Posted to user@struts.apache.org by Rick Reumann <r...@reumann.net> on 2003/03/14 18:16:22 UTC

[Q] Use of DispatchAction with security concerns

Someone e-mailed me privately the following question about security and
the use of DispatchAction and a hidden variable. I'd appreciate any
comments....

<pertinent question>
  
When using the dispatch action, you make use of a hidden variable to
determine which method will be called.  What happens if this hidden
variable is changed to a method which does not exist?  Is an error
thrown? (The user can change hidden variables to be malicious.)
Also, if the user changes the hidden variable from update to insert,
will it duplicate the entry of the employee, or would you check that
the employee already existed?  I know for the sake of the tutorial
you probably left this out, but this is a common assumption that
people make which leads to security holes.
 
</end pertinent question>
 
Would the following help?

Keep JSP's under WEB-INF
Use LookupDispatchAction instead of DispatchAction
Make sure to use token to avoid duplicate inserts

Thanks for any Struts user comments on the issue.
 
-- 
Rick Reumann

---------------------------------------------------------------------
To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: struts-user-help@jakarta.apache.org


Re: [Q] Use of DispatchAction with security concerns

Posted by Phil Steitz <ph...@steitz.com>.
Rick Reumann wrote:
> Someone e-mailed me privately the following question about security and
> the use of DispatchAction and a hidden variable. I'd appreciate any
> comments....
> 
> <pertinent question>
>   
> When using the dispatch action, you make use of a hidden variable to
> determine which method will be called.  What happens if this hidden
> variable is changed to a method which does not exist?  Is an error
> thrown? (The user can change hidden variables to be malicious.)

According to the docs for DispatchAction, this should result in either 
dispatch to the overridden "unspecified" method, or an HTTP "Bad 
Request" response sent if this has not been overridden.

> Also, if the user changes the hidden variable from update to insert,
> will it duplicate the entry of the employee, or would you check that
> the employee already existed?  I know for the sake of the tutorial
> you probably left this out, but this is a common assumption that
> people make which leads to security holes.

Using hidden fields for control information can open security holes. 
Here are a couple of ways to deal with this exposure:

1. Authorize all actions that can affect the model: i.e., use some form 
of "Action Protection" either what struts + Container-Managed Security 
provides or application-based security to verify that the user is 
authorized to perform the requested action *with the posted data* (i.e., 
at the account or "row" level).

2. If the hidden fields contain sensitive data or you want to be *extra* 
paranoid about manipulation, you can encrypt the hidden fields.

>  
> </end pertinent question>
>  
> Would the following help?
> 
> Keep JSP's under WEB-INF
> Use LookupDispatchAction instead of DispatchAction
> Make sure to use token to avoid duplicate inserts
> 
> Thanks for any Struts user comments on the issue.
>  

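The points raised in this thread (reject an unknown or missing method name, authorize the requested action against the posted data at the row level, and use the Struts transaction token so a replayed or re-submitted form cannot insert the same employee twice) combined into one DispatchAction subclass. This is an added example, not code from either poster or from the Struts distribution. It assumes the Struts 1.x DispatchAction and Action token API (saveToken, isTokenValid, resetToken); the EmployeeForm bean, the in-memory OWNER map standing in for a database, the forward names "form", "success" and "duplicate", and the role name "hr-admin" are all hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;
import org.apache.struts.actions.DispatchAction;

/**
 * Hardened employee maintenance action (added example, not from the thread).
 * Assumes a struts-config mapping such as
 *   <action path="/employee" type="EmployeeAction" name="employeeForm"
 *           parameter="method" scope="request" .../>
 * so that the "method" request parameter picks one of the methods below.
 */
public class EmployeeAction extends DispatchAction {

    /** Hypothetical form bean; only the two fields this example needs. */
    public static class EmployeeForm extends ActionForm {
        private String employeeId;
        private String name;
        public String getEmployeeId() { return employeeId; }
        public void setEmployeeId(String v) { employeeId = v; }
        public String getName() { return name; }
        public void setName(String v) { name = v; }
    }

    /** Hypothetical stand-in for the database: employeeId -> owning user. */
    private static final Map OWNER = new HashMap();

    // The "method" parameter is missing entirely: refuse instead of guessing.
    // (A method name that does not exist is rejected by DispatchAction itself.)
    public ActionForward unspecified(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        response.sendError(HttpServletResponse.SC_BAD_REQUEST,
                "method parameter required");
        return null;
    }

    // Render the insert/update form. The token saved here is written into the
    // form by <html:form> and must come back unchanged on submit.
    public ActionForward edit(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        saveToken(request);
        return mapping.findForward("form");
    }

    public ActionForward update(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        EmployeeForm ef = (EmployeeForm) form;
        // Row-level check: the posted employeeId must belong to the caller,
        // regardless of what the hidden "method" field claims.
        String owner = (String) OWNER.get(ef.getEmployeeId());
        if (owner == null || !owner.equals(request.getRemoteUser())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "not your record");
            return null;
        }
        if (!isTokenValid(request)) {          // replayed or double-submitted form
            return mapping.findForward("duplicate");
        }
        resetToken(request);                   // each token is good for one submit
        // ... persist ef.getName() for ef.getEmployeeId() here ...
        return mapping.findForward("success");
    }

    public ActionForward insert(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws Exception {
        EmployeeForm ef = (EmployeeForm) form;
        // Method-level check: flipping the hidden field from "update" to
        // "insert" still has to pass a role the container has authenticated.
        if (!request.isUserInRole("hr-admin")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "insert requires the hr-admin role");
            return null;
        }
        if (!isTokenValid(request)) {
            return mapping.findForward("duplicate");
        }
        resetToken(request);
        // Existence check closes the "insert the same employee twice" hole
        // even for a client that never went through edit() to get a token.
        if (OWNER.containsKey(ef.getEmployeeId())) {
            return mapping.findForward("duplicate");
        }
        OWNER.put(ef.getEmployeeId(), request.getRemoteUser());
        return mapping.findForward("success");
    }
}
```

Two design choices worth noting. The authorization decision in update() is made on the posted employeeId, not on the method name, which is the "with the posted data" point from item 1 above: a user who is allowed to call update at all is still only allowed to update rows they own. And the token check sits after the authorization check, so an unauthorized request is refused before it can consume or reset the caller's token. Keeping the JSPs under WEB-INF, as suggested earlier in the thread, does not change any of this: it only stops the form page from being fetched directly, while the request parameters remain fully under the client's control.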