
4.2.1.2.3b: Security risk example of invoking servlets by class name

Anyone enabling the "serve files by class name" function in WebSphere Application Server should take steps to avoid the security risks it introduces. The administrator should remain aware of every servlet class placed in the classpath of an application, because any of them can be invoked by its class name, even those never intended to be reached that way.

Warning regarding malicious HTML tags embedded in client requests

A Web site may inadvertently include malicious HTML tags or scripts in a dynamically generated page when that page is built from unvalidated input received from untrustworthy sources. By accessing a malicious URL and then accessing an application server, a user may unknowingly execute script code on the user's own machine, where it has full access to the data and resources on that machine. The browser executes the script on the user's machine without the user's knowledge.

The malicious tags that can be embedded in this way are <SCRIPT> and </SCRIPT>: any client-supplied text containing them, if written back into a page unchanged, is interpreted by the browser as executable script rather than as data.

This problem can be prevented if server-generated pages are encoded so that embedded scripts cannot execute. Developers generating responses that contain client data, based on servlet or JSP requests, can encode the response data using the following method:

com.ibm.websphere.servlet.response.ResponseUtils.encodeDataString(String)
Visit the CERT advisories Web site for more information.
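The following servlet is an added example, not code from the InfoCenter page or from IBM, showing where the encoding call belongs. It echoes a request parameter back into an HTML page; the servlet class name GreetingServlet and the parameter name "name" are assumptions chosen for illustration. The only WebSphere-specific call is the ResponseUtils.encodeDataString(String) method named above.

```java
// Added example (not from the InfoCenter page): a servlet that echoes a
// client-supplied request parameter into a dynamically generated page.
// The class name and the "name" parameter are assumptions for illustration.
import java.io.IOException;
import java.io.PrintWriter;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.ibm.websphere.servlet.response.ResponseUtils;

public class GreetingServlet extends HttpServlet {

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Untrusted input: comes straight from the client request.
        String name = req.getParameter("name");
        if (name == null) {
            name = "guest";
        }

        resp.setContentType("text/html");
        PrintWriter out = resp.getWriter();

        // Vulnerable form (kept as a comment, do not ship): the raw parameter
        // is written into the page, so a value containing <SCRIPT>...</SCRIPT>
        // would be executed by the browser of whoever views the response.
        //   out.println("<p>Hello, " + name + "</p>");

        // Hardened form: encode the client data before placing it in the
        // response, so tag characters are rendered as text, not as markup.
        String safeName = ResponseUtils.encodeDataString(name);

        out.println("<html><body>");
        out.println("<p>Hello, " + safeName + "</p>");
        out.println("</body></html>");
    }
}
```

The rule this illustrates is that every string originating from the request (parameters, headers, cookies, form fields) is passed through encodeDataString at the point where it is written into HTML, not merely where it is first read; a string that is stored and rendered later still needs encoding when it is emitted.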

Go to previous article: Avoiding the security risks of invoking servlets by class name Go to next article: Servlet content, examples, and samples