
ESAPI Class Not Found Error on Glassfish

java,eclipse,glassfish,owasp,esapi

I have solved this by adding the esapi.properties file to the WEB-INF/classes folder. (I had to create this classes folder.) The esapi.properties file can be found in the "configuration" folder of the ESAPI 1.4.4 installation directory. You need to restart your web server, I think, and then it runs smoothly. Extremely...

Clarifications about OWASP documentation for user redirection by using parameters

ruby-on-rails,ruby,security,ruby-on-rails-4,owasp

Brakeman suggests two strategies to mitigate the risks: using only_path as you did; parsing the redirect URL to extract the path manually (URI.parse(some_url).path). In past projects I've rewritten that helper to be sure nobody would accidentally forget the extra param of #1. ...
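The second strategy above (parse the URL, keep only the path) written out as a stand-alone helper. This is an added example, not code from the answer or from Brakeman; it has no Rails dependency so it runs as a plain Ruby script, and the helper name safe_redirect_path and the DEFAULT_PATH fallback are assumptions for illustration. It goes slightly beyond the snippet by also rejecting scheme-only targets (javascript:), relative paths, and backslashes, which some browsers treat as slashes.

```ruby
require "uri"

# Assumed default landing page to fall back to (an assumption for this
# example, not something the original answer specifies).
DEFAULT_PATH = "/"

# Reduce an attacker-influenced redirect target to a same-origin path.
# Any absolute URL ("http://evil.example/x") or protocol-relative URL
# ("//evil.example/x") is stripped down to its path component, so the
# browser can never be sent off-site; anything that does not yield an
# absolute path on this host falls back to the default.
def safe_redirect_path(target, default: DEFAULT_PATH)
  return default if target.nil? || target.strip.empty?

  uri  = URI.parse(target.strip)
  path = uri.path.to_s

  # Exactly one leading slash: "foo" would be resolved relative to the
  # current URL and "//host" would be read as protocol-relative if the
  # parser ever handed it back as a path.
  return default unless path.start_with?("/") && !path.start_with?("//")

  # Some browsers normalise "/\evil.example" to "//evil.example".
  return default if path.include?("\\")

  uri.query ? "#{path}?#{uri.query}" : path
rescue URI::InvalidURIError
  # Unparseable input (spaces, stray characters) is never worth redirecting to.
  default
end

# Constructed sample inputs an attacker might put in a ?return_to= parameter.
if $PROGRAM_NAME == __FILE__
  ["http://evil.example/phish", "//evil.example/x", "javascript:alert(1)",
   "/account?tab=billing", "foo", "/\\evil.example", ""].each do |t|
    puts "#{t.inspect.ljust(30)} -> #{safe_redirect_path(t)}"
  end
end
```

In a Rails controller this would be used as redirect_to safe_redirect_path(params[:return_to]); because the helper only ever returns a path, the only_path option of strategy #1 can no longer be forgotten.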

What Response Should Be Sent Back a When Cross-Site Request Forgery (CSRF) is Detected

coldfusion,csrf,owasp

403 Forbidden, as the user is technically authorized to access the site; it is just the specific action that is forbidden (HTTP POST without the correct CSRF token). A web server may return a 403 Forbidden HTTP status code in response to a request from a client for a web page...

Axis2 - Information Leakage Prevention

java,web-services,glassfish,axis2,owasp

You can add -Dproduct.name="" to your JVM options to suppress the X-Powered-By...

Restrict ZAP scanner

owasp,zap

In the latest version of ZAP (currently 2.4.0) open the Active Scan dialog and check the 'Show advanced options' box. In the 'Input Vectors' tab add 'docid' to the list of parameters that will be ignored by the scanner. That should do the trick, but I'd test that on a...

Dummy web application for penetration testing / ethical hacking

web-applications,owasp,hacking

This link should provide what you're looking for: http://www.amanhardikar.com/mindmaps/Practice.html

ESAPI Doc and tutorial

owasp,esapi

ESAPI has good intentions; it is referenced de facto in OWASP Top 10 issues. However, its main development is not really active. The library is provided as is. There are two Java libraries depending on the version: OWASP Enterprise Security API for Java, version >= 3.x, maintained by one contributor...

Why does the ESAPI ClickjackFilter have to come after the SiteMesh filter?

java,owasp,sitemesh,esapi,clickjacking

In my opinion, I think it is because the ESAPI ClickjackFilter's doFilter() method is written incorrectly. It is implemented like this:

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse res = (HttpServletResponse) response;
        chain.doFilter(request, response);
        res.addHeader("X-FRAME-OPTIONS", mode);
    }

However, because it is an output filter,...