struts-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Altenhof, David Aron" <dalte...@iupui.edu>
Subject RE: Parameter manipulation
Date Fri, 17 Dec 2010 14:54:09 GMT
The model objects are initialized in prepare() ... other techniques just aren't as practical
for our application.

I'm just going to keep doing lots of whitelisting with ParameterNameAware...

-David 



-----Original Message-----
From: Steven Yang [mailto:kenshin520@gmail.com] 
Sent: Friday, December 17, 2010 1:10 AM
To: Struts Users Mailing List
Subject: Re: Parameter manipulation

is your user object initialized when the param interceptor is run?

here i might be wrong, but what i know is if your object is initialized then Struts or OGNL
will call getUser().setEmail(...) otherwise create a new User then setEmail then setUser then
the second case should fail for you

again, i might be wrong on the behavior

On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron
<daltenho@iupui.edu>wrote:

> I've been getting more and more concerned about the possibility of 
> parameter manipulation attacks with Struts2. I've started doing strict 
> whitelists using the ParameterNameAware interface on all of my forms pages.
> However, today I tried to code a "display-only" page that shows 
> information about a particular user. I thought that by simply creating 
> a getter and no setter, it would be impossible to inject parameters. 
> For example, my action only contains the following getter for a JPA model object:
>
> public User getUser() {
>        return user;
> }
>
> However, by sending a simple query parameter, it is *still* possible 
> to change values in user. For example, you can send:
>
>
> http://localhost:8080/MySite/userdisplay.action?user.email=newemail@ad
> dress.com
>
> ... and it works. The email will become newemail@address.com
>
> Is there any way to shut this down other than whitelisting every 
> single action in your site using ParameterNameAware? (Or simply never 
> put model objects on your stack?) This is getting frustrating!
>
> -David
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> For additional commands, e-mail: user-help@struts.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


Mime
View raw message