data injection attack

2012-07-04 Thread J. Garcia
An interesting article that I found:

http://websec.wordpress.com/2012/01/04/multiple-vulnerabilities-in-apache-struts2-and-property-oriented-programming-with-java/

In struts2 it is pretty easy to set attribute values of any bean field when
a form is posted, even if the field is not in the form.
For instance, in my struts2 jsp form I have fields such as:
 - mybean.id, hidden
 - mybean.field1,
 - mybean.field2

With Firebug, I can easily add a mybean.field3 and set it to any value when
the form is posted.

I've seen that Spring MVC has the concept of allowed fields to prevent data
injection attacks. How can this be done in Struts2?

J.


Re: data injection attack

2012-07-04 Thread Lukasz Lenart
By removing the setter for it?


Regards

-- 
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/



-
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org



Re: data injection attack

2012-07-04 Thread Miguel Almeida
Lukasz: that's not always viable though. You might need a setter for your
model object elsewhere, but don't want that action to set that property.







Re: data injection attack

2012-07-04 Thread Łukasz Lenart
You can always implement ParameterNameAware interface and boolean
acceptableParameterName(String parameterName);


Regards
-- 
Łukasz
mobile +48 606 323 122 http://www.lenart.org.pl/
Warszawa JUG conference - Confitura http://confitura.pl/

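Added example of the ParameterNameAware approach described above; this is not code from the thread or from Struts itself. The hypothetical EditMyBeanAction accepts exactly the three parameter names the form posts (mybean.id, mybean.field1, mybean.field2), so a tampered request carrying mybean.field3 (the owner id) is discarded and logged before any setter runs; MyBean and the class name are assumptions.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

/**
 * Struts 2 action that whitelists the request parameters ParametersInterceptor
 * may bind. Only the names the JSP form really submits are accepted; any extra
 * name added client-side is dropped. EditMyBeanAction and MyBean are hypothetical.
 */
public class EditMyBeanAction extends ActionSupport implements ParameterNameAware {

    private static final Logger LOG = Logger.getLogger(EditMyBeanAction.class.getName());

    /** Full OGNL parameter paths the form is expected to submit; everything else is rejected. */
    private static final Set<String> ACCEPTED = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("mybean.id", "mybean.field1", "mybean.field2")));

    private MyBean mybean = new MyBean();

    /** ParametersInterceptor calls this for every incoming parameter name before
     *  binding it. Returning false discards the parameter; logging the rejects
     *  gives a cheap signal that a client is sending fields the form never had. */
    @Override
    public boolean acceptableParameterName(String parameterName) {
        boolean ok = ACCEPTED.contains(parameterName);
        if (!ok) {
            LOG.warning("Rejected unexpected request parameter: " + parameterName);
        }
        return ok;
    }

    // The setter can stay for other callers: only whitelisted names reach it via the request.
    public MyBean getMybean() { return mybean; }
    public void setMybean(MyBean mybean) { this.mybean = mybean; }

    /** Bean with client-editable fields and a server-owned field3 (e.g. the owner id). */
    public static class MyBean {
        private Long id, field3;
        private String field1, field2;
        public Long getId() { return id; }           public void setId(Long v) { id = v; }
        public String getField1() { return field1; } public void setField1(String v) { field1 = v; }
        public String getField2() { return field2; } public void setField2(String v) { field2 = v; }
        public Long getField3() { return field3; }   public void setField3(Long v) { field3 = v; }
    }
}
```

ParametersInterceptor consults acceptableParameterName in addition to its own acceptParamNames/excludeParams patterns, so the interceptor configuration does not need to change; note that the accepted names are the full parameter paths as they appear in the request, not the bean's field names alone.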



Re: data injection attack

2012-07-04 Thread Dave Newton
Then whitelist/blacklist.

Or don't expose sensitive data directly to the user.

Dave

(pardon brevity, typos, and top-quoting; on cell)
On Jul 4, 2012 8:49 AM, J. Garcia jogaco...@gmail.com wrote:

 My action would have:

 public void setMyBean( MyBean myBean) {...}

 and I would like to avoid an injection on myBean.field3. This field could
 be the owner id for instance!

 On Wed, Jul 4, 2012 at 3:34 PM, Łukasz Lenart
 lukasz.len...@googlemail.com wrote:

  Another way is to use AnnotationParameterFilterIntereptor (name
  contains typo) and @Allowed and @Blocked annotations
 
 
  Regards
  --
  Łukasz
  mobile +48 606 323 122 http://www.lenart.org.pl/
  Warszawa JUG conference - Confitura http://confitura.pl/
 



Re: data injection attack

2012-07-04 Thread J. Garcia
Implementing the ParameterNameAware interface with white/black list seems
the best solution.
Thanks,
J.




RE: data injection attack

2012-07-04 Thread Marcus Bond
You could implement a class that delegates to your bean but only exposes 
setters and getters that are appropriate, so in the case of the id then you 
could let the user view it (getter) but not allow the setter.

A perhaps even better approach would be to devise a proxying mechanism (perhaps 
configured via annotations) and have a security layer be responsible for which 
methods can be called - this not only would prevent url parameters being set 
but also prevent restricted fields of any object being updated.

Marcus.






Re: data injection attack

2012-07-04 Thread J. Garcia
Spring Security allows protecting method calls via annotations like
@Secured, @PreAuthorize, @PostFilter, but I was interested in something
lighter.
