Re: Parameter manipulation
Hi All, adding just one note to what Marcus already said, will You be able to update your whitelist every time User class (or any other viewable) gains new field? And again *ViewAction is for view only - it should be technically impossible to change viewed object state. One simple way to do it is loading this object in execute method. Best greetings, Paweł Wielgus. 2010/12/18 Marcus Bond mar...@marcusbond.me.uk: David, didn't your original post say that this is an action that loads an object to display it rather than to modify it? In which case I'm not sure why you even need to use Preparable (as I'm guessing it's during prepare that the instance is initialised which makes it available for struts to populate during the second params setting). At a guess you're setting an id in the initial params phase which then is used to load the instance? Why not just load it during execute (or whatever other method is being called by the action mapping) so it isn't there for any params to be applied earlier? Regards, Marcus On 17/12/2010 20:02, Altenhof, David Aron wrote: One approach I've through of is to create an interceptor that would parse through your -validation.xml (assuming one uses them) and then only allow parameters that have an associated validator. This would actually serve two goals: 1) Preventing parameter fiddling 2) Mandating the wise practice of validating all incoming data. Now if I could only find a few spare cycles to work on it... -David -Original Message- From: Chris Pratt [mailto:thechrispr...@gmail.com] Sent: Friday, December 17, 2010 1:08 PM To: Struts Users Mailing List Subject: Re: Parameter manipulation Maybe if the OP moves the bean creation out of the prepare() method (so the bean isn't available during parameter injection) and then retrieves it at the start of validate() or execute() that might solve the problem. (*Chris*) On Fri, Dec 17, 2010 at 10:05 AM, Chris Prattthechrispr...@gmail.comwrote: If the bean already exists, struts doesn't have to set it. It just has to modify the retrieved bean. (*Chris*) On Fri, Dec 17, 2010 at 9:48 AM,stanl...@gmail.com wrote: I agree S2 will create the bean (if null) but it can't set a property that is private and has no accessible setter method. P.S. What am I missing here? Scott On Fri, Dec 17, 2010 at 11:45 AM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote: This happens because bean is null, otherwise struts will populate. 2010/12/17stanl...@gmail.com: Guys -- If the action has no setter and the property is private, S2 will not populate it. Scott On Fri, Dec 17, 2010 at 11:10 AM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote: David, I get your point. Scott is right, you could overwrite PI or maybe write your custom interceptor (though I think you should consider to file an issue on JIRA). Maybe it would use java annotations to hide/expose fields, or alternately it could behave as you supposed (expose only field with write accessors). 2010/12/17 Altenhof, David Arondalte...@iupui.edu: The model objects are initialized in prepare() ... other techniques just aren't as practical for our application. I'm just going to keep doing lots of whitelisting with ParameterNameAware... -David -Original Message- From: Steven Yang [mailto:kenshin...@gmail.com] Sent: Friday, December 17, 2010 1:10 AM To: Struts Users Mailing List Subject: Re: Parameter manipulation is your user object initialized when the param interceptor is run? here i might be wrong, but what i know is if your object is initialized then Struts or OGNL will call getUser().setEmail(...) otherwise create a new User then setEmail then setUser then the second case should fail for you again, i might be wrong on the behavior On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron dalte...@iupui.eduwrote: I've been getting more and more concerned about the possibility of parameter manipulation attacks with Struts2. I've started doing strict whitelists using the ParameterNameAware interface on all of my forms pages. However, today I tried to code a display-only page that shows information about a particular user. I thought that by simply creating a getter and no setter, it would be impossible to inject parameters. For example, my action only contains the following getter for a JPA model object: public User getUser() { return user; } However, by sending a simple query parameter, it is *still* possible to change values in user. For example, you can send: http://localhost:8080/MySite/userdisplay.action?user.email=newemail @ad dress.com ... and it works. The email will become newem...@address.com Is there any way to shut this down other than whitelisting every single action in your site using ParameterNameAware? (Or simply never put model objects on your stack?) This is getting
RE: Parameter manipulation
Yes ... loading in execute is exactly what I needed. Thanks! Is ViewAction a pattern, or is there an implementation? -David -Original Message- From: Paweł Wielgus [mailto:poulw...@gmail.com] Sent: Tuesday, December 21, 2010 5:09 AM To: Struts Users Mailing List Subject: Re: Parameter manipulation Hi All, adding just one note to what Marcus already said, will You be able to update your whitelist every time User class (or any other viewable) gains new field? And again *ViewAction is for view only - it should be technically impossible to change viewed object state. One simple way to do it is loading this object in execute method. Best greetings, Paweł Wielgus. 2010/12/18 Marcus Bond mar...@marcusbond.me.uk: David, didn't your original post say that this is an action that loads an object to display it rather than to modify it? In which case I'm not sure why you even need to use Preparable (as I'm guessing it's during prepare that the instance is initialised which makes it available for struts to populate during the second params setting). At a guess you're setting an id in the initial params phase which then is used to load the instance? Why not just load it during execute (or whatever other method is being called by the action mapping) so it isn't there for any params to be applied earlier? Regards, Marcus On 17/12/2010 20:02, Altenhof, David Aron wrote: One approach I've through of is to create an interceptor that would parse through your -validation.xml (assuming one uses them) and then only allow parameters that have an associated validator. This would actually serve two goals: 1) Preventing parameter fiddling 2) Mandating the wise practice of validating all incoming data. Now if I could only find a few spare cycles to work on it... -David -Original Message- From: Chris Pratt [mailto:thechrispr...@gmail.com] Sent: Friday, December 17, 2010 1:08 PM To: Struts Users Mailing List Subject: Re: Parameter manipulation Maybe if the OP moves the bean creation out of the prepare() method (so the bean isn't available during parameter injection) and then retrieves it at the start of validate() or execute() that might solve the problem. (*Chris*) On Fri, Dec 17, 2010 at 10:05 AM, Chris Prattthechrispr...@gmail.comwrote: If the bean already exists, struts doesn't have to set it. It just has to modify the retrieved bean. (*Chris*) On Fri, Dec 17, 2010 at 9:48 AM,stanl...@gmail.com wrote: I agree S2 will create the bean (if null) but it can't set a property that is private and has no accessible setter method. P.S. What am I missing here? Scott On Fri, Dec 17, 2010 at 11:45 AM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote: This happens because bean is null, otherwise struts will populate. 2010/12/17stanl...@gmail.com: Guys -- If the action has no setter and the property is private, S2 will not populate it. Scott On Fri, Dec 17, 2010 at 11:10 AM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote: David, I get your point. Scott is right, you could overwrite PI or maybe write your custom interceptor (though I think you should consider to file an issue on JIRA). Maybe it would use java annotations to hide/expose fields, or alternately it could behave as you supposed (expose only field with write accessors). 2010/12/17 Altenhof, David Arondalte...@iupui.edu: The model objects are initialized in prepare() ... other techniques just aren't as practical for our application. I'm just going to keep doing lots of whitelisting with ParameterNameAware... -David -Original Message- From: Steven Yang [mailto:kenshin...@gmail.com] Sent: Friday, December 17, 2010 1:10 AM To: Struts Users Mailing List Subject: Re: Parameter manipulation is your user object initialized when the param interceptor is run? here i might be wrong, but what i know is if your object is initialized then Struts or OGNL will call getUser().setEmail(...) otherwise create a new User then setEmail then setUser then the second case should fail for you again, i might be wrong on the behavior On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron dalte...@iupui.eduwrote: I've been getting more and more concerned about the possibility of parameter manipulation attacks with Struts2. I've started doing strict whitelists using the ParameterNameAware interface on all of my forms pages. However, today I tried to code a display-only page that shows information about a particular user. I thought that by simply creating a getter and no setter, it would be impossible to inject parameters. For example, my action only contains the following getter for a JPA model object: public User getUser() { return user; } However, by sending a simple query parameter, it is *still* possible to change values in user. For example, you can send
Re: Parameter manipulation
I think that Paweł meant action where you must show only data, without any user interaction (edit, delete and so on). 2010/12/21 Altenhof, David Aron dalte...@iupui.edu: Yes ... loading in execute is exactly what I needed. Thanks! Is ViewAction a pattern, or is there an implementation? -David -Original Message- From: Paweł Wielgus [mailto:poulw...@gmail.com] Sent: Tuesday, December 21, 2010 5:09 AM To: Struts Users Mailing List Subject: Re: Parameter manipulation Hi All, adding just one note to what Marcus already said, will You be able to update your whitelist every time User class (or any other viewable) gains new field? And again *ViewAction is for view only - it should be technically impossible to change viewed object state. One simple way to do it is loading this object in execute method. Best greetings, Paweł Wielgus. 2010/12/18 Marcus Bond mar...@marcusbond.me.uk: David, didn't your original post say that this is an action that loads an object to display it rather than to modify it? In which case I'm not sure why you even need to use Preparable (as I'm guessing it's during prepare that the instance is initialised which makes it available for struts to populate during the second params setting). At a guess you're setting an id in the initial params phase which then is used to load the instance? Why not just load it during execute (or whatever other method is being called by the action mapping) so it isn't there for any params to be applied earlier? Regards, Marcus On 17/12/2010 20:02, Altenhof, David Aron wrote: One approach I've through of is to create an interceptor that would parse through your -validation.xml (assuming one uses them) and then only allow parameters that have an associated validator. This would actually serve two goals: 1) Preventing parameter fiddling 2) Mandating the wise practice of validating all incoming data. Now if I could only find a few spare cycles to work on it... -David -Original Message- From: Chris Pratt [mailto:thechrispr...@gmail.com] Sent: Friday, December 17, 2010 1:08 PM To: Struts Users Mailing List Subject: Re: Parameter manipulation Maybe if the OP moves the bean creation out of the prepare() method (so the bean isn't available during parameter injection) and then retrieves it at the start of validate() or execute() that might solve the problem. (*Chris*) On Fri, Dec 17, 2010 at 10:05 AM, Chris Prattthechrispr...@gmail.comwrote: If the bean already exists, struts doesn't have to set it. It just has to modify the retrieved bean. (*Chris*) On Fri, Dec 17, 2010 at 9:48 AM,stanl...@gmail.com wrote: I agree S2 will create the bean (if null) but it can't set a property that is private and has no accessible setter method. P.S. What am I missing here? Scott On Fri, Dec 17, 2010 at 11:45 AM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote: This happens because bean is null, otherwise struts will populate. 2010/12/17stanl...@gmail.com: Guys -- If the action has no setter and the property is private, S2 will not populate it. Scott On Fri, Dec 17, 2010 at 11:10 AM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote: David, I get your point. Scott is right, you could overwrite PI or maybe write your custom interceptor (though I think you should consider to file an issue on JIRA). Maybe it would use java annotations to hide/expose fields, or alternately it could behave as you supposed (expose only field with write accessors). 2010/12/17 Altenhof, David Arondalte...@iupui.edu: The model objects are initialized in prepare() ... other techniques just aren't as practical for our application. I'm just going to keep doing lots of whitelisting with ParameterNameAware... -David -Original Message- From: Steven Yang [mailto:kenshin...@gmail.com] Sent: Friday, December 17, 2010 1:10 AM To: Struts Users Mailing List Subject: Re: Parameter manipulation is your user object initialized when the param interceptor is run? here i might be wrong, but what i know is if your object is initialized then Struts or OGNL will call getUser().setEmail(...) otherwise create a new User then setEmail then setUser then the second case should fail for you again, i might be wrong on the behavior On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron dalte...@iupui.eduwrote: I've been getting more and more concerned about the possibility of parameter manipulation attacks with Struts2. I've started doing strict whitelists using the ParameterNameAware interface on all of my forms pages. However, today I tried to code a display-only page that shows information about a particular user. I thought that by simply creating a getter and no setter, it would be impossible to inject parameters. For example, my action only contains the following getter for a JPA model object: public User
RE: Parameter manipulation
The model objects are initialized in prepare() ... other techniques just aren't as practical for our application. I'm just going to keep doing lots of whitelisting with ParameterNameAware... -David -Original Message- From: Steven Yang [mailto:kenshin...@gmail.com] Sent: Friday, December 17, 2010 1:10 AM To: Struts Users Mailing List Subject: Re: Parameter manipulation is your user object initialized when the param interceptor is run? here i might be wrong, but what i know is if your object is initialized then Struts or OGNL will call getUser().setEmail(...) otherwise create a new User then setEmail then setUser then the second case should fail for you again, i might be wrong on the behavior On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron dalte...@iupui.eduwrote: I've been getting more and more concerned about the possibility of parameter manipulation attacks with Struts2. I've started doing strict whitelists using the ParameterNameAware interface on all of my forms pages. However, today I tried to code a display-only page that shows information about a particular user. I thought that by simply creating a getter and no setter, it would be impossible to inject parameters. For example, my action only contains the following getter for a JPA model object: public User getUser() { return user; } However, by sending a simple query parameter, it is *still* possible to change values in user. For example, you can send: http://localhost:8080/MySite/userdisplay.action?user.email=newem...@ad dress.com ... and it works. The email will become newem...@address.com Is there any way to shut this down other than whitelisting every single action in your site using ParameterNameAware? (Or simply never put model objects on your stack?) This is getting frustrating! -David - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Parameter manipulation
You should be able to initialize the objects in the interceptor instead, you could even retrieve them from the request or some other method in the action. Probably a more comprehensive fix than trying to white-list everything by hand. (*Chris*) On Fri, Dec 17, 2010 at 6:54 AM, Altenhof, David Aron dalte...@iupui.eduwrote: The model objects are initialized in prepare() ... other techniques just aren't as practical for our application. I'm just going to keep doing lots of whitelisting with ParameterNameAware... -David -Original Message- From: Steven Yang [mailto:kenshin...@gmail.com] Sent: Friday, December 17, 2010 1:10 AM To: Struts Users Mailing List Subject: Re: Parameter manipulation is your user object initialized when the param interceptor is run? here i might be wrong, but what i know is if your object is initialized then Struts or OGNL will call getUser().setEmail(...) otherwise create a new User then setEmail then setUser then the second case should fail for you again, i might be wrong on the behavior On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron dalte...@iupui.eduwrote: I've been getting more and more concerned about the possibility of parameter manipulation attacks with Struts2. I've started doing strict whitelists using the ParameterNameAware interface on all of my forms pages. However, today I tried to code a display-only page that shows information about a particular user. I thought that by simply creating a getter and no setter, it would be impossible to inject parameters. For example, my action only contains the following getter for a JPA model object: public User getUser() { return user; } However, by sending a simple query parameter, it is *still* possible to change values in user. For example, you can send: http://localhost:8080/MySite/userdisplay.action?user.email=newem...@ad dress.com ... and it works. The email will become newem...@address.com Is there any way to shut this down other than whitelisting every single action in your site using ParameterNameAware? (Or simply never put model objects on your stack?) This is getting frustrating! -David - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Parameter manipulation
David -- You could override the ParametersInterceptor with your own that validates requester role/parms/url. I have used this approach to throw away not-authorized parms altogether. Scott On Fri, Dec 17, 2010 at 8:54 AM, Altenhof, David Aron dalte...@iupui.eduwrote: The model objects are initialized in prepare() ... other techniques just aren't as practical for our application. I'm just going to keep doing lots of whitelisting with ParameterNameAware... -David -Original Message- From: Steven Yang [mailto:kenshin...@gmail.com] Sent: Friday, December 17, 2010 1:10 AM To: Struts Users Mailing List Subject: Re: Parameter manipulation is your user object initialized when the param interceptor is run? here i might be wrong, but what i know is if your object is initialized then Struts or OGNL will call getUser().setEmail(...) otherwise create a new User then setEmail then setUser then the second case should fail for you again, i might be wrong on the behavior On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron dalte...@iupui.eduwrote: I've been getting more and more concerned about the possibility of parameter manipulation attacks with Struts2. I've started doing strict whitelists using the ParameterNameAware interface on all of my forms pages. However, today I tried to code a display-only page that shows information about a particular user. I thought that by simply creating a getter and no setter, it would be impossible to inject parameters. For example, my action only contains the following getter for a JPA model object: public User getUser() { return user; } However, by sending a simple query parameter, it is *still* possible to change values in user. For example, you can send: http://localhost:8080/MySite/userdisplay.action?user.email=newem...@ad dress.com ... and it works. The email will become newem...@address.com Is there any way to shut this down other than whitelisting every single action in your site using ParameterNameAware? (Or simply never put model objects on your stack?) This is getting frustrating! -David - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Parameter manipulation
David, I get your point. Scott is right, you could overwrite PI or maybe write your custom interceptor (though I think you should consider to file an issue on JIRA). Maybe it would use java annotations to hide/expose fields, or alternately it could behave as you supposed (expose only field with write accessors). 2010/12/17 Altenhof, David Aron dalte...@iupui.edu: The model objects are initialized in prepare() ... other techniques just aren't as practical for our application. I'm just going to keep doing lots of whitelisting with ParameterNameAware... -David -Original Message- From: Steven Yang [mailto:kenshin...@gmail.com] Sent: Friday, December 17, 2010 1:10 AM To: Struts Users Mailing List Subject: Re: Parameter manipulation is your user object initialized when the param interceptor is run? here i might be wrong, but what i know is if your object is initialized then Struts or OGNL will call getUser().setEmail(...) otherwise create a new User then setEmail then setUser then the second case should fail for you again, i might be wrong on the behavior On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron dalte...@iupui.eduwrote: I've been getting more and more concerned about the possibility of parameter manipulation attacks with Struts2. I've started doing strict whitelists using the ParameterNameAware interface on all of my forms pages. However, today I tried to code a display-only page that shows information about a particular user. I thought that by simply creating a getter and no setter, it would be impossible to inject parameters. For example, my action only contains the following getter for a JPA model object: public User getUser() { return user; } However, by sending a simple query parameter, it is *still* possible to change values in user. For example, you can send: http://localhost:8080/MySite/userdisplay.action?user.email=newem...@ad dress.com ... and it works. The email will become newem...@address.com Is there any way to shut this down other than whitelisting every single action in your site using ParameterNameAware? (Or simply never put model objects on your stack?) This is getting frustrating! -David - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- Maurizio Cucchiara - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Parameter manipulation
Guys -- If the action has no setter and the property is private, S2 will not populate it. Scott On Fri, Dec 17, 2010 at 11:10 AM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote: David, I get your point. Scott is right, you could overwrite PI or maybe write your custom interceptor (though I think you should consider to file an issue on JIRA). Maybe it would use java annotations to hide/expose fields, or alternately it could behave as you supposed (expose only field with write accessors). 2010/12/17 Altenhof, David Aron dalte...@iupui.edu: The model objects are initialized in prepare() ... other techniques just aren't as practical for our application. I'm just going to keep doing lots of whitelisting with ParameterNameAware... -David -Original Message- From: Steven Yang [mailto:kenshin...@gmail.com] Sent: Friday, December 17, 2010 1:10 AM To: Struts Users Mailing List Subject: Re: Parameter manipulation is your user object initialized when the param interceptor is run? here i might be wrong, but what i know is if your object is initialized then Struts or OGNL will call getUser().setEmail(...) otherwise create a new User then setEmail then setUser then the second case should fail for you again, i might be wrong on the behavior On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron dalte...@iupui.eduwrote: I've been getting more and more concerned about the possibility of parameter manipulation attacks with Struts2. I've started doing strict whitelists using the ParameterNameAware interface on all of my forms pages. However, today I tried to code a display-only page that shows information about a particular user. I thought that by simply creating a getter and no setter, it would be impossible to inject parameters. For example, my action only contains the following getter for a JPA model object: public User getUser() { return user; } However, by sending a simple query parameter, it is *still* possible to change values in user. For example, you can send: http://localhost:8080/MySite/userdisplay.action?user.email=newem...@ad dress.com ... and it works. The email will become newem...@address.com Is there any way to shut this down other than whitelisting every single action in your site using ParameterNameAware? (Or simply never put model objects on your stack?) This is getting frustrating! -David - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- Maurizio Cucchiara - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Parameter manipulation
This happens because bean is null, otherwise struts will populate. 2010/12/17 stanl...@gmail.com: Guys -- If the action has no setter and the property is private, S2 will not populate it. Scott On Fri, Dec 17, 2010 at 11:10 AM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote: David, I get your point. Scott is right, you could overwrite PI or maybe write your custom interceptor (though I think you should consider to file an issue on JIRA). Maybe it would use java annotations to hide/expose fields, or alternately it could behave as you supposed (expose only field with write accessors). 2010/12/17 Altenhof, David Aron dalte...@iupui.edu: The model objects are initialized in prepare() ... other techniques just aren't as practical for our application. I'm just going to keep doing lots of whitelisting with ParameterNameAware... -David -Original Message- From: Steven Yang [mailto:kenshin...@gmail.com] Sent: Friday, December 17, 2010 1:10 AM To: Struts Users Mailing List Subject: Re: Parameter manipulation is your user object initialized when the param interceptor is run? here i might be wrong, but what i know is if your object is initialized then Struts or OGNL will call getUser().setEmail(...) otherwise create a new User then setEmail then setUser then the second case should fail for you again, i might be wrong on the behavior On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron dalte...@iupui.eduwrote: I've been getting more and more concerned about the possibility of parameter manipulation attacks with Struts2. I've started doing strict whitelists using the ParameterNameAware interface on all of my forms pages. However, today I tried to code a display-only page that shows information about a particular user. I thought that by simply creating a getter and no setter, it would be impossible to inject parameters. For example, my action only contains the following getter for a JPA model object: public User getUser() { return user; } However, by sending a simple query parameter, it is *still* possible to change values in user. For example, you can send: http://localhost:8080/MySite/userdisplay.action?user.email=newem...@ad dress.com ... and it works. The email will become newem...@address.com Is there any way to shut this down other than whitelisting every single action in your site using ParameterNameAware? (Or simply never put model objects on your stack?) This is getting frustrating! -David - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- Maurizio Cucchiara - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- Maurizio Cucchiara - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Parameter manipulation
I agree S2 will create the bean (if null) but it can't set a property that is private and has no accessible setter method. P.S. What am I missing here? Scott On Fri, Dec 17, 2010 at 11:45 AM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote: This happens because bean is null, otherwise struts will populate. 2010/12/17 stanl...@gmail.com: Guys -- If the action has no setter and the property is private, S2 will not populate it. Scott On Fri, Dec 17, 2010 at 11:10 AM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote: David, I get your point. Scott is right, you could overwrite PI or maybe write your custom interceptor (though I think you should consider to file an issue on JIRA). Maybe it would use java annotations to hide/expose fields, or alternately it could behave as you supposed (expose only field with write accessors). 2010/12/17 Altenhof, David Aron dalte...@iupui.edu: The model objects are initialized in prepare() ... other techniques just aren't as practical for our application. I'm just going to keep doing lots of whitelisting with ParameterNameAware... -David -Original Message- From: Steven Yang [mailto:kenshin...@gmail.com] Sent: Friday, December 17, 2010 1:10 AM To: Struts Users Mailing List Subject: Re: Parameter manipulation is your user object initialized when the param interceptor is run? here i might be wrong, but what i know is if your object is initialized then Struts or OGNL will call getUser().setEmail(...) otherwise create a new User then setEmail then setUser then the second case should fail for you again, i might be wrong on the behavior On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron dalte...@iupui.eduwrote: I've been getting more and more concerned about the possibility of parameter manipulation attacks with Struts2. I've started doing strict whitelists using the ParameterNameAware interface on all of my forms pages. However, today I tried to code a display-only page that shows information about a particular user. I thought that by simply creating a getter and no setter, it would be impossible to inject parameters. For example, my action only contains the following getter for a JPA model object: public User getUser() { return user; } However, by sending a simple query parameter, it is *still* possible to change values in user. For example, you can send: http://localhost:8080/MySite/userdisplay.action?user.email=newem...@ad dress.com ... and it works. The email will become newem...@address.com Is there any way to shut this down other than whitelisting every single action in your site using ParameterNameAware? (Or simply never put model objects on your stack?) This is getting frustrating! -David - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- Maurizio Cucchiara - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- Maurizio Cucchiara - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Parameter manipulation
So, in case of the OP, are you suggesting to remove setter method from User's email? 2010/12/17 stanl...@gmail.com: I agree S2 will create the bean (if null) but it can't set a property that is private and has no accessible setter method. P.S. What am I missing here? Scott On Fri, Dec 17, 2010 at 11:45 AM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote: This happens because bean is null, otherwise struts will populate. 2010/12/17 stanl...@gmail.com: Guys -- If the action has no setter and the property is private, S2 will not populate it. Scott On Fri, Dec 17, 2010 at 11:10 AM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote: David, I get your point. Scott is right, you could overwrite PI or maybe write your custom interceptor (though I think you should consider to file an issue on JIRA). Maybe it would use java annotations to hide/expose fields, or alternately it could behave as you supposed (expose only field with write accessors). 2010/12/17 Altenhof, David Aron dalte...@iupui.edu: The model objects are initialized in prepare() ... other techniques just aren't as practical for our application. I'm just going to keep doing lots of whitelisting with ParameterNameAware... -David -Original Message- From: Steven Yang [mailto:kenshin...@gmail.com] Sent: Friday, December 17, 2010 1:10 AM To: Struts Users Mailing List Subject: Re: Parameter manipulation is your user object initialized when the param interceptor is run? here i might be wrong, but what i know is if your object is initialized then Struts or OGNL will call getUser().setEmail(...) otherwise create a new User then setEmail then setUser then the second case should fail for you again, i might be wrong on the behavior On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron dalte...@iupui.eduwrote: I've been getting more and more concerned about the possibility of parameter manipulation attacks with Struts2. I've started doing strict whitelists using the ParameterNameAware interface on all of my forms pages. However, today I tried to code a display-only page that shows information about a particular user. I thought that by simply creating a getter and no setter, it would be impossible to inject parameters. For example, my action only contains the following getter for a JPA model object: public User getUser() { return user; } However, by sending a simple query parameter, it is *still* possible to change values in user. For example, you can send: http://localhost:8080/MySite/userdisplay.action?user.email=newem...@ad dress.com ... and it works. The email will become newem...@address.com Is there any way to shut this down other than whitelisting every single action in your site using ParameterNameAware? (Or simply never put model objects on your stack?) This is getting frustrating! -David - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- Maurizio Cucchiara - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- Maurizio Cucchiara - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- Maurizio Cucchiara - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Parameter manipulation
If the bean already exists, struts doesn't have to set it. It just has to modify the retrieved bean. (*Chris*) On Fri, Dec 17, 2010 at 9:48 AM, stanl...@gmail.com wrote: I agree S2 will create the bean (if null) but it can't set a property that is private and has no accessible setter method. P.S. What am I missing here? Scott On Fri, Dec 17, 2010 at 11:45 AM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote: This happens because bean is null, otherwise struts will populate. 2010/12/17 stanl...@gmail.com: Guys -- If the action has no setter and the property is private, S2 will not populate it. Scott On Fri, Dec 17, 2010 at 11:10 AM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote: David, I get your point. Scott is right, you could overwrite PI or maybe write your custom interceptor (though I think you should consider to file an issue on JIRA). Maybe it would use java annotations to hide/expose fields, or alternately it could behave as you supposed (expose only field with write accessors). 2010/12/17 Altenhof, David Aron dalte...@iupui.edu: The model objects are initialized in prepare() ... other techniques just aren't as practical for our application. I'm just going to keep doing lots of whitelisting with ParameterNameAware... -David -Original Message- From: Steven Yang [mailto:kenshin...@gmail.com] Sent: Friday, December 17, 2010 1:10 AM To: Struts Users Mailing List Subject: Re: Parameter manipulation is your user object initialized when the param interceptor is run? here i might be wrong, but what i know is if your object is initialized then Struts or OGNL will call getUser().setEmail(...) otherwise create a new User then setEmail then setUser then the second case should fail for you again, i might be wrong on the behavior On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron dalte...@iupui.eduwrote: I've been getting more and more concerned about the possibility of parameter manipulation attacks with Struts2. I've started doing strict whitelists using the ParameterNameAware interface on all of my forms pages. However, today I tried to code a display-only page that shows information about a particular user. I thought that by simply creating a getter and no setter, it would be impossible to inject parameters. For example, my action only contains the following getter for a JPA model object: public User getUser() { return user; } However, by sending a simple query parameter, it is *still* possible to change values in user. For example, you can send: http://localhost:8080/MySite/userdisplay.action?user.email=newem...@ad dress.com ... and it works. The email will become newem...@address.com Is there any way to shut this down other than whitelisting every single action in your site using ParameterNameAware? (Or simply never put model objects on your stack?) This is getting frustrating! -David - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- Maurizio Cucchiara - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- Maurizio Cucchiara - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Parameter manipulation
Maybe if the OP moves the bean creation out of the prepare() method (so the bean isn't available during parameter injection) and then retrieves it at the start of validate() or execute() that might solve the problem. (*Chris*) On Fri, Dec 17, 2010 at 10:05 AM, Chris Pratt thechrispr...@gmail.comwrote: If the bean already exists, struts doesn't have to set it. It just has to modify the retrieved bean. (*Chris*) On Fri, Dec 17, 2010 at 9:48 AM, stanl...@gmail.com wrote: I agree S2 will create the bean (if null) but it can't set a property that is private and has no accessible setter method. P.S. What am I missing here? Scott On Fri, Dec 17, 2010 at 11:45 AM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote: This happens because bean is null, otherwise struts will populate. 2010/12/17 stanl...@gmail.com: Guys -- If the action has no setter and the property is private, S2 will not populate it. Scott On Fri, Dec 17, 2010 at 11:10 AM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote: David, I get your point. Scott is right, you could overwrite PI or maybe write your custom interceptor (though I think you should consider to file an issue on JIRA). Maybe it would use java annotations to hide/expose fields, or alternately it could behave as you supposed (expose only field with write accessors). 2010/12/17 Altenhof, David Aron dalte...@iupui.edu: The model objects are initialized in prepare() ... other techniques just aren't as practical for our application. I'm just going to keep doing lots of whitelisting with ParameterNameAware... -David -Original Message- From: Steven Yang [mailto:kenshin...@gmail.com] Sent: Friday, December 17, 2010 1:10 AM To: Struts Users Mailing List Subject: Re: Parameter manipulation is your user object initialized when the param interceptor is run? here i might be wrong, but what i know is if your object is initialized then Struts or OGNL will call getUser().setEmail(...) otherwise create a new User then setEmail then setUser then the second case should fail for you again, i might be wrong on the behavior On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron dalte...@iupui.eduwrote: I've been getting more and more concerned about the possibility of parameter manipulation attacks with Struts2. I've started doing strict whitelists using the ParameterNameAware interface on all of my forms pages. However, today I tried to code a display-only page that shows information about a particular user. I thought that by simply creating a getter and no setter, it would be impossible to inject parameters. For example, my action only contains the following getter for a JPA model object: public User getUser() { return user; } However, by sending a simple query parameter, it is *still* possible to change values in user. For example, you can send: http://localhost:8080/MySite/userdisplay.action?user.email=newem...@ad dress.com ... and it works. The email will become newem...@address.com Is there any way to shut this down other than whitelisting every single action in your site using ParameterNameAware? (Or simply never put model objects on your stack?) This is getting frustrating! -David - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- Maurizio Cucchiara - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- Maurizio Cucchiara - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Parameter manipulation
That would certainly eliminate the email being set! :) Sorry about that. What I have done is combine a security system based on user/role/url/valid-parameter list with the ParametersInterceptor and throw away any unauthorized parameters. This was quite an undertaking and my company is not willing to allow me to contribute it back on account of all the hooks and hinges. Looking back, it was not really that difficult. You could have a hierarchical structure keyed on URL that is combed for user permissions. I would hate to see what your white lists are starting to look like. Good luck and holler if I can offer any tips. Peace, Scott On Fri, Dec 17, 2010 at 12:04 PM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote: So, in case of the OP, are you suggesting to remove setter method from User's email? 2010/12/17 stanl...@gmail.com: I agree S2 will create the bean (if null) but it can't set a property that is private and has no accessible setter method. P.S. What am I missing here? Scott On Fri, Dec 17, 2010 at 11:45 AM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote: This happens because bean is null, otherwise struts will populate. 2010/12/17 stanl...@gmail.com: Guys -- If the action has no setter and the property is private, S2 will not populate it. Scott On Fri, Dec 17, 2010 at 11:10 AM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote: David, I get your point. Scott is right, you could overwrite PI or maybe write your custom interceptor (though I think you should consider to file an issue on JIRA). Maybe it would use java annotations to hide/expose fields, or alternately it could behave as you supposed (expose only field with write accessors). 2010/12/17 Altenhof, David Aron dalte...@iupui.edu: The model objects are initialized in prepare() ... other techniques just aren't as practical for our application. I'm just going to keep doing lots of whitelisting with ParameterNameAware... -David -Original Message- From: Steven Yang [mailto:kenshin...@gmail.com] Sent: Friday, December 17, 2010 1:10 AM To: Struts Users Mailing List Subject: Re: Parameter manipulation is your user object initialized when the param interceptor is run? here i might be wrong, but what i know is if your object is initialized then Struts or OGNL will call getUser().setEmail(...) otherwise create a new User then setEmail then setUser then the second case should fail for you again, i might be wrong on the behavior On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron dalte...@iupui.eduwrote: I've been getting more and more concerned about the possibility of parameter manipulation attacks with Struts2. I've started doing strict whitelists using the ParameterNameAware interface on all of my forms pages. However, today I tried to code a display-only page that shows information about a particular user. I thought that by simply creating a getter and no setter, it would be impossible to inject parameters. For example, my action only contains the following getter for a JPA model object: public User getUser() { return user; } However, by sending a simple query parameter, it is *still* possible to change values in user. For example, you can send: http://localhost:8080/MySite/userdisplay.action?user.email=newem...@ad dress.com ... and it works. The email will become newem...@address.com Is there any way to shut this down other than whitelisting every single action in your site using ParameterNameAware? (Or simply never put model objects on your stack?) This is getting frustrating! -David - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- Maurizio Cucchiara - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- Maurizio Cucchiara - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- Maurizio Cucchiara - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e
RE: Parameter manipulation
One approach I've through of is to create an interceptor that would parse through your -validation.xml (assuming one uses them) and then only allow parameters that have an associated validator. This would actually serve two goals: 1) Preventing parameter fiddling 2) Mandating the wise practice of validating all incoming data. Now if I could only find a few spare cycles to work on it... -David -Original Message- From: Chris Pratt [mailto:thechrispr...@gmail.com] Sent: Friday, December 17, 2010 1:08 PM To: Struts Users Mailing List Subject: Re: Parameter manipulation Maybe if the OP moves the bean creation out of the prepare() method (so the bean isn't available during parameter injection) and then retrieves it at the start of validate() or execute() that might solve the problem. (*Chris*) On Fri, Dec 17, 2010 at 10:05 AM, Chris Pratt thechrispr...@gmail.comwrote: If the bean already exists, struts doesn't have to set it. It just has to modify the retrieved bean. (*Chris*) On Fri, Dec 17, 2010 at 9:48 AM, stanl...@gmail.com wrote: I agree S2 will create the bean (if null) but it can't set a property that is private and has no accessible setter method. P.S. What am I missing here? Scott On Fri, Dec 17, 2010 at 11:45 AM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote: This happens because bean is null, otherwise struts will populate. 2010/12/17 stanl...@gmail.com: Guys -- If the action has no setter and the property is private, S2 will not populate it. Scott On Fri, Dec 17, 2010 at 11:10 AM, Maurizio Cucchiara maurizio.cucchi...@gmail.com wrote: David, I get your point. Scott is right, you could overwrite PI or maybe write your custom interceptor (though I think you should consider to file an issue on JIRA). Maybe it would use java annotations to hide/expose fields, or alternately it could behave as you supposed (expose only field with write accessors). 2010/12/17 Altenhof, David Aron dalte...@iupui.edu: The model objects are initialized in prepare() ... other techniques just aren't as practical for our application. I'm just going to keep doing lots of whitelisting with ParameterNameAware... -David -Original Message- From: Steven Yang [mailto:kenshin...@gmail.com] Sent: Friday, December 17, 2010 1:10 AM To: Struts Users Mailing List Subject: Re: Parameter manipulation is your user object initialized when the param interceptor is run? here i might be wrong, but what i know is if your object is initialized then Struts or OGNL will call getUser().setEmail(...) otherwise create a new User then setEmail then setUser then the second case should fail for you again, i might be wrong on the behavior On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron dalte...@iupui.eduwrote: I've been getting more and more concerned about the possibility of parameter manipulation attacks with Struts2. I've started doing strict whitelists using the ParameterNameAware interface on all of my forms pages. However, today I tried to code a display-only page that shows information about a particular user. I thought that by simply creating a getter and no setter, it would be impossible to inject parameters. For example, my action only contains the following getter for a JPA model object: public User getUser() { return user; } However, by sending a simple query parameter, it is *still* possible to change values in user. For example, you can send: http://localhost:8080/MySite/userdisplay.action?user.email=newemail @ad dress.com ... and it works. The email will become newem...@address.com Is there any way to shut this down other than whitelisting every single action in your site using ParameterNameAware? (Or simply never put model objects on your stack?) This is getting frustrating! -David - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- Maurizio Cucchiara - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org -- Maurizio Cucchiara --- -- To unsubscribe, e-mail: user-unsubscr
Re: Parameter manipulation
is your user object initialized when the param interceptor is run? here i might be wrong, but what i know is if your object is initialized then Struts or OGNL will call getUser().setEmail(...) otherwise create a new User then setEmail then setUser then the second case should fail for you again, i might be wrong on the behavior On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron dalte...@iupui.eduwrote: I've been getting more and more concerned about the possibility of parameter manipulation attacks with Struts2. I've started doing strict whitelists using the ParameterNameAware interface on all of my forms pages. However, today I tried to code a display-only page that shows information about a particular user. I thought that by simply creating a getter and no setter, it would be impossible to inject parameters. For example, my action only contains the following getter for a JPA model object: public User getUser() { return user; } However, by sending a simple query parameter, it is *still* possible to change values in user. For example, you can send: http://localhost:8080/MySite/userdisplay.action?user.email=newem...@address.com ... and it works. The email will become newem...@address.com Is there any way to shut this down other than whitelisting every single action in your site using ParameterNameAware? (Or simply never put model objects on your stack?) This is getting frustrating! -David - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org
Re: Parameter manipulation
I don't think it would be a global fix for all forms, but one way to fix the problem would be to use an interceptor that would make your user object available to your view using a context parameter rather than an action attribute. I.e. something like: public class UserInterceptor extends AbstractInterceptor { /** * Intercept the Action and Inject the User if it's available * * @param invocation The Action Invocation * @return The Action Result name */ @Override public String intercept (ActionInvocation invocation) throws Exception { User user = (User)ses.get(user); if(user != null) { invocation.getStack().getContext().put(user,user); } return invocation.invoke(); } //intercept } //*UserInterceptor this makes the user available to your JSP (or freemarker or velocity) as s:property value=%{#user.email}/ but prevents it from being accessed through form parameters. (*Chris*) On Wed, Dec 15, 2010 at 8:39 AM, Altenhof, David Aron dalte...@iupui.eduwrote: I've been getting more and more concerned about the possibility of parameter manipulation attacks with Struts2. I've started doing strict whitelists using the ParameterNameAware interface on all of my forms pages. However, today I tried to code a display-only page that shows information about a particular user. I thought that by simply creating a getter and no setter, it would be impossible to inject parameters. For example, my action only contains the following getter for a JPA model object: public User getUser() { return user; } However, by sending a simple query parameter, it is *still* possible to change values in user. For example, you can send: http://localhost:8080/MySite/userdisplay.action?user.email=newem...@address.com ... and it works. The email will become newem...@address.com Is there any way to shut this down other than whitelisting every single action in your site using ParameterNameAware? (Or simply never put model objects on your stack?) This is getting frustrating! -David - To unsubscribe, e-mail: user-unsubscr...@struts.apache.org For additional commands, e-mail: user-h...@struts.apache.org