I encountered one of oc4j vulnerability and want to share this experience. Container_tabs.jsp is reachable and vulnerable for Cross Site Scripting that is not part of my ear file when you type url like http://domain/webapp/jsp/container_tabs.jsp. This jsp is located under home/j2ee/applications/webapp/jsp folder and this page could be exploited by attackers to execute arbitrary scripting code. The solution is enable securty_mod if it isn’t or you need to remove this page. The last option is waiting for a patch from Oracle but as we know Oracle tend to support Weblogic instead Oc4j.
For further reading
http://hungred.com/web-development/solutions-crosssite-scripting-xss-attack/
