ABSTRACT

A Servlet defined in web.xml cannot be accessed without a corresponding servlet mapping.

EXPLANATION

The absence of a valid servlet mapping prevents all access to the unmapped servlet.



Example 1: The following entry from web.xml defines ExampleServlet but fails to define a corresponding servlet mapping.


<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
version="2.4">

<servlet>
<servlet-name>ExampleServlet</servlet-name>
<servlet-class>com.class.ExampleServlet</servlet-class>
<load-on-startup>1</load-on-startup>
</servlet>

</web-app>

REFERENCES

[1] Standards Mapping - OWASP Top 10 2010 - (OWASP 2010) A6 Security Misconfiguration

[2] Standards Mapping - OWASP Top 10 2004 - (OWASP 2004) A9 Application Denial of Service

[3] Standards Mapping - Security Technical Implementation Guide Version 3 - (STIG 3) APP6080 CAT II

[4] Standards Mapping - Common Weakness Enumeration - (CWE) CWE ID 730

[5] Sun Microsystems, Inc. Java Servlet Specification 2.4

[6] Standards Mapping - Payment Card Industry Data Security Standard Version 1.1 - (PCI 1.1) Requirement 6.5.9