Posted to user@struts.apache.org by smart acer <sm...@gmail.com> on 2009/07/01 00:40:03 UTC

Struts2 Bean Setter Attack

We need an object, for example CustomerData, in session. We have configured it
through struts2 xml, session scope.

Base Action class has a getter and setter for this bean: getCustomerData(),
setCustomerData()

Since it has a setter on action class (setter is needed to put it on session
through struts2), we believe it is open to object setter attack through Form
Post. One can for example post with customerData.address and struts2 would
automatically set this data on the object. This attribute is supposed to be
READ ONLY or ONLY System can set it, not from UI.

Any idea how we can prevent this issue? I am surprised this kind of security
issue is there with struts2, what are we missing? Is there an interceptor we
need to configure to prevent this?

Thanks

Re: Struts2 Bean Setter Attack

Posted by Dave Newton <ne...@yahoo.com>.
Martin Gainty wrote:
> possibly excludeParams with (reg-exp) patterns to exclude
> 
> <interceptor-ref name="params">
>   <param name="excludeParams">
>     <a href*>,^struts\..*
>   </param>
> </interceptor-ref>

It's probably unusual to have variables named "<a href*>".

Dave

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
For additional commands, e-mail: user-help@struts.apache.org


RE: Struts2 Bean Setter Attack

Posted by Martin Gainty <mg...@hotmail.com>.
possibly excludeParams with (reg-exp) patterns to exclude

<interceptor-ref name="params">
    <param name="excludeParams"><a href*>,^struts\..*</param>
</interceptor-ref>

would clean malicious anchor tags

http://struts.apache.org/2.0.14/struts2-core/apidocs/com/opensymphony/xwork2/interceptor/ParametersInterceptor.html

interested in hearing of ParameterNameAware solution

thanks,
Martin Gainty 




> Date: Tue, 30 Jun 2009 16:54:08 -0700
> Subject: Re: Struts2 Bean Setter Attack
> From: musachy@gmail.com
> To: user@struts.apache.org
> 
> There are around 25.8 ways to prevent this, some options are to block
> it in the params interceptor config, to configure the remove
> parameters interceptor, to implement ParameterNameAware and filter out
> evil parameters.
> 
> musachy
> 
> On Tue, Jun 30, 2009 at 3:40 PM, smart acer<sm...@gmail.com> wrote:
> > We need an object, for example CustomerData, in session. We have configured it
> > through struts2 xml, session scope.
> >
> > Base Action class has a getter and setter for this bean: getCustomerData(),
> > setCustomerData()
> >
> > Since it has a setter on action class (setter is needed to put it on session
> > through struts2), we believe it is open to object setter attack through Form
> > Post. One can for example post with customerData.address and struts2 would
> > automatically set this data on the object. This attribute is supposed to be
> > READ ONLY or ONLY System can set it, not from UI.
> >
> > Any idea how we can prevent this issue? I am surprised this kind of security
> > issue is there with struts2, what are we missing? Is there an interceptor we
> > need to configure to prevent this?
> >
> > Thanks
> >
> 
> 
> 
> -- 
> "Hey you! Would you help me to carry the stone?" Pink Floyd
> 


Re: Struts2 Bean Setter Attack

Posted by Musachy Barroso <mu...@gmail.com>.
There are around 25.8 ways to prevent this, some options are to block
it in the params interceptor config, to configure the remove
parameters interceptor, to implement ParameterNameAware and filter out
evil parameters.

musachy

On Tue, Jun 30, 2009 at 3:40 PM, smart acer<sm...@gmail.com> wrote:
> We need an object, for example CustomerData, in session. We have configured it
> through struts2 xml, session scope.
>
> Base Action class has a getter and setter for this bean: getCustomerData(),
> setCustomerData()
>
> Since it has a setter on action class (setter is needed to put it on session
> through struts2), we believe it is open to object setter attack through Form
> Post. One can for example post with customerData.address and struts2 would
> automatically set this data on the object. This attribute is supposed to be
> READ ONLY or ONLY System can set it, not from UI.
>
> Any idea how we can prevent this issue? I am surprised this kind of security
> issue is there with struts2, what are we missing? Is there an interceptor we
> need to configure to prevent this?
>
> Thanks
>



-- 
"Hey you! Would you help me to carry the stone?" Pink Floyd
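One way to apply the ParameterNameAware option Musachy lists, as an added example that is not code from this thread or from Struts itself: the base action vetoes every request parameter that would reach the session-scoped bean, so the params interceptor drops a posted customerData.address before it ever evaluates the setter. The class name CustomerData, the customerData property and the allow-list pattern are assumptions taken from the original question, not from the framework.

```java
import java.util.regex.Pattern;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

/**
 * Base action that refuses request parameters aimed at the session-scoped
 * CustomerData bean. ParametersInterceptor asks acceptableParameterName()
 * about every submitted name before it runs the OGNL setter, so a rejected
 * name is simply ignored instead of being written to the object.
 */
public abstract class BaseAction extends ActionSupport implements ParameterNameAware {

    // Deny list (assumption: the bean is called customerData): the bean itself
    // and anything nested below it in any OGNL spelling, e.g. customerData.address,
    // customerData['address'], customerData[0].
    private static final Pattern SYSTEM_OWNED =
            Pattern.compile("^customerData(\\.|\\[|$).*");

    // Allow list: only plain identifier paths with dotted or numeric-indexed
    // segments, so names that are not property paths never reach OGNL at all.
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[A-Za-z][A-Za-z0-9_]*(\\.[A-Za-z][A-Za-z0-9_]*|\\[\\d+\\])*$");

    // Populated by Struts from the session (hence the public setter), never by the form.
    private CustomerData customerData;

    @Override
    public boolean acceptableParameterName(String parameterName) {
        if (parameterName == null || SYSTEM_OWNED.matcher(parameterName).matches()) {
            return false; // read-only from the UI's point of view
        }
        return SAFE_NAME.matcher(parameterName).matches();
    }

    public CustomerData getCustomerData() { return customerData; }

    // Still required so the framework can inject the session-scoped bean;
    // the filter above is what keeps form data away from it.
    public void setCustomerData(CustomerData customerData) { this.customerData = customerData; }
}

/** Stand-in for the questioner's bean (constructed for this example). */
class CustomerData {
    private String address;
    public String getAddress() { return address; }
    public void setAddress(String address) { this.address = address; }
}
```

With this in place, acceptableParameterName("customerData.address") returns false while an ordinary form field such as "order.quantity" still passes; the excludeParams regex Martin mentions is the configuration-only way to express the same deny list.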



Re: Struts2 Bean Setter Attack

Posted by Jim Kiley <jh...@summa-tech.com>.
Why worry if an object at your view layer gets a value set on it? Your real
processing should be occurring at a service layer underneath the view layer.
Only copy data from the view down into your application if you really need
for it to be copied down.
jk

On Tue, Jun 30, 2009 at 6:40 PM, smart acer <sm...@gmail.com> wrote:

> We need an object, for example CustomerData, in session. We have configured
> it through struts2 xml, session scope.
>
> Base Action class has a getter and setter for this bean: getCustomerData(),
> setCustomerData()
>
> Since it has a setter on action class (setter is needed to put it on
> session through struts2), we believe it is open to object setter attack
> through Form Post. One can for example post with customerData.address and
> struts2 would automatically set this data on the object. This attribute is
> supposed to be READ ONLY or ONLY System can set it, not from UI.
>
> Any idea how we can prevent this issue? I am surprised this kind of
> security issue is there with struts2, what are we missing? Is there an
> interceptor we need to configure to prevent this?
>
> Thanks
>



-- 
Jim Kiley
Senior Technical Consultant | Summa
[p] 412.258.3346
http://www.summa-tech.com