An interesting article that I found: http://websec.wordpress.com/2012/01/04/multiple-vulnerabilities-in-apache-struts2-and-property-oriented-programming-with-java/
In struts2 it is pretty easy to set attribute values of any bean field when a form is posted, even if the field is not in the form. For instance, in my struts2 jsp form I have fields such as:

- mybean.id (hidden)
- mybean.field1
- mybean.field2

With Firebug, I can easily add a mybean.field3 and set it to any value when the form is posted. I've seen that Spring MVC has the concept of allowed fields to prevent data injection attacks. How can this be done in Struts2?

J.
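One way to get Spring MVC's "allowed fields" behaviour in Struts2, as an added example that is not part of the original post: the params interceptor asks an action that implements `ParameterNameAware` before binding each request parameter, so anything outside the allow-list (such as `mybean.field3`) is dropped. It assumes Struts 2.x with the XWork package names and a hypothetical `MyBean` class with plain setters.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;
import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

// Hypothetical bean bound from the form. field3 must never be client-settable.
class MyBean {
    private long id;
    private String field1;
    private String field2;
    private String field3 = "server-default";
    public void setId(long id) { this.id = id; }
    public void setField1(String v) { this.field1 = v; }
    public void setField2(String v) { this.field2 = v; }
    public void setField3(String v) { this.field3 = v; }
    public String getField3() { return field3; }
}

// Struts 2.x action that restricts which request parameters may be bound,
// the Struts2 counterpart of Spring MVC's allowed fields.
public class SaveMyBeanAction extends ActionSupport implements ParameterNameAware {

    // Allow-list: exactly the parameter names the form is meant to submit.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "mybean.id", "mybean.field1", "mybean.field2"));

    // Reject brackets, parentheses and other OGNL navigation in parameter names.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9_.]+$");

    private MyBean mybean = new MyBean();

    // Called by ParametersInterceptor for every request parameter before it is
    // set on the action; returning false silently discards that parameter.
    @Override
    public boolean acceptableParameterName(String parameterName) {
        if (parameterName == null || !SAFE_NAME.matcher(parameterName).matches()) {
            return false;
        }
        return ALLOWED.contains(parameterName);   // "mybean.field3" -> false
    }

    public MyBean getMybean() { return mybean; }
    public void setMybean(MyBean mybean) { this.mybean = mybean; }

    @Override
    public String execute() {
        // mybean.field3 still holds "server-default" even if the client posted it
        return SUCCESS;
    }
}
```

The same allow-list can instead be declared per action in struts.xml through the params interceptor's `acceptParamNames` parameter, which keeps the binding policy out of the action class.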