Tag Archives: struts2

Struts 2 insecure direct object reference – part 2 – ParameterNameAware

I discussed security issues in a previous post regarding malicious HTTP request parameters injecting data into a Struts 2 application. Jon pointed out an interface I had forgotten about, ParameterNameAware. How this works is quite simple. Your action class implements ParameterNameAware, and in the acceptableParameterName(String parameterName) method, you return true only if the client is […]

Struts 2 insecure direct object reference

There is a type of vulnerability which seems peculiar to Struts 2/WebWork applications and therefore may not be widely known. (It may exist in other frameworks as well, but I haven’t personally used any that have it.) The vulnerability is not part of Struts 2, but it enables it in the same sense that a […]