Kingdom: Input Validation and Representation

Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include: "Buffer Overflows," "Cross-Site Scripting" attacks, "SQL Injection," and many others.

Bean Manipulation

Abstract
An attacker may set arbitrary bean properties that can compromise system integrity.
Explanation
Bean property names and values need to be validated before populating any bean. Bean population functions let developers set a bean property or a nested property. Attackers can leverage this functionality to access special bean properties such as class.classLoader that enable them to override system properties and potentially execute arbitrary code.

Example: The following code sets a user-controlled bean property without proper validation of the property name or value:

import java.util.HashMap;
import org.apache.commons.beanutils.BeanUtils;

// Both the property name and its value come straight from the request and are never validated
String prop = request.getParameter("prop");
String value = request.getParameter("value");
HashMap<String, String> properties = new HashMap<>();
properties.put(prop, value);
// Populates whichever property the request names, including nested ones such as class.classLoader
BeanUtils.populate(user, properties);
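As an added example that is not part of this description, the same population step hardened: the property name is checked against an allowlist of simple, non-nested names before BeanUtils.populate is called, and the class property is hidden from introspection as defense in depth. The allowlist contents, the HttpServletRequest source and the Object-typed user bean are assumptions.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.beanutils.BeanUtils;
import org.apache.commons.beanutils.BeanUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class SafeBeanPopulation {

    // Allowlist of bean properties a request may set (assumed values for this example)
    private static final Set<String> ALLOWED_PROPERTIES = Set.of("firstName", "lastName", "email");

    static {
        // Defense in depth (Commons BeanUtils 1.9.2 and later): hide the "class" property from
        // introspection so class.classLoader is unreachable even if validation is bypassed
        BeanUtilsBean.getInstance().getPropertyUtils()
                .addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
    }

    /** Returns true only for a simple, allowlisted property name (no nested, indexed or mapped syntax). */
    static boolean isAllowedProperty(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        // Reject nested ('.'), indexed ('[') and mapped ('(') property expressions outright
        if (name.indexOf('.') >= 0 || name.indexOf('[') >= 0 || name.indexOf('(') >= 0) {
            return false;
        }
        return ALLOWED_PROPERTIES.contains(name);
    }

    /** Populates the user bean from the request, rejecting any property outside the allowlist. */
    static void populateUser(Object user, HttpServletRequest request) throws Exception {
        String prop = request.getParameter("prop");
        String value = request.getParameter("value");
        if (!isAllowedProperty(prop)) {
            throw new IllegalArgumentException("Property not permitted: " + prop);
        }
        Map<String, String> properties = new HashMap<>();
        properties.put(prop, value); // only reached for an allowlisted simple property
        BeanUtils.populate(user, properties);
    }
}
```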
desc.dataflow.java.bean_manipulation