struts-user mailing list archives

From smart acer <>
Subject Struts2 Bean Setter Attack
Date Tue, 30 Jun 2009 22:40:03 GMT
We need an object, for example CustomerData, in session. We have configured it
through struts2 xml, session scope.

Base Action class has a getter and setter for this bean. getCustomerData(),

Since it has a setter on action class (setter is needed to put it on session
through struts2), we believe it is open to object setter attack through Form
Post. One can for example post with customerData.address and struts2 would
automatically set this data on the object. This attribute is supposed to be
READ ONLY or ONLY System can set it, not from UI.

Any idea how we can prevent this issue? I am surprised this kind of security
issue is there with struts2, what are we missing? Is there an interceptor we
need to configure to prevent this?


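One defensive pattern for the situation described in the post, written as an added example (it is not code from the poster or from the Struts project): the action implements Struts2's `ParameterNameAware` so that the `params` interceptor only calls setters for an explicit whitelist of flat parameter names. Any name containing OGNL navigation such as `customerData.address` is rejected before it is evaluated, so the session-scoped bean can only be populated by server-side code. `CustomerAction`, `CustomerData`, the `name`/`email` fields and the package are assumptions for illustration.

```java
// Added example, not from the mailing-list post or the Struts project.
// Assumes a session-scoped CustomerData bean wired into the action via
// setCustomerData(), as described in the post.
package example; // hypothetical package name

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

public class CustomerAction extends ActionSupport implements ParameterNameAware {

    // Flat request parameters the form is allowed to set. Everything else,
    // including "customerData" and anything below it, is dropped.
    private static final Set<String> ALLOWED_PARAMS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("name", "email")));

    // Plain identifier only: no '.', '[', '(' or '#', so no OGNL navigation
    // into nested objects can slip through even if the whitelist grows.
    private static final Pattern FLAT_NAME = Pattern.compile("^[A-Za-z0-9_]+$");

    private CustomerData customerData; // injected by Struts from session scope
    private String name;
    private String email;

    // Consulted by ParametersInterceptor for every incoming parameter name.
    // Returning false means the interceptor never looks up or calls a setter.
    @Override
    public boolean acceptableParameterName(String parameterName) {
        return parameterName != null
                && FLAT_NAME.matcher(parameterName).matches()
                && ALLOWED_PARAMS.contains(parameterName);
    }

    @Override
    public String execute() {
        // Server-side code is the only writer of the session bean's fields.
        if (customerData != null) {
            customerData.setAddress(lookupAddressFor(name, email)); // system-controlled value
        }
        return SUCCESS;
    }

    // Stand-in for whatever backend lookup really produces the address (assumption).
    private String lookupAddressFor(String customerName, String customerEmail) {
        return "address resolved by the system for " + customerName;
    }

    // Setter required by Struts to inject the session-scoped bean; it is no longer
    // reachable from a form post because "customerData" fails acceptableParameterName.
    public void setCustomerData(CustomerData customerData) { this.customerData = customerData; }
    public CustomerData getCustomerData() { return customerData; }

    public void setName(String name) { this.name = name; }
    public String getName() { return name; }

    public void setEmail(String email) { this.email = email; }
    public String getEmail() { return email; }

    // Minimal stand-in for the CustomerData bean from the post (constructed for this example).
    public static class CustomerData {
        private String address;
        public String getAddress() { return address; }
        public void setAddress(String address) { this.address = address; }
    }
}
```

A configuration-only alternative that needs no Java change is to add a pattern for the bean to the `params` interceptor's `excludeParams` list in struts.xml, for example `^customerData(\..*)?$` alongside the defaults inherited from struts-default; the whitelist approach above is stricter because it fails closed for any property you forget to list, whereas `excludeParams` only blocks the names you remember to exclude.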