This is certainly not Struts specific, but it may be useful... http://www.owasp.org/
Joe

----- Original Message -----
From: "Jing Zhou" <[EMAIL PROTECTED]>
To: "Struts Users Mailing List" <[EMAIL PROTECTED]>
Sent: Friday, June 20, 2003 3:59 PM
Subject: Re: [FRIDAY] Got A Security Hole?

> Does anyone know a published web site or book that covers
> potential security issues for Struts developers in general?
>
> Jing
>
> ----- Original Message -----
> From: "Hookom, Jacob" <[EMAIL PROTECTED]>
> To: "'Struts Users Mailing List'" <[EMAIL PROTECTED]>
> Sent: Friday, June 20, 2003 2:25 PM
> Subject: RE: [FRIDAY] Got A Security Hole?
>
>
> > One of the most interesting security holes that MANY applications have is
> > the use of wildcards in dynamic SQL queries....
> >
> > login: admin
> > password: '+%+'
> >
> > or those likes... try it sometime
> >
> > --------
> > Jacob Hookom
> > Senior Programmer/Analyst
> > McKesson Medical Surgical
> > Golden Valley, MN
> >
> >
> > -----Original Message-----
> > From: Jing Zhou [mailto:[EMAIL PROTECTED]
> > Sent: Friday, June 20, 2003 2:29 PM
> > To: Struts Users Mailing List
> > Subject: [FRIDAY] Got A Security Hole?
> >
> >
> > It's Friday. Let us talk about some light issues like security problems ...
> >
> > The Struts framework has a transaction token mechanism. It seems
> > to be able to protect developers. But in some cases, it does not if
> > session scoped form beans are used.
> >
> > See the detailed description of the potential security issues at
> > http://www.netspread.com/tips2.html#security
> > More interesting, some very very experienced developers
> > would think they are absolutely safe if they use request scoped
> > form beans. It may not be the case as they think. Some
> > mistakes are possible, in open source projects, in samples of
> > published books, if the authors are not aware of them.
> >
> >
> > Jing
> > Netspread Carrier at http://www.netspread.com
> > "Making Simple Things Crazily Simpler."
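The wildcard problem Jacob describes, as an added example that is not from this thread: a login check that splices the submitted password into a LIKE pattern, beside a version that binds parameters and compares for equality, plus a LIKE-escaping helper for the searches that genuinely need a user-supplied pattern. The users table, its rows and the function names are constructed for the demonstration.

```python
import sqlite3

# Users table and rows are constructed for this demonstration.
USERS = [("admin", "s3cret-admin-pw"), ("jing", "another-pw")]


def make_db() -> sqlite3.Connection:
    """In-memory users table holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Dynamic SQL with LIKE: the password becomes part of the pattern,
    so a submitted '%' matches whatever password is stored for the user."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' "
           "AND password LIKE '%s'" % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn, username, password):
    """Bound parameters plus an equality comparison: the input is data,
    never SQL text or a pattern. (Real systems compare password hashes.)"""
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


def escape_like(value, esc="\\"):
    """Neutralise LIKE metacharacters for the cases (search boxes) that
    really need a user-supplied pattern; pair it with an ESCAPE clause."""
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def search_users(conn, prefix):
    """Prefix search that binds an escaped pattern: a '%' typed by the
    user matches a literal percent sign, not 'anything'."""
    pattern = escape_like(prefix) + "%"
    rows = conn.execute(
        "SELECT username FROM users WHERE username LIKE ? ESCAPE '\\'",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]
```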