data injection attack
An interesting article that I found: http://websec.wordpress.com/2012/01/04/multiple-vulnerabilities-in-apache-struts2-and-property-oriented-programming-with-java/ In struts2 it is pretty easy to set attribute values of any bean field when a form is posted, even if the field is not in the form. For instance, in my struts2 jsp form I have fields such as: - mybean.id, hidden - mybean.field1, - mybean.field2 With Firebug, I can easily add a mybean.field3 and set it to any value when the form is posted. I've seen that Spring MVC has the concept of allowed fields to prevent data injection attack. How can this be done in Struts2? J.
Re: data injection attack
By removing setter for it ? Regards -- Łukasz + 48 606 323 122 http://www.lenart.org.pl/ 2012/7/4 J. Garcia jogaco...@gmail.com: An interesting article that I found: http://websec.wordpress.com/2012/01/04/multiple-vulnerabilities-in-apache-struts2-and-property-oriented-programming-with-java/ In struts2 it is pretty easy to set attribute values of any bean field when a form is posted, even if the field is not in the form. For instance, in my struts2 jsp form I have fields such as: - mybean.id, hidden - mybean.field1, - mybean.field2 With Firebug, I can easily add a mybean.field3 and set it to any value when the form is posted. I've seen that Spring MVC has the concept of allowed fields to prevent data injection attack. How can this be done in Struts2? J. - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: data injection attack
Lukas: that's not always viable though. You might need a setter for your model object elsewhere, but don't want that action to set that property. On Wed, 2012-07-04 at 14:57 +0200, Lukasz Lenart wrote: By removing setter for it ? Regards
Re: data injection attack
You can always implement ParameterNameAware interface and boolean acceptableParameterName(String parameterName); Regards -- Łukasz mobile +48 606 323 122 http://www.lenart.org.pl/ Warszawa JUG conference - Confitura http://confitura.pl/ - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: data injection attack
Then whitelist/blacklist. Or don't expose sensitive data directly to the user. Dave (pardon brevity, typos, and top-quoting; on cell) On Jul 4, 2012 8:49 AM, J. Garcia jogaco...@gmail.com wrote: My action would have: public void setMyBean( MyBean myBean) {...} and I would like to avoid an injection on myBean.field3. This field could be the owner id for instance! On Wed, Jul 4, 2012 at 3:34 PM, Łukasz Lenart lukasz.len...@googlemail.comwrote: Another way is to use AnnotationParameterFilterIntereptor (name contains typo) and @Allowed and @Blocked annotations Regards -- Łukasz mobile +48 606 323 122 http://www.lenart.org.pl/ Warszawa JUG conference - Confitura http://confitura.pl/ - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: data injection attack
Implementing the ParameterNameAware interface with white/black list seems the best solution. Thanks, J. On Wed, Jul 4, 2012 at 3:51 PM, Dave Newton davelnew...@gmail.com wrote: Then whitelist/blacklist. Or don't expose sensitive data directly to the user. Dave (pardon brevity, typos, and top-quoting; on cell) On Jul 4, 2012 8:49 AM, J. Garcia jogaco...@gmail.com wrote: My action would have: public void setMyBean( MyBean myBean) {...} and I would like to avoid an injection on myBean.field3. This field could be the owner id for instance! On Wed, Jul 4, 2012 at 3:34 PM, Łukasz Lenart lukasz.len...@googlemail.comwrote: Another way is to use AnnotationParameterFilterIntereptor (name contains typo) and @Allowed and @Blocked annotations Regards -- Łukasz mobile +48 606 323 122 http://www.lenart.org.pl/ Warszawa JUG conference - Confitura http://confitura.pl/ - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
RE: data injection attack
You could implement a class that delegates to your bean but only exposes setters and getters that are appropriate, so in the case of the id then you could let the user view it (getter) but not allow the setter. A perhaps even better approach would be to devise a proxying mechanism (perhaps configured via annotations) and have a security layer be responsible for which methods can be called - this not only would prevent url parameters being set but also prevent restricted fields of any object being updated. Marcus. -Original Message- From: J. Garcia [mailto:jogaco...@gmail.com] Sent: 04 July 2012 14:49 To: Struts Users Mailing List; lukasz.len...@gmail.com Subject: Re: data injection attack My action would have: public void setMyBean( MyBean myBean) {...} and I would like to avoid an injection on myBean.field3. This field could be the owner id for instance! On Wed, Jul 4, 2012 at 3:34 PM, Łukasz Lenart lukasz.len...@googlemail.comwrote: Another way is to use AnnotationParameterFilterIntereptor (name contains typo) and @Allowed and @Blocked annotations Regards -- Łukasz mobile +48 606 323 122 http://www.lenart.org.pl/ Warszawa JUG conference - Confitura http://confitura.pl/ - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: data injection attack
Spring security allows to protect method calls via annotacions like @Secured, @PreAuthorize, @PostFilter, but I was interested in something lighter. On Wed, Jul 4, 2012 at 4:29 PM, Marcus Bond mar...@marcusbond.me.uk wrote: You could implement a class that delegates to your bean but only exposes setters and getters that are appropriate, so in the case of the id then you could let the user view it (getter) but not allow the setter. A perhaps even better approach would be to devise a proxying mechanism (perhaps configured via annotations) and have a security layer be responsible for which methods can be called - this not only would prevent url parameters being set but also prevent restricted fields of any object being updated. Marcus. -Original Message- From: J. Garcia [mailto:jogaco...@gmail.com] Sent: 04 July 2012 14:49 To: Struts Users Mailing List; lukasz.len...@gmail.com Subject: Re: data injection attack My action would have: public void setMyBean( MyBean myBean) {...} and I would like to avoid an injection on myBean.field3. This field could be the owner id for instance! On Wed, Jul 4, 2012 at 3:34 PM, Łukasz Lenart lukasz.len...@googlemail.comwrote: Another way is to use AnnotationParameterFilterIntereptor (name contains typo) and @Allowed and @Blocked annotations Regards -- Łukasz mobile +48 606 323 122 http://www.lenart.org.pl/ Warszawa JUG conference - Confitura http://confitura.pl/ - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org