No validating saxparser implementation available

This OS behavior can be used to bypass filename validation that looks only at the end of the filename (e.g., endswith ".log") to make sure it's a safe file to access.

To fix this, two things are recommended: If you know you are using a modern version of Java immune to NULL byte injection, you can probably disable this rule.


References:
WASC-28: Null Byte Injection
CWE-158: Improper Neutralization of Null Byte or NUL Character

Empty TrustManager implementations are often used to connect easily to a host whose certificate is not signed by a root certificate authority.

As a consequence, this is vulnerable to Man-in-the-middle attacks since the client will trust any certificate.

If it does not, the user should be considered an unauthenticated user.

In addition, the session ID value should never be logged.

In general, no assumption should be made that the request came from a regular browser without modification by an attacker.

As such, it is recommended that you not trust this value in any security decisions you make with respect to a request.

Reference:
CWE-807: Untrusted Inputs in a Security Decision

The header "User-Agent" can easily be spoofed by the client.

Adopting different behaviors based on the User-Agent (for crawler UA) is not recommended.

References:
Generate strong random numbers
CWE-330: Use of Insufficiently Random Values
Predicting Struts CSRF Token (example of a real-life vulnerability and exploitation)

The Servlet can read GET and POST parameters from various methods. You may need to validate or sanitize those values before passing them to sensitive APIs such as:

The web container serving your application may redirect requests to your application by default.

This would allow a malicious user to place any value in the Host header.

See HttpSession (HttpServletRequest.getSession())

Custom cookies can be used for information that needs to live longer than, and is independent of, a specific session.
