...
There are web-oriented tools such as Burp Suite Community Edition, OWASP Zed Attack Proxy (ZAP), BeEF or IBM Security AppScan. Most of the time they are too general, and fully crawling OFBiz with them can take a lot of time, or be quite a challenge if done manually. You can find more penetration testing tools here.

In December 2015, I ran a complete (100%) OWASP ZAP automated (Quick Start) penetration session against a local instance of the OFBiz backend (trunk head) running on localhost. It started from the same link used for the backend demos. No major flaws were discovered.

To work on security vulnerability reports I use Burp Suite Community Edition.

Another simpler, but not to be neglected, tool is the security option of SpotBugs. I use it as an Eclipse plugin.
Tomcat 9 & AJP
Despite
The Tomcat default values are used, as recommended by https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Introduction
This relates to the AJP fix described in https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
and to https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
Out of the box (OOTB), however, secretRequired must be set to false because the secret value is empty. Otherwise Tomcat logs a message saying that the AJP connector is not available (with secretRequired="true", the default since 9.0.31, the connector refuses to start without a non-empty secret).
Long story short: with the OOTB configuration only localhost works, since the connector is bound to the loopback address and carries no secret. If you want to use AJP from another host (typically a reverse proxy), you need to set address, secretRequired and secret according to your deployment.
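The following is an added example, not OFBiz or Tomcat code, that encodes the rules just described so a deployment can be checked before it goes live: a connector with secretRequired="true" (the Tomcat 9.0.31+ default) and an empty secret will not start; a connector without a secret is only acceptable while it stays on the loopback address; a connector with a non-empty secret is usable from a remote proxy. The three server.xml fragments, the address 10.0.0.5 and the secret value are constructed for the example and are not from any real configuration.

```python
"""Audit the AJP connectors in a Tomcat 9 server.xml fragment.

Added example for this page (not OFBiz or Tomcat code). It applies the rules
from the Tomcat 9 AJP connector documentation:
  * secretRequired defaults to true; if it is true and secret is empty,
    Tomcat refuses to start the connector.
  * secret, when non-empty, must be presented by every AJP client; without it
    the connector accepts anyone who can reach the port.
  * address defaults to the loopback address (localhost).
"""
import xml.etree.ElementTree as ET

# Constructed: the out-of-the-box situation described above, where
# secretRequired has to be false because no secret is configured.
OOTB_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector protocol="AJP/1.3" port="8009"
               secretRequired="false" secret=""/>
  </Service>
</Server>
"""

# Constructed: a connector meant for a remote reverse proxy. The address and
# the secret are placeholder values chosen for this example.
HARDENED_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector protocol="AJP/1.3" port="8009" address="10.0.0.5"
               secretRequired="true" secret="replace-with-a-long-random-value"/>
  </Service>
</Server>
"""

# Constructed: address opened up but secretRequired left at its default
# (true) with no secret; Tomcat will not start this connector at all.
BROKEN_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector protocol="AJP/1.3" port="8009" address="0.0.0.0"/>
  </Service>
</Server>
"""

LOOPBACK_ADDRESSES = {"localhost", "127.0.0.1", "::1", "0:0:0:0:0:0:0:1"}


def to_bool(value, default):
    """Parse a Tomcat boolean attribute, falling back to Tomcat's default."""
    if value is None:
        return default
    return value.strip().lower() == "true"


def audit_ajp(server_xml):
    """Return [(port, verdict)] for every AJP connector in the fragment.

    Verdicts:
      'ok'                 a secret is configured and enforced for every request
      'not-started'        secretRequired is true but secret is empty
      'localhost-only'     no secret, but only reachable via the loopback address
      'exposed-no-secret'  no secret and bound to a non-loopback address
    """
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        # A Connector without a protocol attribute is an HTTP/1.1 connector.
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        port = int(conn.get("port", "8009"))
        address = conn.get("address", "localhost")
        secret = conn.get("secret", "")
        secret_required = to_bool(conn.get("secretRequired"), True)

        if secret:
            verdict = "ok"
        elif secret_required:
            verdict = "not-started"
        elif address in LOOPBACK_ADDRESSES:
            verdict = "localhost-only"
        else:
            verdict = "exposed-no-secret"
        results.append((port, verdict))
    return results


if __name__ == "__main__":
    for name, fragment in (("OOTB", OOTB_SERVER_XML),
                           ("hardened", HARDENED_SERVER_XML),
                           ("broken", BROKEN_SERVER_XML)):
        print(name, audit_ajp(fragment))
```

Run it against a real server.xml by passing the file contents to audit_ajp(); any 'exposed-no-secret' verdict is the configuration the 9.0.31 advisory is about, and 'not-started' is the case behind the "AJP not available" log message mentioned above.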