tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: how to prevent user access to JSP pages?
Date Tue, 21 Aug 2018 16:39:58 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Cris,

On 8/20/18 2:10 PM, Berneburg, Cris J. - US wrote:
> cs> So, while there isn't anything particularly "dangerous" about
> direct- cs> access to JSPs, there are a number of "best practices"
> that suggest cs> that hiding them is a good idea.
> 
> If some authenticated user can directly access a JSP page and
> manipulate the parameters, they can keep reloading the page while
> varying conjured arguments to find and exploit potential
> weaknesses.  Am I mistaken, but does vulnerability scanning
> software seem to feed on that sort of thing?

Most vulnerability scanners just try to detect your server's version
and look-up any publicly-reported vulnerabilities in e.g. NVD. They
are really stupid tools for the most part.

If you hired a real pen tester, they would probably run one of those
scanners first just to get some intel and then dive-into attacking
your application e.g. with request-parameter munging.

> Maybe it's just an illusion, but I feel like there is more security
> control if a user must access a servlet first.

It's an illusion from a purely technical perspective, but there are
*many* reasons why it's easier (and, therefore, better!) to handle
many of those sanity-checks, etc. in a non-JSP-based controller servlet.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlt8QF0ACgkQHPApP6U8
pFhFzRAAx1CVIGHgEk4+BT/RcWiWsRitdoYXrbsby2wULdwdUB421U/mirq5Rhq0
HZhkFYrAzV5nFKf5UWblLqtrrIHg3AfIsDCrj/3a2OLrFVWGNuLIasItmWQrrLKK
g3nEvyOUpxm5fuxqr/80q5FlI/tmxXnkK6lIIgOe+QM2HzCI1awuC9Epx85R/X3y
0eUt+mqlpkRQlIYRdUNDFWaZsX1WYv9hZqr29jGMte/mTLkt/P591YFgjwWICSDa
tgGBIhF53rRfUYdwmnj9UnUz1CAo1FqEkV9CD64IXQQ020dWOsQvEjNsGTBwK2xt
N9zSPX4V0ETABum+PgU3FyKGPRLrK+x523YDruvduPFZF7Kndk+Bw5hu/gm3jUA7
f628NqV/RhyhW5ObisftGr9jNU1pdOuui4zhmTmRSuWWmcq35Tfc4x4JNn14kIPt
YpH0rkSqbVS7bVqJjfjp1BAvBgdrVC18w+9CbKsm0oMTcRnT/r9HG33oQ060Rzel
JUEFCGmS1avzKaWdDR03i3KMAqFyPWp7YlZyd+iugUNgeh7gLJtvh6eyZaQ5dIKJ
xOpevejDgPJLy9CSXiY829rXi/NEVMO1XKJ12T9olzGFliFohWJwruk107FQhR3X
HkP1PzyuaXmCBl86t/Cj0J2iDVFrkTB532xZHNpF0FqZ+oyqECE=
=M1QB
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message