struts-user mailing list archives

From Lukasz Lenart <lukaszlen...@apache.org>
Subject Re: data injection attack
Date Wed, 04 Jul 2012 12:57:41 GMT
By removing the setter for it?


Regards

-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


2012/7/4 J. Garcia <jogaco.en@gmail.com>:
> An interesting article that I found:
>
> http://websec.wordpress.com/2012/01/04/multiple-vulnerabilities-in-apache-struts2-and-property-oriented-programming-with-java/
>
> In struts2 it is pretty easy to set attribute values of any bean field when
> a form is posted, even if the field is not in the form.
> For instance, in my struts2 jsp form I have fields such as:
>  - mybean.id, hidden
>  - mybean.field1,
>  - mybean.field2
>
> With Firebug, I can easily add a mybean.field3 and set it to any value when
> the form is posted.
>
> I've seen that Spring MVC has the concept of allowed fields to prevent data
> injection attacks. How can this be done in Struts2?
>
> J.

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org

