Name: JSP Parameter to Action Object Mapping (Security) Plugin

Publisher: Datta kudale

License: Open Source (ASL2)

Version: 0.1-ALPHA

Compatibility: Struts 2.0.2+

Homepage: http://code.google.com/p/jspparameterobjectmappingplugin/

Download: http://code.google.com/p/jspparameterobjectmappingplugin/downloads/list


Overview

JSP Parameter to Action Object Mapping (Security) Plugin


...

Threat Agents

Consider the types of users of your system. Do any users have only partial access to certain types of system data?

Attack Vectors (Exploitability: EASY)

An attacker who is an authorized system user simply changes a parameter value that directly refers to a system object to another object the user isn't authorized for. Is access granted?

Security Weakness (Prevalence: COMMON, Detectability: EASY)

Applications frequently use the actual name or key of an object when generating web pages. Applications don't always verify that the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws, and code analysis quickly shows whether authorization is properly verified.

Technical Impacts (Impact: MODERATE)

Such flaws can compromise all the data that can be referenced by the parameter. Unless the name space is sparse, it's easy for an attacker to access all available data of that type.

Business Impacts

Consider the business value of the exposed data. Also consider the business impact of public exposure of the vulnerability.
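The weakness described above, shown as an added example in Struts 2 action code (this is not the plugin's code; the action, the invoice store and the session key "user" are constructed for illustration). The params interceptor populates invoiceId from the request; the unchecked method trusts that id, while the hardened execute() scopes the lookup to the logged-in user so that a foreign id behaves exactly like a missing one.

```java
// Added example, not part of the plugin: an action that reads a direct
// object reference (invoiceId) from a request parameter.
import java.util.HashMap;
import java.util.Map;

import com.opensymphony.xwork2.ActionContext;
import com.opensymphony.xwork2.ActionSupport;

public class ViewInvoiceAction extends ActionSupport {
    private static final long serialVersionUID = 1L;

    /** Constructed sample data: invoice id -> owning user name. */
    private static final Map<String, String> INVOICE_OWNERS = new HashMap<String, String>();
    static {
        INVOICE_OWNERS.put("1001", "alice");
        INVOICE_OWNERS.put("1002", "bob");
    }

    private String invoiceId;   // bound from ?invoiceId=... by the params interceptor
    private String owner;       // value exposed to the JSP on success

    public void setInvoiceId(String invoiceId) { this.invoiceId = invoiceId; }
    public String getInvoiceId() { return invoiceId; }
    public String getOwner() { return owner; }

    /** Assumption: the login action stores the user name in the session under "user". */
    private String currentUser() {
        Object u = ActionContext.getContext().getSession().get("user");
        return u == null ? null : u.toString();
    }

    /** VULNERABLE: any authenticated user can read any invoice by changing invoiceId. */
    public String executeUnchecked() {
        owner = INVOICE_OWNERS.get(invoiceId);
        return owner == null ? INPUT : SUCCESS;
    }

    /** HARDENED: the lookup is scoped to the caller; authorization is checked per object. */
    public String execute() {
        String user = currentUser();
        if (user == null) {
            return LOGIN;
        }
        String found = INVOICE_OWNERS.get(invoiceId);
        if (found == null || !found.equals(user)) {
            // One response for "no such object" and "not yours", so probing
            // parameter values does not reveal which ids exist.
            addActionError("Invoice not found");
            return INPUT;
        }
        owner = found;
        return SUCCESS;
    }
}
```

In a real application the scoped lookup belongs in the data access layer (a query filtered by owner), so every action that dereferences an id gets the check for free rather than relying on each developer to remember it.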

Features

  • Handles the web security constraint for direct object reference attacks in this plugin
  • A single HTML request parameter can be set on the Action object, including in multiple nested sub-class objects



Installation

This plugin can be installed by copying the plugin jar into your application's /WEB-INF/lib directory. No other files need to be copied or created.

...

  • Add the interceptor to your interceptor stack in struts.xml:
    <interceptor-ref name="parameterToActionObjectMapping" />
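To show where an interceptor-ref such as the one above sits in a stack and what an interceptor in that position can enforce, here is an added example of a custom Struts 2 interceptor (this is not the plugin's own code; the class name, the protectedParams setting, the "notAuthorized" result and the session key "permittedIds" are constructed for illustration). It rejects a request before the action runs if a protected parameter names an object the session is not permitted to reference.

```java
// Added example, not the plugin's code. Wiring in struts.xml (class name is hypothetical):
//
//   <interceptors>
//     <interceptor name="objectRefAuth"
//                  class="example.ObjectReferenceAuthorizationInterceptor"/>
//     <interceptor-stack name="secureStack">
//       <interceptor-ref name="objectRefAuth">
//         <param name="protectedParams">invoiceId,accountId</param>
//       </interceptor-ref>
//       <interceptor-ref name="defaultStack"/>
//     </interceptor-stack>
//   </interceptors>
//   <default-interceptor-ref name="secureStack"/>
//
// Placed before defaultStack, it sees the raw request parameters before the
// params interceptor copies them onto the action.
import java.util.Collection;
import java.util.Map;

import com.opensymphony.xwork2.Action;
import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;

public class ObjectReferenceAuthorizationInterceptor extends AbstractInterceptor {
    private static final long serialVersionUID = 1L;

    /** Parameter names that carry object ids; set from the <param> element above. */
    private String[] protectedParams = new String[0];

    public void setProtectedParams(String csv) {
        protectedParams = csv.trim().split("\\s*,\\s*");
    }

    @Override
    public String intercept(ActionInvocation invocation) throws Exception {
        Map params = invocation.getInvocationContext().getParameters();
        Map session = invocation.getInvocationContext().getSession();

        // Assumption: the login action stores the ids this user may reference
        // under "permittedIds". No session entry means not logged in.
        Collection permitted = (Collection) session.get("permittedIds");
        if (permitted == null) {
            return Action.LOGIN;
        }

        for (String name : protectedParams) {
            Object raw = params.get(name);
            if (raw == null) {
                continue;
            }
            // Struts passes parameters as String[]; a repeated name yields several values,
            // and every one of them must be permitted.
            String[] values = raw instanceof String[]
                    ? (String[]) raw
                    : new String[] { raw.toString() };
            for (String value : values) {
                if (!permitted.contains(value)) {
                    // Mapped to a result in struts.xml; the action never executes.
                    return "notAuthorized";
                }
            }
        }
        return invocation.invoke();
    }
}
```

Map "notAuthorized" to a global result in struts.xml so that every action using the stack returns the same page for a rejected reference; checking all values of a repeated parameter matters because the params interceptor would otherwise bind whichever value the action's setter receives.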

Resources

  • OWASP Top 10 2010, A4: Insecure Direct Object References: http://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References

Version History

Version | Date | Author | Notes
1.0 | Dec 20, 2006 | Datta kudale | Initial release