[jira] [Updated] (WW-3541) Request Parameter to Action Object Mapping Plugin for Insecure Direct Object References

2022-10-22 Thread Lukasz Lenart (Jira)


 [ 
https://issues.apache.org/jira/browse/WW-3541?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukasz Lenart updated WW-3541:
--
Fix Version/s: 7.0.0
   (was: 6.1.0)

> Request Parameter to Action Object Mapping Plugin for Insecure Direct Object 
> References
> ---
>
> Key: WW-3541
> URL: https://issues.apache.org/jira/browse/WW-3541
> Project: Struts 2
> Issue Type: New Feature
> Components: Core Interceptors
> Affects Versions: 2.2.1.1
> Environment: All OS
> Reporter: datta kudale
> Priority: Major
> Fix For: 7.0.0
>
> Original Estimate: 96h
> Remaining Estimate: 96h
>
> JSP Parameter to Action Object Mapping (Security) Plugin does this great 
> thing. Here is also a short overview of what it does and why a developer 
> would want to use it.
> Many applications expose their internal object references to users. Attackers 
> use parameter tampering to change references and violate the intended but 
> unenforced access control policy. Frequently, these references point to file 
> systems and databases, but any exposed application construct could be 
> vulnerable.
> The best protection is to avoid exposing direct object references to users by 
> using an index, indirect reference map, or other indirect method that is easy 
> to validate. If a direct object reference must be used, ensure that the user 
> is authorized before using it.
> * Avoid exposing your private object references to users whenever 
> possible, such as primary keys or filenames
> * Validate any private object references extensively with an "accept 
> known good" approach
> * Verify authorization to all referenced objects
> So, to avoid exposing the internal object implementation to the end user, this 
> plugin can be used. 
> Please refer to the following link for the plugin:
> https://cwiki.apache.org/confluence/display/S2PLUGINS/Request+Parameter+to+Action+Object+Mapping+Plugin+for+Insecure+Direct+Object+References



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
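The indirect reference map that the issue description recommends, as an added example (it is not the plugin's code linked above): real primary keys are swapped for per-session random tokens before they reach the page, so a tampered parameter resolves to nothing instead of to another user's record. The class and method names are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

/**
 * Per-session indirect reference map (hypothetical helper, not the plugin's API).
 * The browser only ever sees an opaque random token; the real primary key
 * never leaves the server, so there is nothing for parameter tampering to hit.
 */
public class IndirectReferenceMap {
    private static final SecureRandom RNG = new SecureRandom();
    private final Map<String, Long> tokenToId = new HashMap<>();
    private final Map<Long, String> idToToken = new HashMap<>();

    /** Returns the token to render for a record the current user may access. */
    public synchronized String tokenFor(long recordId) {
        return idToToken.computeIfAbsent(recordId, id -> {
            byte[] buf = new byte[16];            // 128 bits: not guessable
            RNG.nextBytes(buf);
            String token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
            tokenToId.put(token, id);             // separate map, safe inside the lambda
            return token;
        });
    }

    /**
     * Resolves a token taken from a request parameter. Anything the map did
     * not issue in this session (a raw id, another user's token, a typo)
     * returns empty: this is the "accept known good" check from the issue.
     */
    public synchronized Optional<Long> resolve(String token) {
        if (token == null || token.isEmpty()) {
            return Optional.empty();
        }
        return Optional.ofNullable(tokenToId.get(token));
    }

    /** Constructed demo: only an issued token reaches a record. */
    public static void main(String[] args) {
        IndirectReferenceMap session = new IndirectReferenceMap();
        String mine = session.tokenFor(42L);      // rendered as ?doc=<token>
        System.out.println("issued token -> " + session.resolve(mine));
        System.out.println("raw id 43   -> " + session.resolve("43"));
        System.out.println("raw id 42   -> " + session.resolve("42"));
    }
}
```

The map is meant to live in the user's session; a fresh session gets fresh tokens, so a token copied from one user's page is meaningless in another's.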


[jira] [Updated] (WW-3541) Request Parameter to Action Object Mapping Plugin for Insecure Direct Object References

2011-12-09 Thread Lukasz Lenart (Updated) (JIRA)

 [ 
https://issues.apache.org/jira/browse/WW-3541?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Lukasz Lenart updated WW-3541:
--

Fix Version/s: Future

Any progress?

> Request Parameter to Action Object Mapping Plugin for Insecure Direct Object 
> References
> ---
>
> Key: WW-3541
> URL: https://issues.apache.org/jira/browse/WW-3541
> Project: Struts 2
> Issue Type: New Feature
> Components: Core Interceptors
> Affects Versions: 2.2.1.1
> Environment: All OS
> Reporter: datta kudale
> Fix For: Future
>
> Original Estimate: 96h
> Remaining Estimate: 96h






[jira] Updated: (WW-3541) Request Parameter to Action Object Mapping Plugin for Insecure Direct Object References

2010-12-09 Thread Dave Newton (JIRA)

 [ 
https://issues.apache.org/jira/browse/WW-3541?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Dave Newton updated WW-3541:


Flags: [Important]  (was: [Important, Patch])

> Request Parameter to Action Object Mapping Plugin for Insecure Direct Object 
> References
> ---
>
> Key: WW-3541
> URL: https://issues.apache.org/jira/browse/WW-3541
> Project: Struts 2
> Issue Type: New Feature
> Components: Core Interceptors
> Affects Versions: 2.2.1.1
> Environment: All OS
> Reporter: datta kudale
> Original Estimate: 96h
> Remaining Estimate: 96h

