I am available all day Tuesday, so whatever time is fine.
Thanks for your help Marc.
-Jay
On Mon, Oct 6, 2008 at 6:55 AM, Pete Muir <pmuir(a)redhat.com> wrote:
Marc,
Sounds great. I'm in the UK, so GMT+1 atm. Christian, will you join us to
discuss?
Best,
On 6 Oct 2008, at 11:13, Marc Schoenefeld wrote:
> Hi Pete,
>
> that sounds like a good plan, let's schedule some initial planning for
> next week, because this week I am quite busy with after-PTO workload
> and SOA testing. How about next Tuesday? BTW, which timezone are you
> in, maybe we can start with a phone chat?
>
> The first things that come into my mind are JSF view state injection,
> XSS of all different kinds, remoting misuse, insecure servlet mappings.
> During this week I will catch up with the current Seam codebase by
> findbugs-ing through it, and maybe already stumble over one or the
> other place to start poking into.
>
> Cheers
> Marc
>
> Pete Muir wrote:
>
>> Hi Marc,
>>
>> Something that we've been discussing is the idea of creating a security
>> audit checklist that will cover Seam and the ways it interacts with
>> the outside world; initially, we want to focus on JSF, Seam Remoting
>> (Ajax) and Servlet, but we will also consider adding in WS including
>> JAX-RS, Wicket, GWT and perhaps others, though these are what I can
>> think of. This checklist would then be added to the Seam QA process
>> (which is run through at release time).
>>
>> We were wondering if you would be able to work with us on this? My
>> suggestion is that, as you (I hope ;-) have a good understanding of
>> the general approaches that could be used to exploit Seam, you
>> would work with us both on an initial list of areas to focus on,
>> and then help us develop the checklist.
>>
>> Let us know :)
>>
>> Pete
>>
>
>
> --
> Marc Schoenefeld / Red Hat Security Response Team
>
>
_______________________________________________
seam-dev mailing list
seam-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/seam-dev