[ https://issues.apache.org/jira/browse/WW-3541?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Lukasz Lenart updated WW-3541:
------------------------------
Fix Version/s: 7.2.0
(was: 7.1.0)
> Request Parameter to Action Object Mapping Plugin for Insecure Direct Object
> References
> ---------------------------------------------------------------------------------------
>
> Key: WW-3541
> URL: https://issues.apache.org/jira/browse/WW-3541
> Project: Struts 2
> Issue Type: New Feature
> Components: Core Interceptors
> Affects Versions: 2.2.1.1
> Environment: All OS
> Reporter: datta kudale
> Priority: Major
> Fix For: 7.2.0
>
> Original Estimate: 96h
> Remaining Estimate: 96h
>
> JSP Parameter to Action Object Mapping (Security) Plugin does this great
> thing. Here is also a short overview of what it does and why a developer
> would want to use it.
> Many applications expose their internal object references to users. Attackers
> use parameter tampering to change references and violate the intended but
> unenforced access control policy. Frequently, these references point to file
> systems and databases, but any exposed application construct could be
> vulnerable.
> The best protection is to avoid exposing direct object references to users by
> using an index, indirect reference map, or other indirect method that is easy
> to validate. If a direct object reference must be used, ensure that the user
> is authorized before using it.
> * Avoid exposing your private object references to users whenever
> possible, such as primary keys or filenames
> * Validate any private object references extensively with an "accept
> known good" approach
> * Verify authorization to all referenced objects
> So, to avoid exposing the internal object implementation to the end user, this
> plugin can be used.
> Please refer to the following link for the plugin:
> https://cwiki.apache.org/confluence/display/S2PLUGINS/Request+Parameter+to+Action+Object+Mapping+Plugin+for+Insecure+Direct+Object+References
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
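The indirect reference map, "accept known good" validation and authorization check described in the issue, as an added Python illustration of the approach (this is not the plugin's code or the Struts API; IndirectReferenceMap, ACCOUNT_OWNERS and handle_request are constructed names for this example):

```python
import secrets
from typing import Dict, Optional


class IndirectReferenceMap:
    """Per-session map between internal references and opaque tokens.

    The page only ever embeds tokens, never primary keys or filenames,
    so a tampered parameter cannot name an object the session never saw.
    """

    def __init__(self) -> None:
        self._direct_to_indirect: Dict[str, str] = {}
        self._indirect_to_direct: Dict[str, str] = {}

    def expose(self, direct_ref: str) -> str:
        """Return the token for an internal reference, issuing one if needed."""
        token = self._direct_to_indirect.get(direct_ref)
        if token is None:
            token = secrets.token_urlsafe(16)  # unguessable, session-scoped
            self._direct_to_indirect[direct_ref] = token
            self._indirect_to_direct[token] = direct_ref
        return token

    def resolve(self, token: str) -> Optional[str]:
        """Accept known good: only tokens issued in this session resolve."""
        return self._indirect_to_direct.get(token)


# Constructed sample data: which user owns each internal account id.
ACCOUNT_OWNERS = {"acct-1001": "alice", "acct-1002": "alice", "acct-2001": "bob"}


def render_account_links(session_map: IndirectReferenceMap, user: str) -> Dict[str, str]:
    """Tokens a page would embed for the accounts belonging to this user."""
    return {acct: session_map.expose(acct)
            for acct, owner in ACCOUNT_OWNERS.items() if owner == user}


def handle_request(session_map: IndirectReferenceMap, user: str, token: str) -> str:
    """Resolve the submitted token, then still verify authorization on the object."""
    direct = session_map.resolve(token)
    if direct is None:
        return "rejected: unknown reference"      # raw id or foreign token submitted
    if ACCOUNT_OWNERS.get(direct) != user:
        return "rejected: not authorized"         # valid token, wrong principal
    return f"ok: {direct}"
```

Resolving the token is not a substitute for the ownership check; both rejections above are exercised separately.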