Hi JHHL
> security audit on the Tomcat server we maintain
My condolences. :-) We've gone through several scans over the past couple
years too. Yeah, it's a pain.
If you can get the report details, it may provide enough info to pinpoint the
exact problems. Checkmarx scanning software does, I think.
Also, a strategy I found helpful was to reduce the "attack surface". Get rid
of anything flagged that you don't use rather than trying to fix the issues.
> First, it found a cross-site scripting vulnerability.
For scans of our systems, the XSS vulnerabilities were poorly protected JSP
expression language, uh, expressions. :-) Using standard tag libraries to
wrap ${expressions} helped. Also, defining a custom sanitize function used in
JSP pages like ${fn:escapeXml(param.xxx)} satisfied requirements in the
negotiation process.
Something we did not get around to was moving the JSP files to the
WebContent\WEB-INF folder so they could not be called directly with injected
malicious parameters.
> Second, it found the HTTP DELETE method enabled.
Do you need it? Can you disable it?
> Fourth, it found the HTTP OPTIONS method enabled.
Again, do you need it? Can you disable it?
> the click-jacking vulnerability came up [...] just now set up
> the filter and filter-mapping in conf/web.xml, so that is
> hopefully taken care of in the next restart.
+1 :-)
--
Cris Berneburg
CACI Lead Software Engineer
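As an added illustration of the JSP escaping advice above (this is an example page written for this reply, not code from either poster), here is a small JSP document in XML syntax. The same ${fn:escapeXml(...)} expression and <c:out> tag work unchanged in a classic .jsp page once it declares the JSTL taglibs (<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %> and the matching "c" prefix). The file name greet.jspx and the parameter name "name" are assumptions. Note that Tomcat does not bundle JSTL, so the jstl jar has to be present in WEB-INF/lib for either form to compile.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- greet.jspx: example page, not from the thread. Shows the flagged pattern
     (raw EL output) next to the escaped forms that satisfy an XSS finding. -->
<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page"
          xmlns:c="http://java.sun.com/jsp/jstl/core"
          xmlns:fn="http://java.sun.com/jsp/jstl/functions"
          version="2.0">
  <jsp:directive.page contentType="text/html; charset=UTF-8"/>
  <html>
    <body>
      <!-- Flagged pattern (kept in a comment so this file is not itself
           vulnerable): a bare ${param.name} copies the request parameter
           into the HTML verbatim, so any markup in it reaches the browser.

           <p>Hello, ${param.name}</p>
      -->

      <!-- Fixed: fn:escapeXml turns < > & ' " into entities before output. -->
      <p>Hello, ${fn:escapeXml(param.name)}</p>

      <!-- Equivalent: c:out escapes XML characters by default (escapeXml="true"). -->
      <p>Hello, <c:out value="${param.name}"/></p>

      <!-- Attribute context: escape here too, and keep the attribute quoted
           so a stray quote in the input cannot close it early. -->
      <form method="get">
        <input type="text" name="name" value="${fn:escapeXml(param.name)}"/>
        <input type="submit" value="Greet"/>
      </form>
    </body>
  </html>
</jsp:root>
```

Escaping at the output point is what the scanner is looking for; it does not replace input validation, but it is the change that makes the reflected parameter inert in an HTML body or quoted attribute. Cris's other suggestion, moving the .jsp files under WEB-INF and reaching them only through a servlet forward, removes the direct URL the scanner was hitting in the first place.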
-----Original Message-----
From: James H. H. Lampert <[email protected]>
Sent: Tuesday, March 17, 2020 6:05 PM
To: Tomcat Users List <[email protected]>
Subject: Security audit raises questions (Tomcat 7.0.93)
Ladies and Gentlemen:
One of our customers did a security audit on the Tomcat server we maintain on
their system, and it found a few issues:
First, it found a cross-site scripting vulnerability.
Second, it found the HTTP DELETE method enabled.
Third, it found a click-jacking vulnerability.
Fourth, it found the HTTP OPTIONS method enabled.
Back in October, the click-jacking vulnerability came up on another customer
box; I've found the thread, and just now set up the filter and filter-mapping
in conf/web.xml, so that is hopefully taken care of in the next restart.
But I have no idea what to do about the cross-site scripting vulnerability, or
the DELETE and OPTIONS methods, and I'm having trouble understanding the
materials I've found.
--
JHHL
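For the DELETE, OPTIONS and click-jacking findings discussed in this thread, here is an example web.xml fragment (written for this reply, not taken from either message or from the Tomcat distribution) that puts both fixes in one place. It can go in the application's WEB-INF/web.xml or, as JHHL did, in conf/web.xml, which Tomcat merges into every deployed application. The filter class and its init-param names are Tomcat's own HttpHeaderSecurityFilter, which ships with 7.0.93; the filter-name "httpHeaderSecurity" and the resource name "blocked-methods" are arbitrary choices.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example fragment, not from the thread. Merge the <filter>, <filter-mapping>
     and <security-constraint> elements into an existing web.xml. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Click-jacking: Tomcat's bundled filter adds an X-Frame-Options header
       to every response it wraps. -->
  <filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>antiClickJackingEnabled</param-name>
      <param-value>true</param-value>
    </init-param>
    <init-param>
      <!-- DENY if nothing legitimately frames the app; SAMEORIGIN if its
           own pages do. -->
      <param-name>antiClickJackingOption</param-name>
      <param-value>DENY</param-value>
    </init-param>
    <init-param>
      <!-- Leave HSTS off unless the site is served over HTTPS only. -->
      <param-name>hstsEnabled</param-name>
      <param-value>false</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

  <!-- Unused HTTP methods: an empty <auth-constraint/> means no role may use
       the listed methods, so the container answers 403 for them on every
       URL, before any servlet or JSP runs. Only the methods listed here are
       affected; GET, POST and HEAD are untouched. Add further unused methods
       (PUT, TRACE) the same way if the scanner flags them. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>blocked-methods</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>DELETE</http-method>
      <http-method>OPTIONS</http-method>
    </web-resource-collection>
    <auth-constraint/>
  </security-constraint>
</web-app>
```

Two checks before restarting: confirm nothing in the application relies on OPTIONS (browser CORS preflights use it, so cross-origin JavaScript clients would break), and after the restart verify with a plain HTTP client that a DELETE or OPTIONS request to any path now returns 403 and that normal GET responses carry the X-Frame-Options header.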