
| Subject: | RE: HttpOnly and J2EE containers |
|---|---|
| Date: | Sun, 19 Feb 2006 23:02:53 -0800 (PST) |
Hi Jeff,

At last, I used

... <property name="cookiePath" value="/mypath "; HttpOnly; Path=/mypath; bla=""> ...

in sun-web.xml, which worked but is not good-looking. I was searching for something where I won't touch the code. I think HttpOnly should be added to the J2EE interface.

Thanks for the reply.

-pilon

--- Jeff Williams <jeff.williams@aspectsecurity.com> wrote:

> The J2EE Cookie interface doesn't support HttpOnly. And there's no way to do any kind of J2EE API injection, it validates the cookie value too well. The only way to do it is to set up the entire Set-Cookie header by hand. Try something like this...
>
> response.setHeader( "Set-Cookie","name1=value1; HttpOnly" );
>
> --Jeff
>
> On 2/14/06, Pilon Mntry <pilonmntry@yahoo.com> wrote:
>
> > Lately, I needed to add the HttpOnly cookie parameter to Java System Application Server PE and had to use
> >
> > ... <property name="cookiePath" value="/mypath; HttpOnly;"> ...
> >
> > hack in the sun-web.xml file. Well, actually this didn't work (obviously in IE, which uses a v0 cookie parser and is the only one supporting HttpOnly) and I had to tweak the above "a little bit".
> >
> > Anyways, I searched about this on the net, but couldn't find anything solid except that Resin and some other AS have made this operation easy...
> >
> > Now, my question is: do you guys know an easy way to incorporate this cookie parameter in other J2EE containers, such as OracleiAS or WebSphere, WebLogic, etc.? Maybe more a standard way than an easy way...
> >
> > -pilon
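Added example, not part of the thread and not any container's own code: a plain-JDK helper that builds the Set-Cookie line by hand, as the reply above suggests, and rejects any name, value or path that could smuggle in extra attributes or header lines, since a hand-built header bypasses the validation the Cookie class performs. The class and method names are hypothetical, and the character sets follow the cookie grammar of RFC 6265 (the path check is deliberately stricter).

```java
import java.util.regex.Pattern;

// Hypothetical helper; not part of the Servlet API or of any container.
public final class HttpOnlyCookie {
    // Cookie name: an HTTP token. Cookie value: no control characters,
    // whitespace, double quote, comma, semicolon or backslash.
    private static final Pattern NAME =
            Pattern.compile("[!#$%&'*+\\-.^_`|~0-9A-Za-z]+");
    private static final Pattern VALUE =
            Pattern.compile("[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*");
    // Path: starts with '/', visible ASCII only, no ';' and no spaces.
    private static final Pattern PATH =
            Pattern.compile("/[\\x21-\\x3A\\x3C-\\x7E]*");

    private HttpOnlyCookie() { }

    /** Returns the value for one Set-Cookie header, always ending in HttpOnly. */
    public static String header(String name, String value, String path, boolean secure) {
        if (name == null || !NAME.matcher(name).matches())
            throw new IllegalArgumentException("illegal cookie name");
        if (value == null || !VALUE.matcher(value).matches())
            throw new IllegalArgumentException("illegal cookie value");
        if (path == null || !PATH.matcher(path).matches())
            throw new IllegalArgumentException("illegal cookie path");
        StringBuilder sb = new StringBuilder(name).append('=').append(value)
                .append("; Path=").append(path);
        if (secure) sb.append("; Secure");
        return sb.append("; HttpOnly").toString();
    }

    public static void main(String[] args) {
        // Constructed sample values.
        System.out.println(header("name1", "value1", "/mypath", false));
        try {
            // A path carrying its own attributes is refused, not passed through.
            header("name1", "value1", "/mypath; bla=1", false);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // In a servlet (javax.servlet API, not imported here):
        //   response.addHeader("Set-Cookie", HttpOnlyCookie.header(...));
        // addHeader keeps Set-Cookie headers already added to the response;
        // setHeader would replace them.
    }
}
```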