
io.codemodder.codemods.VerbTamperingCodemod.report.json

{
  "summary" : "Introduced protections against verb tampering attacks (authN/authZ bypass)",
  "change" : "Removed <http-method> elements from the <web-resource-collection> definition, which paradoxically removes authentication from the constrained endpoints for any HTTP method not listed",
  "reviewGuidanceJustification" : "This is an incredibly unintuitive situation and in our professional experience we have never seen any time developers intended to grant access to \"all other\" HTTP methods by specifically listing others.",
  "references" : ["https://dl.packetstormsecurity.net/papers/web/Bypassing_VBAAC_with_HTTP_Verb_Tampering.pdf", "https://vulncat.fortify.com/en/detail?id=desc.config.java.http_verb_tampering", "https://capec.mitre.org/data/definitions/274.html"]
}
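The report above describes the transformation only in prose. The following is an added worked example, not code from the codemodder project (whose codemod is written in Java): a stand-alone Python script that detects the weak `web.xml` shape, applies the same fix (dropping every `<http-method>` under a `<web-resource-collection>`), and models the container's constraint decision so the bypass is visible before and after. The sample `web.xml`, the function names (`find_verb_tampering`, `remove_http_methods`, `is_protected`) and the simplified matching model are all assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml for this example (not taken from any real project).
# The /admin/* constraint lists GET and POST, so it applies to those two verbs
# only: HEAD, OPTIONS, DELETE or an arbitrary invented verb reaches /admin/*
# without the "admin" role ever being checked.
VULNERABLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin console</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Drop the XML namespace: '{urn:x}http-method' -> 'http-method'."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    """Direct children of elem whose local tag name is `name`."""
    return [c for c in elem if _local(c.tag) == name]


def _collections(root):
    """Yield every <web-resource-collection> under a <security-constraint>."""
    for sc in _children(root, "security-constraint"):
        for wrc in _children(sc, "web-resource-collection"):
            yield wrc


def find_verb_tampering(web_xml):
    """Detection: return [(url-pattern, [listed methods])] for each constrained
    collection that enumerates verbs, i.e. leaves every other verb unprotected."""
    root = ET.fromstring(web_xml)
    findings = []
    for wrc in _collections(root):
        methods = [(m.text or "").strip() for m in _children(wrc, "http-method")]
        if not methods:
            continue
        for p in _children(wrc, "url-pattern"):
            findings.append(((p.text or "").strip(), methods))
    return findings


def remove_http_methods(web_xml):
    """Fix: strip every <http-method> so each constraint covers all verbs.
    Returns the rewritten web.xml as a string."""
    root = ET.fromstring(web_xml)
    if root.tag.startswith("{"):  # keep the default namespace on output
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    for wrc in _collections(root):
        for m in _children(wrc, "http-method"):
            wrc.remove(m)
    return ET.tostring(root, encoding="unicode")


def _pattern_matches(pattern, path):
    """Servlet url-pattern matching: prefix (/x/*), extension (*.jsp), exact."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def is_protected(web_xml, path, method):
    """Simplified model of the container's decision (assumption for this
    example): a request is subject to a constraint when its path matches a
    url-pattern and the collection either lists no <http-method> or lists
    this one. Pattern precedence and <http-method-omission> are not modelled."""
    root = ET.fromstring(web_xml)
    for wrc in _collections(root):
        methods = [(m.text or "").strip() for m in _children(wrc, "http-method")]
        patterns = [(p.text or "").strip() for p in _children(wrc, "url-pattern")]
        if any(_pattern_matches(p, path) for p in patterns):
            if not methods or method.upper() in methods:
                return True
    return False


if __name__ == "__main__":
    print("findings:", find_verb_tampering(VULNERABLE_WEB_XML))
    print("HEAD /admin/users protected before fix:",
          is_protected(VULNERABLE_WEB_XML, "/admin/users", "HEAD"))
    fixed = remove_http_methods(VULNERABLE_WEB_XML)
    print("HEAD /admin/users protected after fix:",
          is_protected(fixed, "/admin/users", "HEAD"))
    print(fixed)
```

Running the script shows the one finding (`/admin/*` constrained for `GET` and `POST` only), reports `HEAD /admin/users` as unprotected before the fix and protected after it, and prints the rewritten `web.xml`. Note that the fix only widens the constraint; if a collection genuinely needs per-verb rules, the safe pattern is a separate constraint with an empty `<auth-constraint/>` for the verbs to be denied outright, rather than relying on omission.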
