Hi Pete,
that sounds like a good plan. Let's schedule some initial planning for
next week, because this week I am quite busy with after-PTO workload
and SOA testing. How about next Tuesday? BTW, which timezone are you
in? Maybe we can start with a phone chat?
The first things that come into my mind are JSF view state injection,
XSS in all different kinds, remoting misuse, insecure servlet mappings.
During this week I will catch up with the current Seam codebase by
findbugs-ing through it, and maybe already stumble over one or the
other place to start poking into.
Cheers
Marc
Pete Muir wrote:
Hi Marc,
Something that we've been discussing is the idea of creating a security
audit checklist that will cover Seam and the ways it interacts with
the outside world; initially, we want to focus on JSF, Seam Remoting
(Ajax) and Servlet, but we will also consider adding in WS including
JAX-RS, Wicket, GWT and perhaps others, though these are what I can
think of. This checklist would then be added to the Seam QA process
(which is run through at release time).
We were wondering if you would be able to work with us on this? My
suggestion is that, as you (I hope ;-) have a good understanding of
the general approaches that could be used to exploit Seam, you would
work with us both on an initial list of areas to focus on, and then
help us develop the checklist.
Let us know :)
Pete
--
Marc Schoenefeld / Red Hat Security Response Team