bluemix-app-scan

IBM AppScan - Port Listener Command Injection - JSF 2.2 & Primefaces - JBOSS 7.2 EAP

别等时光非礼了梦想. Submitted on 2020-05-17 08:49:22
Question (original post: IBM AppScan) We recently received results from IBM AppScan DAST and some of the results don't make much sense. Parameter: **javax.faces.source** Risk(s): It is possible to run remote commands on the web server. This usually means complete compromise of the server and its contents. Fix: Set the "uri" attribute of the "domain" entity in the clientaccesspolicy.xml file to include specific domain names instead of any domain. The following changes were applied to the original request:

IBM AppScan - Blind SQL Injection (Time Based) - JSF 2.2 & Primefaces - JBOSS 7.2 EAP

五迷三道 Submitted on 2020-05-15 08:07:31
Question (original post: IBM AppScan) We recently received results from IBM AppScan DAST and some of the results don't make much sense. High -- Blind SQL Injection (Time Based) Parameter: form:propertyTree:0:j_idt126 Risk(s): It is possible to view, modify or delete database entries and tables. Fix: Review possible solutions for hazardous character injection. 2nd case for Blind SQL Injection (Time Based) URL: https://***/javax.faces.resource/components.js.xhtml Parameter: v Risk(s): It is possible to view,

Cross Site Request Forgery prevention via 'Referer' header

隐身守侯 Submitted on 2020-05-15 06:26:12
Question We recently received results from IBM AppScan DAST and some of the results don't make much sense. 2. Medium -- Cross-Site Request Forgery Risk(s): It may be possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user. Fix: Validate the value of the "Referer" header, and use a one-time nonce for each submitted form. The following changes were applied

Cross Site Request Forgery prevention via 'Referer' header

試著忘記壹切 Submitted on 2020-05-15 06:25:07
Question We recently received results from IBM AppScan DAST and some of the results don't make much sense. 2. Medium -- Cross-Site Request Forgery Risk(s): It may be possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user. Fix: Validate the value of the "Referer" header, and use a one-time nonce for each submitted form. The following changes were applied