[WEB SECURITY] Vulnerability Disclosure in University

Michele Orru' minchia.lusardu at gmail.com
Tue Jun 10 18:04:47 EDT 2008

Hi steve

about the defensive techniques I'm interested, I'm searching the best 
tool to prevent session management attacks, as a JEE servlet or as 
external products like mod_security.

if someone of you already work with mod_Security and his session 
management protection techniques, I would be pleased to share some thoughts.

all the best

> Hi Michelle,
> Do you have authorization to be performing a security assessment 
> against the university application? If not, then I would refrain from 
> doing anything invasive, and write about the issues in a more 
> "theoretical" manner by discussing the overall dangers, but leave out 
> the details of the app, such as who it belongs to, what it's used 
> for and who created it. Session management attacks and defenses can be 
> applied to any application, so unless you have authorization to be 
> performing the assessment and writing about it. I would recommend you 
> A) don't do anything that could get you into trouble and B) leave 
> out any "incriminating" details.
> For number two, can you be more specific about the defensive 
> techniques you are interested in?
> Regards,
> Steve J.

Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn

More information about the websecurity mailing list