THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
There are web oriented tools like Burp Suite Community Edition, OWASP Zed Attack, Beef or IBM Security AppScan. But most of the time they are too general, and totally parsing OFBiz can take a lot of time or be quite a challenge if done manually. You can find more penetration tools here.In December 2015, I ran a complete (100%) OWASP Zed Attack automated (Quick Start) penetration session against a locale instance of OFBiz backend (trunk head) running on localhost. It started with the same link used for backend demos. No major flaws were discovered.To work on security vulnerability reports I use Burp Suite Community Edition.
Another simpler but not to be negledted tool is the security option of Spotbug. I use it as an Eclipse plugin.
Tomcat 9 & AJP
Despite
| Jira | ||||||
|---|---|---|---|---|---|---|
|
| Jira | ||||||
|---|---|---|---|---|---|---|
|
OOTB the Tomcat default values are used as recommended by https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html#Introduction
This is in relation with https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.31
and https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Connectors
But OOTB secretRequired value must be false because secret value is empty. Else a notifying message appears in log saying that AJP is not available.
Long story short, with OOTB configuration only localhost works.
So if you want to use AJP you need to set the values depending on your configuration. Using
".*" to allowedRequestAttributesPattern put you at risk.