Name |
JSP Parameter to Action Object Mapping Plugin |
---|---|
Publisher |
|
License |
Open Source (ASL2) |
Version |
0.1-ALPHA |
Compatibility |
Struts 2.0.2+ |
Homepage |
|
Download |
http://code.google.com/p/jspparameterobjectmappingplugin/downloads/list |
Overview
JSP Parameter to Action Object Mapping Plugin does this great thing. Here is also a short overview of what it does and why a developer would want to use it.
Many applications expose their internal object references to users. Attackers use parameter tampering to change references and violate the intended but unenforced access control policy. Frequently, these references point to file systems and databases, but any exposed application construct could be vulnerable.
The best protection is to avoid exposing direct object references to users by using an index, indirect reference map, or other indirect method that is easy to validate. If a direct object reference must be used, ensure that the user is authorized before using it.
- Avoid exposing your private object references to users whenever possible, such as primary keys or filenames
- Validate any private object references extensively with an "accept known good" approach
- Verify authorization to all referenced objects
So to avoid internal object implementation to end user, this plugin can be used.
Threat Agents |
Attack Vectors |
Security Weakness |
Technical Impacts |
Business Impacts |
---|---|---|---|---|
______ |
Exploitability EASY |
Prevalence COMMON Detectability EASY |
Impact MODERATE |
______ |
Consider the types of users of your system. Do any users have only partial access to certain types of system data? |
Attacker, who is an authorized system user, simply changes a parameter value that directly refers to a system object to another object the user isn’t authorized for. Is access granted? |
Applications frequently use the actual name or key of an object when generating web pages. Applications don’t always verify the user is authorized for the target object. This results in an insecure direct object reference flaw. Testers can easily manipulate parameter values to detect such flaws and code analysis quickly shows whether authorization is properly verified. |
Such flaws can compromise all the data that can be referenced by the parameter. Unless the name space is sparse, it’s easy for an attacker to access all available data of that type. |
Consider the business value of the exposed data. Also consider the business impact of public exposure of the vulnerability. |
Features
- Web Security constraint handled in this plugin for Direct Object reference attack
- Single HTML request parameter can be set in Action Object in multiple sub class object
Usage
Instructions how to use your plugin.
Example
This is a quick example of JSP Parameter to Action Object Mapping Plugin in action
You could also include screenshots by attaching the images to this page
Settings
The following settings can be customized. See the developer guide.
Setting |
Description |
Default |
Possible Values |
---|---|---|---|
|
A short description |
|
|
Installation
This plugin can be installed by copying the plugin jar into your application's /WEB-INF/lib
directory. No other files need to be copied or created.
- Add new xml file in current Action class with filename like
"<ActionName>-jspObjectMapping.xml"
- XML File format given below
<?xml version="1.0" encoding="UTF-8"?> <\!DOCTYPE mapping \[ <\!ELEMENT mapping (requestParameter)> <\!ELEMENT requestParameter (objectMapping)> <\!ELEMENT objectMapping (property)> <\!ELEMENT property (#PCDATA)> \]> e.g. <?xml version="1.0" encoding="UTF-8"?> <mapping> <requestParameter name="userName"> <objectMapping> <property>user.userName</property> </objectMapping> </requestParameter> <requestParameter name="password"> <objectMapping> <property>user.password</property> </objectMapping> </requestParameter> </mapping>
- Extends package with name "jsp-parameter-object-mapping"
- Add interceptor on interceptor stack
<interceptor-ref name="parameterToActionObjectMapping" />
Resources
- Links to any other documentation or related products
http://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References
Version History
Version |
Date |
Author |
Notes |
---|---|---|---|
1.0 |
Dec 20, 2006 |
Initial release |