Marc,
Sounds great. I'm in the UK, so GMT+1 atm. Christian, will you join us
to discuss?
Best,
On 6 Oct 2008, at 11:13, Marc Schoenefeld wrote:
Hi Pete,
that sounds like a good plan, let's schedule some initial planning for
next week, because this week I am quite busy with after-PTO workload
and SOA testing. How about next Tuesday? BTW, which timezone are you
in? Maybe we can start with a phone chat?
The first things that come into my mind are JSF view state injection,
XSS in all different kinds, remoting misuse, insecure servlet
mappings.
During this week I will catch up with the current Seam codebase by
findbugs-ing through it, and maybe already stumble over one or
two places to start poking into.
Cheers
Marc
Pete Muir wrote:
> Hi Marc,
>
> Something that we've been discussing is the idea of creating a security
> audit checklist that will cover Seam and the ways it interacts with
> the outside world; initially, we want to focus on JSF, Seam Remoting
> (Ajax) and Servlet, but we will also consider adding in WS including
> JAX-RS, Wicket, GWT and perhaps others, though these are what I can
> think of. This checklist would then be added to the Seam QA process
> (which is run through at release time).
>
> We were wondering if you would be able to work with us on this? My
> suggestion is that, as you (I hope ;-) have a good understanding of
> the general approaches that could be used to exploit Seam, you
> would work with us both on an initial list of areas to focus on,
> and then help us develop the checklist.
>
> Let us know :)
>
> Pete
--
Marc Schoenefeld / Red Hat Security Response Team