Hi JHHL

> security audit on the Tomcat server we maintain

My condolences. :-) We've gone through several scans over the past couple years too. Yeah, it's a pain. If you can get the report details, it may provide enough info to pinpoint the exact problems. Checkmarx scanning software does, I think. Also, a strategy I found helpful was to reduce the "attack surface". Get rid of anything flagged that you don't use rather than trying to fix the issues.

> First, it found a cross-site scripting vulnerability.

For scans of our systems, the XSS vulnerabilities were poorly protected JSP expression language, uh, expressions. :-) Using standard tag libraries to wrap ${expressions} helped. Also, defining a custom sanitize function used in JSP pages like ${fn:escapeXml(param.xxx)} satisfied requirements in the negotiation process. Something we did not get around to was moving the JSP files to the WebContent\WEB-INF folder so they could not be called directly with injected malicious parameters.

> Second, it found the HTTP DELETE method enabled.

Do you need it? Can you disable it?

> Fourth, it found the HTTP OPTIONS method enabled.

Again, do you need it? Can you disable it?

> the click-jacking vulnerability came up [...] just now set up
> the filter and filter-mapping in conf/web.xml, so that is
> hopefully taken care of in the next restart.

+1 :-)

--
Cris Berneburg
CACI Lead Software Engineer

-----Original Message-----
From: James H. H. Lampert <jam...@touchtonecorp.com>
Sent: Tuesday, March 17, 2020 6:05 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Security audit raises questions (Tomcat 7.0.93)

Ladies and Gentlemen:

One of our customers did a security audit on the Tomcat server we maintain on their system, and it found a few issues:

First, it found a cross-site scripting vulnerability.
Second, it found the HTTP DELETE method enabled.
Third, it found a click-jacking vulnerability.
Fourth, it found the HTTP OPTIONS method enabled.

Back in October, the click-jacking vulnerability came up on another customer box; I've found the thread, and just now set up the filter and filter-mapping in conf/web.xml, so that is hopefully taken care of in the next restart.

But I have no idea what to do about the cross-site scripting vulnerability, or the DELETE and OPTIONS methods, and I'm having trouble understanding the materials I've found.

--
JHHL