I've been working with some web vulnerability tools (see www.westpoint.ltd.uk). They all address vulnerabilities in CGI and ASP. They don't seem to cover servlets and JSPs.

The only things I could come up with were:

- default demo servlets still installed (e.g. finger, snoop etc.); I'm not aware of any that pose a real threat.
- ability to run arbitrary servlets, even when they aren't explicitly mapped, e.g. /servlets/net.ibm.servlets.Mytest

How many servlet engines support the above form of invocation? Do any support it without the servlet needing to be mentioned in a config file? (This last raises the prospect of invoking servlet base classes, or the servlets that underlie JSPs.)

If I can come up with a useful set of tests, I'll contribute them to nessus, an open source vulnerability scanner.

Tim
http://www.westhawk.co.uk/
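
An added example, not part of Tim's post and not a nessus test: a log audit a server operator could run to see whether their own engine has answered requests of the /servlets/<class name> form described above. The Common Log Format input, the /servlet/ path variant, the sample lines and names such as find_class_invocations are assumptions made for illustration.

```python
import re

# Path form from the post: /servlets/<fully.qualified.ClassName>; "/servlet/" is
# included as an assumed variant. Path info or a query string may follow.
BY_CLASS = re.compile(
    r"^/servlets?/(?P<cls>[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+)(?:[/;?]|$)"
)
# Request and status fields of a Common Log Format line (assumed log format).
CLF = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def find_class_invocations(lines, mapped_classes=()):
    """Return (class, status, served) for requests that name a servlet class
    directly, skipping classes the operator deliberately exposes that way."""
    hits = []
    for line in lines:
        m = CLF.search(line)
        if not m:
            continue  # not a parseable access-log line
        p = BY_CLASS.match(m.group("path"))
        if not p or p.group("cls") in mapped_classes:
            continue
        status = int(m.group("status"))
        # A 2xx/3xx status means the engine loaded and ran the named class.
        hits.append((p.group("cls"), status, status < 400))
    return hits


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] '
    '"GET /servlets/net.ibm.servlets.Mytest HTTP/1.0" 200 512',
    '192.0.2.10 - - [01/Jan/2000:10:00:05 +0000] '
    '"GET /servlets/com.example.BaseServlet?x=1 HTTP/1.0" 404 210',
    '192.0.2.11 - - [01/Jan/2000:10:01:00 +0000] '
    '"GET /shop/catalog HTTP/1.0" 200 4096',
    # Alias-style name without a package: not a class-name invocation.
    '192.0.2.12 - - [01/Jan/2000:10:02:00 +0000] '
    '"GET /servlets/snoop HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for cls, status, served in find_class_invocations(SAMPLE_LOG):
        print(f"{cls}: HTTP {status} ({'served' if served else 'refused'})")
```

Any entry reported as served for a class that appears in no servlet mapping shows the engine accepts invocation by class name without configuration.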
Archives: http://archives.java.sun.com/archives/servlet-interest.html