I've been getting more and more concerned about the possibility of parameter
manipulation attacks with Struts2. I've started doing strict whitelists using
the ParameterNameAware interface on all of my forms pages. However, today I
tried to code a "display-only" page that sho
cessed
through form parameters.
(*Chris*)
On Wed, Dec 15, 2010 at 8:39 AM, Altenhof, David Aron wrote:
> I've been getting more and more concerned about the possibility of
> parameter manipulation attacks with Struts2. I've started doing strict
> whitelists using the Para
, i might be wrong on the behavior
On Thu, Dec 16, 2010 at 12:39 AM, Altenhof, David Aron
wrote:
> I've been getting more and more concerned about the possibility of
> parameter manipulation attacks with Struts2. I've started doing strict
> whitelists using the ParameterNameAware
nt: Friday, December 17, 2010 1:10 AM
To: Struts Users Mailing List
Subject: Re: Parameter manipulation
is your user object initialized when the param interceptor is run?
here i might be wrong, but what i know is if your object is initialized then
Struts or OGNL will call getUser().setEmail(...)
ge-
> From: Steven Yang [mailto:kenshin...@gmail.com]
> Sent: Friday, December 17, 2010 1:10 AM
> To: Struts Users Mailing List
> Subject: Re: Parameter manipulation
>
> is your user object initialized when the param interceptor is run?
>
> here i might be wrong, but what i kn
> Sent: Friday, December 17, 2010 1:10 AM
> To: Struts Users Mailing List
> Subject: Re: Parameter manipulation
>
> is your user object initialized when the param interceptor is run?
>
> here i might be wrong, but what i know is if your object is initialized
> then Struts o
gt;
>
>
> -Original Message-
> From: Steven Yang [mailto:kenshin...@gmail.com]
> Sent: Friday, December 17, 2010 1:10 AM
> To: Struts Users Mailing List
> Subject: Re: Parameter manipulation
>
> is your user object initialized when the param interceptor is run?
>
> >
> >
> > -Original Message-
> > From: Steven Yang [mailto:kenshin...@gmail.com]
> > Sent: Friday, December 17, 2010 1:10 AM
> > To: Struts Users Mailing List
> > Subject: Re: Parameter manipulation
> >
> > is your user object initialized
gt;> aren't as practical for our application.
>> >
>> > I'm just going to keep doing lots of whitelisting with
>> ParameterNameAware...
>> >
>> > -David
>> >
>> >
>> >
>> > -Original Message-
>> > From:
f, David Aron :
> >> > The model objects are initialized in prepare() ... other techniques
> just
> >> aren't as practical for our application.
> >> >
> >> > I'm just going to keep doing lots of whitelisting with
> >> ParameterNameAware...
>
ts are initialized in prepare() ... other techniques
>> just
>> >> aren't as practical for our application.
>> >> >
>> >> > I'm just going to keep doing lots of whitelisting with
>> >> ParameterNameAware...
>> >
> >>
> > >> 2010/12/17 Altenhof, David Aron :
> > >> > The model objects are initialized in prepare() ... other techniques
> > just
> > >> aren't as practical for our application.
> > >> >
> > >> > I'm just going to keep do
you supposed (expose only field with
>> > >> write accessors).
>> > >>
>> > >>
>> > >>
>> > >>
>> > >> 2010/12/17 Altenhof, David Aron :
>> > >> > The model objects are initialized in
/17 Altenhof, David Aron :
> >> >> > The model objects are initialized in prepare() ... other techniques
> >> just
> >> >> aren't as practical for our application.
> >> >> >
> >> >> > I'm just going to keep doi
ctice of
validating all incoming data.
Now if I could only find a few spare cycles to work on it...
-David
-Original Message-
From: Chris Pratt [mailto:thechrispr...@gmail.com]
Sent: Friday, December 17, 2010 1:08 PM
To: Struts Users Mailing List
Subject: Re: Parameter manipulation
May
riday, December 17, 2010 1:08 PM
To: Struts Users Mailing List
Subject: Re: Parameter manipulation
Maybe if the OP moves the bean creation out of the prepare() method (so the
bean isn't available during parameter injection) and then retrieves it at the
start of validate() or execute() that m
tice of
>> validating all incoming data.
>>
>> Now if I could only find a few spare cycles to work on it...
>>
>> -David
>>
>> -Original Message-
>> From: Chris Pratt [mailto:thechrispr...@gmail.com]
>> Sent: Friday, December 17, 2010 1:08 P
fiddling 2) Mandating the wise
>> practice of validating all incoming data.
>>
>> Now if I could only find a few spare cycles to work on it...
>>
>> -David
>>
>> -Original Message-
>> From: Chris Pratt [mailto:thechrispr...@gmail.com]
>> S
gt;
> -David
>
> -Original Message-
> From: Paweł Wielgus [mailto:poulw...@gmail.com]
> Sent: Tuesday, December 21, 2010 5:09 AM
> To: Struts Users Mailing List
> Subject: Re: Parameter manipulation
>
> Hi All,
> adding just one note to what Marcus already said, will You
19 matches
Mail list logo
