TomcatExpert

Cross-site Scripting

Blog : Year in Review 2011

posted by Stacey Schneider on January 4, 2012 07:31 AM

2011 has been a great year for the Tomcat Expert community. After almost two years of operation, Tomcat Expert has hit its stride, publishing an array of new information as well as keeping you up to date with the newest releases of Apache Tomcat 6 and Apache Tomcat 7. With the addition of two new Tomcat Expert contributors (Channing Benson and Daniel Mikusa), the Tomcat Expert community continues to build on its reputation as the leading source for fresh perspectives and new information on how best to leverage Apache Tomcat in the enterprise.


Developers, Executives | Cross-site Scripting, Java Development, Parallel Deployment

Blog : Cross-site Scripting (XSS) Prevention in Apache Tomcat 7

posted by mthomas on January 26, 2011 07:28 AM

Cross-site scripting (XSS) is one of the most prevalent classes of security vulnerability in web applications today. An XSS vulnerability exists when an application writes attacker-controlled input into a page without proper output encoding, so that the browser executes the injected script with the same trust it gives the vulnerable site's own pages. Such scripts typically read the session identifier and other user data from cookies, or issue requests on the victim's behalf, allowing the attacker to impersonate a logged-in user. The result can be a hijacked account, altered account settings, or users redirected to malicious or fraudulent advertising sites. Recent high-profile XSS attacks on sites such as Twitter and IBM's DeveloperWorks illustrate how common these vulnerabilities are on web sites both large and small.

Because cross-site scripting is such a significant and universal threat (several XSS issues have been fixed in Tomcat 7 itself), browsers support an extension to the cookie specification, the HttpOnly flag, to limit its impact. The flag began as an unofficial vendor extension and has since been standardized in RFC 6265; it is supported by all mainstream browsers. A cookie marked HttpOnly is sent with HTTP requests as usual but is hidden from client-side script, so an injected script cannot read the session identifier from document.cookie and send it to an attacker. Tomcat 7 sets the flag on its session cookie by default (the useHttpOnly attribute of the Context element defaults to true in Tomcat 7 and false in Tomcat 6), and Servlet 3.0 applications can also request it through the cookie-config element of web.xml. Note what the flag does not do: it does not prevent the injection itself, and script running in the page can still issue requests that the browser will send with the session cookie attached. HttpOnly narrows the damage an XSS flaw can do; it is not a substitute for encoding output correctly.
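As an added example (not code from the original post or from Apache Tomcat), the following Python script parses Set-Cookie header values the way a browser does and reports session cookies that lack the HttpOnly flag. It goes slightly beyond the post by also checking the Secure flag, since the two are normally audited together. The sample headers are constructed to resemble what Tomcat 6 (no HttpOnly by default) and Tomcat 7 (HttpOnly by default, over HTTPS) emit; they are not captured output from a real server, and the session-cookie name list is an assumption for the example.

```python
# Added example, not code from the original post or from Apache Tomcat:
# audit Set-Cookie headers and flag session cookies that lack HttpOnly
# (and, for HTTPS deployments, Secure).
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ParsedCookie:
    name: str
    value: str
    # attribute names are lower-cased; flag attributes such as HttpOnly
    # and Secure carry no value and map to None
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)

    def has_flag(self, flag: str) -> bool:
        return flag.lower() in self.attributes


def parse_set_cookie(header: str) -> ParsedCookie:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are compared case-insensitively, as browsers do
    (RFC 6265, section 5.2), so "httponly" and "HttpOnly" are the same flag.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attributes: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        attr_name, has_value, attr_value = part.partition("=")
        attributes[attr_name.strip().lower()] = attr_value.strip() if has_value else None
    return ParsedCookie(name.strip(), value.strip(), attributes)


# Cookie names treated as session identifiers (assumption for this example;
# JSESSIONID is the Servlet specification's default session cookie name).
SESSION_COOKIE_NAMES = {"jsessionid"}


def audit_set_cookie_headers(
    headers: List[str], served_over_https: bool = True
) -> List[Tuple[str, List[str]]]:
    """Return (cookie name, list of problems) for each session cookie seen.

    Non-session cookies are skipped: HttpOnly matters for cookies an injected
    script could usefully steal, which in a Tomcat application is the session id.
    """
    findings: List[Tuple[str, List[str]]] = []
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie.name.lower() not in SESSION_COOKIE_NAMES:
            continue
        problems: List[str] = []
        if not cookie.has_flag("HttpOnly"):
            problems.append("missing HttpOnly: readable via document.cookie by injected script")
        if served_over_https and not cookie.has_flag("Secure"):
            problems.append("missing Secure: will also be sent over plain HTTP")
        findings.append((cookie.name, problems))
    return findings


# Constructed sample responses (not captured from a real server).
TOMCAT6_STYLE_HEADERS = [
    "JSESSIONID=2E6B4A2B0FCA0D4D0FD5F8A5B0D2C8D1; Path=/app",
    "theme=dark; Path=/app; Max-Age=31536000",
]
TOMCAT7_STYLE_HEADERS = [
    "JSESSIONID=2E6B4A2B0FCA0D4D0FD5F8A5B0D2C8D1; Path=/app; Secure; HttpOnly",
    "theme=dark; Path=/app; Max-Age=31536000",
]

if __name__ == "__main__":
    for label, hdrs in (("Tomcat 6 defaults", TOMCAT6_STYLE_HEADERS),
                        ("Tomcat 7 defaults", TOMCAT7_STYLE_HEADERS)):
        for cookie_name, problems in audit_set_cookie_headers(hdrs):
            print(f"{label}: {cookie_name}: {'; '.join(problems) if problems else 'ok'}")
```

To use this against a real deployment, feed it the Set-Cookie values from a response captured with `curl -I` or the browser's network tools after a request that creates a session. A JSESSIONID cookie without HttpOnly on Tomcat 7 usually points to the Context element's useHttpOnly attribute having been turned off; on Tomcat 6 it is the default and must be enabled explicitly.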


Security | Cross-site Scripting, security, Tomcat 7
