Re: Failed to Detect Insecure AllowDomain / AllowInsecureDomain Settings
djtechnocrat
Message 1 of 2

Failed to Detect Insecure AllowDomain / AllowInsecureDomain Settings

Overall, the tool is pretty good. But it missed a couple of issues that were detected manually during a recent assessment.


1) External XML loading (via URL in configpath) - not sure this is detectable via static analysis?

2) Security.allowDomain() issues - Security.allowDomain("*") and Security.allowInsecureDomain("*")

markpainter
Message 2 of 2

Re: Failed to Detect Insecure AllowDomain / AllowInsecureDomain Settings

That is a known bug. At this time, we do not have any plans on releasing an additional version (although that might change). We are fixing these assessment issues in WebInspect, though.
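
A static check for the second issue raised in the first post, as an added example that is not part of the thread or of any HP tool: it scans ActionScript source (for example, decompiler output) for `Security.allowDomain` / `Security.allowInsecureDomain` calls that pass the `"*"` wildcard, and also marks calls whose argument is not a string literal for manual review. The function names and the sample source are assumptions constructed for illustration.

```python
import re

# Calls such as Security.allowDomain("*") or flash.system.Security.allowInsecureDomain('*').
CALL_RE = re.compile(
    r"\bSecurity\s*\.\s*(allowDomain|allowInsecureDomain)\s*\(([^)]*)\)")
STRING_RE = re.compile(r"""(["'])(.*?)\1""")
# String literals are matched first so "//" inside a URL string is not a comment.
STRIP_RE = re.compile(
    r"""("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')|/\*.*?\*/|//[^\n]*""", re.S)

def strip_comments(source):
    """Blank out comments but keep newlines so line numbers stay correct."""
    def repl(m):
        return m.group(1) or re.sub(r"[^\n]", " ", m.group(0))
    return STRIP_RE.sub(repl, source)

def find_domain_grants(source):
    """Return (line, method, kind) tuples; kind is "wildcard" or "dynamic"."""
    code = strip_comments(source)
    findings = []
    for m in CALL_RE.finditer(code):
        args = m.group(2)
        literals = [s.group(2).strip() for s in STRING_RE.finditer(args)]
        if "*" in literals:
            kind = "wildcard"
        elif STRING_RE.sub("", args).strip(" ,\t\n"):  # non-literal argument
            kind = "dynamic"
        else:
            continue  # only fixed, named domains were granted
        line = code.count("\n", 0, m.start()) + 1
        findings.append((line, m.group(1), kind))
    return findings

# Constructed sample source, not taken from the thread.
SAMPLE = '''import flash.system.Security;
// Security.allowDomain("*");  commented out, must not be reported
Security.allowDomain("*");
Security.allowInsecureDomain( '*' );
Security.allowDomain("static.example.com");
Security.allowDomain(cfg.trustedHost);
'''

if __name__ == "__main__":
    for finding in find_domain_grants(SAMPLE):
        print(finding)
```

A "dynamic" finding means the granted domain is decided at run time, for instance from externally loaded configuration, so the source alone cannot show whether it resolves to a wildcard.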
