Restrict ZAP scanner
In the latest version of ZAP (currently 2.4.0) open the Active Scan dialog and check the 'Show advance options' box. In the 'Input Vectors' tab add 'docid' to the list of parameters that will be ignored by the scanner. That should do the trick, but I'd test that on a...
ESAPI Class Not Found Error on Glassfish
java,eclipse,glassfish,owasp,esapi
I have solved this by adding the esapi.properties file to the WEB-INF/classes folder. (I had to create this classes folder) The esapi.properties file can be found in the "configuration" folder of the esapi 1.4.4 installation directory. You need to restart your webserver, i think, and then it runs smoothly. Extremely...
ESAPI Doc and tutorial
ESAPI has good intentions, it is referenced de facto in OWASP Top 10 issues. However its main development is not really active. The library is provided as is. There are two Java libraries depending on the versions: OWASP Enterprise Security API for Java: version >= 3.x Maintained by one contributor...
Clarifications about OWASP documentation for user redirection by using parameters
ruby-on-rails,ruby,security,ruby-on-rails-4,owasp
Brakeman suggests two strategies to mitigate the risks: Using only_path as you did; Parsing the redirect URL to extract the path manually URI.parse(some_url).path In past projects I've rewrote that helper to be sure nobody would accidentally forget the extra param of #1. ...
Dummy web application for penetetration testing ethical hacking
web-applications,owasp,hacking
this link should provide what you're looking for: http://www.amanhardikar.com/mindmaps/Practice.html
Axis2 - Information Leakage Prevention
java,web-services,glassfish,axis2,owasp
You can add a -Dproduct.name="". in your JVM Option for suppressing the X-Powered-By...
What Response Should Be Sent Back a When Cross-Site Request Forgery (CSRF) is Detected
403 Forbidden as the user is technically authorized to access the site, it is just the specific action that is forbidden (HTTP POST without correct CSRF token). A web server may return a 403 Forbidden HTTP status code in response to a request from a client for a web page...
Why does the ESAPI ClickjackFilter have to come after the SiteMesh filter?
java,owasp,sitemesh,esapi,clickjacking
In my opinion, I think it is because the ESAPI ClickjackFilter's doFilter() method is written incorrectly. It is implemented like this: public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException { HttpServletResponse res = (HttpServletResponse)response; chain.doFilter(request, response); res.addHeader("X-FRAME-OPTIONS", mode ); } However, because it is an output filter,...