struts-user mailing list archives
From "Altenhof, David Aron" <>
Subject RE: Parameter manipulation
Date Fri, 17 Dec 2010 14:54:09 GMT
The model objects are initialized in prepare() ... other techniques just aren't as practical
for our application.

I'm just going to keep doing lots of whitelisting with ParameterNameAware...


-----Original Message-----
From: Steven Yang [] 
Sent: Friday, December 17, 2010 1:10 AM
To: Struts Users Mailing List
Subject: Re: Parameter manipulation

Is your user object initialized when the param interceptor is run?

Here I might be wrong, but what I know is: if your object is initialized, then Struts or OGNL
will call getUser().setEmail(...); otherwise it will create a new User, then setEmail, then setUser, and then
the second case should fail for you.

Again, I might be wrong on the behavior.

On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron

> I've been getting more and more concerned about the possibility of 
> parameter manipulation attacks with Struts2. I've started doing strict 
> whitelists using the ParameterNameAware interface on all of my forms pages.
> However, today I tried to code a "display-only" page that shows 
> information about a particular user. I thought that by simply creating 
> a getter and no setter, it would be impossible to inject parameters. 
> For example, my action only contains the following getter for a JPA model object:
> public User getUser() {
>        return user;
> }
> However, by sending a simple query parameter, it is *still* possible 
> to change values in user. For example, you can send:
> http://localhost:8080/MySite/userdisplay.action?
> ... and it works. The email will become
> Is there any way to shut this down other than whitelisting every 
> single action in your site using ParameterNameAware? (Or simply never 
> put model objects on your stack?) This is getting frustrating!
> -David
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

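The thread above describes the problem (a getter-only model object on the value stack still lets a request parameter such as user.email=... reach getUser().setEmail(...) through the parameters interceptor) and the mitigation David settled on (strict whitelisting with ParameterNameAware). The following is an added example, not code from the thread or from the Struts project, showing what such a display-only action looks like with the whitelist in place. It assumes a paramsPrepareParamsStack (so prepare() runs after the first parameter pass and can use the bound id), and the User and UserRepository classes are constructed stand-ins for the poster's JPA model and its lookup.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;
import java.util.regex.Pattern;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.Preparable;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

/**
 * Display-only action. The User model is exposed through a getter so the
 * view can render it, which means the parameters interceptor could bind a
 * request parameter like user.email=... via getUser().setEmail(...).
 * Implementing ParameterNameAware lets the action veto every parameter
 * name that is not on its explicit whitelist before OGNL ever sees it.
 */
public class UserDisplayAction extends ActionSupport
        implements Preparable, ParameterNameAware {

    private static final Logger LOG = Logger.getLogger(UserDisplayAction.class.getName());

    // The only request parameter this action accepts: the record to display.
    private static final Set<String> ALLOWED = new HashSet<String>();
    static {
        ALLOWED.add("id");
    }

    // Defence in depth: a whitelisted name must also be a plain identifier,
    // never a nested path (user.email) or an OGNL expression ([0], #, (...)).
    private static final Pattern PLAIN_NAME = Pattern.compile("[A-Za-z][A-Za-z0-9]*");

    private Long id;
    private User user;

    /** Called by the parameters interceptor for every incoming parameter name. */
    @Override
    public boolean acceptableParameterName(String parameterName) {
        boolean ok = parameterName != null
                && PLAIN_NAME.matcher(parameterName).matches()
                && ALLOWED.contains(parameterName);
        if (!ok) {
            // Rejected names are a cheap detection signal for parameter probing.
            LOG.warning("Rejected request parameter: " + parameterName);
        }
        return ok;
    }

    public void setId(Long id) { this.id = id; }
    public Long getId() { return id; }

    /** On paramsPrepareParamsStack this runs after id has been bound. */
    @Override
    public void prepare() {
        user = (id == null) ? null : UserRepository.find(id); // hypothetical lookup
    }

    // Getter only. With the whitelist above, no user.* parameter reaches it.
    public User getUser() { return user; }

    @Override
    public String execute() {
        return (user == null) ? ERROR : SUCCESS;
    }
}

/** Constructed stand-in for the poster's JPA model object. */
class User {
    private String email;
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
}

/** Constructed stand-in for the persistence lookup; returns null when unknown. */
class UserRepository {
    static User find(Long id) {
        if (id == null || id.longValue() != 1L) { return null; }
        User u = new User();
        u.setEmail("user1@example.invalid"); // constructed sample value
        return u;
    }
}
```

With this in place a request carrying id=1 binds normally, while a request carrying user.email=... (or any other name not in ALLOWED) is dropped before OGNL evaluates it and leaves a warning in the log. The PLAIN_NAME check is deliberately redundant with the set lookup; it keeps the action safe even if someone later adds an entry to ALLOWED that contains a dot or bracket.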
