ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S3369/java/rule.adoc
Egon Okerman d1417e82f8
Modify CWE and OWASP Top 10 links to follow standard link format (APPSEC-1134) (#3529) 
* Fix all CWE references

* Fix all OWASP references

* Fix missing CWE prefixes
2024-01-15 17:15:56 +01:00

39 lines
984 B
Plaintext
Raw Blame History

== Why is this an issue?
Websphere, Tomcat, and JBoss web servers allow the definition of role-based access to servlets. It may not be granular enough for your purposes, but it's a start, and should be used at least as a base.
This rule raises an issue when a _web.xml_ file has no ``++<security-constraint>++`` elements.
== Resources
* OWASP - https://owasp.org/www-project-top-ten/2017/A5_2017-Broken_Access_Control[Top 10 2017 Category A5 - Broken Access Control]
* CWE - https://cwe.mitre.org/data/definitions/284[CWE-284 - Improper Access Control]
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
=== Message
Add "security-constraint" elements to this descriptor.
=== Highlighting
top-level element
'''
== Comments And Links
(visible only on this page)
=== on 19 Mar 2018, 11:01:13 Sébastien GIORIA - AppSecFR wrote:
Could tagged A6:2017 too. This is a configuration element
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink