On 3/17/20 3:50 PM, Mark Thomas wrote:
The XXS might be valid. I assume the tool provided a sample URL you
could use to validate the finding. That should point you in the right
direction but feel free to ask here if more help is required.
Near as I can tell, it did but it didn't provide a sample URL.

Note that *all* I have is a PDF of the report, and I think the URL may have gotten mangled by spanning a page-break. I've posted a screenshot (with identifying information redacted) of what I'm looking at in the report:


As to DELETE and OPTIONS, you get no argument from me about whether a DELETE will actually *do* anything (I've got a query out to our web developer on that), and on restricting OPTIONS being a case of "Security by obscurity"; however, this is a case of "The Customer is Always Right."

I found a page on disabling HTTP methods with a security constraint:


But I'm not sure (1) how security constraints interact with other security constraints, and (2) whether they can go in the conf/web.xml as well as individual webapps' web.xml files.

As I said, I've got a query out to our web developers about *our* webapp, but does Manager make any use of DELETE or OPTIONS?


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to