There are around 25.8 ways to prevent this; some options are to block it in the params interceptor config, to configure the remove parameters interceptor, or to implement ParameterNameAware and filter out evil parameters.
musachy

On Tue, Jun 30, 2009 at 3:40 PM, smart acer<smarta...@gmail.com> wrote:
> We need an object for example CustomerData in session. We have configured it
> through struts2 xml, session scope.
>
> Base Action class has a getter and setter for this bean. getCustomerData(),
> setCustomerData()
>
> Since it has a setter on action class (setter is needed to put it on session
> thru struts2), we believe it is open to object setter attack through Form
> Post. One can for example post with customerData.address and struts2 would
> automatically set this data on the object. This attribute is supposed to be
> READ ONLY or ONLY System can set it, not from UI.
>
> Any idea how we can prevent this issue? I am surprised this kind of security
> issue is there with struts2, what are we missing? Is there an interceptor we
> need to configure to prevent this?
>
> Thanks
>
> --
> "Hey you! Would you help me to carry the stone?" Pink Floyd
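The ParameterNameAware option from the reply, as an added example that is not part of this thread or of the Struts project's own code. The ParametersInterceptor asks an action that implements ParameterNameAware whether each incoming parameter name is acceptable before it binds it, so the action can refuse any name that would navigate into the session-scoped bean. The BaseAction and CustomerData classes below are hypothetical stand-ins for the ones described in the question, and the allow-list regex is an assumption about what the application's own form fields look like.

```java
import java.util.regex.Pattern;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

/** Hypothetical session-scoped bean; mirrors the one described in the question. */
class CustomerData {
    private String address;

    public String getAddress() { return address; }
    public void setAddress(String address) { this.address = address; }
}

/**
 * Hypothetical base action (added example). The setter for customerData has to
 * exist so the container can inject the session-scoped bean, but request
 * parameters must never be allowed to reach it or anything beneath it.
 */
public class BaseAction extends ActionSupport implements ParameterNameAware {

    private static final long serialVersionUID = 1L;

    /** The only parameter we treat as system-owned; adjust to taste. */
    private static final String PROTECTED_PREFIX = "customerData";

    /**
     * Allow-list of what a form field name may look like: simple dotted
     * property paths only. Bracket, parenthesis, hash and other OGNL syntax is
     * rejected outright, which also blocks customerData['address'] style
     * variants. (Assumed shape; tighten for your own forms.)
     */
    private static final Pattern ALLOWED =
            Pattern.compile("^[a-zA-Z][a-zA-Z0-9_]*(\\.[a-zA-Z][a-zA-Z0-9_]*)*$");

    private CustomerData customerData;

    /** Read by the view; populated by the container, not by the request. */
    public CustomerData getCustomerData() { return customerData; }

    /** Needed for session injection, which is exactly why it must be fenced off. */
    public void setCustomerData(CustomerData customerData) { this.customerData = customerData; }

    /**
     * Called by ParametersInterceptor for every request parameter. Returning
     * false drops the parameter before any setter is invoked.
     */
    @Override
    public boolean acceptableParameterName(String parameterName) {
        if (parameterName == null) {
            return false;
        }
        // Reject anything shaped like OGNL rather than a plain property path.
        if (!ALLOWED.matcher(parameterName).matches()) {
            return false;
        }
        // Reject the bean itself and any path into it (customerData.address, ...).
        if (parameterName.equals(PROTECTED_PREFIX)
                || parameterName.startsWith(PROTECTED_PREFIX + ".")) {
            return false;
        }
        return true;
    }
}
```

With this in place a POST carrying customerData.address is silently discarded while ordinary form fields such as name or order.quantity still bind. Keeping the check in the base action means every subclass inherits it; subclasses that need to protect further beans can override acceptableParameterName, call super first, and add their own prefixes. This is complementary to, not a replacement for, excluding the same names in the params interceptor configuration, since the interceptor-level rule also covers actions that do not extend BaseAction.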