Cris,

On 8/22/18 11:22 AM, Berneburg, Cris J. - US wrote:
> Chris
>
> [combining messages]
>
> cjb> Am I mistaken, but does vulnerability scanning software
> cjb> seem to feed on that sort of thing?
>
> cs> Most vulnerability scanners just try to detect your server's
> cs> version and look-up any publicly-reported vulnerabilities in
> cs> e.g. NVD. They are really stupid tools for the most part.
>
> cs> If you hired a real pen tester, they would probably run one
> cs> of those scanners first just to get some intel and then
> cs> dive-into attacking your application e.g. with request-
> cs> parameter munging.
>
> I failed to mention that a vulnerability scanner being used
> actually follows paths in the source code. I inferred that a
> clever hacker could figure out how to discover and exploit the
> vulnerabilities that the scanner revealed by reloading pages and
> varying parameters.

You mean the source code of the web page, right?

Yeah, these used to be called "web spiders". They are still really
dumb. What happens when it hits a login page? Can it authenticate
and scan the application internally?

> cs> One of the ways I have kept my code as maintainable as
> cs> possible is by not using JSPs :)
>
> OK, I'll bite. What do you use instead of JSP?
>
> [Chris S. replies, "Yes, folks - hook, line, AND sinker!"]

:-)

$ find web -type f | sed -e "s/.*\.//" | sort | uniq -c | sort -nr
    413 vm
    182 png
     65 jpg
     63 xsl
     37 gif
     25 css
     22 js
     21 jsp
      6 svg
      6 html
      3 xml
      2 htc
      1 zip
      1 woff
      1 txt
      1 ttf
      1 php (umm...)
      1 dtd

Velocity WTF

-chris
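An added example, not part of Chris's mail: the one-liner above is a handy way to inventory what kinds of files a web app actually ships (how many JSPs, how many templates, the stray .php), but `sed "s/.*\.//"` prints the whole path for a file with no extension and is thrown off by a dot in a directory name (`web/v1.0/README` comes out as `0/README`). The version below looks only at the basename and reports extension-less files as `(none)`. The function names, the directory argument and the sample tree are assumptions constructed here so it runs offline on a POSIX sh with find, awk and sort.

```shell
# count_ext DIR: tally regular files under DIR by extension (added example,
# not from the mailing list). Only the basename is inspected, so dotted
# directory names such as "v1.0" do not leak into the result, and a file
# without a dot is counted as "(none)" instead of printing its whole path.
count_ext() {
    find "$1" -type f | awk -F/ '{
        f = $NF                          # basename only
        n = split(f, parts, ".")         # literal "." separator in awk
        if (n > 1 && parts[n] != "") ext = parts[n]; else ext = "(none)"
        count[ext]++
    }
    END { for (e in count) print count[e], e }' | sort -nr
}

# make_sample_tree: build a small constructed web-app tree in a temp dir
# and print its path, so count_ext can be exercised without a real webapp.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/WEB-INF/lib" "$d/v1.0/css"
    for i in 1 2 3; do : > "$d/page$i.jsp"; done
    : > "$d/index.html"
    : > "$d/v1.0/css/site.css"
    : > "$d/WEB-INF/lib/README"          # no extension: must show as "(none)"
    printf '%s\n' "$d"
}

# Usage (constructed tree): count_ext "$(make_sample_tree)"
# expected top line: 3 jsp
```

The awk tally replaces the `sed | sort | uniq -c` pipeline; output format is unchanged (count, then extension), so it can be dropped into the same workflow for checking how much of a deployment is executable server-side code versus static assets.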