A best practice for the session is to only store immutable objects in the session. This would eliminate the SessionAware issue, plus it can also be important for clustered servers.
On Tue, Feb 21, 2012 at 9:09 AM, bphill...@ku.edu <bphill...@ku.edu> wrote:
> I was researching the SessionAware interface as I'm planning on adding a
> tutorial on how to use the HTTP Session object from within a Struts Action
> class to the tutorials at:
> https://cwiki.apache.org/confluence/display/WW/Getting+Started
>
> I ran across this
> http://codesecure.blogspot.com/2011/12/struts-2-session-tampering-via.html
> blog post and https://issues.apache.org/jira/browse/WW-3631 Struts 2 JIRA
> issue that discuss a security vulnerability when using SessionAware.
>
> I'd like to include in the tutorial the best practices for mitigating this
> vulnerability. Here is what I think programmers who use SessionAware in
> their Action class should do to mitigate this vulnerability:
>
> 1. Do not create a public Map<String, Object> getSession() method in the
> Action class.
>
> 2. Also implement the ParameterNameAware interface and override its
> acceptableParameterName method as follows:
>
> public boolean acceptableParameterName(String parameterName) {
>     boolean allowedParameterName = true;
>     if (parameterName.contains("session") ||
>         parameterName.contains("request")) {
>         allowedParameterName = false;
>     }
>     return allowedParameterName;
> }
>
> I'd certainly appreciate any feedback on best practices to follow when
> implementing the SessionAware interface and how to mitigate the security
> vulnerability.
>
> Thank You,
>
> Bruce Phillips
>
> --
> View this message in context:
> http://struts.1045723.n5.nabble.com/Security-Vulnerability-When-Using-SessionAware-and-Best-Practice-For-Mitigating-It-tp5502292p5502292.html
> Sent from the Struts - User mailing list archive at Nabble.com.
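As an added illustration (not code from the thread, from either poster, or from the Struts project), this hypothetical action combines both suggestions in one place: the session map stays private with no public getSession(), only an immutable value object is put into it, and acceptableParameterName uses an explicit allow-list of the form fields the action actually exposes instead of the substring check quoted above. The class, field and parameter names are assumptions.

```java
package example; // hypothetical package

import java.util.Map;
import java.util.regex.Pattern;

import com.opensymphony.xwork2.ActionSupport;
import com.opensymphony.xwork2.interceptor.ParameterNameAware;
import org.apache.struts2.interceptor.SessionAware;

public class ProfileAction extends ActionSupport
        implements SessionAware, ParameterNameAware {

    // Allow-list: only the plain identifiers backing our two form fields.
    // Anything else (e.g. "session.x", "request.x", "foo[0]") is rejected
    // without relying on substring matching of "session" or "request".
    private static final Pattern ALLOWED = Pattern.compile("^(userName|displayName)$");

    private Map<String, Object> session; // private, and no getSession() exposed
    private String userName;
    private String displayName;

    // Immutable value object: final fields, no setters, nothing to tamper with.
    public static final class Profile {
        private final String userName;
        private final String displayName;
        public Profile(String userName, String displayName) {
            this.userName = userName;
            this.displayName = displayName;
        }
        public String getUserName() { return userName; }
        public String getDisplayName() { return displayName; }
    }

    @Override
    public void setSession(Map<String, Object> session) { this.session = session; }

    @Override
    public boolean acceptableParameterName(String parameterName) {
        return parameterName != null && ALLOWED.matcher(parameterName).matches();
    }

    @Override
    public String execute() {
        // Store a fresh immutable snapshot rather than a mutable bean.
        session.put("profile", new Profile(userName, displayName));
        return SUCCESS;
    }

    public void setUserName(String userName) { this.userName = userName; }
    public void setDisplayName(String displayName) { this.displayName = displayName; }
}
```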