Posted to user@struts.apache.org by "J. Garcia" <jo...@gmail.com> on 2012/07/04 13:44:59 UTC

data injection attack

An interesting article that I found:

http://websec.wordpress.com/2012/01/04/multiple-vulnerabilities-in-apache-struts2-and-property-oriented-programming-with-java/

In struts2 it is pretty easy to set attribute values of any bean field when
a form is posted, even if the field is not in the form.
For instance, in my struts2 jsp form I have fields such as:
 - mybean.id, hidden
 - mybean.field1,
 - mybean.field2

With Firebug, I can easily add a mybean.field3 and set it to any value when
the form is posted.

I've seen that Spring MVC has the concept of allowed fields to prevent data
injection attacks. How can this be done in Struts2?

J.

Type Conversion annotation

Posted by Shrinivas Parashar <Sh...@symantec.com>.
Hi,

Can we define the @TypeConversion annotation for a nested property at the parent level?

For Example I have a bean

public class Bike {

    private Name name;

    public Name getName() {
        return this.name;
    }

    public void setName(Name name) {
        this.name = name;
    }
}



I would like to specify the @TypeConversion annotation for the Name property in the model, like below:



@Conversion
public class Person {

    private Bike bike;

    @TypeConversion(key = "bike.name", converter = "org.apache.struts.helloworld.model.MyConverter")
    public Bike getBike() {
        return this.bike;
    }

    public void setBike(Bike bike) {
        this.bike = bike;
    }
}

Is this possible?



Regards,
Shrinivas

Re: data injection attack

Posted by "J. Garcia" <jo...@gmail.com>.
Implementing the ParameterNameAware interface with a white/black list seems
the best solution.
Thanks,
J.

On Wed, Jul 4, 2012 at 3:51 PM, Dave Newton <da...@gmail.com> wrote:

> Then whitelist/blacklist.
>
> Or don't expose sensitive data directly to the user.
>
> Dave
>
> (pardon brevity, typos, and top-quoting; on cell)
> On Jul 4, 2012 8:49 AM, "J. Garcia" <jo...@gmail.com> wrote:
>
> > My action would have:
> >
> > public void setMyBean( MyBean myBean) {...}
> >
> > and I would like to avoid an injection on myBean.field3. This field could
> > be the owner id for instance!
> >
> > On Wed, Jul 4, 2012 at 3:34 PM, Łukasz Lenart
> > <lu...@googlemail.com> wrote:
> >
> > > Another way is to use AnnotationParameterFilterIntereptor (name
> > > contains typo) and @Allowed and @Blocked annotations
> > >
> > >
> > > Regards
> > > --
> > > Łukasz
> > > mobile +48 606 323 122 http://www.lenart.org.pl/
> > > Warszawa JUG conference - Confitura http://confitura.pl/
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
> > > For additional commands, e-mail: user-help@struts.apache.org
> > >
> > >
> >
>

Re: data injection attack

Posted by Dave Newton <da...@gmail.com>.
Then whitelist/blacklist.

Or don't expose sensitive data directly to the user.

Dave

(pardon brevity, typos, and top-quoting; on cell)
On Jul 4, 2012 8:49 AM, "J. Garcia" <jo...@gmail.com> wrote:

> My action would have:
>
> public void setMyBean( MyBean myBean) {...}
>
> and I would like to avoid an injection on myBean.field3. This field could
> be the owner id for instance!
>
> On Wed, Jul 4, 2012 at 3:34 PM, Łukasz Lenart
> <lu...@googlemail.com> wrote:
>
> > Another way is to use AnnotationParameterFilterIntereptor (name
> > contains typo) and @Allowed and @Blocked annotations
> >
> >
> > Regards
> > --
> > Łukasz
> > mobile +48 606 323 122 http://www.lenart.org.pl/
> > Warszawa JUG conference - Confitura http://confitura.pl/
> >
> >
> >
>

Re: data injection attack

Posted by "J. Garcia" <jo...@gmail.com>.
Spring Security allows protecting method calls via annotations like
@Secured, @PreAuthorize, @PostFilter, but I was interested in something
lighter.

On Wed, Jul 4, 2012 at 4:29 PM, Marcus Bond <ma...@marcusbond.me.uk> wrote:

> You could implement a class that delegates to your bean but only exposes
> setters and getters that are appropriate, so in the case of the id then you
> could let the user view it (getter) but not allow the setter.
>
> A perhaps even better approach would be to devise a proxying mechanism
> (perhaps configured via annotations) and have a security layer be
> responsible for which methods can be called - this not only would prevent
> url parameters being set but also prevent restricted fields of any object
> being updated.
>
> Marcus.
>
>
>
> -----Original Message-----
> From: J. Garcia [mailto:jogaco.en@gmail.com]
> Sent: 04 July 2012 14:49
> To: Struts Users Mailing List; lukasz.lenart@gmail.com
> Subject: Re: data injection attack
>
> My action would have:
>
> public void setMyBean( MyBean myBean) {...}
>
> and I would like to avoid an injection on myBean.field3. This field could
> be the owner id for instance!
>
> On Wed, Jul 4, 2012 at 3:34 PM, Łukasz Lenart
> <lu...@googlemail.com> wrote:
>
> > Another way is to use AnnotationParameterFilterIntereptor (name
> > contains typo) and @Allowed and @Blocked annotations
> >
> >
> > Regards
> > --
> > Łukasz
> > mobile +48 606 323 122 http://www.lenart.org.pl/ Warszawa JUG
> > conference - Confitura http://confitura.pl/
> >
> >
> >
>
>
>
>

RE: data injection attack

Posted by Marcus Bond <ma...@marcusbond.me.uk>.
You could implement a class that delegates to your bean but only exposes the setters and getters that are appropriate, so in the case of the id you could let the user view it (getter) but not allow the setter.

A perhaps even better approach would be to devise a proxying mechanism (perhaps configured via annotations) and have a security layer be responsible for which methods can be called - this would not only prevent URL parameters being set but also prevent restricted fields of any object being updated.

Marcus.



-----Original Message-----
From: J. Garcia [mailto:jogaco.en@gmail.com] 
Sent: 04 July 2012 14:49
To: Struts Users Mailing List; lukasz.lenart@gmail.com
Subject: Re: data injection attack

My action would have:

public void setMyBean( MyBean myBean) {...}

and I would like to avoid an injection on myBean.field3. This field could be the owner id for instance!

On Wed, Jul 4, 2012 at 3:34 PM, Łukasz Lenart
<lu...@googlemail.com> wrote:

> Another way is to use AnnotationParameterFilterIntereptor (name 
> contains typo) and @Allowed and @Blocked annotations
>
>
> Regards
> --
> Łukasz
> mobile +48 606 323 122 http://www.lenart.org.pl/ Warszawa JUG 
> conference - Confitura http://confitura.pl/
>
>
>




Re: data injection attack

Posted by "J. Garcia" <jo...@gmail.com>.
My action would have:

public void setMyBean(MyBean myBean) {...}

and I would like to avoid an injection on myBean.field3. This field could
be the owner id for instance!

On Wed, Jul 4, 2012 at 3:34 PM, Łukasz Lenart
<lu...@googlemail.com> wrote:

> Another way is to use AnnotationParameterFilterIntereptor (name
> contains typo) and @Allowed and @Blocked annotations
>
>
> Regards
> --
> Łukasz
> mobile +48 606 323 122 http://www.lenart.org.pl/
> Warszawa JUG conference - Confitura http://confitura.pl/
>
>
>

Re: data injection attack

Posted by Łukasz Lenart <lu...@googlemail.com>.
Another way is to use AnnotationParameterFilterIntereptor (the name
contains a typo) and the @Allowed and @Blocked annotations.


Regards
-- 
Łukasz
mobile +48 606 323 122 http://www.lenart.org.pl/
Warszawa JUG conference - Confitura http://confitura.pl/



Re: data injection attack

Posted by Łukasz Lenart <lu...@googlemail.com>.
You can always implement the ParameterNameAware interface and its
boolean acceptableParameterName(String parameterName);


Regards
-- 
Łukasz
mobile +48 606 323 122 http://www.lenart.org.pl/
Warszawa JUG conference - Confitura http://confitura.pl/
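One way to apply the ParameterNameAware suggestion above to the form from the original post, as an added example that is not code from this thread or from Struts itself. The action and bean names (EditMyBeanAction, MyBean, the mybean property) are assumptions, and it assumes struts2-core (XWork's ActionSupport and ParameterNameAware) on the classpath.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

// Hypothetical action behind the form in the thread. Only the three parameter
// names the JSP renders are bindable; "mybean.field3" (the owner id), or any
// other name added to the POST with Firebug, is dropped by ParametersInterceptor
// before the bean is touched. MyBean keeps setField3() for server-side use,
// so nothing has to be removed from the model.
public class EditMyBeanAction extends ActionSupport implements ParameterNameAware {
    // Exact-match whitelist: blacklisting "mybean.field3" alone would still let
    // a later-added "mybean.field4" through, so the allowed names are listed.
    private static final Set<String> ALLOWED = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("mybean.id", "mybean.field1", "mybean.field2")));

    private MyBean mybean = new MyBean();
    public MyBean getMybean() { return mybean; }
    public void setMybean(MyBean mybean) { this.mybean = mybean; }

    // ParametersInterceptor asks this for every request parameter; returning
    // false skips it, so it never reaches OGNL or the bean's setter.
    public boolean acceptableParameterName(String parameterName) {
        return parameterName != null && ALLOWED.contains(parameterName);
    }

    @Override
    public String execute() {
        return SUCCESS; // mybean.field3 holds what the server loaded, never a posted value
    }
    // Stand-in for the form-backing bean (constructed for this example).
    public static class MyBean {
        private Long id, field3;        // field3 = owner id, server-controlled only
        private String field1, field2;
        public Long getId() { return id; }           public void setId(Long v) { id = v; }
        public String getField1() { return field1; } public void setField1(String v) { field1 = v; }
        public String getField2() { return field2; } public void setField2(String v) { field2 = v; }
        public Long getField3() { return field3; }   public void setField3(Long v) { field3 = v; }
    }

    // Offline check of the whitelist against the parameter names from the thread.
    public static void main(String[] args) {
        EditMyBeanAction action = new EditMyBeanAction();
        for (String p : new String[] {"mybean.id", "mybean.field1", "mybean.field3"}) {
            System.out.println(p + " -> " + (action.acceptableParameterName(p) ? "bound" : "dropped"));
        }
    }
}
```

Because the check is an exact match on the full parameter name, nested or bracketed spellings of the same property are rejected too, which is why an allow list is preferable to excluding individual names.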



Re: data injection attack

Posted by Miguel Almeida <mi...@almeida.at>.
Lukas: that's not always viable though. You might need a setter for your
model object elsewhere, but don't want that action to set that property.



On Wed, 2012-07-04 at 14:57 +0200, Lukasz Lenart wrote:

> By removing setter for it ?
> 
> 
> Regards
> 



Re: data injection attack

Posted by Lukasz Lenart <lu...@apache.org>.
By removing the setter for it?


Regards

-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/


2012/7/4 J. Garcia <jo...@gmail.com>:
> An interesting article that I found:
>
> http://websec.wordpress.com/2012/01/04/multiple-vulnerabilities-in-apache-struts2-and-property-oriented-programming-with-java/
>
> In struts2 it is pretty easy to set attribute values of any bean field when
> a form is posted, even if the field is not in the form.
> For instance, in my struts2 jsp form I have fields such as:
>  - mybean.id, hidden
>  - mybean.field1,
>  - mybean.field2
>
> With Firebug, I can easily add a mybean.field3 and set it to any value when
> the form is posted.
>
> I've seen that Spring MVC has the concept of allowed fields to prevent data
> injection attack. How can this be done in Struts2?
>
> J.
