OWASP Insecure Web Components Project/Struts2

From OWASP
Revision as of 19:06, 9 September 2014 by Benjamin Watson

CookieInterceptor (S2-022)

Overview

The excluded parameter pattern introduced in version 2.3.16.2 to block access to getClass() did not cover other cases, allowing manipulation of session and request state when "*" is used to configure the cookiesName parameter.

The CookieInterceptor is used to set values in the OGNL value stack and on the action based on each cookie's name and value. If an asterisk is present in the cookiesName parameter, it is assumed that all cookie names are to be injected into the OGNL stack and the corresponding action. The same applies to the cookiesValue parameter.

Example:

<action ... >
    <interceptor-ref name="cookie">
        <param name="cookiesName">cookie1, cookie2</param>
        <param name="cookiesValue">*</param>
    </interceptor-ref>
    ...
</action>
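As an added, runnable illustration (not code from the OWASP page or the Struts project), the following Python audit helper models the wildcard rule described above: it reads the cookie interceptor-ref from an action definition and reports which cookie names from a request would be pushed onto the value stack, flagging those whose OGNL root is a state object such as session or request. The action name, action class, cookie names and deny-list are constructed for the example; the deny-list is illustrative only and is not the pattern any Struts release ships.

```python
import re
import xml.etree.ElementTree as ET

# Constructed deny-list of value-stack roots a cookie name must not reach.
# Illustrative only: not the regex any Struts release actually ships.
DENIED_ROOTS = ("session", "request", "application", "class")
DENIED_RE = re.compile(
    r"^#?(" + "|".join(map(re.escape, DENIED_ROOTS)) + r")(\.|\[|$)")

def declared_cookie_names(action_xml):
    """Collect the cookiesName entries set on the 'cookie' interceptor-ref."""
    names = []
    for ref in ET.fromstring(action_xml).iter("interceptor-ref"):
        if ref.get("name") != "cookie":
            continue
        for param in ref.findall("param"):
            if param.get("name") == "cookiesName":
                names += [n.strip() for n in (param.text or "").split(",") if n.strip()]
    return names

def injected_cookie_names(declared, request_cookies):
    """Model CookieInterceptor: '*' admits every cookie name, else only listed ones."""
    if "*" in declared:
        return list(request_cookies)
    return [c for c in request_cookies if c in declared]

def audit_cookie_interceptor(action_xml, request_cookies):
    """Report whether the wildcard is used and which injected cookie names
    would land on a denied root such as session or request."""
    declared = declared_cookie_names(action_xml)
    injected = injected_cookie_names(declared, request_cookies)
    return {
        "wildcard": "*" in declared,
        "injected": injected,
        "dangerous": [c for c in injected if DENIED_RE.match(c)],
    }

# Constructed sample action definitions (hypothetical class) and cookie names.
WEAK_ACTION = """<action name="demo" class="example.DemoAction">
  <interceptor-ref name="cookie">
    <param name="cookiesName">*</param>
    <param name="cookiesValue">*</param>
  </interceptor-ref>
</action>"""
SAFE_ACTION = WEAK_ACTION.replace(">*</param>\n", ">cookie1, cookie2</param>\n", 1)
SAMPLE_COOKIES = ["JSESSIONID", "cookie1", "session.theme", "request.locale"]

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_ACTION), ("safe", SAFE_ACTION)):
        print(label, audit_cookie_interceptor(xml, SAMPLE_COOKIES))
```

The weak configuration lets every cookie name through, so names rooted at session or request are reported; the explicit list admits only cookie1 and reports nothing.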
References:

http://struts.apache.org/release/2.3.x/docs/s2-022.html
http://securityintelligence.com/struts-vulnerabilities-analysis-parameters-cookie-interceptors-impact-exploitation/
http://codesecure.blogspot.ca/2011/12/struts-2-session-tampering-via.html