Request Parameter to Action Object Mapping Plugin for Insecure Direct Object 
References
---------------------------------------------------------------------------------------

                 Key: WW-3541
                 URL: https://issues.apache.org/jira/browse/WW-3541
             Project: Struts 2
          Issue Type: New Feature
          Components: Core Interceptors
    Affects Versions: 2.2.1.1
         Environment: All OS
            Reporter: datta kudale


JSP Parameter to Action Object Mapping (Security) Plugin does this great thing. 
Here is also a short overview of what it does and why a developer would want to 
use it.

Many applications expose their internal object references to users. Attackers 
use parameter tampering to change references and violate the intended but 
unenforced access control policy. Frequently, these references point to file 
systems and databases, but any exposed application construct could be 
vulnerable.

The best protection is to avoid exposing direct object references to users by 
using an index, indirect reference map, or other indirect method that is easy 
to validate. If a direct object reference must be used, ensure that the user is 
authorized before using it.

    * Avoid exposing your private object references to users whenever possible, 
such as primary keys or filenames
    * Validate any private object references extensively with an "accept known 
good" approach
    * Verify authorization to all referenced objects

So, to avoid exposing the internal object implementation to the end user, this 
plugin can be used.
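The indirect reference map described above, as an added example in plain Java (this is not the plugin's code and makes no assumption about its API): direct references such as primary keys are exchanged for random, session-scoped tokens before they reach the browser, and a request parameter is only honoured if it carries a token this map actually issued. The `IndirectReferenceMap` class, the `acct-…` identifiers and the "account" parameter name are all constructed for illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Per-user indirect reference map (added example, not the plugin's code).
 * Direct references (e.g. database primary keys) never reach the browser;
 * the client only sees random opaque tokens that are valid for this user's
 * session. A token the map has never issued is rejected, which is the
 * "accept known good" check from the issue text. The object identifiers used
 * below are hypothetical.
 */
public final class IndirectReferenceMap {
    private static final SecureRandom RNG = new SecureRandom();

    // token -> direct reference, and the reverse so the same object
    // always maps to the same token within one session
    private final Map<String, String> tokenToDirect = new HashMap<>();
    private final Map<String, String> directToToken = new HashMap<>();

    /**
     * Issue (or reuse) an opaque token for a direct reference. Call this only
     * for objects the current user is already authorized to access, so that a
     * successful resolution later implies authorization.
     */
    public synchronized String toIndirect(String directRef) {
        String existing = directToToken.get(directRef);
        if (existing != null) {
            return existing;
        }
        byte[] buf = new byte[16];
        RNG.nextBytes(buf);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
        tokenToDirect.put(token, directRef);
        directToToken.put(directRef, token);
        return token;
    }

    /** Resolve a token taken from a request parameter; empty if this user was never issued it. */
    public synchronized Optional<String> toDirect(String token) {
        if (token == null) {
            return Optional.empty();
        }
        return Optional.ofNullable(tokenToDirect.get(token));
    }

    /** Demonstration with a constructed account list (not real data). */
    public static void main(String[] args) {
        // Constructed sample: account ids this user is authorized to see.
        String[] ownedAccounts = {"acct-1001", "acct-1002"};

        // In a web application the map would live in the user's HttpSession.
        IndirectReferenceMap map = new IndirectReferenceMap();
        for (String id : ownedAccounts) {
            System.out.println("render link with ?account=" + map.toIndirect(id));
        }

        // A tampered parameter value the map never issued is rejected before any lookup.
        System.out.println("tampered 'acct-1003' resolves to: " + map.toDirect("acct-1003"));
        // A legitimate token round-trips to the original id.
        String token = map.toIndirect("acct-1001");
        System.out.println("issued token resolves to: " + map.toDirect(token));
    }
}
```

The important design point is that the authorization check happens when the token is issued, not when it is resolved: because `toIndirect` is only ever called for objects the user may access, any token that resolves is by construction one the user was entitled to, and a guessed or tampered value simply fails to resolve. The map must be scoped to one user's session; sharing a single map across users would reintroduce the original problem with an extra indirection.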

Please refer to the following link for the plugin:

https://cwiki.apache.org/confluence/display/S2PLUGINS/Request+Parameter+to+Action+Object+Mapping+Plugin+for+Insecure+Direct+Object+References

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
