Cris,
On 8/20/18 2:10 PM, Berneburg, Cris J. - US wrote:
> cs> So, while there isn't anything particularly "dangerous" about
> cs> direct-access to JSPs, there are a number of "best practices"
> cs> that suggest that hiding them is a good idea.
>
> If some authenticated user can directly access a JSP page and
> manipulate the parameters, they can keep reloading the page while
> varying conjured arguments to find and exploit potential
> weaknesses. Am I mistaken, but does vulnerability scanning
> software seem to feed on that sort of thing?

Most vulnerability scanners just try to detect your server's version and look up any publicly-reported vulnerabilities in e.g. NVD. They are really stupid tools for the most part. If you hired a real pen tester, they would probably run one of those scanners first just to get some intel and then dive into attacking your application e.g. with request-parameter munging.

> Maybe it's just an illusion, but I feel like there is more security
> control if a user must access a servlet first.

It's an illusion from a purely technical perspective, but there are *many* reasons why it's easier (and, therefore, better!) to handle many of those sanity-checks, etc. in a non-JSP-based controller servlet.
-chris
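One concrete shape of the controller-servlet layout Chris describes, as an added example that is not code from the thread: the JSP lives under /WEB-INF/, which the servlet container will not serve to a direct request, and a servlet validates the request parameters before forwarding to it. The servlet path, the parameter name and the JSP file name are assumptions.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical controller servlet: the only URL a client can reach is /report.
// The view it renders sits at /WEB-INF/jsp/report.jsp; the container refuses
// to serve anything under /WEB-INF directly, so the page is reachable only
// through a server-side forward from this servlet.
@WebServlet("/report")
public class ReportController extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Authentication is assumed to be enforced by the container's
        // security constraints; this servlet only sanity-checks parameters.
        String idParam = req.getParameter("id");
        int id;
        try {
            // parseInt(null) also throws NumberFormatException, so a missing
            // parameter is rejected by the same branch as a malformed one.
            id = Integer.parseInt(idParam);
        } catch (NumberFormatException e) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid id");
            return;
        }
        if (id < 1) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST, "invalid id");
            return;
        }

        // Only the validated, typed value reaches the JSP; the raw request
        // parameter is never interpreted by the page itself.
        req.setAttribute("reportId", id);
        req.getRequestDispatcher("/WEB-INF/jsp/report.jsp").forward(req, resp);
    }
}
```

Because the forward happens inside the container, a client requesting /WEB-INF/jsp/report.jsp directly gets a 404 regardless of what parameters it supplies.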