struts-user mailing list archives

From "bphillips@ku.edu" <bphill...@ku.edu>
Subject Security Vulnerability When Using SessionAware and Best Practice For Mitigating It
Date Tue, 21 Feb 2012 14:09:51 GMT
I was researching the SessionAware interface as I'm planning on adding a
tutorial on how to use the HTTP Session object from within a Struts Action
class to the tutorials at:
https://cwiki.apache.org/confluence/display/WW/Getting+Started

I ran across this blog post
(http://codesecure.blogspot.com/2011/12/struts-2-session-tampering-via.html)
and Struts 2 JIRA issue (https://issues.apache.org/jira/browse/WW-3631)
that discuss a security vulnerability when using SessionAware.

I'd like to include in the tutorial the best practices for mitigating this
vulnerability.  Here is what I think programmers who use SessionAware in
their Action class should do to mitigate this vulnerability:

1.  Do not create a public Map<String, Object> getSession() method in the
Action class

2.  Also implement the ParameterNameAware interface and override its
acceptableParameterName method as follows:

    // Called by the ParametersInterceptor for each request parameter name;
    // returning false makes the interceptor drop that parameter.
    @Override
    public boolean acceptableParameterName(String parameterName) {

        boolean allowedParameterName = true;

        // Reject any parameter name that contains "session" or "request"
        // (e.g. "session.user" or "request.foo"), so it is never evaluated.
        if (parameterName.contains("session") ||
            parameterName.contains("request")) {

            allowedParameterName = false;

        }

        return allowedParameterName;
    }

I'd certainly appreciate any feedback on best practices to follow when
implementing the SessionAware interface and how to mitigate the security
vulnerability.

Thank You,

Bruce Phillips

--
View this message in context: http://struts.1045723.n5.nabble.com/Security-Vulnerability-When-Using-SessionAware-and-Best-Practice-For-Mitigating-It-tp5502292p5502292.html
Sent from the Struts - User mailing list archive at Nabble.com.
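As an added example (not code from the original post or from the Struts project), the two mitigations above combined in one Struts 2 Action class: the session map is held in a private field with no getSession() method, and acceptableParameterName() rejects any name that refers to the session or request. It goes beyond the post's deny-list by also rejecting names that are not plain property names and accepting only the parameter names the action declares. The class name ProfileAction, the ALLOWED_PARAMETERS set and the session key "userName" are assumptions made for the example.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;
import org.apache.struts2.interceptor.SessionAware;

// Hypothetical action, not from the Struts project: stores a user name in the
// HTTP session without exposing the session map to request parameters.
public class ProfileAction extends ActionSupport
        implements SessionAware, ParameterNameAware {

    // Session attribute this action reads and writes (assumed name).
    private static final String USER_NAME_KEY = "userName";

    // The only request parameters this action will accept (assumed names).
    private static final Set<String> ALLOWED_PARAMETERS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("userName", "displayName")));

    // A plain property name: no '.', '[', quotes or other OGNL path syntax.
    private static final Pattern SIMPLE_NAME = Pattern.compile("[A-Za-z][A-Za-z0-9]*");

    // Private and deliberately without a getSession() method, so an OGNL
    // expression in a parameter name cannot navigate into the session map.
    private Map<String, Object> session;

    private String userName;
    private String displayName;

    public void setSession(Map<String, Object> session) {
        this.session = session;
    }

    // Called by ParametersInterceptor for every request parameter name.
    // Returning false drops the parameter before any OGNL evaluation.
    public boolean acceptableParameterName(String parameterName) {
        if (parameterName == null) {
            return false;
        }
        String lower = parameterName.toLowerCase(Locale.ROOT);
        // The post's rule, made case-insensitive: never accept a name that
        // refers to the session or the request.
        if (lower.contains("session") || lower.contains("request")) {
            return false;
        }
        // Stricter than the post: reject anything that is not a simple
        // property name, then require the name to be on the allow-list.
        if (!SIMPLE_NAME.matcher(parameterName).matches()) {
            return false;
        }
        return ALLOWED_PARAMETERS.contains(parameterName);
    }

    public String execute() {
        if (session == null) {
            return ERROR;
        }
        if (userName != null && !userName.trim().isEmpty()) {
            // The action, not the request, decides which key is written.
            session.put(USER_NAME_KEY, userName.trim());
        }
        return SUCCESS;
    }

    // Read-only, typed access to one session attribute for the view; there is
    // no setter, so a request parameter cannot write through it.
    public String getCurrentUserName() {
        Object value = (session == null) ? null : session.get(USER_NAME_KEY);
        return (value instanceof String) ? (String) value : null;
    }

    public String getUserName() { return userName; }
    public void setUserName(String userName) { this.userName = userName; }

    public String getDisplayName() { return displayName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
}
```

Two things to keep in mind when using this pattern. acceptableParameterName() is only consulted by the ParametersInterceptor, so the action's interceptor stack must still include it; it is a per-action control, whereas the interceptor's own excludeParams setting in struts.xml is the place for a rule that should apply to every action. And with an allow-list, a form field that is added later but not added to ALLOWED_PARAMETERS is silently dropped rather than rejected with an error, so the list has to be maintained alongside the action's setters.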
