API7:2023 Security Misconfiguration - Misleading example #79
Labels
Comments
|
I tend to agree. We should find a different scenario. |
ErezYalon
added
the
pending community feedback
|
How about something CORS related? Already mentioned a couple of times in that entry too |
|
Are bad Keys Management based scenarios (for cloud services access for instance) in the scope ? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Scenario #1 - This category shows a JNDI injection issue.
I don't believe a JNDI injection is a good example of a "security misconfiguration" issue. sure, sometimes there might be an unnecessary JNDI feature within some specific functionality, and it's really better to turn it off. However, in many other cases, the JNDI functionality is required, and cannot be simply removed. In this case, the best mitigation should follow the line of "Input Sanitization", Usage of "Parameterized Queries", and so on.
This is a much better example for Injection use cases (which is partially described in API10:2023 - Unsafe Consumption of APIs)
The text was updated successfully, but these errors were encountered: