geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Bohn <>
Subject Re: geronimo 1.0 - CSS vulnerabilities - response from Tomcat team
Date Wed, 18 Jan 2006 20:01:33 GMT

I agree that the application should code defensively for these types of 
attacks. However, I'm still wondering if this type of attack isn't 
something that the containers could assist with as well.

IIUC the attack is basically accomplished by appending some script to a 
valid URL.  If this URL is processed without challenge and returned in 
the response then attack is successful.

So my question (perhaps dumb question) is - "Is this a typical pattern 
used by an application?"  I can see where script is added to the URL on 
a response but it isn't obvious to me how script might be used on a 
request URL.  Could a container provide some additional protection 
(without breaking apps) by striping any script from incoming requests?


Paul McMahan wrote:
> Jeff, I believe it is the responsibility of the application to secure 
> itself against XSS attacks, and not the web container's. As you know, 
> the web container really has no way to differentiate between legitimate 
> and "tainted" content in the output stream.  The container could do 
> paranoid things such as replacing suspicous characters when it logs 
> request URIs.  But, as you say, that type of approach could be seen as 
> too heavy handed.
> Best wishes,
> Paul
> On 1/18/06, *Jeff Genender* < 
> <>> wrote:
>     Where I am going at with this a vulnerability caused by coding
>     the apps, or the containers themselves?
>     i.e., Will I have this problem with a perl app running on httpd? or
>     ASP/C# on IIS?  Is this type of vulnerability a facet of responsibility
>     that lies on the container, or the developer?
>     I am just trying to assess this as a true vulnerability from a web
>     container perspective.  I am assuming, that yes, the container could
>     change the < and > to lt&; and gt&;.  But, I am wondering where we
>     the line and wonder if that is too heavy handed.
>     If the other web servers provide protection from this, then I guess its
>     safe to assume we should follow the pack. OTOH, I surely would not want
>     to take away too much responsibility of the developer to ensure they
>     are
>     properly securing their own apps, while maintaining a bit of flexibility
>     for them.
>     Jeff
>     Kevan Miller wrote:
>      >
>      > On Jan 18, 2006, at 11:24 AM, Jeff Genender wrote:
>      >
>      >> So assuming this appears to be somewhat "examples" related, is this
>      >> truly a container problem, or just the jsp examples implementation?
>      >
>      > IANASE, but it seems that any vulnerabilities must be fixed in
>     the apps
>      > themselves -- certainly seems like the only course of action for G
>      > 1.0.1. I'm currently aware of problems with samples and the admin
>     console.
>      >
>      > Apps must insure they return appropriate content to clients. I
>     don't see
>      > how a container could provide general XSS protection... I'm sure
>     there
>      > are people who know much more than I on the topic...
>      >
>      > --kevan

Joe Bohn
joe.bohn at

"He is no fool who gives what he cannot keep, to gain what he cannot 
lose."   -- Jim Elliot

View raw message