Duplicate servlet mappings serve no purpose since only the last entry will be applied when the same URL pattern is used in multiple servlet mappings.

Example 1: In the following example, the URL pattern /servletA/* is used in two different servlet mappings.

<servlet-mapping>
    <servlet-name>ServletA</servlet-name>
    <url-pattern>/servletA/*</url-pattern>
</servlet-mapping>
<servlet-mapping>
    <servlet-name>ServletB</servlet-name>
    <url-pattern>/servletA/*</url-pattern>
</servlet-mapping>

Struts uses form-bean entries to map HTML forms to actions. If a form-bean does not have a type, it cannot be mapped to an action.
Example 1: The following form-bean has an empty type attribute.

<form-beans>
  <form-bean name="loginForm" type="">
    <form-property name="name" type="java.lang.String" />
    <form-property name="password" type="java.lang.String" />
  </form-bean>
</form-beans>

Struts requires <form-property> tags to include a type attribute. Struts will throw an exception when processing a form that defines a form-property with no type.

Example 1: The following configuration omits a type for the name property.

<form-bean name="loginForm" type="org.apache.struts.validator.DynaValidatorForm">
  <form-property name="name" />
  <form-property name="password" type="java.lang.String" />
</form-bean>

Struts uses the path attribute to locate the resource necessary to handle a request. Since the path is a module-relative location, it is an error if it does not begin with a "/" character.

Example 1: The following configuration contains an empty path.

<global-exceptions>
  <exception key="global.error.invalidLogin" path="" scope="request" type="InvalidLoginException" />
</global-exceptions>

Example 2: The following configuration uses a path that does not start with a "/" character.

<global-forwards>
  <forward name="login" path="Login.jsp" />
</global-forwards>

A <forward> tag must have name and path attributes. It is an error to omit a path or to specify a blank path. Furthermore, all paths must start with the "/" character.

Example 1: The following <forward> tag has a missing path attribute.

    <forward name="success" />

When safe_mode is enabled, the safe_mode_exec_dir option restricts PHP to executing commands from only the specified directories. Although the absence of a safe_mode_exec_dir entry does not represent a security vulnerability itself, this added leniency can be exploited by attackers in conjunction with other vulnerabilities to make exploits more dangerous.

In ASP.NET, the view state is a mechanism to persist state in web forms across postbacks. Data stored in the view state is not trustworthy because there is no mechanism for preventing replay attacks. Trusting the view state is particularly dangerous when the view state message authentication check is disabled. Disabling this check allows attackers to make arbitrary changes to the data stored in the view state and can open the door for attacks against code that trusts the view state. Attackers might use this kind of error to defeat authentication checks or alter item pricing.
Example 1: The following code disables view state message authentication checks.

Page.EnableViewStateMac = false;

The <exception> tag requires that an exception type be defined. A missing or empty type attribute is indicative of either a superfluous exception handler or an accidental omission. If a developer intended to handle an exception, but forgot to define the exception type, then the application might leak sensitive information about the system.
Example 1: The following configuration omits the type from the <exception> tag.

  <global-exceptions>
    <exception
      key="error.key"
      handler="com.mybank.ExceptionHandler"/>
  </global-exceptions>

The struts specification requires an input attribute whenever a named action returns validation errors[2]. The input attribute specifies the page used to display error messages when validation errors occur.
Example 1: The following configuration defines a named validating action, but does not specify an input attribute.

<action-mappings>
  <action   path="/Login"
            type="com.LoginAction"
            name="LoginForm"
            scope="request"
            validate="true" />
</action-mappings>

When a Secure Shell (SSH) service is running within a container, it is difficult to manage access policies, keys, passwords, and security upgrades.

Struts uses the form-bean name to map HTML forms to actions. If a form-bean does not have a name, it cannot be mapped to an action and indicates either a superfluous definition or an accidentally omitted bean.
Here is a proper form-bean example:
Example 1: The following form-bean has an empty name attribute.

<form-beans>
  <form-bean name="" type="org.apache.struts.validator.DynaValidatorForm">
    <form-property name="name" type="java.lang.String" />
    <form-property name="password" type="java.lang.String" />
  </form-bean>
</form-beans>

Kubernetes namespaces divide a cluster into manageable chunks. Namespaces provide a scope for names and facilitate the specification of various policies to a subsection of a cluster. By default, Kubernetes allocates a resource to a default namespace. Using a different namespace than the default reduces the impact of mistakes or malicious activities.

Example 1: The following configuration sets the namespace of a resource to default.

...
kind: ...
metadata:
...
namespace: default
spec:
...

Dockerfile with USER instruction that is set to root, has an overly permissive privilege to make changes inside the container. It violates the principle of running images with least privileges. In usual cases, root permissions might be required to install packages and create folders. After the installation is done, it is good practice to add a user with restricted privileges.

By default, Docker allows binding privileged ports to a container and if a port is not declared by the user then Docker maps the container port to one available in the 49153-65535 range. In many cases, certain ports need to be opened for running services and over time, the number of open ports may increase. Open ports increases the attack surface, particularly for services running with higher privileges. Make sure that you only open ports that are required for that specific service. When services do not require higher privileges, run them on port outside the privileged port range.

The Kubernetes controller manager monitors the state of a cluster and if required, can make changes in any resources the cluster manages. By default, a controller manager accepts requests from external connections. From an external connection, an attacker can gain access to security sensitive but insufficiently protected APIs.

Example 1: The following configuration starts a Kubernetes controller manager without a bind address.

...
spec:
  containers:
  - command:
    - kube-controller-manager
    - --authentication-kubeconfig=/etc/kubernetes/controller-manager.conf
    - --authorization-kubeconfig=/etc/kubernetes/controller-manager.conf
    image: example.domain/kube-controller-manager:v1.9.7
    imagePullPolicy: IfNotPresent
    ...

Kubernetes Scheduler determines where Pods run. By default, a scheduler accepts requests from external connections. From an external connection, an attacker can access insufficiently protected and security sensitive APIs.

Example 1: The following configuration starts a Kubernetes Scheduler without a bind address.

...
spec:
  containers:
    - command:
      - kube-scheduler
    image: example.domain/kube-scheduler:v1.5.2
    imagePullPolicy: IfNotPresent
    ...

When enabled, the register_globals option causes PHP to register all EGPCS (Environment, GET, POST, Cookie, and Server) variables globally, where they can be accessed in any scope in any PHP program. This option encourages programmers to write programs that are more-or-less unaware of the origin of values they rely on, which can lead to unexpected behavior in benign environments and leaves the door open to attackers in malicious environments. In recognition the dangerous security implications of register_globals, the option was disabled by default in PHP 4.2.0 and was deprecated and removed in PHP 6.

Example 1: The following code is vulnerable to cross-site scripting. The programmer assumes the value of $username originates from the server-controlled session, but an attacker may supply a malicious value for $username as a request parameter instead. With register_globals enabled, this code will include a malicious value submitted by an attacker in the dynamic HTML content it generates.

<?php
if (isset($username)) {
    echo "Hello <b>$username</b>";
} else {
    echo "Hello <b>Guest</b><br />";
    echo "Would you like to login?";

}
?>

Billable computational resources include but are not limited to CPU usage, memory, persistent storage, and network connections. In the absence of resource usage limits, attackers could cause a denial of service that consumes all available resources or incur exorbitant bills.

Multiple URL patterns that map to a single Servlet could be a sign that the Servlet performs too many functions.

Example 1: The following example maps five URL patterns to a single Servlet.

<servlet>
    <servlet-class>com.class.MyServlet</servlet-class>
    <load-on-startup>1</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/myservlet</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/helloworld*</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/servlet*</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/mservlet*</url-pattern>
</servlet-mapping>

<servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/*</url-pattern>
</servlet-mapping>

Duplicate form-bean names serve no purpose since only the last entry will be registered when the same name is used in multiple <form-bean> tags.

Example 1: The following configuration has two form-bean entries with the same name.

<form-beans>
  <form-bean name="loginForm" type="org.apache.struts.validator.DynaValidatorForm">
    <form-property name="name" type="java.lang.String" />
    <form-property name="password" type="java.lang.String" />
  </form-bean>
  <form-bean name="loginForm" type="org.apache.struts.validator.DynaActionForm">
    <form-property name="favoriteColor" type="java.lang.String" />
  </form-bean>
</form-beans>