vulnerabilities in our WebObjects applications. The problem
> reported is with URLs such as
> .../wa/MyDirectAction?wosid=XYZ%22%3E%3Cscript%3Ealert%2
I don't follow: *is* this an actual problem with the default coding style? IMO,
you wouldn't ever say "oh noez! your session $ID is no longer valid! but I'll
use it anyway."
What *should* happen is that WO gives you a new page when the instance doesn't
find the existing session (SessionExpire
Wouldn't a simple check on hasSession do the trick? No session = no action =
pageWithName(OhNoYouDidNot)
-G
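A worked version of the hasSession / pageWithName approach described above, added here as an example and not code from the thread or from WebObjects itself; the class name and the "SessionExpiredPage" and "Main" component names are assumptions:

```java
import com.webobjects.appserver.WOActionResults;
import com.webobjects.appserver.WODirectAction;
import com.webobjects.appserver.WOMessage;
import com.webobjects.appserver.WORequest;
import com.webobjects.appserver.WOSession;

// Hypothetical direct action; "SessionExpiredPage" stands in for the
// thread's pageWithName(OhNoYouDidNot) and "Main" is an assumed page name.
public class MyDirectAction extends WODirectAction {

    public MyDirectAction(WORequest request) {
        super(request);
    }

    public WOActionResults defaultAction() {
        // existingSession() returns null when the wosid in the URL does not
        // match a live session, so a forged or stale wosid is never trusted.
        WOSession session = existingSession();
        if (session == null) {
            // No session = no action: hand back a fresh page rather than
            // re-emitting the submitted wosid in links, forms or error text.
            return pageWithName("SessionExpiredPage");
        }
        // Normal path: work with the validated session object, not the raw
        // wosid string taken from the request.
        return pageWithName("Main");
    }

    // Only if a page really must display the submitted session id (for
    // example in a diagnostic message): HTML-escape it first, so a value
    // such as the "><script>...</script> string from the report renders
    // as inert text instead of markup.
    public String safeDisplayWosid() {
        String wosid = request().sessionID();
        if (wosid == null) {
            return "";
        }
        return WOMessage.stringByEscapingHTMLString(wosid);
    }
}
```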
On Jul 22, 2010, at 9:40 AM, Patrick Middleton wrote:
>
> On 22 Jul 2010, at 12:49, Anjo Krank wrote:
>
>> Why would you "preserve" the session id when it's no longer valid?
>>
>> Ch
On 22 Jul 2010, at 12:49, Anjo Krank wrote:
Why would you "preserve" the session id when it's no longer valid?
Cheers, Anjo
On 22.07.2010 at 13:28, Patrick Middleton wrote:
> in order to sanitize inputs -- mostly by removing anything
> containing the likes of '
> Preserve the session id whe
Hi folks!
Some of our customers are commissioning penetration testing reports,
which are flagging vulnerabilities in our WebObjects applications.
The problem reported is with URLs such as .../wa/MyDirectAction?
wosid=XYZ%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E , direct
actions that