Name | JSP Parameter to Action Object Mapping (Security) Plugin |
---|---|
Publisher | |
License | Apache Software Foundation (ASF) |
Version | 0.1-ALPHA |
Compatibility | Struts 2.0.2+ |
Homepage | http://code.google.com/p/request-parameter-plugin-for-insecure-direct-object-reference/ |
Download | |
...
Threat Agents | Attack Vectors | Security Weakness | Technical Impacts | Business Impacts |
---|---|---|---|---|
______ | Exploitability: EASY | Prevalence: COMMON / Detectability: EASY | Impact: MODERATE | ______ |
Consider the types of users of your system. Do any users have only partial access to certain types of system data? | Attacker, who is an authorized system user, simply changes a parameter value that directly refers to a system object to another object the user isn’t authorized for. Is access granted? | Applications frequently use the actual name or key of an object when generating web pages. Applications don’t always verify the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws and code analysis quickly shows whether authorization is properly verified. | Such flaws can compromise all the data that can be referenced by the parameter. Unless the name space is sparse, it’s easy for an attacker to access all available data of that type. | Consider the business value of the exposed data. Also consider the business impact of public exposure of the vulnerability. |
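
The weakness and the check the table describes, as an added example that is not the plugin's code and not part of the OWASP text: a lookup that uses the request's object id directly, beside the same lookup with the per-object authorization check, and the parameter-walking test that tells the two apart. The record store, ids and user names are constructed for the demonstration.

```python
"""Added example, not the plugin's code and not part of the OWASP text:
the direct-object lookup the table describes, beside the same lookup with
the per-object authorization check it says is often missing. The record
store, ids and user names are constructed for the demonstration."""

# Constructed store: sequential ids (a non-sparse name space), one owner each.
RECORDS = {
    1001: {"owner": "alice", "body": "alice's statement"},
    1002: {"owner": "bob", "body": "bob's statement"},
    1003: {"owner": "carol", "body": "carol's statement"},
}


def fetch_vulnerable(session_user, record_id):
    """Insecure direct object reference: the id taken from the request
    parameter selects the record, and the caller's identity is never
    compared against it."""
    return RECORDS[record_id]["body"]


def fetch_checked(session_user, record_id):
    """Same lookup with the authorization check: the referenced object must
    belong to the caller. Missing and foreign ids raise the same error so a
    probing user cannot tell 'no such record' from 'not yours'."""
    record = RECORDS.get(record_id)
    if record is None or record["owner"] != session_user:
        raise PermissionError("record not accessible")
    return record["body"]


def enumerate_reachable(session_user, start, stop, fetch):
    """The tester's move from the table: an authorized user walks adjacent
    ids and keeps whatever the lookup returns. `fetch` is one of the two
    functions above; the result shows how much each exposes."""
    reachable = {}
    for record_id in range(start, stop):
        try:
            reachable[record_id] = fetch(session_user, record_id)
        except (KeyError, PermissionError):
            continue
    return reachable


if __name__ == "__main__":
    # bob, a legitimate user, probes the ids around his own record.
    print("vulnerable:", enumerate_reachable("bob", 1000, 1010, fetch_vulnerable))
    print("checked:   ", enumerate_reachable("bob", 1000, 1010, fetch_checked))
```

With the direct lookup every record in the range comes back to bob; with the check only his own does, and a user who owns nothing gets an empty result rather than a map of which ids exist.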
...
- Add a new XML file alongside the Action class, named "<ActionName>-jspObjectMapping.xml".
- Write the file in the format below. Each requestParameter element names an incoming request parameter; its property element gives the dotted path of the Action property that parameter is copied to (user.userName for the request parameter userName).

*DTD format*

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mapping [
  <!-- requestParameter may repeat and carries the name attribute used in the example below -->
  <!ELEMENT mapping (requestParameter+)>
  <!ELEMENT requestParameter (objectMapping)>
  <!ATTLIST requestParameter name CDATA #REQUIRED>
  <!ELEMENT objectMapping (property)>
  <!ELEMENT property (#PCDATA)>
]>
```

*XML Format*

```xml
<?xml version="1.0" encoding="UTF-8"?>
<mapping>
  <requestParameter name="userName">
    <objectMapping>
      <property>user.userName</property>
    </objectMapping>
  </requestParameter>
  <requestParameter name="password">
    <objectMapping>
      <property>user.password</property>
    </objectMapping>
  </requestParameter>
</mapping>
```

- Make your Struts package extend the plugin's package "jsp-parameter-object-mapping" (extends="jsp-parameter-object-mapping" on the package element in struts.xml).
- Add the interceptor to your interceptor stack:

```xml
<interceptor-ref name="parameterToActionObjectMapping" />
```
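
The whole procedure above, as an added example in Python rather than the plugin's Java (this is not the project's code): a parser for the "<ActionName>-jspObjectMapping.xml" format and a binder that copies request parameters onto an action object through the parsed mapping. The User and LoginAction classes are constructed stand-ins for a Struts action and its model, the mapping text copies the XML format shown above, and the decision to ignore request parameters that have no mapping entry is an assumption of this example, not a documented behaviour of the plugin.

```python
"""Added example, not the plugin's own code: a parser for the
<ActionName>-jspObjectMapping.xml format above and a binder that copies
request parameters onto an action object through the parsed mapping.
The action classes are constructed stand-ins for a Struts action, and
the choice to ignore parameters that have no mapping entry is an
assumption of this example, not a documented behaviour of the plugin."""
import xml.etree.ElementTree as ET

# Constructed mapping file, copying the XML format shown on the page.
MAPPING_XML = """<?xml version="1.0" encoding="UTF-8"?>
<mapping>
  <requestParameter name="userName">
    <objectMapping><property>user.userName</property></objectMapping>
  </requestParameter>
  <requestParameter name="password">
    <objectMapping><property>user.password</property></objectMapping>
  </requestParameter>
</mapping>
"""


class User:
    """Stand-in model object; `role` is deliberately not in the mapping."""

    def __init__(self):
        self.userName = None
        self.password = None
        self.role = "user"


class LoginAction:
    """Stand-in for the Struts action the mapping file belongs to."""

    def __init__(self):
        self.user = User()


def parse_mapping(xml_text):
    """Return {request parameter name: [dotted property paths]} and reject
    files that do not follow the DTD (root, name attribute, property)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "mapping":
        raise ValueError("root element must be <mapping>")
    mapping = {}
    for rp in root.findall("requestParameter"):
        name = rp.get("name")
        if not name:
            raise ValueError("<requestParameter> without a name attribute")
        paths = [p.text.strip() for p in rp.findall("objectMapping/property")
                 if p.text and p.text.strip()]
        if not paths:
            raise ValueError(f"parameter {name!r} has no <property>")
        mapping[name] = paths
    return mapping


def set_property(target, path, value):
    """Assign along a dotted path such as 'user.userName'. Only attributes
    that already exist are set, so a mapping cannot invent new fields."""
    obj = target
    *head, last = path.split(".")
    for part in head:
        obj = getattr(obj, part)
    if not hasattr(obj, last):
        raise AttributeError(f"{path}: no such property on the action")
    setattr(obj, last, value)


def bind_parameters(mapping, request_params, action):
    """Copy each mapped parameter to its property; return the ignored names."""
    ignored = []
    for name, value in request_params.items():
        paths = mapping.get(name)
        if paths is None:
            ignored.append(name)
            continue
        for path in paths:
            set_property(action, path, value)
    return sorted(ignored)


def demo():
    """Bind a constructed request that carries, besides the two expected
    fields, a parameter aimed directly at an unmapped action property."""
    action = LoginAction()
    params = {"userName": "alice", "password": "hunter2", "user.role": "admin"}
    ignored = bind_parameters(parse_mapping(MAPPING_XML), params, action)
    return action.user.userName, action.user.password, action.user.role, ignored


if __name__ == "__main__":
    print(demo())
```

The mapping file is the only route from a request parameter to an action property: userName and password land on the user object, while the constructed "user.role=admin" parameter never reaches the action and is reported as ignored, which is the point of keeping the mapping explicit rather than letting parameter names address properties directly.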
...