java,eclipse,glassfish,owasp,esapi
I have solved this by adding the esapi.properties file to the WEB-INF/classes folder (I had to create this classes folder). The esapi.properties file can be found in the "configuration" folder of the esapi 1.4.4 installation directory. You need to restart your webserver, I think, and then it runs smoothly. Extremely...
ruby-on-rails,ruby,security,ruby-on-rails-4,owasp
Brakeman suggests two strategies to mitigate the risks:
1. Using only_path as you did;
2. Parsing the redirect URL to extract the path manually: URI.parse(some_url).path
In past projects I've rewritten that helper to be sure nobody would accidentally forget the extra param of #1. ...
403 Forbidden as the user is technically authorized to access the site, it is just the specific action that is forbidden (HTTP POST without correct CSRF token). A web server may return a 403 Forbidden HTTP status code in response to a request from a client for a web page...
java,web-services,glassfish,axis2,owasp
You can add -Dproduct.name="" to your JVM options for suppressing the X-Powered-By...
In the latest version of ZAP (currently 2.4.0) open the Active Scan dialog and check the 'Show advanced options' box. In the 'Input Vectors' tab add 'docid' to the list of parameters that will be ignored by the scanner. That should do the trick, but I'd test that on a...
web-applications,owasp,hacking
This link should provide what you're looking for: http://www.amanhardikar.com/mindmaps/Practice.html
ESAPI has good intentions, it is referenced de facto in OWASP Top 10 issues. However its main development is not really active. The library is provided as is. There are two Java libraries depending on the versions: OWASP Enterprise Security API for Java: version >= 3.x Maintained by one contributor...
java,owasp,sitemesh,esapi,clickjacking
In my opinion, I think it is because the ESAPI ClickjackFilter's doFilter() method is written incorrectly. It is implemented like this:

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    HttpServletResponse res = (HttpServletResponse) response;
    chain.doFilter(request, response);
    res.addHeader("X-FRAME-OPTIONS", mode);
}

However, because it is an output filter,...