struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "datta kudale (JIRA)" <j...@apache.org>
Subject [jira] Created: (WW-3541) Request Parameter to Action Object Mapping Plugin for Insecure Direct Object References
Date Thu, 09 Dec 2010 09:32:02 GMT
Request Parameter to Action Object Mapping Plugin for Insecure Direct Object References
---------------------------------------------------------------------------------------

                 Key: WW-3541
                 URL: https://issues.apache.org/jira/browse/WW-3541
             Project: Struts 2
          Issue Type: New Feature
          Components: Core Interceptors
    Affects Versions: 2.2.1.1
         Environment: All OS
            Reporter: datta kudale


JSP Parameter to Action Object Mapping (Security) Plugin does this great thing. Here is also
a short overview of what it does and why a developer would want to use it.

Many applications expose their internal object references to users. Attackers use parameter
tampering to change references and violate the intended but unenforced access control policy.
Frequently, these references point to file systems and databases, but any exposed application
construct could be vulnerable.

The best protection is to avoid exposing direct object references to users by using an index,
indirect reference map, or other indirect method that is easy to validate. If a direct object
reference must be used, ensure that the user is authorized before using it.

    * Avoid exposing your private object references to users whenever possible, such as primary
keys or filenames
    * Validate any private object references extensively with an "accept known good" approach
    * Verify authorization to all referenced objects

So to avoid internal object implementation to end user, this plugin can be used. 

Please refer following link for Plugin

https://cwiki.apache.org/confluence/display/S2PLUGINS/Request+Parameter+to+Action+Object+Mapping+Plugin+for+Insecure+Direct+Object+References

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message