struts-user mailing list archives

From "J. Garcia" <jogaco...@gmail.com>
Subject data injection attack
Date Wed, 04 Jul 2012 11:44:59 GMT
An interesting article that I found:

http://websec.wordpress.com/2012/01/04/multiple-vulnerabilities-in-apache-struts2-and-property-oriented-programming-with-java/

In struts2 it is pretty easy to set attribute values of any bean field when
a form is posted, even if the field is not in the form.
For instance, in my struts2 jsp form I have fields such as:
 - mybean.id, hidden
 - mybean.field1,
 - mybean.field2

With Firebug, I can easily add a mybean.field3 and set it to any value when
the form is posted.

I've seen that Spring MVC has the concept of allowed fields to prevent data
injection attacks. How can this be done in Struts2?

J.
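An allowlist of acceptable parameter names, the Struts2 counterpart of Spring MVC's allowed fields, as an added example that is not from the post or from the Struts project. It uses the field names from the message above (mybean.id, mybean.field1, mybean.field2, and the unexpected mybean.field3). The class is written to compile without the Struts jars; the hook it mirrors is `com.opensymphony.xwork2.interceptor.ParameterNameAware`, whose `acceptableParameterName(String)` the Struts 2.x ParametersInterceptor consults for every posted parameter before setting it on the action (package name as of Struts 2.x, which is an assumption for other versions). The plain-name regex and the `filter` helper are my additions.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

/**
 * Allowlist filter for posted parameter names.
 * In a real Struts 2 action, implement
 * com.opensymphony.xwork2.interceptor.ParameterNameAware and keep the
 * acceptableParameterName method below; the interceptor then refuses to
 * populate any bean field whose name the method rejects.
 */
public class AllowedFieldsAction {

    // Assumption: these are the only bean fields the form is meant to populate.
    private static final Set<String> ALLOWED = Set.of(
            "mybean.id", "mybean.field1", "mybean.field2");

    // Plain dotted property names only: no brackets, parentheses, quotes or '#',
    // so nothing that could be read as an OGNL expression gets through.
    private static final Pattern PLAIN_NAME =
            Pattern.compile("[A-Za-z][A-Za-z0-9]*(\\.[A-Za-z][A-Za-z0-9]*)*");

    /** Same signature as ParameterNameAware.acceptableParameterName. */
    public boolean acceptableParameterName(String parameterName) {
        return parameterName != null
                && PLAIN_NAME.matcher(parameterName).matches()
                && ALLOWED.contains(parameterName);
    }

    /** Applies the allowlist to a posted parameter map and returns what survives. */
    public Map<String, String> filter(Map<String, String> posted) {
        Map<String, String> accepted = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : posted.entrySet()) {
            if (acceptableParameterName(e.getKey())) {
                accepted.put(e.getKey(), e.getValue());
            } else {
                // Drop and log: a rejected name is the signal that someone
                // edited the form client-side.
                System.err.println("dropped unexpected parameter: " + e.getKey());
            }
        }
        return accepted;
    }

    public static void main(String[] args) {
        // Constructed request: the three form fields plus one the form never had.
        Map<String, String> posted = new LinkedHashMap<>();
        posted.put("mybean.id", "42");
        posted.put("mybean.field1", "a");
        posted.put("mybean.field2", "b");
        posted.put("mybean.field3", "injected");
        Map<String, String> accepted = new AllowedFieldsAction().filter(posted);
        System.out.println(accepted);
    }
}
```

Run with `javac AllowedFieldsAction.java && java AllowedFieldsAction` (Java 9 or newer for `Set.of`). The allowlist is per action, so each form declares exactly the fields it owns; a deny-list on the interceptor (Struts 2's `excludeParams` parameter on the ParametersInterceptor, which I'm citing from memory) is a useful global backstop but cannot know which bean fields a particular form should expose.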
