I've been getting more and more concerned about the possibility of parameter manipulation attacks with Struts2. I've started doing strict whitelists using the ParameterNameAware interface on all of my forms pages. However, today I tried to code a "display-only" page that shows information about a particular user. I thought that by simply creating a getter and no setter, it would be impossible to inject parameters. For example, my action only contains the following getter for a JPA model object:

    public User getUser() { return user; }

However, by sending a simple query parameter, it is *still* possible to change values in user. For example, you can send:

    http://localhost:8080/MySite/userdisplay.action?user.email=newem...@address.com

... and it works. The email will become newem...@address.com

Is there any way to shut this down other than whitelisting every single action in your site using ParameterNameAware? (Or simply never put model objects on your stack?)

This is getting frustrating!

-David

---------------------------------------------------------------------
To unsubscribe, e-mail: user-unsubscr...@struts.apache.org
For additional commands, e-mail: user-h...@struts.apache.org
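The behaviour David describes follows from how the params interceptor works: the name `user.email` is evaluated as an OGNL property chain, so the interceptor calls `getUser()` and then `setEmail(...)` on the returned object. A getter with no setter on the action does not help, because the setter being invoked lives on the JPA entity. The example below is added here and is not code from the original post or from Struts itself. It shows one way to get a deny-by-default posture without writing a separate whitelist in every action: an abstract base action that implements ParameterNameAware and rejects every parameter unless a subclass opts a specific name in. The class names, the `userId` parameter, the `User` entity and the injected JPA `EntityManager` are assumptions for illustration.

```java
// Added example, not from the original post or the Struts project.
// Hypothetical names: DenyAllParametersAction, UserDisplayAction, User, userId.
// --- DenyAllParametersAction.java ---
import java.util.Collections;
import java.util.Set;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;

/**
 * Base action that drops every request parameter by default. The params
 * interceptor calls acceptableParameterName() for each parameter name before
 * it is applied to the value stack; returning false discards that parameter,
 * so "user.email=..." is never evaluated and getUser().setEmail(...) never runs.
 */
public abstract class DenyAllParametersAction extends ActionSupport
        implements ParameterNameAware {

    /** Exact parameter names a concrete action accepts; none unless overridden. */
    protected Set<String> allowedParameterNames() {
        return Collections.emptySet();
    }

    @Override
    public boolean acceptableParameterName(String parameterName) {
        // Exact-match whitelist: "userId" is accepted, "user.email" is not.
        return allowedParameterNames().contains(parameterName);
    }
}

// --- UserDisplayAction.java (hypothetical display-only page) ---
// import javax.persistence.EntityManager;
// import javax.persistence.PersistenceContext;

public class UserDisplayAction extends DenyAllParametersAction {

    @PersistenceContext               // assumption: the container injects JPA here
    private EntityManager entityManager;

    private Long userId;              // the only value the request may set
    private User user;                // loaded server-side; getter only, no setter

    @Override
    protected Set<String> allowedParameterNames() {
        return Collections.singleton("userId");
    }

    public void setUserId(Long userId) { this.userId = userId; }

    /** Same getter as in the post; safe now because "user.*" names are rejected. */
    public User getUser() { return user; }

    @Override
    public String execute() {
        user = entityManager.find(User.class, userId);
        return user == null ? ERROR : SUCCESS;
    }
}
```

With this in place, every action that extends the base class starts closed, and a form page declares the handful of names it really needs rather than each page remembering to block the rest. It is still a per-action decision, but the failure mode flips: forgetting the override means a page accepts nothing, not everything. The params interceptor's `excludeParams` setting, a regular-expression blacklist on parameter names configured on the interceptor in struts.xml, can complement this, but a global pattern cannot distinguish a legitimate nested form field from `user.email`, which is why the per-action whitelist remains the precise control.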