Kingdom: Environment
This section includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.
J2EE Misconfiguration: Duplicate Servlet Mapping
Abstract
Multiple servlet mappings for the same URL pattern exist. Duplicate servlet mappings often indicate left over debug code or a typographical error.
Explanation
Duplicate servlet mappings serve no purpose since only the last entry will be applied when the same URL pattern is used in multiple servlet mappings.
Example 1: In the following example, the URL pattern
Example 1: In the following example, the URL pattern
/servletA/* is used in two different servlet mappings.
<servlet-mapping>
<servlet-name>ServletA</servlet-name>
<url-pattern>/servletA/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
<servlet-name>ServletB</servlet-name>
<url-pattern>/servletA/*</url-pattern>
</servlet-mapping>
References
[1] Standards Mapping - Common Weakness Enumeration CWE ID 684
[2] Standards Mapping - OWASP API 2023 API8 Security Misconfiguration
[3] Standards Mapping - OWASP Top 10 2013 A5 Security Misconfiguration
[4] Standards Mapping - OWASP Top 10 2017 A6 Security Misconfiguration
[5] Standards Mapping - OWASP Top 10 2021 A05 Security Misconfiguration
[6] Standards Mapping - Web Application Security Consortium Version 2.00 Application Misconfiguration (WASC-15)
desc.config.java.j2ee_misconfiguration_duplicate_servlet_mapping